Edit tour

Windows Analysis Report
2852oQ7OHx.exe

Overview

General Information

Sample name:	2852oQ7OHx.exe (renamed file extension from mem to exe, renamed because original name is a hash value)
Original sample name:	2a09719305ad5054f1294b1355f707a945950c5013538c439bd2ae5e5d2ac2f8.mem
Analysis ID:	1545115
MD5:	19c5de2ee75b5e364378b511ea5b960b
SHA1:	6f1c29332f82a6e5dded8f50fd666a53a87ff6c5
SHA256:	2a09719305ad5054f1294b1355f707a945950c5013538c439bd2ae5e5d2ac2f8
Infos:

Detection

Amadey

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Amadey

Contains functionality to start a terminal service

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

2852oQ7OHx.exe (PID: 4508 cmdline: "C:\Users\user\Desktop\2852oQ7OHx.exe" MD5: 19C5DE2EE75B5E364378B511EA5B960B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for sample

Source: 2852oQ7OHx.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: 185.215.113.217
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: /CoreOPT/index.php
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: S-%lu-
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: f9c76c1660
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: corept.exe
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Startup
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: cmd /C RMDIR /s/q
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: rundll32
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Programs
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: %USERPROFILE%
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: cred.dll\|clip.dll\|
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: cred.dll
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: clip.dll
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: http://
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: https://
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: /quiet
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: /Plugins/
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: &unit=
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: shell32.dll
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: kernel32.dll
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: GetNativeSystemInfo
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: ProgramData\
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: AVAST Software
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Kaspersky Lab
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Panda Security
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Doctor Web
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: 360TotalSecurity
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Bitdefender
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Norton
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Sophos
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Comodo
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: WinDefender
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: 0123456789
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: ------
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: ?scr=1
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: ComputerName
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: -unicode-
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: VideoID
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: DefaultSettings.XResolution
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: DefaultSettings.YResolution
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: ProductName
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: CurrentBuild
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: rundll32.exe
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: "taskkill /f /im "
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: " && timeout 1 && del
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: && Exit"
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: " && ren
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Powershell.exe
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: -executionpolicy remotesigned -File "
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: shutdown -s -t 0
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: random
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Keyboard Layout\Preload
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: 00000419
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: 00000422
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: 00000423
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: 0000043f
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: rundll32
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: cred.dll
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: https://
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: clip.dll
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: && Exit"
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Startup
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: -unicode-
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Norton
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: ?scr=1
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: ------
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Sophos
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: random
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: 00000422
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: " && ren
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: /Plugins/
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: 00000423
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: /quiet
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: &unit=
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: 0000043f
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: VideoID
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Comodo
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: S-%lu-
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: Programs
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: 00000419
Source: 0.2.2852oQ7OHx.exe.400000.0.unpack	String decryptor: http://

Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: 0_2_00406050	0_2_00406050
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: 0_2_0043065B	0_2_0043065B
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: 0_2_0042C720	0_2_0042C720
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: 0_2_004428D7	0_2_004428D7
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: 0_2_00446CD4	0_2_00446CD4
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: 0_2_00446DF4	0_2_00446DF4
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: 0_2_00406DF0	0_2_00406DF0
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: 0_2_00445047	0_2_00445047
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: 0_2_0043D6DA	0_2_0043D6DA
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: 0_2_00405AF0	0_2_00405AF0
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: 0_2_00433BA0	0_2_00433BA0
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: 0_2_00405DA0	0_2_00405DA0
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: 0_2_0043DE69	0_2_0043DE69

Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: String function: 0042B7D0 appears 56 times
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: String function: 004242A0 appears 101 times
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: String function: 0042AF81 appears 77 times
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: String function: 00406DF0 appears 57 times
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: String function: 004251B0 appears 136 times

Source: classification engine

Classification label: mal60.troj.spyw.winEXE@1/0@0/0

Source: 2852oQ7OHx.exe	String found in binary or memory: " /add /y
Source: 2852oQ7OHx.exe	String found in binary or memory: " /add
Source: 2852oQ7OHx.exe	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set9808a67f01d2f0720518035acbde7521c1ec479e5342a25940592acf24703eb27c43933a6df6cc301ccfdb96c295ca9e1379cdKQ6YLeECCI7oRIIlBdu0JXCschRUJvTmfL1bOR7r2ybwLPTtMr==SvPibCQyHPQpdL==JPKpdL==XgagNuVoBJ1TRp==WZYvZSx5AcYV4F==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyPWW XN==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy VSJq29EKfvRj1wrD1Urk1YMDS0GeciN62q==SjKqWZQhIx5IxvMEWthJxwZwAVygSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyakKrZBtxBpL8SEysZYFm1NP=SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy UXdq1wz8Wb5jOALv2o==HSKQRQFVJabxXJtwyK==VButcv==SBYQVv==PXKR9TF3bkB3aZF3 0B3Wj 3WUx3aDB3bTT3XDP3WUN3 EN3 Z23agP=W0yiZx1p1wAZ3Rtg2wVh1yr8W0yiZx1p1wz=WZmmcx1p1wz=XAt=XQt=XQx=XQB=RTumbb==9EGXcykAAm==9EGXcCIaAoa=XU7iXDmpWZQhaEBu UCmcjatJ0uYaRR5NDB+NDF+JYqpdR u1dPmIvhoGt==dx==HkKraSMdNN==aZ7ibBsEB98bgvs=9ZKvbhRxBpLl4vtjPZKXThB50N2cZShq3ALqHOZmdx==SEysZYFm1KU9ivB4OSOyUWMlJSbdiw 92gK=OUOmchA=QZuwcBRD2SwWNtt9Na==PSCCVv==SDurZBAlJSYaiMFg3Ba=PDYgdB5Dxvgc36==OSOEKwNtVB55NMAK4LJS2gbX4I==OjaXZBRrOM8b4ME=RjYvdB5zSZYtaB5EOZYqbXNATZarRBRrOM8b4ME=KAtvMuM6C fVTF==ajx=bZx=OZYrdBRz3s4LjMxcDcrq3Or0cYEl9hHlXjYvbNXpNNU9Tnx 1XLrOyzygU3xHMRjJPPqLNWyBNeAbX15OM8RQJNg2Xrs2Uf0cXbyKcsc 0yqLRNm3wHYNv191QK6xeLhfHHmKssc9TmibhByOJ3 GdPHQX5z3wYlirXL4RriDavheIEw7QE8bDasbd5ANTUcirXq3BziNOUNEh3OBNdqLNWyAI3=JPPKCb==N0CgceWCJjetZr==OZYrdBRz3s4LjMxcDcre2zvscXQl Acl fY1LS 83o4dgSFkARLv1yPu03boVQH=SYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA4VR5k2BLXOPDO0X4pTyEl UqYdBRDIcIk4F==OZYqcCR5ONMF3LXcWTygZBRrOSkgfbpj1QVs2zzye4U5 h5UcUdtMOEECtXTSocWAPY=JUKraRJAOwXkSYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA40L1g3ALhKefk1XbgMU0ETCyMTAt1HKUwYQs=SYaQVzRSMuQmgcNp1WnQOPKwOEIgQWMobjagZSJhFcIqfLJv0RDt1yz5ZG2tVAMlTjahZR5OGq==VAptMyw=PDKjYSRx3vQciwNg1g4wAdbS1YQz8BMQ9TYrPDKjYSRx3vQciwNg1g4wAdfS1YQz8BMQ9TYrSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0BdTgNhFTYphbRl3zPi2fHpd37=SEysZCRo3u89gLQ=KgpuOL==KgpvMb==KgpuNb==KgpvNL==O0KvchRz3uMSfLtbVx==Mgd3akKrZBtxBpLl4MdcJZhdGkGecXpw0MAjNr5dxwZm1KuiGfpjJdx50M4cgSRRxxudyaSg1HYwEu==HfNdRSdu3sL=GfpjJdxDOM78GzNjIv==SDY0ZSFE0wYjgr1c4AK=JTK1ZRJ63womgcxm1Abg4Kvy1X4z AMp9T3rZRMlAK2ggvQ8xa==Gd==aZ7YdBNA3S78QMI8ARGdBs==a0F6cr==ajurZB5yQZK2Yh5m2cT8YvBW1XLXMxvy1XAzUQH=KAptMyw5BJn=KAptMyw5B L=KAptMyw5B P=KAptMyw5BS1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice

