Edit tour

Windows Analysis Report
tu.exe

Overview

General Information

Sample name:	tu.exe
Analysis ID:	1428245
MD5:	de717951989420c6b9790c9160a23d35
SHA1:	df8621b3d9fa7e4e1d511d6ff732457aac6a0a1d
SHA256:	d434e12726aee7ad7378dc4e395dd5f8fba6255546eef9e1dbb51d52d966af2c
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

C2 URLs / IPs found in malware configuration

Contains functionality to infect the boot sector

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Drops PE files to the document folder of the user

Drops large PE files

Injects a PE file into a foreign processes

Installs a global keyboard hook

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

tu.exe (PID: 5412 cmdline: "C:\Users\user\Desktop\tu.exe" MD5: DE717951989420C6B9790C9160A23D35)

tu.exe (PID: 4256 cmdline: "C:\Users\user\Desktop\tu.exe" MD5: DE717951989420C6B9790C9160A23D35)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "abril18.con-ip.com:7770:1", "Assigned name": "ALETEO", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-PO8SC5", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.4585822426.00000000024CF000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b11a:$a1: Remcos restarted by watchdog! 0x6b692:$a3: %02i:%02i:%02i:%03i
Process Memory Space: tu.exe PID: 5412	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: tu.exe PID: 5412	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: tu.exe PID: 5412	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6a660:$a1: Remcos restarted by watchdog! 0x7821a:$a1: Remcos restarted by watchdog! 0x6abba:$a3: %02i:%02i:%02i:%03i 0x6afe9:$a3: %02i:%02i:%02i:%03i 0x78774:$a3: %02i:%02i:%02i:%03i 0x78ba3:$a3: %02i:%02i:%02i:%03i
Process Memory Space: tu.exe PID: 4256	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: tu.exe PID: 4256	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: tu.exe PID: 4256	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x306f7:$a1: Remcos restarted by watchdog! 0x30c51:$a3: %02i:%02i:%02i:%03i 0x31080:$a3: %02i:%02i:%02i:%03i
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.tu.exe.550000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
5.2.tu.exe.550000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.tu.exe.550000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
5.2.tu.exe.550000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
5.2.tu.exe.550000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
0.2.tu.exe.46d672.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.tu.exe.46d672.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.tu.exe.46d672.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
0.2.tu.exe.46d672.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
0.2.tu.exe.46d672.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
0.2.tu.exe.23c0000.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.tu.exe.23c0000.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.tu.exe.23c0000.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0.2.tu.exe.23c0000.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0.2.tu.exe.23c0000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
0.2.tu.exe.23c0000.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.tu.exe.23c0000.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.tu.exe.23c0000.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
0.2.tu.exe.23c0000.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
0.2.tu.exe.23c0000.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
0.2.tu.exe.46d672.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.tu.exe.46d672.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.tu.exe.46d672.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
0.2.tu.exe.46d672.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
0.2.tu.exe.46d672.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
5.2.tu.exe.550000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
5.2.tu.exe.550000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.tu.exe.550000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
5.2.tu.exe.550000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
5.2.tu.exe.550000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
0.2.tu.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.tu.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.tu.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xd291a:$a1: Remcos restarted by watchdog! 0xd2e92:$a3: %02i:%02i:%02i:%03i
0.2.tu.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0xcc85a:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xcc7ee:$s1: CoGetObject 0xcc802:$s1: CoGetObject 0xcc81e:$s1: CoGetObject 0xd67aa:$s1: CoGetObject 0xcc7ae:$s2: Elevation:Administrator!new:
Click to see the 29 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Documents\ChromeUpdate\SentinelOne.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\tu.exe, ProcessId: 5412, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SentinelOneIsCrap

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\tu.exe, ProcessId: 4256, TargetFilename: C:\ProgramData\remcos\logs.dat

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C	URL Reputation: Label: phishing

Found malware configuration

Source: 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "abril18.con-ip.com:7770:1", "Assigned name": "ALETEO", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-PO8SC5", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara detected Remcos RAT

Source: Yara match	File source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4585822426.00000000024CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tu.exe PID: 5412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tu.exe PID: 4256, type: MEMORYSTR

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_00583837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

5_2_00583837

Source: tu.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tu.exe PID: 5412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tu.exe PID: 4256, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_005574FD _wcslen,CoGetObject,

5_2_005574FD

Source: tu.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: tu.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\vmagent_new\bin\joblist\222359\out\Release\360AdvToolExecutor.pdbpF source: tu.exe, SentinelOne.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\222359\out\Release\360AdvToolExecutor.pdb source: tu.exe, SentinelOne.exe.0.dr

Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00559253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	5_2_00559253
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0056C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	5_2_0056C291
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0055C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	5_2_0055C34D
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00559665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	5_2_00559665
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0059E879 FindFirstFileExA,	5_2_0059E879
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0055880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	5_2_0055880C
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0055783C FindFirstFileW,FindNextFileW,	5_2_0055783C
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00569AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	5_2_00569AF5
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0055BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	5_2_0055BB30
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0055BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	5_2_0055BD37

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_00557C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

5_2_00557C97

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: abril18.con-ip.com

Source: global traffic

TCP traffic: 192.168.2.6:49721 -> 179.14.10.110:7770

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: ColombiaMovilCO ColombiaMovilCO

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_0056B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

5_2_0056B380

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: abril18.con-ip.com

Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: http://.inihttps://map/set
Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: http://crl.godaddy.com/gdig2s5-6.crl0
Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: http://down.360safe.com/360zip_setup.exe360SysReset
Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: http://down.360safe.com/setup.exeIsBetaVersion360ver.dllSOFTWARE
Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/;
Source: tu.exe, 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: tu.exe, 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, tu.exe, 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, tu.exe, 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpJ
Source: tu.exe, 00000005.00000003.2347351969.0000000000937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpK
Source: tu.exe, 00000005.00000003.2347351969.0000000000937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpQ
Source: tu.exe, 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpT
Source: tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpalF
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpl
Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: http://ocsp.godaddy.com/0
Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: http://ocsp.godaddy.com/05
Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: tu.exe, SentinelOne.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/03

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_0055A2B8 SetWindowsHookExA 0000000D,0055A2A4,00000000

5_2_0055A2B8

Installs a global keyboard hook

Source: C:\Users\user\Desktop\tu.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\tu.exe

Jump to behavior

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_0055B70E OpenClipboard,GetClipboardData,CloseClipboard,

5_2_0055B70E

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_005668C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_005668C1

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_0055B70E OpenClipboard,GetClipboardData,CloseClipboard,

5_2_0055B70E

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_0055A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

5_2_0055A3E0

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4585822426.00000000024CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tu.exe PID: 5412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tu.exe PID: 4256, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_0056C9E2 SystemParametersInfoW,

5_2_0056C9E2

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: tu.exe PID: 5412, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: tu.exe PID: 4256, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Drops large PE files

Source: C:\Users\user\Desktop\tu.exe

File dump: SentinelOne.exe.0.dr 800000000

Jump to dropped file

Source: C:\Users\user\Desktop\tu.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\tu.exe

Code function: 0_2_004115E1 NtQueryDefaultLocale,

0_2_004115E1

Source: C:\Users\user\Desktop\tu.exe

Code function: 0_2_00406279: CreateFileA,_memset,DeviceIoControl,CloseHandle,

0_2_00406279

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_005667B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