Source: C:\Users\user\Desktop\2852oQ7OHx.exe

Code function: 0_2_0042B221 push ecx; ret

0_2_0042B234

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\2852oQ7OHx.exe

Code function: 0_2_0042E950 LdrInitializeThunk,

0_2_0042E950

Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: 0_2_0042EDC0 mov eax, dword ptr fs:[00000030h]		0_2_0042EDC0
Source: C:\Users\user\Desktop\2852oQ7OHx.exe	Code function: 0_2_00436FB2 mov eax, dword ptr fs:[00000030h]		0_2_00436FB2

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\2852oQ7OHx.exe

Code function: 0_2_0042B5EF cpuid

0_2_0042B5EF

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Contains functionality to start a terminal service

Source: 2852oQ7OHx.exe, 00000000.00000000.2036258800.0000000000451000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: net start termservice
Source: 2852oQ7OHx.exe, 00000000.00000000.2036258800.0000000000451000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set9808a67f01d2f0720518035acbde7521c1ec479e5342a25940592acf24703eb27c43933a6df6cc301ccfdb96c295ca9e1379cdKQ6YLeECCI7oRIIlBdu0JXCschRUJvTmfL1bOR7r2ybwLPTtMr==SvPibCQyHPQpdL==JPKpdL==XgagNuVoBJ1TRp==WZYvZSx5AcYV4F==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyPWW XN==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy VSJq29EKfvRj1wrD1Urk1YMDS0GeciN62q==SjKqWZQhIx5IxvMEWthJxwZwAVygSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyakKrZBtxBpL8SEysZYFm1NP=SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy UXdq1wz8Wb5jOALv2o==HSKQRQFVJabxXJtwyK==VButcv==SBYQVv==PXKR9TF3bkB3aZF3 0B3Wj 3WUx3aDB3bTT3XDP3WUN3 EN3 Z23agP=W0yiZx1p1wAZ3Rtg2wVh1yr8W0yiZx1p1wz=WZmmcx1p1wz=XAt=XQt=XQx=XQB=RTumbb==9EGXcykAAm==9EGXcCIaAoa=XU7iXDmpWZQhaEBu UCmcjatJ0uYaRR5NDB+NDF+JYqpdR u1dPmIvhoGt==dx==HkKraSMdNN==aZ7ibBsEB98bgvs=9ZKvbhRxBpLl4vtjPZKXThB50N2cZShq3ALqHOZmdx==SEysZYFm1KU9ivB4OSOyUWMlJSbdiw 92gK=OUOmchA=QZuwcBRD2SwWNtt9Na==PSCCVv==SDurZBAlJSYaiMFg3Ba=PDYgdB5Dxvgc36==OSOEKwNtVB55NMAK4LJS2gbX4I==OjaXZBRrOM8b4ME=RjYvdB5zSZYtaB5EOZYqbXNATZarRBRrOM8b4ME=KAtvMuM6C fVTF==ajx=bZx=OZYrdBRz3s4LjMxcDcrq3Or0cYEl9hHlXjYvbNXpNNU9Tnx 1XLrOyzygU3xHMRjJPPqLNWyBNeAbX15OM8RQJNg2Xrs2Uf0cXbyKcsc 0yqLRNm3wHYNv191QK6xeLhfHHmKssc9TmibhByOJ3 GdPHQX5z3wYlirXL4RriDavheIEw7QE8bDasbd5ANTUcirXq3BziNOUNEh3OBNdqLNWyAI3=JPPKCb==N0CgceWCJjetZr==OZYrdBRz3s4LjMxcDcre2zvscXQl Acl fY1LS 83o4dgSFkARLv1yPu03boVQH=SYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA4VR5k2BLXOPDO0X4pTyEl UqYdBRDIcIk4F==OZYqcCR5ONMF3LXcWTygZBRrOSkgfbpj1QVs2zzye4U5 h5UcUdtMOEECtXTSocWAPY=JUKraRJAOwXkSYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA40L1g3ALhKefk1XbgMU0ETCyMTAt1HKUwYQs=SYaQVzRSMuQmgcNp1WnQOPKwOEIgQWMobjagZSJhFcIqfLJv0RDt1yz5ZG2tVAMlTjahZR5OGq==VAptMyw=PDKjYSRx3vQciwNg1g4wAdbS1YQz8BMQ9TYrPDKjYSRx3vQciwNg1g4wAdfS1YQz8BMQ9TYrSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0BdTgNhFTYphbRl3zPi2fHpd37=SEysZCRo3u89gLQ=KgpuOL==KgpvMb==KgpuNb==KgpvNL==O0KvchRz3uMSfLtbVx==Mgd3akKrZBtxBpLl4MdcJZhdGkGecXpw0MAjNr5dxwZm1KuiGfpjJdx50M4cgSRRxxudyaSg1HYwEu==HfNdRSdu3sL=GfpjJdxDOM78GzNjIv==SDY0ZSFE0wYjgr1c4AK=JTK1ZRJ63womgcxm1Abg4Kvy1X4z AMp9T3rZRMlAK2ggvQ8xa==Gd==aZ7YdBNA3S78QMI8ARGdBs==a0F6cr==ajurZB5yQZK2Yh5m2cT8YvBW1XLXMxvy1XAzUQH=KAptMyw5BJn=KAptMyw5B L=KAptMyw5B P=KAptMyw5BS1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: 2852oQ7OHx.exe	String found in binary or memory: net start termservice
Source: 2852oQ7OHx.exe	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set9808a67f01d2f0720518035acbde7521c1ec479e5342a25940592acf24703eb27c43933a6df6cc301ccfdb96c295ca9e1379cdKQ6YLeECCI7oRIIlBdu0JXCschRUJvTmfL1bOR7r2ybwLPTtMr==SvPibCQyHPQpdL==JPKpdL==XgagNuVoBJ1TRp==WZYvZSx5AcYV4F==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyPWW XN==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy VSJq29EKfvRj1wrD1Urk1YMDS0GeciN62q==SjKqWZQhIx5IxvMEWthJxwZwAVygSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyakKrZBtxBpL8SEysZYFm1NP=SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy UXdq1wz8Wb5jOALv2o==HSKQRQFVJabxXJtwyK==VButcv==SBYQVv==PXKR9TF3bkB3aZF3 0B3Wj 3WUx3aDB3bTT3XDP3WUN3 EN3 Z23agP=W0yiZx1p1wAZ3Rtg2wVh1yr8W0yiZx1p1wz=WZmmcx1p1wz=XAt=XQt=XQx=XQB=RTumbb==9EGXcykAAm==9EGXcCIaAoa=XU7iXDmpWZQhaEBu UCmcjatJ0uYaRR5NDB+NDF+JYqpdR u1dPmIvhoGt==dx==HkKraSMdNN==aZ7ibBsEB98bgvs=9ZKvbhRxBpLl4vtjPZKXThB50N2cZShq3ALqHOZmdx==SEysZYFm1KU9ivB4OSOyUWMlJSbdiw 92gK=OUOmchA=QZuwcBRD2SwWNtt9Na==PSCCVv==SDurZBAlJSYaiMFg3Ba=PDYgdB5Dxvgc36==OSOEKwNtVB55NMAK4LJS2gbX4I==OjaXZBRrOM8b4ME=RjYvdB5zSZYtaB5EOZYqbXNATZarRBRrOM8b4ME=KAtvMuM6C fVTF==ajx=bZx=OZYrdBRz3s4LjMxcDcrq3Or0cYEl9hHlXjYvbNXpNNU9Tnx 1XLrOyzygU3xHMRjJPPqLNWyBNeAbX15OM8RQJNg2Xrs2Uf0cXbyKcsc 0yqLRNm3wHYNv191QK6xeLhfHHmKssc9TmibhByOJ3 GdPHQX5z3wYlirXL4RriDavheIEw7QE8bDasbd5ANTUcirXq3BziNOUNEh3OBNdqLNWyAI3=JPPKCb==N0CgceWCJjetZr==OZYrdBRz3s4LjMxcDcre2zvscXQl Acl fY1LS 83o4dgSFkARLv1yPu03boVQH=SYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA4VR5k2BLXOPDO0X4pTyEl UqYdBRDIcIk4F==OZYqcCR5ONMF3LXcWTygZBRrOSkgfbpj1QVs2zzye4U5 h5UcUdtMOEECtXTSocWAPY=JUKraRJAOwXkSYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA40L1g3ALhKefk1XbgMU0ETCyMTAt1HKUwYQs=SYaQVzRSMuQmgcNp1WnQOPKwOEIgQWMobjagZSJhFcIqfLJv0RDt1yz5ZG2tVAMlTjahZR5OGq==VAptMyw=PDKjYSRx3vQciwNg1g4wAdbS1YQz8BMQ9TYrPDKjYSRx3vQciwNg1g4wAdfS1YQz8BMQ9TYrSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0BdTgNhFTYphbRl3zPi2fHpd37=SEysZCRo3u89gLQ=KgpuOL==KgpvMb==KgpuNb==KgpvNL==O0KvchRz3uMSfLtbVx==Mgd3akKrZBtxBpLl4MdcJZhdGkGecXpw0MAjNr5dxwZm1KuiGfpjJdx50M4cgSRRxxudyaSg1HYwEu==HfNdRSdu3sL=GfpjJdxDOM78GzNjIv==SDY0ZSFE0wYjgr1c4AK=JTK1ZRJ63womgcxm1Abg4Kvy1X4z AMp9T3rZRMlAK2ggvQ8xa==Gd==aZ7YdBNA3S78QMI8ARGdBs==a0F6cr==ajurZB5yQZK2Yh5m2cT8YvBW1XLXMxvy1XAzUQH=KAptMyw5BJn=KAptMyw5B L=KAptMyw5B P=KAptMyw5BS1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	Path Interception	Path Interception	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Information Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Obfuscated Files or Information	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2852oQ7OHx.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545115
Start date and time:	2024-10-30 06:29:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2852oQ7OHx.exe (renamed file extension from mem to exe, renamed because original name is a hash value)
Original Sample Name:	2a09719305ad5054f1294b1355f707a945950c5013538c439bd2ae5e5d2ac2f8.mem
Detection:	MAL
Classification:	mal60.troj.spyw.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 57

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 2852oQ7OHx.exe, PID 4508 because there are no executed function

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.254054899548336
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2852oQ7OHx.exe
File size:	471'040 bytes
MD5:	19c5de2ee75b5e364378b511ea5b960b
SHA1:	6f1c29332f82a6e5dded8f50fd666a53a87ff6c5
SHA256:	2a09719305ad5054f1294b1355f707a945950c5013538c439bd2ae5e5d2ac2f8
SHA512:	79331035cda117e882b951c0d9d405635c0012ff0deb852433e686576504523048add3895089db8d4b7c19bf07bb0234f998957692d676626636eb97fc0ad8de
SSDEEP:	12288:K0verm3t2E1OLUn3gJ0qUHAJsRP/McRkWKnkHfLyMf:L2EPwJNUPMUMc7f
TLSH:	F3A44B207916D032D62191B11FADFFF195ADA9268B7109DB7BC00E769E201E37A31F39
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D............)....../.r...........)....../....................+......+.?....#.............(....Rich..........

File Icon


Icon Hash:	00928e8e8686b000

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: 2852oQ7OHx.exePID: 4508, Parent PID: 1028

General

Target ID:	0
Start time:	01:30:03
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\2852oQ7OHx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2852oQ7OHx.exe"
Imagebase:	0x400000
File size:	471'040 bytes
MD5 hash:	19C5DE2EE75B5E364378B511EA5B960B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 2852oQ7OHx.exePID: 4508, Parent PID: 1028COMMON

Non-executed Functions

Function 00406DF0 Relevance: 13.0, Strings: 9, Instructions: 1737COMMON

Download Yara Rule

Strings

pConditionVariableSRW, xrefs: 00407BF8
InitOnceComplete, xrefs: 00407D95
nformationByHandle, xrefs: 00407E45
ointerEx, xrefs: 004075EE
leW, xrefs: 00407B81
OfFile, xrefs: 00407653
(, xrefs: 00408E06
tionVariable, xrefs: 00406E21
ireSRWLockExclusive, xrefs: 00407396, 0040755B

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID: ($InitOnceComplete$OfFile$ireSRWLockExclusive$leW$nformationByHandle$ointerEx$pConditionVariableSRW$tionVariable
API String ID: 0-327484620
Opcode ID: 1972b94060568a1a6c23f14105d9ce1f87121131c5a22917870ddf2ace5125db
Instruction ID: d9c25ca2808add9c2c1b907e17571655aaed943e9baf9b424e1f6e3eef650a93
Opcode Fuzzy Hash: 1972b94060568a1a6c23f14105d9ce1f87121131c5a22917870ddf2ace5125db
Instruction Fuzzy Hash: C7D22571A001189FDB14DF28CD85BDDBB75EF45304F5082AEE805A72D2DB38AA94CF99

Function 00445047 Relevance: 6.7, APIs: 1, Strings: 2, Instructions: 1427COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00445203

Strings

-UA, xrefs: 004464F4
be-BY, xrefs: 004464EA

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: __floor_pentium4
String ID: -UA$be-BY
API String ID: 4168288129-4183263085
Opcode ID: d5a9efa2e9c23db574cee4b0c158dc3bc5b23ea0be2440512a028c19e34b4599
Instruction ID: a1841e2474ac8eb40c61d42c4e8429fe95ecf7bf4dc167e5169c4b11ea00f2f0
Opcode Fuzzy Hash: d5a9efa2e9c23db574cee4b0c158dc3bc5b23ea0be2440512a028c19e34b4599
Instruction Fuzzy Hash: 62D23671E086288BEF64CE28DD407EAB7B5EB49305F1541EBD80DE7241E778AE818F45

Function 00433BA0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1306a0bdd3c789fcb34041474ff1bfeb3c9248328dc782b2ec963238407ea1e4
Instruction ID: 3a84c16b4b0909996b5d636f0b5cf1b5beea668d9c4fa8b5189fbcdd1f31ab16
Opcode Fuzzy Hash: 1306a0bdd3c789fcb34041474ff1bfeb3c9248328dc782b2ec963238407ea1e4
Instruction Fuzzy Hash: A8F15E71E002199FDF14CFA9C9806AEB7B1FF88315F15826AE919AB344D735AE01CB94

Function 00405AF0 Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

aveCriticalSection, xrefs: 00405BCB, 00405CA7

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID: aveCriticalSection
API String ID: 0-855654167
Opcode ID: 9ae14f9f86b13af87e59428e2889d5cbfaf2a48a932aa022db6295634ffbcfad
Instruction ID: 7ac3f4d9d387563f90d5dc2aa0919d0dbf2c5824123c68f0ea87c7918ebd5daf
Opcode Fuzzy Hash: 9ae14f9f86b13af87e59428e2889d5cbfaf2a48a932aa022db6295634ffbcfad
Instruction Fuzzy Hash: 8E913675A046898FEB11CF68C4907EFBBF2EF5A304F14856ED490A7782C3799506CB98

Function 00405DA0 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

aveCriticalSection, xrefs: 00405E87, 00405EA0, 00405F77, 00405F93

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID: aveCriticalSection
API String ID: 0-855654167
Opcode ID: 93bb7315f168b93e09cbaaa2c1185cd245bb923f597016554ea7a3079887602c
Instruction ID: b34851fb924a2a63efe97b5a42d582a3dc90b937267a1ba1165ebc8b57b39270
Opcode Fuzzy Hash: 93bb7315f168b93e09cbaaa2c1185cd245bb923f597016554ea7a3079887602c
Instruction Fuzzy Hash: 99812170A006568FEB05CF68D8807EFBBB1FB1A300F15027AD854A7783C7399945CBA9

Function 0043065B Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 004307D7

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 8e7168f2e3b80ecde7d41ec60de51f8c2516a765a2e8d7d5a02e4a1990b4a516
Instruction ID: 3b4129d4ecf8157f39b2296d029b743035bb4231ef4267202d516b9fa20236fb
Opcode Fuzzy Hash: 8e7168f2e3b80ecde7d41ec60de51f8c2516a765a2e8d7d5a02e4a1990b4a516
Instruction Fuzzy Hash: 445145B02006485ADB3C9A2988B67BF67999B8E304F14371FE482D7382C71DBD45CE5E

Function 00406050 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd28896bac2394dff04a0e106b80f782989c019b1add2048c7eeb27cac09892
Instruction ID: 160b67f0f93c2cfe30eea0d415556aaba00b70ff8c116c18faa1e517fdd8f42b
Opcode Fuzzy Hash: bcd28896bac2394dff04a0e106b80f782989c019b1add2048c7eeb27cac09892
Instruction Fuzzy Hash: 332240B7F515144BDB0CCA5DDCA27EDB2E3AFD8214B0E803DE40AE3345EA79D9158688

Function 0043DE69 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54aa027eddf16f6854fdf6b806d210553fd582a0f491a2ddc8cd06b739f69f79
Instruction ID: 2896237af8675b297fbb5686fdf12db2cf14473e76bdb5ff9b3c13d6b7c2c0a6
Opcode Fuzzy Hash: 54aa027eddf16f6854fdf6b806d210553fd582a0f491a2ddc8cd06b739f69f79
Instruction Fuzzy Hash: 29321421D2AF014DD7239635C83633A6648AFBB3C5F55E737F81AB5AA6EF28D4834104