5_2_005667B4

Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0042B525	0_2_0042B525
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_004115E1	0_2_004115E1
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00412583	0_2_00412583
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00407010	0_2_00407010
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040E020	0_2_0040E020
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040E024	0_2_0040E024
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00455031	0_2_00455031
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00456160	0_2_00456160
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0044A29E	0_2_0044A29E
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040D2A8	0_2_0040D2A8
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0043F34D	0_2_0043F34D
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040E36C	0_2_0040E36C
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0041236C	0_2_0041236C
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0042B441	0_2_0042B441
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00428486	0_2_00428486
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_004124AF	0_2_004124AF
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00455575	0_2_00455575
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0042A571	0_2_0042A571
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00440533	0_2_00440533
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040D608	0_2_0040D608
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00428613	0_2_00428613
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040D62D	0_2_0040D62D
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040F695	0_2_0040F695
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00445732	0_2_00445732
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_004127ED	0_2_004127ED
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040D7FF	0_2_0040D7FF
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040F8F3	0_2_0040F8F3
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040D882	0_2_0040D882
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0042788F	0_2_0042788F
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040D892	0_2_0040D892
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0042B8B9	0_2_0042B8B9
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00438950	0_2_00438950
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040F904	0_2_0040F904
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0042991A	0_2_0042991A
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00456924	0_2_00456924
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00429A53	0_2_00429A53
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00426A6B	0_2_00426A6B
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040FA08	0_2_0040FA08
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0044CAB8	0_2_0044CAB8
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00438B4E	0_2_00438B4E
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00429B6A	0_2_00429B6A
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00454B06	0_2_00454B06
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00459BC1	0_2_00459BC1
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00455BE0	0_2_00455BE0
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00407B90	0_2_00407B90
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0044EBBB	0_2_0044EBBB
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00406D10	0_2_00406D10
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00455E5B	0_2_00455E5B
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040DE67	0_2_0040DE67
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040CE0C	0_2_0040CE0C
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040CE13	0_2_0040CE13
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040CE28	0_2_0040CE28
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00433E86	0_2_00433E86
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040CE87	0_2_0040CE87
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00403E90	0_2_00403E90
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00426E9F	0_2_00426E9F
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040DF69	0_2_0040DF69
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00411F13	0_2_00411F13
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0040DFF6	0_2_0040DFF6
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00429FFD	0_2_00429FFD
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040F002	5_2_0040F002
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00407010	5_2_00407010
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040D01B	5_2_0040D01B
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040F023	5_2_0040F023
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00456160	5_2_00456160
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040D19C	5_2_0040D19C
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_004121AA	5_2_004121AA
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040D2D3	5_2_0040D2D3
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0044A29E	5_2_0044A29E
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040D2A8	5_2_0040D2A8
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_004112B9	5_2_004112B9
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0043F34D	5_2_0043F34D
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040D3EA	5_2_0040D3EA
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_004124AF	5_2_004124AF
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00455575	5_2_00455575
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00440533	5_2_00440533
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040D678	5_2_0040D678
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040F695	5_2_0040F695
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00445732	5_2_00445732
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_004127ED	5_2_004127ED
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040D7FF	5_2_0040D7FF
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_004118D7	5_2_004118D7
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040D882	5_2_0040D882
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040D892	5_2_0040D892
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040F8B1	5_2_0040F8B1
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00438950	5_2_00438950
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040F904	5_2_0040F904
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00456924	5_2_00456924
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040FA08	5_2_0040FA08
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0044CAB8	5_2_0044CAB8
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00411ABC	5_2_00411ABC
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00438B4E	5_2_00438B4E
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00454B06	5_2_00454B06
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00459BC1	5_2_00459BC1
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00455BE0	5_2_00455BE0
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00407B90	5_2_00407B90
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0044EBBB	5_2_0044EBBB
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00406D10	5_2_00406D10
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040EE49	5_2_0040EE49
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00455E5B	5_2_00455E5B
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00433E86	5_2_00433E86
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00403E90	5_2_00403E90
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00410E9D	5_2_00410E9D
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00411F57	5_2_00411F57
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0040EF70	5_2_0040EF70
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00411F0D	5_2_00411F0D
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0058E0CC	5_2_0058E0CC
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0056F0FA	5_2_0056F0FA
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_005A4159	5_2_005A4159
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00588168	5_2_00588168
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_005961F0	5_2_005961F0
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0058E2FB	5_2_0058E2FB
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_005A332B	5_2_005A332B
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0057739D	5_2_0057739D
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_005874E6	5_2_005874E6
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0058E558	5_2_0058E558
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00588770	5_2_00588770
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_005878FE	5_2_005878FE
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00583946	5_2_00583946
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0059D9C9	5_2_0059D9C9
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00577A46	5_2_00577A46
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0056DB62	5_2_0056DB62
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00577BAF	5_2_00577BAF
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00587D33	5_2_00587D33
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00585E5E	5_2_00585E5E
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00576E0E	5_2_00576E0E
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0058DE9D	5_2_0058DE9D
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00563FCA	5_2_00563FCA
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00586FEA	5_2_00586FEA

Source: C:\Users\user\Desktop\tu.exe	Code function: String function: 00433768 appears 56 times
Source: C:\Users\user\Desktop\tu.exe	Code function: String function: 00584E10 appears 54 times
Source: C:\Users\user\Desktop\tu.exe	Code function: String function: 00552093 appears 50 times
Source: C:\Users\user\Desktop\tu.exe	Code function: String function: 00584770 appears 41 times
Source: C:\Users\user\Desktop\tu.exe	Code function: String function: 00443C7F appears 38 times
Source: C:\Users\user\Desktop\tu.exe	Code function: String function: 00408EE0 appears 68 times
Source: C:\Users\user\Desktop\tu.exe	Code function: String function: 00551E65 appears 34 times
Source: C:\Users\user\Desktop\tu.exe	Code function: String function: 004322DC appears 96 times
Source: C:\Users\user\Desktop\tu.exe	Code function: String function: 00408AE0 appears 94 times

Source: tu.exe

Static PE information: invalid certificate

Source: tu.exe	Binary or memory string: OriginalFilename vs tu.exe
Source: tu.exe, 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameREGEDIT.EXEj% vs tu.exe
Source: tu.exe, 00000000.00000000.2099392755.000000000046D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameREGEDIT.EXEj% vs tu.exe
Source: tu.exe, 00000000.00000003.2276384508.00000000007DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs tu.exe
Source: tu.exe, 00000000.00000002.2312497564.0000000002589000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameREGEDIT.EXEj% vs tu.exe
Source: tu.exe, 00000000.00000002.2312300285.00000000007DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs tu.exe
Source: tu.exe, 00000005.00000000.2310003818.000000000046D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameREGEDIT.EXEj% vs tu.exe
Source: tu.exe	Binary or memory string: OriginalFilenameREGEDIT.EXEj% vs tu.exe

Source: tu.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: tu.exe PID: 5412, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: tu.exe PID: 4256, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@3/3@3/2

Source: C:\Users\user\Desktop\tu.exe

Code function: 0_2_00408380 SetLastError,GetLastError,SetLastError,GetLastError,_wcsrchr,_wcsncpy,_strerror,MultiByteToWideChar,_wcsncpy,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,FormatMessageW,_wcstok,_vswprintf_s,_wcsncpy,GetSystemTime,LocalFree,FreeLibrary,

0_2_00408380

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_00567952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

5_2_00567952

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_0055F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

5_2_0055F474

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_0056B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

5_2_0056B4A8

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_0056AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

5_2_0056AA4A

Source: C:\Users\user\Desktop\tu.exe

File created: C:\Users\user\Documents\ChromeUpdate

Jump to behavior

Source: C:\Users\user\Desktop\tu.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-PO8SC5

Source: tu.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\tu.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\tu.exe

File read: C:\Users\user\Desktop\tu.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\tu.exe "C:\Users\user\Desktop\tu.exe"
Source: C:\Users\user\Desktop\tu.exe	Process created: C:\Users\user\Desktop\tu.exe "C:\Users\user\Desktop\tu.exe"
Source: C:\Users\user\Desktop\tu.exe	Process created: C:\Users\user\Desktop\tu.exe "C:\Users\user\Desktop\tu.exe"	Jump to behavior

Source: C:\Users\user\Desktop\tu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: k7rn7l32.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: ntd3ll.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\tu.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: tu.exe

Static file information: File size 1340704 > 1048576

Source: tu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: tu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: tu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: tu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: tu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: tu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: tu.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: tu.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\vmagent_new\bin\joblist\222359\out\Release\360AdvToolExecutor.pdbpF source: tu.exe, SentinelOne.exe.0.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\222359\out\Release\360AdvToolExecutor.pdb source: tu.exe, SentinelOne.exe.0.dr

Source: C:\Users\user\Desktop\tu.exe

Code function: 0_2_00447B97 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_00447B97