Function 004428D7 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1d3900dac022cb441befe31fec314f966ff714a6c06d5e9a3a3704f5df7452e9
Instruction ID: b4579f4f82d2644c3c80af2fee660c9af08fdf0fad1c92a481b21edf63c0aaa5
Opcode Fuzzy Hash: 1d3900dac022cb441befe31fec314f966ff714a6c06d5e9a3a3704f5df7452e9
Instruction Fuzzy Hash: AEB11A756007429BEB349F25CD82BB7B3A8EF44308F94456EF943C6680EAB9F985C714

Function 0043D6DA Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f760a13ac17f532dcbf17cb7eb8e0a05e00dcae94f571a5eb605c551604019de
Instruction ID: 17ce475df930da7fdbd645d37ed63b775b2234915a730f44dac69c65b16ca8a0
Opcode Fuzzy Hash: f760a13ac17f532dcbf17cb7eb8e0a05e00dcae94f571a5eb605c551604019de
Instruction Fuzzy Hash: F3B16D75A10608CFD718CF28D486B657BE0FF09364F25965AE899CF3A1C339E982CB44

Function 0042B5EF Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0053dcc76a4348f16536e283a415c191811d4c22440512c94189cea60e0b0018
Instruction ID: 533fcd1961739dca8835dd84a84100c06e9c6f3d40e74c562fdbe3d3c8090069
Opcode Fuzzy Hash: 0053dcc76a4348f16536e283a415c191811d4c22440512c94189cea60e0b0018
Instruction Fuzzy Hash: AF516EB1A002158BDB15CF55E9857AAB7F4FB88314F14846AD805EB3A1E3B89D40CFD9

Function 00446DF4 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a0ad7ecf1c58bf6420d2293ad889a581338796447d01f2096d40bb5facebca
Instruction ID: bc7050348d3a5db12d5e9eccc58f09e8c085c1b180475c9669b8c4f5f315a201
Opcode Fuzzy Hash: f6a0ad7ecf1c58bf6420d2293ad889a581338796447d01f2096d40bb5facebca
Instruction Fuzzy Hash: AA21A473F2043947770CC47ECC56279B6E1C68C501745423EE8A6EA2C1D968D917E2E4

Function 00446CD4 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a0a9de66c5f01c2a0f5a382a16250962e160abbdaec7852a83c8998c23eb3d
Instruction ID: fecb72ec5bd630e4daabe26511c8bda6801047fa6ad0fb49ef1aaeb9acb01010
Opcode Fuzzy Hash: e6a0a9de66c5f01c2a0f5a382a16250962e160abbdaec7852a83c8998c23eb3d
Instruction Fuzzy Hash: 5511A363F30C255B775C816D8C172BAA1D2EBD824030F433AD826EB2C4E8A4DE13D290

Function 0042C720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 40b99be074523ca5d8842e7437be6772cb0623a1449b6893050a78a2270d82e1
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 561108BB34016343D6048A3DF9F46BFA395EAD6321BBC43BBD0414B754D32A99499E08

Function 00436FB2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536b44fd73eadf3e31ec865b67989e03e7ee94b5c5c02321cc27c9baea765fb6
Instruction ID: 702073e9089290407ebfe275532974c32e9d1c82f2274f92365efbecf95bb2ad
Opcode Fuzzy Hash: 536b44fd73eadf3e31ec865b67989e03e7ee94b5c5c02321cc27c9baea765fb6
Instruction Fuzzy Hash: 23E08C72911238EBCB14DB89D90498AF3FCEB48B44F16809BF501D3240C274EE00C7D4

Function 0042EDC0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef7b898e1b90659b254094701e8279159d2f3c88fbd92feae3f3b73d03babf6
Instruction ID: 20cfe0d719476d8fe4c12aa44a7c5276cee37f9ac579584d7003eb125dff1e64
Opcode Fuzzy Hash: eef7b898e1b90659b254094701e8279159d2f3c88fbd92feae3f3b73d03babf6
Instruction Fuzzy Hash: 77E08C31100218BFCF116F5AEC4DB9A3B69FB44342F494429F809EA232CB39DD81CB88

Function 0042E950 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781b29d232a99c01b45002bd2319491df8041c6333d592c2fb7b420b592c5fd4
Instruction ID: 4f8ca33565f1c3406906361f11fdec8450dc8c2a1a978169c55fcf8efb899ec2
Opcode Fuzzy Hash: 781b29d232a99c01b45002bd2319491df8041c6333d592c2fb7b420b592c5fd4
Instruction Fuzzy Hash: D7B092B64042096AD200BA42FC06C2BB7ACAAE0B04F40882EF58802122E5226D789636

Function 004336E3 Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 357COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00433752
_free.LIBCMT ref: 00433768
_free.LIBCMT ref: 0043377B
_free.LIBCMT ref: 00433790
_free.LIBCMT ref: 004337A5

Part of subcall function 0043CE80: _free.LIBCMT ref: 0043CEEB

_free.LIBCMT ref: 00433A5A
_free.LIBCMT ref: 00433A6D
_free.LIBCMT ref: 00433A7B
_free.LIBCMT ref: 00433A86
_free.LIBCMT ref: 00433AC8
_free.LIBCMT ref: 00433AD0
_free.LIBCMT ref: 00433AD6
_free.LIBCMT ref: 00433ADE
_free.LIBCMT ref: 00433AEC

Strings

`=E, xrefs: 00433B17
>E, xrefs: 00433B21

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID: `=E$>E
API String ID: 269201875-1271661499
Opcode ID: 229f0d185bc4384e52d1ff0b66255b6140caf7ed04e40224d04d270c9caa15d5
Instruction ID: 3ec5fb3dd96264c1aade16fbd6d54e04257e4bd2a2b73d7f17a1eb9c949f484b
Opcode Fuzzy Hash: 229f0d185bc4384e52d1ff0b66255b6140caf7ed04e40224d04d270c9caa15d5
Instruction Fuzzy Hash: 66D19AB19003059FDB11AFA9C881BAEBBF4BF0C304F14552EF495E7282DB79A945CB64

Function 00441805 Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 373COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044184D
_free.LIBCMT ref: 00441871
_free.LIBCMT ref: 0044187E
_free.LIBCMT ref: 004418A3
_free.LIBCMT ref: 004418B0
_free.LIBCMT ref: 004418B9
_free.LIBCMT ref: 00441B93
_free.LIBCMT ref: 00441B9B

Strings

@bF, xrefs: 00441833
@bF, xrefs: 00441B18

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID: @bF$@bF
API String ID: 269201875-3696685462
Opcode ID: e8e502443f981a65d4dee212598e1ba74a34f463f93ce5860ea95c526d30a543
Instruction ID: 2efe1cd562b27336c6567246b885b7168bcb75ae6b762f3d1a7bf57438ea44d6
Opcode Fuzzy Hash: e8e502443f981a65d4dee212598e1ba74a34f463f93ce5860ea95c526d30a543
Instruction Fuzzy Hash: F2C12572D40304ABEB20DBA9CC83FDE77F9AF08745F14416AFA05FB282D67499418768

Function 0044240D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00442446
___free_lconv_mon.LIBCMT ref: 00442451

Part of subcall function 00441707: _free.LIBCMT ref: 00441724
Part of subcall function 00441707: _free.LIBCMT ref: 00441736
Part of subcall function 00441707: _free.LIBCMT ref: 00441748
Part of subcall function 00441707: _free.LIBCMT ref: 0044175A
Part of subcall function 00441707: _free.LIBCMT ref: 0044176C
Part of subcall function 00441707: _free.LIBCMT ref: 0044177E
Part of subcall function 00441707: _free.LIBCMT ref: 00441790
Part of subcall function 00441707: _free.LIBCMT ref: 004417A2
Part of subcall function 00441707: _free.LIBCMT ref: 004417B4
Part of subcall function 00441707: _free.LIBCMT ref: 004417C6
Part of subcall function 00441707: _free.LIBCMT ref: 004417D8
Part of subcall function 00441707: _free.LIBCMT ref: 004417EA
Part of subcall function 00441707: _free.LIBCMT ref: 004417FC

_free.LIBCMT ref: 00442468
_free.LIBCMT ref: 0044247D
_free.LIBCMT ref: 00442488
_free.LIBCMT ref: 004424AA
_free.LIBCMT ref: 004424BD
_free.LIBCMT ref: 004424CB
_free.LIBCMT ref: 004424D6
_free.LIBCMT ref: 0044250E
_free.LIBCMT ref: 00442515
_free.LIBCMT ref: 00442532
_free.LIBCMT ref: 0044254A