Source: tu.exe

Static PE information: real checksum: 0x798b9 should be: 0x154233

Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00403180 push ecx; mov dword ptr [esp], 00000000h	0_2_00403181
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00432321 push ecx; ret	0_2_00432334
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00403400 push ecx; mov dword ptr [esp], 00000000h	0_2_00403401
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_004140D0 push ecx; retf	5_2_004140A5
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_004140A6 push ecx; retf	5_2_004140A5
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_004140BB push ecx; retf	5_2_004140C1
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00403180 push ecx; mov dword ptr [esp], 00000000h	5_2_00403181
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_004152A0 push edi; retf	5_2_0041537A
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00417356 push ecx; retf	5_2_0041750A
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0041537B push edi; retf	5_2_0041537A
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00432321 push ecx; ret	5_2_00432334
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00415390 push edi; retf	5_2_0041537A
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0041539E push edi; retf	5_2_0041537A
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00403400 push ecx; mov dword ptr [esp], 00000000h	5_2_00403401
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00415432 push edi; retf	5_2_0041543F
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_004154D3 push edi; retf	5_2_00415512
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0041750B push ecx; retf	5_2_0041750A
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00417535 push ecx; retf	5_2_0041750A
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0041E630 push ecx; retf	5_2_0041E631
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_004136EA push ecx; retf	5_2_00413729
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00413746 push ecx; retf	5_2_00413729
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00418711 push ecx; retf	5_2_004188C7
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0041372A push ecx; retf	5_2_00413729
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_004137D3 push edi; retf	5_2_004137E0
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_004137BE push esp; retf	5_2_004137D2
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00413840 push ecx; retf	5_2_00413851
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00413867 push edi; retf	5_2_0041386D
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_004188C8 push ecx; retf	5_2_004188C7
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_004188F2 push ecx; retf	5_2_004188C7
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00415A8C push ecx; retf	5_2_00415A92
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00415AA8 push ecx; retf	5_2_00415AAE

Source: tu.exe	Static PE information: section name: .text entropy: 6.861631705496741
Source: SentinelOne.exe.0.dr	Static PE information: section name: .text entropy: 6.861631705496741

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\tu.exe	Code function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	0_2_00406279
Source: C:\Users\user\Desktop\tu.exe	Code function: RegQueryValueExW,_malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	0_2_00406210
Source: C:\Users\user\Desktop\tu.exe	Code function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	5_2_00406279
Source: C:\Users\user\Desktop\tu.exe	Code function: RegQueryValueExW,_malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	5_2_00406210

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\tu.exe

File created: C:\Users\user\Documents\ChromeUpdate\SentinelOne.exe

Jump to dropped file

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_00556EB0 ShellExecuteW,URLDownloadToFileW,

5_2_00556EB0

Source: C:\Users\user\Desktop\tu.exe

File created: C:\Users\user\Documents\ChromeUpdate\SentinelOne.exe

Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\tu.exe	Code function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	0_2_00406279
Source: C:\Users\user\Desktop\tu.exe	Code function: RegQueryValueExW,_malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	0_2_00406210
Source: C:\Users\user\Desktop\tu.exe	Code function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	5_2_00406279
Source: C:\Users\user\Desktop\tu.exe	Code function: RegQueryValueExW,_malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d	5_2_00406210

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_0056AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

5_2_0056AA4A

Source: C:\Users\user\Desktop\tu.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SentinelOneIsCrap			Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SentinelOneIsCrap			Jump to behavior

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_0056CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

5_2_0056CB50

Source: C:\Users\user\Desktop\tu.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_0055F7A7 Sleep,ExitProcess,

5_2_0055F7A7

Source: C:\Users\user\Desktop\tu.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

5_2_0056A748

Source: C:\Users\user\Desktop\tu.exe	Window / User API: threadDelayed 9521			Jump to behavior
Source: C:\Users\user\Desktop\tu.exe	Window / User API: foregroundWindowGot 1745			Jump to behavior

Source: C:\Users\user\Desktop\tu.exe

Dropped PE file which has not been started: C:\Users\user\Documents\ChromeUpdate\SentinelOne.exe

Jump to dropped file

Source: C:\Users\user\Desktop\tu.exe	API coverage: 0.8 %
Source: C:\Users\user\Desktop\tu.exe	API coverage: 8.5 %

Source: C:\Users\user\Desktop\tu.exe TID: 6712	Thread sleep count: 137 > 30	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe TID: 6712	Thread sleep time: -68500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe TID: 2420	Thread sleep count: 133 > 30	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe TID: 2420	Thread sleep time: -399000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe TID: 2420	Thread sleep count: 9521 > 30	Jump to behavior
Source: C:\Users\user\Desktop\tu.exe TID: 2420	Thread sleep time: -28563000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00559253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	5_2_00559253
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0056C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	5_2_0056C291
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0055C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	5_2_0055C34D
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00559665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	5_2_00559665
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0059E879 FindFirstFileExA,	5_2_0059E879
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0055880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	5_2_0055880C
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0055783C FindFirstFileW,FindNextFileW,	5_2_0055783C
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00569AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	5_2_00569AF5
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0055BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	5_2_0055BB30
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0055BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	5_2_0055BD37

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_00557C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

5_2_00557C97

Source: tu.exe, 00000005.00000003.2347351969.0000000000972000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000002.4579308792.0000000000972000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW<
Source: tu.exe, 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000972000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000002.4579308792.0000000000972000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\tu.exe

API call chain: ExitProcess graph end node

graph_5-78544

Source: C:\Users\user\Desktop\tu.exe

Code function: 0_2_0042F43A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0042F43A

Source: C:\Users\user\Desktop\tu.exe

Code function: 0_2_0040BB10 GetCurrentThreadId,GetProcessHeap,OpenThread,OpenThread,GetLastError,GetProcessHeap,HeapFree,OutputDebugStringW,CloseHandle,

0_2_0040BB10

Source: C:\Users\user\Desktop\tu.exe

0_2_00447B97

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_005932B5 mov eax, dword ptr fs:[00000030h]

5_2_005932B5

Source: C:\Users\user\Desktop\tu.exe

Code function: 0_2_0040C050 GetProcessHeap,HeapAlloc,

0_2_0040C050

Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_0042F43A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0042F43A
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00430B49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00430B49
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00414B51 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00414B51
Source: C:\Users\user\Desktop\tu.exe	Code function: 0_2_00435C77 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00435C77
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0042F43A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0042F43A
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00430B49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00430B49
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00435C77 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00435C77
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_005849F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_005849F9
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00584B47 SetUnhandledExceptionFilter,	5_2_00584B47
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_0058BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0058BB22
Source: C:\Users\user\Desktop\tu.exe	Code function: 5_2_00584FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00584FDC

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\tu.exe

Memory written: C:\Users\user\Desktop\tu.exe base: 550000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\tu.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

5_2_005620F7

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_00569627 mouse_event,

5_2_00569627

Source: C:\Users\user\Desktop\tu.exe

Process created: C:\Users\user\Desktop\tu.exe "C:\Users\user\Desktop\tu.exe"

Jump to behavior

Source: tu.exe, 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerC5\08
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerC5\D
Source: tu.exe, 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerQ
Source: tu.exe, 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerC5\
Source: tu.exe, 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager_
Source: tu.exe, 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerC5\2V
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerC5\2
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerC5\25
Source: tu.exe, 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager9
Source: tu.exe, 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, logs.dat.5.dr	Binary or memory string: [Program Manager]
Source: tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerC5\54

Source: C:\Users\user\Desktop\tu.exe

Code function: 0_2_00406100 cpuid

0_2_00406100

Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoA,	0_2_00454050
Source: C:\Users\user\Desktop\tu.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_0044B1C1
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoA,	0_2_0045322C
Source: C:\Users\user\Desktop\tu.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_0044B2AE
Source: C:\Users\user\Desktop\tu.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	0_2_004492AE
Source: C:\Users\user\Desktop\tu.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	0_2_0044B351
Source: C:\Users\user\Desktop\tu.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_0044B315
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	0_2_0044845E
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoW,	0_2_00448411
Source: C:\Users\user\Desktop\tu.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	0_2_0044842A
Source: C:\Users\user\Desktop\tu.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	0_2_00449539
Source: C:\Users\user\Desktop\tu.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_0044859D
Source: C:\Users\user\Desktop\tu.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	0_2_004497FF
Source: C:\Users\user\Desktop\tu.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_00448C0D
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	0_2_0044ADCC
Source: C:\Users\user\Desktop\tu.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	0_2_00435DAF
Source: C:\Users\user\Desktop\tu.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_0044AEE3
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	0_2_0044AF7B
Source: C:\Users\user\Desktop\tu.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_0044AFEF
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoA,	5_2_00454050
Source: C:\Users\user\Desktop\tu.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	5_2_0044B1C1
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoA,	5_2_0045322C
Source: C:\Users\user\Desktop\tu.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_0044B2AE
Source: C:\Users\user\Desktop\tu.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	5_2_004492AE
Source: C:\Users\user\Desktop\tu.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	5_2_0044B351
Source: C:\Users\user\Desktop\tu.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_0044B315
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	5_2_0044845E
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoW,	5_2_00448411
Source: C:\Users\user\Desktop\tu.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	5_2_0044842A
Source: C:\Users\user\Desktop\tu.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	5_2_00449539
Source: C:\Users\user\Desktop\tu.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	5_2_0044859D
Source: C:\Users\user\Desktop\tu.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	5_2_004497FF
Source: C:\Users\user\Desktop\tu.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	5_2_00448C0D
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	5_2_0044ADCC
Source: C:\Users\user\Desktop\tu.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	5_2_00435DAF
Source: C:\Users\user\Desktop\tu.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	5_2_0044AEE3
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	5_2_0044AF7B
Source: C:\Users\user\Desktop\tu.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	5_2_0044AFEF
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoA,	5_2_0055F8D1
Source: C:\Users\user\Desktop\tu.exe	Code function: EnumSystemLocalesW,	5_2_005A2036
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_005A20C3
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoW,	5_2_005A2313
Source: C:\Users\user\Desktop\tu.exe	Code function: EnumSystemLocalesW,	5_2_00598404
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_005A243C
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoW,	5_2_005A2543
Source: C:\Users\user\Desktop\tu.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_005A2610
Source: C:\Users\user\Desktop\tu.exe	Code function: GetLocaleInfoW,	5_2_005988ED
Source: C:\Users\user\Desktop\tu.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	5_2_005A1CD8
Source: C:\Users\user\Desktop\tu.exe	Code function: EnumSystemLocalesW,	5_2_005A1F50
Source: C:\Users\user\Desktop\tu.exe	Code function: EnumSystemLocalesW,	5_2_005A1F9B

Source: C:\Users\user\Desktop\tu.exe

Code function: 0_2_00409120 GetCurrentThreadId,GetLocalTime,__swprintf,

0_2_00409120

Source: C:\Users\user\Desktop\tu.exe

Code function: 5_2_0056B60D GetComputerNameExW,GetUserNameW,

5_2_0056B60D

Source: C:\Users\user\Desktop\tu.exe

Code function: 0_2_004535C3 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

0_2_004535C3

Source: C:\Users\user\Desktop\tu.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4585822426.00000000024CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tu.exe PID: 5412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tu.exe PID: 4256, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\tu.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

5_2_0055BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\tu.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		5_2_0055BB30
Source: C:\Users\user\Desktop\tu.exe	Code function: \key3.db		5_2_0055BB30

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\tu.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-PO8SC5

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 5.2.tu.exe.550000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.46d672.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.23c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.23c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.46d672.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tu.exe.550000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4585822426.00000000024CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tu.exe PID: 5412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tu.exe PID: 4256, type: MEMORYSTR

Source: C:\Users\user\Desktop\tu.exe

Code function: cmd.exe

5_2_0055569A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	3 Obfuscated Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	211 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Software Packing	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Bootkit	1 Windows Service	1 DLL Side-Loading	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	122 Process Injection	1 Bypass User Account Control	LSA Secrets	23 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	31 Security Software Discovery	VNC	GUI Input Capture	12 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	122 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Bootkit	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tu.exe	8%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://geoplugin.net/json.gp	100%	URL Reputation	phishing
http://geoplugin.net/json.gp/C	100%	URL Reputation	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geoplugin.net	178.237.33.50	true	false		unknown
abril18.con-ip.com	179.14.10.110	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	true	URL Reputation: phishing	unknown
abril18.con-ip.com	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://down.360safe.com/setup.exeIsBetaVersion360ver.dllSOFTWARE	tu.exe, SentinelOne.exe.0.dr	false		high
http://crl.godaddy.com/gdroot-g2.crl0F	tu.exe, SentinelOne.exe.0.dr	false		high
http://geoplugin.net/json.gpalF	tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.godaddy.com/gdig2s5-6.crl0	tu.exe, SentinelOne.exe.0.dr	false		high
http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe	tu.exe, SentinelOne.exe.0.dr	false		high
http://geoplugin.net/	tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://geoplugin.net/json.gp/C	tu.exe, 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, tu.exe, 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, tu.exe, 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: phishing	unknown
http://geoplugin.net/json.gpl	tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://geoplugin.net/json.gpK	tu.exe, 00000005.00000003.2347351969.0000000000937000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://certificates.godaddy.com/repository/0	tu.exe, SentinelOne.exe.0.dr	false		high
http://geoplugin.net/json.gpJ	tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://certs.godaddy.com/repository/1301	tu.exe, SentinelOne.exe.0.dr	false		high
http://geoplugin.net/json.gpT	tu.exe, 00000005.00000002.4579308792.0000000000953000.00000004.00000020.00020000.00000000.sdmp, tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://geoplugin.net/json.gpQ	tu.exe, 00000005.00000003.2347351969.0000000000937000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://down.360safe.com/360zip_setup.exe360SysReset	tu.exe, SentinelOne.exe.0.dr	false		high
https://certs.godaddy.com/repository/0	tu.exe, SentinelOne.exe.0.dr	false		high
http://.inihttps://map/set	tu.exe, SentinelOne.exe.0.dr	false		low
http://certificates.godaddy.com/repository/gdig2.crt0	tu.exe, SentinelOne.exe.0.dr	false		high
http://geoplugin.net/json.gpSystem32	tu.exe, 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://geoplugin.net/;	tu.exe, 00000005.00000003.2347351969.0000000000953000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
179.14.10.110	abril18.con-ip.com	Colombia		27831	ColombiaMovilCO	true
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428245
Start date and time:	2024-04-18 18:15:00 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tu.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@3/3@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 72% Number of executed functions: 85 Number of non-executed functions: 352
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: tu.exe

Simulations

Behavior and APIs

Time	Type	Description
18:16:12	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SentinelOneIsCrap C:\Users\user\Documents\ChromeUpdate\SentinelOne.exe
18:16:20	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SentinelOneIsCrap C:\Users\user\Documents\ChromeUpdate\SentinelOne.exe
18:16:47	API Interceptor	5917344x Sleep call for process: tu.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
178.237.33.50	RFQ.NO. S70-23Q-1474-CS-P.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	F873635427.vbs	Get hash	malicious	Remcos, XWorm	Browse	geoplugin.net/json.gp
	F873635427.vbs	Get hash	malicious	Remcos, XWorm	Browse	geoplugin.net/json.gp
	5FU4LRpQdy.rtf	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	awb_shipping_documents_17_04_2024_00000.vbs	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	EFEMACPedido0180040240418.vbs	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	Quotation 20241804.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	SecuriteInfo.com.Win32.RATX-gen.12024.12837.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	DETAILS.docx.doc	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Carlispa_Ordine_00401702400417.vbs	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geoplugin.net	RFQ.NO. S70-23Q-1474-CS-P.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	F873635427.vbs	Get hash	malicious	Remcos, XWorm	Browse	178.237.33.50
	F873635427.vbs	Get hash	malicious	Remcos, XWorm	Browse	178.237.33.50
	5FU4LRpQdy.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	awb_shipping_documents_17_04_2024_00000.vbs	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	EFEMACPedido0180040240418.vbs	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	Quotation 20241804.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	SecuriteInfo.com.Win32.RATX-gen.12024.12837.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	DETAILS.docx.doc	Get hash	malicious	Remcos	Browse	178.237.33.50
	Carlispa_Ordine_00401702400417.vbs	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ColombiaMovilCO	xmrhZ7VhlJjD.exe	Get hash	malicious	Quasar	Browse	179.13.0.175
	enEQvjUlGl.elf	Get hash	malicious	Mirai	Browse	181.207.212.107
	Ns1xkTsDQO.elf	Get hash	malicious	Mirai	Browse	181.68.139.5
	7t5zI3LtK8.elf	Get hash	malicious	Mirai	Browse	181.207.212.113
	MYb7GhRJl7.elf	Get hash	malicious	Mirai	Browse	181.69.231.0
	xBoD1uCJo8Dc.exe	Get hash	malicious	XWorm	Browse	179.13.0.175
	xffRCvQIkXWb.exe	Get hash	malicious	XWorm	Browse	179.13.0.175
	tWpGuzQQoW.elf	Get hash	malicious	Mirai	Browse	181.205.49.129
	5DkGWDuyYR.elf	Get hash	malicious	Mirai	Browse	186.181.146.218
	xmsbkx2F0oQn.exe	Get hash	malicious	Njrat	Browse	179.13.2.154
ATOM86-ASATOM86NL	RFQ.NO. S70-23Q-1474-CS-P.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	F873635427.vbs	Get hash	malicious	Remcos, XWorm	Browse	178.237.33.50
	F873635427.vbs	Get hash	malicious	Remcos, XWorm	Browse	178.237.33.50
	5FU4LRpQdy.rtf	Get hash	malicious	Remcos	Browse	178.237.33.50
	awb_shipping_documents_17_04_2024_00000.vbs	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	EFEMACPedido0180040240418.vbs	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	Quotation 20241804.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	SecuriteInfo.com.Win32.RATX-gen.12024.12837.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	DETAILS.docx.doc	Get hash	malicious	Remcos	Browse	178.237.33.50
	Carlispa_Ordine_00401702400417.vbs	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50