Strings

@bF, xrefs: 00442423

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free$___free_lconv_mon
String ID: @bF
API String ID: 3658870901-1202698578
Opcode ID: ae52e7fce0134140acc547cdcdbe20a26bdf9873947ab1665f4141750425fcc1
Instruction ID: d696d3614be92bd5a7831bdeb65dfae6c35360da14f11d0627029604851f990b
Opcode Fuzzy Hash: ae52e7fce0134140acc547cdcdbe20a26bdf9873947ab1665f4141750425fcc1
Instruction Fuzzy Hash: 70315971600701AFEB20AA7AD946B57B7E8EF14314F90541FF455D72A1DFBCAD80CA28

Function 00440D8F Relevance: 24.4, APIs: 16, Instructions: 411COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00440DB9
_free.LIBCMT ref: 00440E92
_free.LIBCMT ref: 00440EBF

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 4c8ff88daf29aec305c803ef21f02d376c0965b73fb4190666bb4bec1c73dabb
Instruction ID: ca94d491f9048189be79e20f15e24362d73df6d95f02c96f06b6c40d189120ce
Opcode Fuzzy Hash: 4c8ff88daf29aec305c803ef21f02d376c0965b73fb4190666bb4bec1c73dabb
Instruction Fuzzy Hash: BCD1F771A00305AFEB20AFB5D842A6E77A8AF05314F14416FFA10D7391EBBD9980C75D

Function 00441C24 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00441C92
_free.LIBCMT ref: 00441C9E
_free.LIBCMT ref: 00441DC7
_free.LIBCMT ref: 00441DD2

Strings

@bF, xrefs: 00441C4F

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID: @bF
API String ID: 269201875-1202698578
Opcode ID: 41e98232c88f3691606d4a032a760ccc22e9ed94f37c3f7db9ec4dac68a01374
Instruction ID: d58c710f1dd8d7327cbee3b15c7e7644800adf8136c0417ba398fe17e774b824
Opcode Fuzzy Hash: 41e98232c88f3691606d4a032a760ccc22e9ed94f37c3f7db9ec4dac68a01374
Instruction Fuzzy Hash: ED61B4B19007019FEB20EF75C881BABB7E9AF48710F10455FF955EB251EB78AD808B58

Function 0042DC82 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMON

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 0042DD7F
type_info::operator==.LIBVCRUNTIME ref: 0042DDA1
___TypeMatch.LIBVCRUNTIME ref: 0042DEB0
IsInExceptionSpec.LIBVCRUNTIME ref: 0042DF82
_UnwindNestedFrames.LIBCMT ref: 0042E006
CallUnexpected.LIBVCRUNTIME ref: 0042E021

Strings

csm, xrefs: 0042DD2C
csm, xrefs: 0042DDD8
csm, xrefs: 0042DCBF

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: c2eea119acf5c0d3e2a133d299b240dfa57c6749be22527b7d92e0dbe9d40283
Instruction ID: f4d2f0f65e730da260585cffcb6a51f4442b4706a18516626f05f95195296666
Opcode Fuzzy Hash: c2eea119acf5c0d3e2a133d299b240dfa57c6749be22527b7d92e0dbe9d40283
Instruction Fuzzy Hash: E1B1B971E00229AFCF24DFA5E9809AEBBB5FF14314F91405BE8116B302D739DA51CB99

Function 00437978 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043798E
_free.LIBCMT ref: 0043799A
_free.LIBCMT ref: 004379A5
_free.LIBCMT ref: 004379B0
_free.LIBCMT ref: 004379BB
_free.LIBCMT ref: 004379C6
_free.LIBCMT ref: 004379D1
_free.LIBCMT ref: 004379DC
_free.LIBCMT ref: 004379E7
_free.LIBCMT ref: 004379F5

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d305eb2f78d132329aa3d529ae08fdf1df956d88b21b94e35fbfa51ff169c1e5
Instruction ID: 26574e543d5c1ecff23d7658161e9f93dec7c8f2c93cc5639cabfb90113262c9
Opcode Fuzzy Hash: d305eb2f78d132329aa3d529ae08fdf1df956d88b21b94e35fbfa51ff169c1e5
Instruction Fuzzy Hash: 46218976900208EFCB41EF96D842DDD7BB5AF18344F0051ABB515DB121DB39EA94CB84

Function 004361A7 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004362B6
_free.LIBCMT ref: 004362CD
_free.LIBCMT ref: 004362EA
_free.LIBCMT ref: 00436305
_free.LIBCMT ref: 0043631C

Strings

|ME, xrefs: 004361FA
.exe, xrefs: 004361E2, 00436260

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID: .exe$|ME
API String ID: 269201875-3609827028
Opcode ID: 71337688d697aa474ba39f30650b7d541d56b2a90450a5bcaf4100324e5b84e0
Instruction ID: 8d99b6d85113ccfb12dc11ee9a2cf0114295d1050c84d2623030e8d0f5c20512
Opcode Fuzzy Hash: 71337688d697aa474ba39f30650b7d541d56b2a90450a5bcaf4100324e5b84e0
Instruction Fuzzy Hash: DF51F131A00305AFDB21AF6AC842A6BB7F4EF4C724F12956FE805D7250E739D9408B48

Function 004236D0 Relevance: 12.3, APIs: 8, Instructions: 343COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00423797
std::_Rethrow_future_exception.LIBCPMT ref: 004237E4
std::_Rethrow_future_exception.LIBCPMT ref: 004237F4
__Mtx_unlock.LIBCPMT ref: 0042388B
__Mtx_unlock.LIBCPMT ref: 00423984
__Mtx_unlock.LIBCPMT ref: 004239D2
__Cnd_broadcast.LIBCPMT ref: 00423A1C
__Mtx_unlock.LIBCPMT ref: 00423A25

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: Mtx_unlock$Rethrow_future_exceptionstd::_$Cnd_broadcast
String ID:
API String ID: 3990724213-0
Opcode ID: e78533e7b606a0909dfcd03366121f13470cb03426e61e0b551c0070bbbb0ba1
Instruction ID: d09c0a34eeb51e98a1bb2126d931f4d1702b861211562e6a9f1447bdbc52a2e9
Opcode Fuzzy Hash: e78533e7b606a0909dfcd03366121f13470cb03426e61e0b551c0070bbbb0ba1
Instruction Fuzzy Hash: 7CB124B1E002199BCB10DF65E945BAFBBB4AF05305F40452FE81697782DB3CAE44CB96

Function 00432164 Relevance: 11.7, Strings: 9, Instructions: 433COMMON

Download Yara Rule

Strings

p, xrefs: 004322A5
f, xrefs: 0043229E
:, xrefs: 00432211
f, xrefs: 00432258
p, xrefs: 0043225F
p, xrefs: 00432243
X-D, xrefs: 00432424, 00432621
f, xrefs: 0043223C
+C, xrefs: 00432669, 0043246C

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID: +C$:$X-D$f$f$f$p$p$p
API String ID: 0-1539281384
Opcode ID: 5f983773652ee894900f1ad981fc7fe4f74e8e142287481f08e875788fa63c24
Instruction ID: 1a2e329d146b0bcc1b6b2b791c18866c2a6ddf9b4dc7e549178c23938df81c41
Opcode Fuzzy Hash: 5f983773652ee894900f1ad981fc7fe4f74e8e142287481f08e875788fa63c24
Instruction Fuzzy Hash: 33F19A759002199ADF24CFA1D7596EDB772BF1AB18FA0610BD4216B2C4D7BC4E88CB0D

Function 0040D330 Relevance: 11.3, Strings: 9, Instructions: 17COMMON

Download Yara Rule

Strings

ePage, xrefs: 0040C472
ditionVariableCS, xrefs: 0040C338
itializeSRWLock, xrefs: 0040CD08
tdHandle, xrefs: 0040CF7C
ngsW, xrefs: 0040D2E0, 0040D2EC
nnectA, xrefs: 0040C95A
tError, xrefs: 0040CBCE
ion, xrefs: 0040CA94
Process, xrefs: 0040C5AC

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID: Process$ditionVariableCS$ePage$ion$itializeSRWLock$ngsW$nnectA$tError$tdHandle
API String ID: 0-1983367419
Opcode ID: 8bf5032f2f3d83fa4ace3deaee99987575724dbaa925e69e358891a18a3ca2d5
Instruction ID: 63a0c0a5b7652bc92a9bbe983112b2fb791efabc02829aaec55f660287e4b66d
Opcode Fuzzy Hash: 8bf5032f2f3d83fa4ace3deaee99987575724dbaa925e69e358891a18a3ca2d5
Instruction Fuzzy Hash: BFE01272900548ABD711EB69CD41FDBBBBCFB05B20F40073AF421936D0EB7865048698