Process:	C:\Users\user\Desktop\tu.exe
File Type:	data
Category:	dropped
Size (bytes):	288
Entropy (8bit):	3.316572720533958
Encrypted:	false
SSDEEP:	6:6l+VGljF65YcIeeDAlOWAAe5q1gWAAe5q1gWAv:6l9RFKec0WFe5BWFe5BW+
MD5:	5EF0EE6432275F6F7514A02C97553C88
SHA1:	8C31C2D60704EF05C9204DC731A83FE6E85E7747
SHA-256:	C266BF987AF7197AD3E1FD1921B4DD0FA9C94FBCCDE11253F0B9A4E6C620776E
SHA-512:	6944C76B8D07D1E3F9C47A86034AFD9709DE5C84D2E24A843999E290F37FAA1F343CB8F481A438551A9DE4008E0BE345A01B186048CF01D83BFC9B1A8AD5026E
Malicious:	true
Reputation:	low
Preview:	....[.2.0.2.4./.0.4./.1.8. .1.8.:.1.6.:.1.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\json[1].json

Download File

Process:	C:\Users\user\Desktop\tu.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	4.995620093649274
Encrypted:	false
SSDEEP:	12:tklzTknd6CsGkMyGWKyGXPVGArwY3+8aIHrGIArpv/mOAaNO+ao9W7iN5zzkw7Rr:qlkdRNuKyGX855vXhNlT3/77Kdxtro
MD5:	334018F02CE31BCBB4864D602B557FE5
SHA1:	C6DE43E8D6B5C026C0B0A56A898A3F00B282B881
SHA-256:	F70CE925C3923E25A5ADB7089E7EE752E771FBD073888ABFC426138C9094F1B3
SHA-512:	31EF486A2F75226594BC553CBAFA84B645B6ED456F35F363C8EFD6229F4A731981CA1B7736CD4BD739DDCA885F068E96692BB16C7A906314B52220DC63E318BB
Malicious:	false
Reputation:	low
Preview:	{. "geoplugin_request":"81.181.57.52",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Marietta",. "geoplugin_region":"Georgia",. "geoplugin_regionCode":"GA",. "geoplugin_regionName":"Georgia",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"524",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"34.0414",. "geoplugin_longitude":"-84.5053",. "geoplugin_locationAccuracyRadius":"1000",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\Documents\ChromeUpdate\SentinelOne.exe

Download File

Process:	C:\Users\user\Desktop\tu.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	800000000
Entropy (8bit):	0.028493769083129367
Encrypted:	false
SSDEEP:
MD5:	F663BBF108427C54B5CC385802066A8E
SHA1:	E75E867A96F2184C56EA3D4F5D73BCDE6BA8E298
SHA-256:	956E8BA641EB4A1A28F42AEFF877E65B44E111158D07E89302C229028723924D
SHA-512:	9E93BB2A83DA4EEB2BA3CBFF4DDFDD15B0EA21D10CE4DA64C23F22681C0DAB5934B69103512E7695A4D8F3F72FC45D26FAF70C081CCE903A758617E20EFA51AD
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K8d..Y...Y...Y.......Y...!...Y...!...Y...!...Y..(.g..Y..(.q..Y...Y...Y...!..]Y.......Y...!...Y..Rich.Y..........PE..L....i3Z............................."............@.......................................@..................................T.......................D.. 1.......,..................................(/..@...............<............................text............................... ..`.rdata..............................@..@.data....`...p...&...R..............@....rsrc................x..............@..@................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.357495907894201
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	tu.exe
File size:	1'340'704 bytes
MD5:	de717951989420c6b9790c9160a23d35
SHA1:	df8621b3d9fa7e4e1d511d6ff732457aac6a0a1d
SHA256:	d434e12726aee7ad7378dc4e395dd5f8fba6255546eef9e1dbb51d52d966af2c
SHA512:	77bdb1c94823c3340082ad5b3ba064cbbd4116758866795053d1b7b0da2f6ba07ad6a94ed8d721aed339a69f5499f0f87406a8dccc64e30aeeb5ef5976c22096
SSDEEP:	24576:ZQHDm64xrB90l7rjM19qIljCh/qIxjySlfa/JY78NLRAgTE//aZ66z24VZbH:J90NM1gqjEBa/S8NLRdTE/iZ66z24VZb
TLSH:	A555AE80F155C8BFD092F5FE079EF1748A69A9F21F63448B3684BF3D1724B84E62065A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K8d..Y...Y...Y.......Y...!...Y...!...Y...!...Y..(.g..Y..(.q..Y...Y...Y...!..]Y.......Y...!...Y..Rich.Y..........PE..L....i3Z...

File Icon


Icon Hash:	981ed3d32d2d1f0f

Static PE Info

General

Entrypoint:	0x4322cf
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A3369A7 [Fri Dec 15 06:20:23 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	770b6801a0e74e55768ad77ae3655811

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	09/10/2020 13:32:46 09/10/2021 13:32:46
Subject Chain	CN=JetBrains s.r.o., O=JetBrains s.r.o., L=Praha 4, C=CZ
Version:	3
Thumbprint MD5:	F0ED2CBDD50CA1AE0E013696A39B9894
Thumbprint SHA-1:	B110CE317AC442440C8E3F77675063F9259CF301
Thumbprint SHA-256:	738E3835BABCEAECEE8DF5DED29576EA3797D64B1FE09DAB9606259E0DA473A4
Serial:	045BD7BDE95F9712

Entrypoint Preview

Instruction
call 00007FD8011E86DEh
jmp 00007FD8011DB69Eh
int3
int3
int3
push 0042F840h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00467BB0h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00467BB0h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00467BB0h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[C++] VS2008 SP1 build 30729
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6540c	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d000	0xdcab8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x144400	0x3120	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7b000	0x2cb4	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5c3b0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x62f28	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5c000	0x33c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5b000	0x5a600	02f8cb2bc314ba069296f6fb4ac53a7d	False	0.5254770703665284	data	6.861631705496741	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5c000	0xb000	0xa800	b69acd36729a87836d333301d2c8417f	False	0.41010974702380953	data	5.37465193065485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x67000	0x6000	0x2600	f11b127fada2b8d9b324acfb25914626	False	0.31332236842105265	data	3.767451772833356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6d000	0xdcab8	0xdcc00	69692bc3ecb06d030ded6377482dc16d	False	0.6232901861551529	data	7.385118954465469	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x6d63c	0x78c36	PC bitmap, Windows 3.x format, 62709 x 2 x 34, image size 494934, cbSize 494646, bits offset 54			0.7529182486060738
RT_ICON	0xe6274	0xb39c	PC bitmap, Windows 3.x format, 6310 x 2 x 51, image size 46903, cbSize 45980, bits offset 54			0.48575467594606353
RT_ICON	0xf1610	0x6553	PC bitmap, Windows 3.x format, 4148 x 2 x 41, image size 26215, cbSize 25939, bits offset 54			0.5584640888237788
RT_ICON	0xf7b64	0x5a0c	PC bitmap, Windows 3.x format, 3626 x 2 x 52, image size 23606, cbSize 23052, bits offset 54			0.47809300711435015
RT_ICON	0xfd570	0x3eb99	PC bitmap, Windows 3.x format, 32816 x 2 x 35, image size 257638, cbSize 256921, bits offset 54			0.5015705216778699
RT_ICON	0x13c10c	0x1c9c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Chinese	China	0.9590387766247952
RT_ICON	0x13dda8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	Chinese	China	0.0927609825224374
RT_ICON	0x141fd0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Chinese	China	0.12935684647302906
RT_ICON	0x144578	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 0	Chinese	China	0.15813609467455622
RT_ICON	0x145fe0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Chinese	China	0.1855065666041276
RT_ICON	0x147088	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Chinese	China	0.24016393442622952
RT_ICON	0x147a10	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 0	Chinese	China	0.313953488372093
RT_ICON	0x1480c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Chinese	China	0.1551418439716312
RT_DIALOG	0x148530	0x11e	data	Chinese	China	0.5699300699300699
RT_STRING	0x148650	0x44	data	English	United States	0.6617647058823529
RT_STRING	0x148694	0x2a	data	English	United States	0.5476190476190477
RT_STRING	0x1486c0	0x296	data	English	United States	0.3323262839879154
RT_STRING	0x148958	0x328	data	English	United States	0.34405940594059403
RT_STRING	0x148c80	0x27c	data	English	United States	0.33176100628930816
RT_STRING	0x148efc	0x106	data	English	United States	0.5763358778625954
RT_STRING	0x149004	0xda	data	English	United States	0.43119266055045874
RT_STRING	0x1490e0	0x1f8	data	English	United States	0.36706349206349204
RT_STRING	0x1492d8	0xae	data	English	United States	0.5689655172413793
RT_STRING	0x149388	0x44	data	English	United States	0.6764705882352942
RT_RCDATA	0x1493cc	0x80	data	English	United States	1.0859375
RT_GROUP_ICON	0x14944c	0x76	data	Chinese	China	0.7542372881355932
RT_VERSION	0x1494c4	0x384	data	English	United States	0.4722222222222222
RT_MANIFEST	0x149848	0x26e	ASCII text, with CRLF line terminators	English	United States	0.5176848874598071

Imports

DLL	Import
KERNEL32.dll	LockResource, LoadResource, FindResourceExW, InterlockedIncrement, InterlockedDecrement, lstrlenW, GetLastError, InitializeCriticalSection, MultiByteToWideChar, LoadLibraryExW, lstrcmpiW, Sleep, GetCommandLineW, CloseHandle, DeviceIoControl, CreateFileW, GetCurrentProcessId, CreateProcessW, WriteFile, GetLocalTime, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcessTimes, SetFilePointer, GetFileSize, GetTickCount, DeleteFileW, CreateThread, WaitForSingleObject, CreateEventW, LocalFree, CreateMutexW, OpenMutexW, SetEnvironmentVariableA, CompareStringW, CompareStringA, GetTimeZoneInformation, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, IsValidLocale, EnumSystemLocalesA, GetUserDefaultLCID, GetDateFormatA, SizeofResource, GetStringTypeW, GetStringTypeA, LCMapStringA, GetLocaleInfoA, GetLocaleInfoW, QueryPerformanceCounter, GetStartupInfoA, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, FlushFileBuffers, GetConsoleMode, GetConsoleCP, WideCharToMultiByte, InitializeCriticalSectionAndSpinCount, InterlockedExchange, SetConsoleCtrlHandler, GetModuleHandleA, FindResourceW, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, GetModuleHandleW, LoadLibraryW, GetCurrentProcess, FlushInstructionCache, DeleteCriticalSection, RaiseException, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetModuleFileNameA, GetStdHandle, GetCurrentThread, FatalAppExitA, HeapCreate, GetStartupInfoW, ExitProcess, FreeLibrary, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, RtlUnwind, ExitThread, TlsFree, DeleteAtom, FindAtomW, TlsAlloc, ReleaseMutex, AddAtomW, GetCurrentThreadId, SetLastError, OpenThread, GetAtomNameW, TlsSetValue, GetProcAddress, GetTimeFormatA, InterlockedCompareExchange, HeapFree, GetProcessHeap, HeapAlloc, LoadLibraryA, IsProcessorFeaturePresent, VirtualFree, VirtualAlloc, HeapDestroy, HeapReAlloc, HeapSize, CreateFileA, SystemTimeToFileTime, GetSystemTimeAsFileTime, LocalFileTimeToFileTime, SetEndOfFile, SetFilePointerEx, ReadFile, GetFileSizeEx, OutputDebugStringW, FormatMessageW, GetSystemTime, TlsGetValue
USER32.dll	TranslateMessage, GetMessageW, DefWindowProcW, UnregisterClassA, CreateDialogParamW, DispatchMessageW, SetWindowLongW, DestroyWindow, SendMessageTimeoutW, FindWindowW, GetActiveWindow, MessageBoxW, RegisterClassW, GetWindowThreadProcessId, GetParent, GetWindow, GetWindowRect, GetWindowLongW, MonitorFromWindow, GetMonitorInfoW, GetClientRect, MapWindowPoints, SetWindowPos, IsDialogMessageW, SendMessageW, PostQuitMessage, GetSystemMetrics, LoadImageW, IsWindow, PostMessageW, CharNextW, GetClassInfoW, PeekMessageW
ADVAPI32.dll	RegQueryValueExA, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegQueryValueExW, RegQueryInfoKeyW, RegSetValueExW, RegEnumKeyExW, RegOpenKeyExW, RegDeleteKeyW
SHELL32.dll	ShellExecuteExW, SHCreateDirectoryExW, ShellExecuteW, CommandLineToArgvW, SHGetSpecialFolderPathW
ole32.dll	CoInitialize, CoCreateInstance, CoTaskMemFree, CoTaskMemAlloc, CoTaskMemRealloc, CoUninitialize
OLEAUT32.dll	VarUI4FromStr, SysFreeString
SHLWAPI.dll	PathRemoveFileSpecW, PathAppendW, PathFindFileNameW, PathFileExistsW, PathRemoveExtensionW, SHGetValueW, PathCombineW
COMCTL32.dll	InitCommonControlsEx
WINTRUST.dll	WinVerifyTrust, WTHelperProvDataFromStateData
CRYPT32.dll	CertGetNameStringW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 18:16:14.517302990 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:16:14.676237106 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:16:14.676347017 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:16:14.682004929 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:16:14.850346088 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:16:14.891710043 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:16:15.052470922 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:16:15.056845903 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:16:15.254281998 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:16:15.254390001 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:16:15.420167923 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:16:15.433981895 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:16:15.596349955 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:16:15.657367945 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:16:15.768258095 CEST	49722	80	192.168.2.6	178.237.33.50
Apr 18, 2024 18:16:15.974117041 CEST	80	49722	178.237.33.50	192.168.2.6
Apr 18, 2024 18:16:15.974262953 CEST	49722	80	192.168.2.6	178.237.33.50
Apr 18, 2024 18:16:15.974826097 CEST	49722	80	192.168.2.6	178.237.33.50
Apr 18, 2024 18:16:16.184247017 CEST	80	49722	178.237.33.50	192.168.2.6
Apr 18, 2024 18:16:16.184367895 CEST	49722	80	192.168.2.6	178.237.33.50
Apr 18, 2024 18:16:16.238990068 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:16:16.449656963 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:16:17.184345961 CEST	80	49722	178.237.33.50	192.168.2.6
Apr 18, 2024 18:16:17.184510946 CEST	49722	80	192.168.2.6	178.237.33.50
Apr 18, 2024 18:16:30.640636921 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:16:30.708592892 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:16:31.016771078 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:16:31.329293966 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:16:31.486228943 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:17:00.590404034 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:17:00.611850023 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:17:00.856513023 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:17:00.856625080 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:17:01.860750914 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:17:02.014426947 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:17:30.170579910 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:17:30.172158003 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:17:34.021656990 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:17:34.198468924 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:18:05.436821938 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:18:05.438321114 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:18:05.626756907 CEST	49722	80	192.168.2.6	178.237.33.50
Apr 18, 2024 18:18:06.173321009 CEST	49722	80	192.168.2.6	178.237.33.50
Apr 18, 2024 18:18:07.360744953 CEST	49722	80	192.168.2.6	178.237.33.50
Apr 18, 2024 18:18:09.563836098 CEST	49722	80	192.168.2.6	178.237.33.50
Apr 18, 2024 18:18:13.876401901 CEST	49722	80	192.168.2.6	178.237.33.50
Apr 18, 2024 18:18:16.673240900 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:18:16.830579996 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:18:22.128321886 CEST	49722	80	192.168.2.6	178.237.33.50
Apr 18, 2024 18:18:38.673280954 CEST	49722	80	192.168.2.6	178.237.33.50
Apr 18, 2024 18:18:41.074959040 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:18:41.076925993 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:18:41.447072983 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:19:10.998938084 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:19:11.000452042 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:19:11.564078093 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:19:12.173347950 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:19:12.338812113 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:19:41.041225910 CEST	7770	49721	179.14.10.110	192.168.2.6
Apr 18, 2024 18:19:41.043339014 CEST	49721	7770	192.168.2.6	179.14.10.110
Apr 18, 2024 18:19:41.432884932 CEST	7770	49721	179.14.10.110	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 18:16:12.672779083 CEST	50817	53	192.168.2.6	1.1.1.1
Apr 18, 2024 18:16:13.699551105 CEST	50817	53	192.168.2.6	1.1.1.1
Apr 18, 2024 18:16:14.512845039 CEST	53	50817	1.1.1.1	192.168.2.6
Apr 18, 2024 18:16:14.512897015 CEST	53	50817	1.1.1.1	192.168.2.6
Apr 18, 2024 18:16:15.646572113 CEST	63640	53	192.168.2.6	1.1.1.1
Apr 18, 2024 18:16:15.751774073 CEST	53	63640	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 18, 2024 18:16:12.672779083 CEST	192.168.2.6	1.1.1.1	0x2f23	Standard query (0)	abril18.con-ip.com	A (IP address)	IN (0x0001)	false
Apr 18, 2024 18:16:13.699551105 CEST	192.168.2.6	1.1.1.1	0x2f23	Standard query (0)	abril18.con-ip.com	A (IP address)	IN (0x0001)	false
Apr 18, 2024 18:16:15.646572113 CEST	192.168.2.6	1.1.1.1	0x6976	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 18, 2024 18:16:14.512845039 CEST	1.1.1.1	192.168.2.6	0x2f23	No error (0)	abril18.con-ip.com	179.14.10.110	A (IP address)	IN (0x0001)	false
Apr 18, 2024 18:16:14.512897015 CEST	1.1.1.1	192.168.2.6	0x2f23	No error (0)	abril18.con-ip.com	179.14.10.110	A (IP address)	IN (0x0001)	false
Apr 18, 2024 18:16:15.751774073 CEST	1.1.1.1	192.168.2.6	0x6976	No error (0)	geoplugin.net	178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49722	178.237.33.50	80	4256	C:\Users\user\Desktop\tu.exe