Function 00436632 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043691D
_free.LIBCMT ref: 00436936
_free.LIBCMT ref: 00436974
_free.LIBCMT ref: 0043697D
_free.LIBCMT ref: 00436989

Strings

C, xrefs: 0043678E

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID: C
API String ID: 269201875-1037565863
Opcode ID: 9ef99747f9037a3f98bf733f0ed22c7ffcfadf3b777ae6ddcc736cff8f92ff25
Instruction ID: 70fd1e37b75d8e25e8ca3505ab589a62ff7870cea8f4a44faca939f70bfc897f
Opcode Fuzzy Hash: 9ef99747f9037a3f98bf733f0ed22c7ffcfadf3b777ae6ddcc736cff8f92ff25
Instruction Fuzzy Hash: 80B15B7590121AAFDB24DF18C884BAEB7B5FF48314F5185AEE849A7350E734AE90CF44

Function 0042D750 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0042D787
___except_validate_context_record.LIBVCRUNTIME ref: 0042D78F
_ValidateLocalCookies.LIBCMT ref: 0042D818
__IsNonwritableInCurrentImage.LIBCMT ref: 0042D843
_ValidateLocalCookies.LIBCMT ref: 0042D898

Strings

csm, xrefs: 0042D82D

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e7b3df09d7a10c5e7891cee4c4d896d8d761d9a625353f9d609074bcca53e697
Instruction ID: a563625e1f0f06dc2a233c7a51a1bf5c49ef0859a84ee330ce3e52a0599d1452
Opcode Fuzzy Hash: e7b3df09d7a10c5e7891cee4c4d896d8d761d9a625353f9d609074bcca53e697
Instruction Fuzzy Hash: 3841F534F002289BCF10EF69D884A9EBBB4BF49328F54806BE8145B352D779D901CB99

Function 00425E70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00425EA6
std::_Lockit::_Lockit.LIBCPMT ref: 00425EC6
std::_Lockit::~_Lockit.LIBCPMT ref: 00425EE6
std::_Facet_Register.LIBCPMT ref: 00425F81
std::_Lockit::~_Lockit.LIBCPMT ref: 00425F99

Strings

yMB, xrefs: 00425E9B

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: yMB
API String ID: 459529453-2036636473
Opcode ID: 93a698dea28e097ab119d0d880fe20d93c5f8692c42930c7be62979f592e2e25
Instruction ID: e49155eec0cbb52e30d557cc949f3f76e31a7f947fda601c991598787c154066
Opcode Fuzzy Hash: 93a698dea28e097ab119d0d880fe20d93c5f8692c42930c7be62979f592e2e25
Instruction Fuzzy Hash: 8441D171A006258FCB10DF55E981BAFB7B4EB04714F55416FE806AB351EB78AD02CBC9

Function 004420E6 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00441E32: _free.LIBCMT ref: 00441E57

_free.LIBCMT ref: 00442134
_free.LIBCMT ref: 0044213F
_free.LIBCMT ref: 0044214A
_free.LIBCMT ref: 0044219E
_free.LIBCMT ref: 004421A9
_free.LIBCMT ref: 004421B4
_free.LIBCMT ref: 004421BF

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: abbf06782d2151277ef86c742c26406c39e67a21eafa21519947c3b4b75dadf7
Instruction ID: 1b6353891330d2d191abfc3505320cd73142413e210ec2ec17a74728ec9b31f0
Opcode Fuzzy Hash: abbf06782d2151277ef86c742c26406c39e67a21eafa21519947c3b4b75dadf7
Instruction Fuzzy Hash: C5112C75581B08BAE520FBB2CC07FCBB79C5F04704F40481EB69EA6063DE7DB9458654

Function 004256E0 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00425715
std::_Lockit::_Lockit.LIBCPMT ref: 00425737
std::_Lockit::~_Lockit.LIBCPMT ref: 00425757
__Getctype.LIBCPMT ref: 004257ED
std::_Facet_Register.LIBCPMT ref: 0042580C
std::_Lockit::~_Lockit.LIBCPMT ref: 00425824

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 556c0cc3a5f117c1b49c2f8bbb2f8fe16617071d9dfb03343d44193ec2772240
Instruction ID: 3e0ed95d43878618b23da20a261c1cb21e1e347a6197fc8a7192369dab5ab031
Opcode Fuzzy Hash: 556c0cc3a5f117c1b49c2f8bbb2f8fe16617071d9dfb03343d44193ec2772240
Instruction Fuzzy Hash: 4E41D171A00624CFCB21DF54E841BAEB7B4EF94714F60416EE805AB351EB78AD41CB99

Function 0043F68E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 330COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043F74B
_free.LIBCMT ref: 0043F917
_free.LIBCMT ref: 0043F98F

Strings

]E, xrefs: 0043FAB5

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID: ]E
API String ID: 269201875-3467577844
Opcode ID: 10af01855852b165286abef80efac0089e4ced1f075bf25bdc5770eddd4ea2d5
Instruction ID: 0861b34dae92f8d92a49fc6ba9b5d05543463b287c5d1b99d70d54d2926dfa1a
Opcode Fuzzy Hash: 10af01855852b165286abef80efac0089e4ced1f075bf25bdc5770eddd4ea2d5
Instruction Fuzzy Hash: 4EA127B1D00215ABDB14AFA5DC42AAFBBB8EF48314F14507FF80497251E7799D48C798

Function 0043C22A Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

, xrefs: 0043C4CB, 0043C4D0

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 392943af1409d67af4c3fe8217671e6d0d3babbc889cc684477591dba7ea38ea
Instruction ID: 1d71cd505fe71bc9f88b04a2477f4fc60415b68095a9111b7b6d550c35a01b3f
Opcode Fuzzy Hash: 392943af1409d67af4c3fe8217671e6d0d3babbc889cc684477591dba7ea38ea
Instruction Fuzzy Hash: 05C1D2B0A04315AFDB11DFA9C8C1BBE7BB1AF5D304F10505AE901AB3A2C7799941CB69

Function 0040EA50 Relevance: 8.9, Strings: 7, Instructions: 178COMMON

Download Yara Rule

Strings

leTimeToSystemTime, xrefs: 004104BE
rnetCloseHandle, xrefs: 004110F4, 00411118
tFileType, xrefs: 00410733
vF, xrefs: 004134CF
(, xrefs: 00410A7E
FreeLibraryWhenCallbackReturns, xrefs: 0041046D
@3P, xrefs: 0040FDB7

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID: ($@3P$FreeLibraryWhenCallbackReturns$leTimeToSystemTime$rnetCloseHandle$tFileType$vF
API String ID: 0-702564196
Opcode ID: 31bd1cc51f94046419b360ab95be535f616e11923930a594cee46109b2111f9f
Instruction ID: 64750e3c67b5a2828dea5bcee1b291ea6752ba0cbb1632cef5eb356c99eaa10d
Opcode Fuzzy Hash: 31bd1cc51f94046419b360ab95be535f616e11923930a594cee46109b2111f9f
Instruction Fuzzy Hash: 29512471A002049FEB04CF69DD80BAFBBB5EF05314F54456EE801AB382E779A954CB99

Function 0043D133 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0043D1B7
__alloca_probe_16.LIBCMT ref: 0043D27D
__freea.LIBCMT ref: 0043D2E9
__freea.LIBCMT ref: 0043D2F2
__freea.LIBCMT ref: 0043D315

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: __freea$__alloca_probe_16
String ID:
API String ID: 3509577899-0
Opcode ID: da02b6ee7e5ff368d747182ed4b7df38b9c5915a50071cba704e8ab9a43cb572
Instruction ID: b7eddfb3fb9baff70de296c7cc90b490b11f55b4f2e22696a4d7a5cce6b372eb
Opcode Fuzzy Hash: da02b6ee7e5ff368d747182ed4b7df38b9c5915a50071cba704e8ab9a43cb572
Instruction Fuzzy Hash: 64512472A00216ABEF215F65EC41EBF77A9EF88754F15116BFC04A7240EB78DD1086A8

Function 00428070 Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 004281F9
__Mtx_unlock.LIBCPMT ref: 0042820A
__Cnd_broadcast.LIBCPMT ref: 00428230
__Mtx_unlock.LIBCPMT ref: 00428236
Concurrency::cancel_current_task.LIBCPMT ref: 0042827F