Timestamp	Bytes transferred	Direction	Data
Apr 18, 2024 18:16:15.974826097 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Apr 18, 2024 18:16:16.184247017 CEST	1171	IN	HTTP/1.1 200 OK date: Thu, 18 Apr 2024 16:16:16 GMT server: Apache content-length: 963 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 31 2e 31 38 31 2e 35 37 2e 35 32 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4d 61 72 69 65 74 74 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 43 6f 64 65 22 3a 22 47 41 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 61 72 65 61 43 6f 64 65 22 3a 22 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 6d 61 43 6f 64 65 22 3a 22 35 32 34 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 69 6e 45 55 22 3a 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 65 75 56 41 54 72 61 74 65 22 3a 66 61 6c 73 65 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 61 74 69 74 75 64 65 22 3a 22 33 34 2e 30 34 31 34 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 38 34 2e 35 30 35 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 63 61 74 69 6f 6e 41 63 63 75 72 61 63 79 52 61 64 69 75 73 22 3a 22 31 30 30 30 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 5f 55 54 46 38 22 3a 22 24 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 6e 76 65 72 74 65 72 22 3a 30 0a 7d Data Ascii: { "geoplugin_request":"81.181.57.52", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Marietta", "geoplugin_region":"Georgia", "geoplugin_regionCode":"GA", "geoplugin_regionName":"Georgia", "geoplugin_areaCode":"", "geoplugin_dmaCode":"524", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"34.0414", "geoplugin_longitude":"-84.5053", "geoplugin_locationAccuracyRadius":"1000", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID:	0
Start time:	18:15:50
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\tu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tu.exe"
Imagebase:	0x400000
File size:	1'340'704 bytes
MD5 hash:	DE717951989420C6B9790C9160A23D35
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.2312383300.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:16:11
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\tu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tu.exe"
Imagebase:	0x400000
File size:	1'340'704 bytes
MD5 hash:	DE717951989420C6B9790C9160A23D35
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4579308792.0000000000937000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4585822426.00000000024CF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4579253118.00000000008F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	24%
Total number of Nodes:	25
Total number of Limit Nodes:	0

Executed Functions

Function 00411F13 Relevance: 47.6, APIs: 1, Strings: 26, Instructions: 321
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r, xrefs: 00412040
V, xrefs: 00412008
t, xrefs: 0041204E
u, xrefs: 00412024
P, xrefs: 00412039
b, xrefs: 004124EF
a, xrefs: 004124FD
r, xrefs: 004124F6
o, xrefs: 00412047
y, xrefs: 0041250B
r, xrefs: 00412016
a, xrefs: 004124D3
i, xrefs: 0041200F
L, xrefs: 004124C5
l, xrefs: 00412032
t, xrefs: 0041201D
a, xrefs: 0041202B
c, xrefs: 0041205C
t, xrefs: 00412063
r, xrefs: 00412504
L, xrefs: 004124E1
i, xrefs: 004124E8
o, xrefs: 004124CC
e, xrefs: 00412055
d, xrefs: 004124DA
W, xrefs: 00412512

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
API String ID: 0-2457314740
Opcode ID: 6c0678d71f59eaad0a271e74b48422590de4efa6e96bb9f7b1230fa3b77f91a8
Instruction ID: 476cd1d49638d903c036dba307a3613fa274d41bc6001e90f77476314b7ab0cf
Opcode Fuzzy Hash: 6c0678d71f59eaad0a271e74b48422590de4efa6e96bb9f7b1230fa3b77f91a8
Instruction Fuzzy Hash: 09C126B1D092A89AF7218724DC18BEB7A75EF91304F0840FAD44D67282D6BD1FC5CB66

Uniqueness

Uniqueness Score: -1.00%

Function 004124AF Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 293
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(00000000,?,00000040,00000000,00000001,?,00413088,00000001,0041305B,00000000,?,00412E23,00000001,00000001,00000000,?), ref: 00413432

Strings

b, xrefs: 004124EF
a, xrefs: 004124FD
r, xrefs: 004124F6
r, xrefs: 00412504
L, xrefs: 004124E1
i, xrefs: 004124E8
y, xrefs: 0041250B
o, xrefs: 004124CC
a, xrefs: 004124D3
d, xrefs: 004124DA
L, xrefs: 004124C5
BE64, xrefs: 004127E8
W, xrefs: 00412512

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: BE64$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 544645111-1563255461
Opcode ID: 50741aaa02ecff7c3c56a48cacdf7b6a643d3d92b9f739f18f153e3e4c9a4a8e
Instruction ID: f4fbf254b82033adbc7d050db839c67a24bd70f736eeffb30d7f5bb2df1b0a09
Opcode Fuzzy Hash: 50741aaa02ecff7c3c56a48cacdf7b6a643d3d92b9f739f18f153e3e4c9a4a8e
Instruction Fuzzy Hash: 0CB104B1D041689AFB248B14DC44BFB76B5EB94300F1481FAD94D66280DABC5EC5CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0041236C Relevance: 23.1, APIs: 1, Strings: 12, Instructions: 314
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(00000000,?,00000040,00000000,00000001,?,00413088,00000001,0041305B,00000000,?,00412E23,00000001,00000001,00000000,?), ref: 00413432

Strings

b, xrefs: 004124EF
a, xrefs: 004124FD
r, xrefs: 004124F6
r, xrefs: 00412504
L, xrefs: 004124E1
i, xrefs: 004124E8
y, xrefs: 0041250B
o, xrefs: 004124CC
a, xrefs: 004124D3
d, xrefs: 004124DA
L, xrefs: 004124C5
W, xrefs: 00412512

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 544645111-4069139063
Opcode ID: 1697c17536c43d5224c5223728f30617d934cc08339edc8ab25258b41023f051
Instruction ID: 0e164774676a89a4ddaeb1eb2540a4a1a124e66d4721b90c21cbc7c83e26099d
Opcode Fuzzy Hash: 1697c17536c43d5224c5223728f30617d934cc08339edc8ab25258b41023f051
Instruction Fuzzy Hash: 60C1F2B1D082689AF7248B24DC44BEA7B75EF51310F0441FAD94DA7280E6BD1FC58FA6

Uniqueness

Uniqueness Score: -1.00%

Function 00429B6A Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 292
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0042AC1E

Strings

o, xrefs: 00429CBB
r, xrefs: 00429CF3
L, xrefs: 00429CD0
i, xrefs: 00429CD7
d, xrefs: 00429CC9
y, xrefs: 00429CFA
W, xrefs: 00429D01
a, xrefs: 00429CC2
b, xrefs: 00429CDE
r, xrefs: 00429CE5
a, xrefs: 00429CEC
L, xrefs: 00429CB4