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: Mtx_unlock$Cnd_broadcastConcurrency::cancel_current_task
String ID:
API String ID: 3354401312-0
Opcode ID: 2ffe0209e6ec834a4bf081228b46bf415e7d8ffdaf4dee744f5d3dd11ca3c207
Instruction ID: 0e36f6b657f5236eb2f2ea684418ed3ccc8d65dcfb5c19a08503ec01347a574d
Opcode Fuzzy Hash: 2ffe0209e6ec834a4bf081228b46bf415e7d8ffdaf4dee744f5d3dd11ca3c207
Instruction Fuzzy Hash: 10619F70A02229DFDF14DFA1D9447AEBBB8BF04304F54419EE805A7342DB38AA05CBA5

Function 00441BBB Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00441BD3
_free.LIBCMT ref: 00441BE5
_free.LIBCMT ref: 00441BF7
_free.LIBCMT ref: 00441C09
_free.LIBCMT ref: 00441C1B

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3700b1d01d0f743a177f9bcd14190786602e042492a4215b080e5bbd353f2358
Instruction ID: 3cf758f4ad92919f32a4ea1b5ac0949abd66dcc53902ff8af57eb6743356d5fc
Opcode Fuzzy Hash: 3700b1d01d0f743a177f9bcd14190786602e042492a4215b080e5bbd353f2358
Instruction Fuzzy Hash: 33F0F972514300AB9624FBA9F9D2C1BB7E9EE14710B651C5EF408D7620DB6CFCC08AAC

Function 0044479F Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

__dosmaperr.LIBCMT ref: 004448BA
__dosmaperr.LIBCMT ref: 004448D9
__dosmaperr.LIBCMT ref: 00444A7F

Strings

H, xrefs: 00444A04

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: __dosmaperr
String ID: H
API String ID: 2332233096-2852464175
Opcode ID: 20d193a1bd4e72dc9360de1517e7a5aea7d7b8b8aaa6c15b70c616326f9f7bff
Instruction ID: 8927fcc0488463e00a6b9b5f139f7772fdd49af587a4ff79472888eb6b1947e1
Opcode Fuzzy Hash: 20d193a1bd4e72dc9360de1517e7a5aea7d7b8b8aaa6c15b70c616326f9f7bff
Instruction Fuzzy Hash: 60A14872A002548FDF19DF78DC517AE3BA0AB8A324F14015EF811AB3E1D7798C12C75A

Function 0043FD82 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FF1C

Strings

*?, xrefs: 0043FDC5

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 317533a8bd29bf9178b6c3dde1179d32943e398613007d640f2a0047592b5bbe
Instruction ID: 2a98f7be1039f70ab430b98fa202d60f2c234db38430196a5aff728fe1c21f29
Opcode Fuzzy Hash: 317533a8bd29bf9178b6c3dde1179d32943e398613007d640f2a0047592b5bbe
Instruction Fuzzy Hash: B5617D75E002199FDB14DFA9C8819EEFBF5EF4C314F24916AE805E7301E638AE458B94

Function 00433441 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004334F0
_free.LIBCMT ref: 0043351E
_free.LIBCMT ref: 00433561

Strings

q6C, xrefs: 00433477, 004334C1, 004334FD, 0043347A, 004334C4

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID: q6C
API String ID: 269201875-3434830378
Opcode ID: e0d68be3173fd7e35b9fb156597df15bb8683acd2e2c62fb6ea591588a37da6f
Instruction ID: b14d341f000f2ac958c88b6ad792d2a32d6711a8f222f9a8ef05bba9c3d2e13d
Opcode Fuzzy Hash: e0d68be3173fd7e35b9fb156597df15bb8683acd2e2c62fb6ea591588a37da6f
Instruction Fuzzy Hash: DA417B31600205AFD724DFACC885A6AB3E9FF4D325B24166EF445C73A1EB39ED109B58

Function 00429CE3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 00429DC3
__Xtime_diff_to_millis2.LIBCPMT ref: 00429E09
_xtime_get.LIBCPMT ref: 00429E2C

Strings

;@, xrefs: 00429DBD, 00429E02, 00429E26, 00429DC2, 00429E05, 00429E2B

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _xtime_get$Xtime_diff_to_millis2
String ID: ;@
API String ID: 2858396081-2925476404
Opcode ID: 32c6520eb408b0b7023a1b4e99d757177a819bec6b9d07bf3c0f193e4cf47272
Instruction ID: 1c162ca247d7765678bc443c92c28bab5f2bb286a5d41d2fbc7ec8912a6e6e28
Opcode Fuzzy Hash: 32c6520eb408b0b7023a1b4e99d757177a819bec6b9d07bf3c0f193e4cf47272
Instruction Fuzzy Hash: 51519031A10225CFCF10DF64E5859AAB7B4FF08351F9540ABE8069B292C734EC41DFA9

Function 0043FA89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FB59

Part of subcall function 0043F92F: _free.LIBCMT ref: 0043F98F

Strings

]E, xrefs: 0043FAB5

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID: ]E
API String ID: 269201875-3467577844
Opcode ID: aadf71b320f6944541fe5b70adffda86bf0af346bf541737f3ac9a766f1d8a9f
Instruction ID: 95f605f128a2d44de440c9e5feb36fe87527329c680f6d94a51df8ba88950c2e
Opcode Fuzzy Hash: aadf71b320f6944541fe5b70adffda86bf0af346bf541737f3ac9a766f1d8a9f
Instruction Fuzzy Hash: BE213AB2C0031956CB20A765DC56D9BB77C9F88328F11127FF82593292EF3CAD4A856D

Function 0041B0C0 Relevance: 6.4, Strings: 5, Instructions: 171COMMON

Download Yara Rule

Strings

tartup, xrefs: 0041BA69
unter, xrefs: 0041BA86
ocessorFeaturePresent, xrefs: 0041B40B
, xrefs: 0041BB08
ndNextFileW, xrefs: 0041B425

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID: $ndNextFileW$ocessorFeaturePresent$tartup$unter
API String ID: 0-1013036707
Opcode ID: 55c933f156c078c72751149bc83545c829b0f29f9cdadf0ccdcdf6a26b2e8e5a
Instruction ID: b35d56cb1100a7b33bd93be651dfe9cfebd3625df64ef4fe5ad33d36f06ee225
Opcode Fuzzy Hash: 55c933f156c078c72751149bc83545c829b0f29f9cdadf0ccdcdf6a26b2e8e5a
Instruction Fuzzy Hash: A6619330A00258DFEB14DBA9DD557DEBB72EB45308FA081DED405272C2D7790E84CBA6

Function 00405960 Relevance: 6.4, Strings: 5, Instructions: 133COMMON

Download Yara Rule

Strings

HeapFree, xrefs: 004059A1, 004059EB
GdipCreateBitmapFromHBITMAP, xrefs: 0040569D
Alloc, xrefs: 004059CC
DisposeImage, xrefs: 00405815, 004059C1
ExitProcess, xrefs: 0040575F, 00405802, 00405919

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID: Alloc$DisposeImage$ExitProcess$GdipCreateBitmapFromHBITMAP$HeapFree
API String ID: 0-719005267
Opcode ID: cbcfc92cb95ebe9b44906c26dd74fddf52b02b50a8d2ea0fc6905463852a74f9
Instruction ID: bd8f403721b9843bb821ef89121ed9ba4d399f0515ee0faaf5614e0e2f7b78e8
Opcode Fuzzy Hash: cbcfc92cb95ebe9b44906c26dd74fddf52b02b50a8d2ea0fc6905463852a74f9
Instruction Fuzzy Hash: 0E41E2717005849FEB04CF2DCC806AEBBA5FB89318FA4427EFC55D7381D67899908B99

Function 00439E88 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00439F12

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 81afa335b41f4f710963bccd7ea6607cd356900f5081b631e9a078a8aa9009a0
Instruction ID: 4ead7efb9f50ff051d7512ddabc437f0a6aa756a5b65b10a1932ee57bc8643c8
Opcode Fuzzy Hash: 81afa335b41f4f710963bccd7ea6607cd356900f5081b631e9a078a8aa9009a0
Instruction Fuzzy Hash: BFB135329002459FDB15CF68C881BAFBBB5EF59344F24916BE884EB341D67C9D01CB6A

Function 0044863C Relevance: 6.2, APIs: 4, Instructions: 244COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00448795
__alloca_probe_16.LIBCMT ref: 0044882B
__freea.LIBCMT ref: 00448896
__freea.LIBCMT ref: 004488A2

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: __alloca_probe_16__freea
String ID:
API String ID: 1635606685-0
Opcode ID: dc519855e3166abf4f9e0cf8e285ff4c6058ad5d8e0f79acf0afa5c52c5aaa52
Instruction ID: a0c7fd6f79aafda01e0c610cdd04406831cf261749f7614afc6c2ab7c523162c
Opcode Fuzzy Hash: dc519855e3166abf4f9e0cf8e285ff4c6058ad5d8e0f79acf0afa5c52c5aaa52
Instruction Fuzzy Hash: DF81B172D002199BEF20AF658C41AEF7BB5AF49354F69045FE904B7341DB39CC408BA9

Function 0042DA2B Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0042DAF2
___AdjustPointer.LIBCMT ref: 0042DB15
___AdjustPointer.LIBCMT ref: 0042DBB1

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: c3d1ca1c0cc0dcef1f0ec59fdcd4a37e6a636825a7af76eb0c596ff30569b59e
Instruction ID: 63c3a5a24afae3d27759f248bdfeb16889284888026a40dfd1296d73adc5bd1c
Opcode Fuzzy Hash: c3d1ca1c0cc0dcef1f0ec59fdcd4a37e6a636825a7af76eb0c596ff30569b59e
Instruction Fuzzy Hash: DB51E371F052269FDB288F11E891BBABBA4EF00314F99442FE84187391D739EC41CB98

Function 00426D80 Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00426E57
std::_Rethrow_future_exception.LIBCPMT ref: 00426EA9
std::_Rethrow_future_exception.LIBCPMT ref: 00426EB9

Part of subcall function 00404660: __Mtx_unlock.LIBCPMT ref: 00404754

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: Mtx_unlockRethrow_future_exceptionstd::_
String ID:
API String ID: 3298230783-0
Opcode ID: b30651e0761f0e9ad3e8f29b30edf1bd0b0f34b740de1e09294c6221c768bdd6
Instruction ID: c66a80f9546818ec040ac4052a8b43355dc38a007c2d04e7eb6b1f8f42c5482d
Opcode Fuzzy Hash: b30651e0761f0e9ad3e8f29b30edf1bd0b0f34b740de1e09294c6221c768bdd6
Instruction Fuzzy Hash: 76410B71E003185BCB10EFA5E841BAFBBA8DF15304F41457FE546A3642EB396944C7AA

Function 0042D914 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0042D930
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0042D949

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: e05244602e1e9cb5709058beeb82151e4566f510a6517080351c7c7d7050e3ef
Instruction ID: 57f03592deb0f1eeb2c4bddb12f89ff2c5427e9d264b472c4e1c6722acea6e98
Opcode Fuzzy Hash: e05244602e1e9cb5709058beeb82151e4566f510a6517080351c7c7d7050e3ef
Instruction Fuzzy Hash: BE01D4767093316EA72427767C855A72A54EB02B7ABA0023FF514C01E2FF9A4C81928D

Function 004353CB Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004353D4
_free.LIBCMT ref: 004353E7
_free.LIBCMT ref: 004353F8
_free.LIBCMT ref: 00435409

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 01caac258aac6b6712d6790cdd87dd8d9563967e9898c5393353104566d3ce8e
Instruction ID: 036d99e447797a2c94cac6f1b2a2f5ef543bb890fe1ca93a8b44865cf93ca9c6
Opcode Fuzzy Hash: 01caac258aac6b6712d6790cdd87dd8d9563967e9898c5393353104566d3ce8e
Instruction Fuzzy Hash: 6AE09AF5411321AA8E017F26EC02486BA29AB58714B01502EF40852235EBFD0D569FCE

Function 00442E26 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 251COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00442FA6
_wcschr.LIBVCRUNTIME ref: 00442FB4

Strings

api-ms-win-core-string-l1-1-0, xrefs: 00442FE4

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _wcschr
String ID: api-ms-win-core-string-l1-1-0
API String ID: 2691759472-1889975206
Opcode ID: e3e8b9743329bd35a0dc30a48afc358f3413f1c59876c2bc82b717f4c1b4ece7
Instruction ID: e7df83d89a1fc82624522dd102d21c9a3c22cda9bc48d6bdf14d377c458b51c3
Opcode Fuzzy Hash: e3e8b9743329bd35a0dc30a48afc358f3413f1c59876c2bc82b717f4c1b4ece7
Instruction Fuzzy Hash: 98711871600202AAF724AF76DD46BAB77A8EF48705F64402FF505D7281EBB8DE40876D

Function 0043F92F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043F98F
_free.LIBCMT ref: 0043FB59

Strings

]E, xrefs: 0043FAB5

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID: ]E
API String ID: 269201875-3467577844
Opcode ID: 42b2a21e575063c8e3e6a62053de0b2407ee710dc51a9ff6d2f41027a296ae59
Instruction ID: 8b87b1761b457b0fdac4b1dc5b2f9633eff48290dce43e809b33843db34ed1f5
Opcode Fuzzy Hash: 42b2a21e575063c8e3e6a62053de0b2407ee710dc51a9ff6d2f41027a296ae59
Instruction Fuzzy Hash: A9511AB1D00224AACB10ABA6DC46A9FBB78EF48314F10517BF414A7251E7B89D48CB9D

Function 00440813 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044088B

Strings

hfF, xrefs: 004408B3

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID: hfF
API String ID: 269201875-362638094
Opcode ID: 173f9efad1886856cc4ce38ebed74c3bb075ab4478f2ba4a61fd1c510ea55269
Instruction ID: 30a28dfcd0e6e4cb2493a4639250ac0c48f284b78bc834ebb6d228ad02fcb611
Opcode Fuzzy Hash: 173f9efad1886856cc4ce38ebed74c3bb075ab4478f2ba4a61fd1c510ea55269
Instruction Fuzzy Hash: 0D31A372900209AFEB10EF59D881A9F77B4EF44354F11406EFA10972A1EB3A9D61CFA4

Function 00431A55 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431A83
_free.LIBCMT ref: 00431AA9

Strings

0bF, xrefs: 00431B10

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID: _free
String ID: 0bF
API String ID: 269201875-324980994
Opcode ID: 51bbd509ddf82067f75488d846fcfebd2e83db89cf60e1679928f3b17376c206
Instruction ID: 2a2ac9ab1e039bfcf84795bc9025b6f8db1c5539c5774bdb366a97a06fa4759f
Opcode Fuzzy Hash: 51bbd509ddf82067f75488d846fcfebd2e83db89cf60e1679928f3b17376c206
Instruction Fuzzy Hash: DE11D371A013015ADB20EB29AC51B56369C9B5D725F14222BF920CB3E0F7F8DC82878E

Function 0041BEC0 Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

ltiByte, xrefs: 00418843, 004196C7, 0041C891
tUnhandledExceptionFilter, xrefs: 0041C1C1
ngsW, xrefs: 0041A8AA, 0041A8CF, 0041AB9F, 0041ABC1, 0041BF08, 0041BF2D, 0041C228, 0041C24A
., xrefs: 0041C8C5

Memory Dump Source

Source File: 00000000.00000002.3289894659.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3289879373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289929515.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289949715.0000000000466000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3289966125.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_2852oQ7OHx.jbxd

Similarity

API ID:
String ID: .$ltiByte$ngsW$tUnhandledExceptionFilter
API String ID: 0-3238422506
Opcode ID: fff905ac232d852d7df88624791c1ebf0197db7633036c5017137f9140c53bb5
Instruction ID: cda9f2293ec8d64ff13efef12bd02e1bf558bf961c9360de76b8f1fc3b1d121d
Opcode Fuzzy Hash: fff905ac232d852d7df88624791c1ebf0197db7633036c5017137f9140c53bb5
Instruction Fuzzy Hash: 60C19070D0429CDFEF10DBA8C9497DDBFB5AF45308FA08099D40467282D7B85A88DFA6

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2852oQ7OHx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: 2852oQ7OHx.exePID: 4508, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: 2852oQ7OHx.exePID: 4508, Parent PID: 1028COMMON

Non-executed Functions

Function 00406DF0 Relevance: 13.0, Strings: 9, Instructions: 1737COMMON

Function 00445047 Relevance: 6.7, APIs: 1, Strings: 2, Instructions: 1427COMMON

Function 00433BA0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Function 00405AF0 Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Function 00405DA0 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Function 0043065B Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Function 00406050 Relevance: .7, Instructions: 701COMMON

Function 0043DE69 Relevance: .6, Instructions: 637COMMON

Function 004428D7 Relevance: .3, Instructions: 327COMMON

Function 0043D6DA Relevance: .3, Instructions: 274COMMON

Function 0042B5EF Relevance: .1, Instructions: 144COMMON

Function 00446DF4 Relevance: .1, Instructions: 104COMMON

Function 00446CD4 Relevance: .1, Instructions: 81COMMON

Windows Analysis Report
2852oQ7OHx.exe