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 544645111-4069139063
Opcode ID: 374fee517d217205c8d990f860241aaa94610111203e1a1e46cff437b155baa5
Instruction ID: 2c10b90d936b34e74c743eeedad6fdb06111070cc7f1826e7be6a01e813448cf
Opcode Fuzzy Hash: 374fee517d217205c8d990f860241aaa94610111203e1a1e46cff437b155baa5
Instruction Fuzzy Hash: 2EC1C0B2D052689AE7208B24DC44BEBBB75EF95310F0480FAD80DA7781D6795EC1CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00429A53 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

o, xrefs: 00429CBB
r, xrefs: 00429CF3
L, xrefs: 00429CD0
i, xrefs: 00429CD7
d, xrefs: 00429CC9
y, xrefs: 00429CFA
W, xrefs: 00429D01
a, xrefs: 00429CC2
b, xrefs: 00429CDE
r, xrefs: 00429CE5
a, xrefs: 00429CEC
L, xrefs: 00429CB4

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: 3d10536fc2cfb9d5a69a6ef29ffa2cff4206653b90564503b16debf27cde5b0f
Instruction ID: d3511023427c8a32ec9ab0730e7ac4da0a0acbff21bb0c7547ffc5994e4b7d30
Opcode Fuzzy Hash: 3d10536fc2cfb9d5a69a6ef29ffa2cff4206653b90564503b16debf27cde5b0f
Instruction Fuzzy Hash: 72A1F2A2D056798AE7208B14EC44BEBBA75EF95310F0440FAD80D67781E67D0EC1CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0042991A Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 222
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0042AC1E

Strings

o, xrefs: 00429CBB
r, xrefs: 00429CF3
L, xrefs: 00429CD0
i, xrefs: 00429CD7
d, xrefs: 00429CC9
y, xrefs: 00429CFA
W, xrefs: 00429D01
a, xrefs: 00429CC2
b, xrefs: 00429CDE
r, xrefs: 00429CE5
a, xrefs: 00429CEC
L, xrefs: 00429CB4

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 544645111-4069139063
Opcode ID: 294abf85f3a1608ba1af9e138d5bc7c76b94f74e8d3669d7b637d0ffdee31014
Instruction ID: 9e3484ae8f37d004cd89b3611b91c015ebaaa81bb66835bc5d0b3cd39ed96991
Opcode Fuzzy Hash: 294abf85f3a1608ba1af9e138d5bc7c76b94f74e8d3669d7b637d0ffdee31014
Instruction Fuzzy Hash: 5991D1A2D152689AF7208B24DC44BEBBA75EF95310F0480FAD90D67781E6790EC1CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00412583 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 371
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(00000000,?,00000040,00000000,00000001,?,00413088,00000001,0041305B,00000000,?,00412E23,00000001,00000001,00000000,?), ref: 00413432

Strings

FMKH, xrefs: 0041305E

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: FMKH
API String ID: 544645111-2364774658
Opcode ID: eefdafdcaa40b702c5e12c677b62e72d973b80019278f60722d66e384fa445f5
Instruction ID: d3cd8285267a7954bd6ab46f5573bb8169a7e04926abf037f45bf2c87426fc3a
Opcode Fuzzy Hash: eefdafdcaa40b702c5e12c677b62e72d973b80019278f60722d66e384fa445f5
Instruction Fuzzy Hash: 60E1AEB1E091288FEB24CE14DD94BEA77B5EF85300F1481FAD84DA7640D6786EC2CE56

Uniqueness

Uniqueness Score: -1.00%

Function 0042B525 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 0042C03D

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-399585960
Opcode ID: 817dee6a02d4a00ca1df7e87ff7d872a07f8a67fff4a99fb298c32b46e9382e5
Instruction ID: 31a9b62b41435ce74390fe9ef6e94a1f09138d69e291401c5a2d32638974bef9
Opcode Fuzzy Hash: 817dee6a02d4a00ca1df7e87ff7d872a07f8a67fff4a99fb298c32b46e9382e5
Instruction Fuzzy Hash: 9FB158B4E052289FEB24CF14DD90BAAB775FB84304F1041EED94AA6381D7795EC18F85

Uniqueness

Uniqueness Score: -1.00%

Function 00429FFD Relevance: 1.8, APIs: 1, Instructions: 338memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0042AC1E

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 517b7d28ef2f18e0c4725bf27557bc005b38673eb6e57fb953eb8e388ceb4d6d
Instruction ID: d900476614f8f23cc9e879a45790bf3c1646bd389133799c5f08f5fe28d27fe2
Opcode Fuzzy Hash: 517b7d28ef2f18e0c4725bf27557bc005b38673eb6e57fb953eb8e388ceb4d6d
Instruction Fuzzy Hash: D7E18C71E042298FEB64CB18DC94BEAB7B5EF84304F1441EAD90EA7640DA395ED1CE46

Uniqueness

Uniqueness Score: -1.00%

Function 004115E1 Relevance: 1.8, APIs: 1, Instructions: 283nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,FFFFDD34), ref: 00423408

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: b2ee84f09b885da0426a8b4cc7524a39cc0367720e40ed1b25acb2ad259b4017
Instruction ID: 6ff46d42b6d1ddb3ebe1fef3186f4aff8f33b86988ed82ba4cc1de00f3c12425
Opcode Fuzzy Hash: b2ee84f09b885da0426a8b4cc7524a39cc0367720e40ed1b25acb2ad259b4017
Instruction Fuzzy Hash: 4BA1E3B1E041289BEB24CF15DC84AEAB775EB85311F5085FAD80DA6680D63C5FC2CF56

Uniqueness

Uniqueness Score: -1.00%

Function 004127ED Relevance: 1.7, APIs: 1, Instructions: 212memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00000000,?,00000040,00000000,00000001,?,00413088,00000001,0041305B,00000000,?,00412E23,00000001,00000001,00000000,?), ref: 00413432

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ab21e6513cc5465660577a6e3733835d22f226260581db0f74d7e79805a448c6
Instruction ID: 4c4cc9cac45f9ecb23ebe1cd26d239c18ac3ca12bdb20e5b32276d34eedd350a
Opcode Fuzzy Hash: ab21e6513cc5465660577a6e3733835d22f226260581db0f74d7e79805a448c6
Instruction Fuzzy Hash: 7071C3B2E041289BFB248B14EC54BFB7775EB94310F1481FAD90DA6280EA7C5EC58E55

Uniqueness

Uniqueness Score: -1.00%

Function 0042B8B9 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 0042C036

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 89d339f187005aac8e4a0435b57b22154c31d0194251427fb786b4e4ddd2d639
Instruction ID: 5a8c98eeb4abc26c21ad2a6fd394327375fe50257aa8bb3f840f3a48dce10db2
Opcode Fuzzy Hash: 89d339f187005aac8e4a0435b57b22154c31d0194251427fb786b4e4ddd2d639
Instruction Fuzzy Hash: E041B5F2D05224AFF7248A10EC55BFB7779EB84310F1041BED90EA6780D67C5EC18A92

Uniqueness

Uniqueness Score: -1.00%

Function 0041209C Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b, xrefs: 004124EF
a, xrefs: 004124FD
r, xrefs: 004124F6
r, xrefs: 00412504
L, xrefs: 004124E1
i, xrefs: 004124E8
y, xrefs: 0041250B
o, xrefs: 004124CC
a, xrefs: 004124D3
d, xrefs: 004124DA
L, xrefs: 004124C5
W, xrefs: 00412512

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: 6a3695ecda41a5ce4dd8bfd705eed27bbfa2a34ed51108a9cfdce50e9d1f31e6
Instruction ID: 07e33d738da2e98f83c88bc94ad3fbb7c44ff3308f48e624c88b62337664ae6b
Opcode Fuzzy Hash: 6a3695ecda41a5ce4dd8bfd705eed27bbfa2a34ed51108a9cfdce50e9d1f31e6
Instruction Fuzzy Hash: 269124B1D082688AF7248B24DC19BFA7A75EF51300F0840FED84D97281DABD5FC58B66

Uniqueness

Uniqueness Score: -1.00%

Function 0041213B Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b, xrefs: 004124EF
a, xrefs: 004124FD
r, xrefs: 004124F6
r, xrefs: 00412504
L, xrefs: 004124E1
i, xrefs: 004124E8
y, xrefs: 0041250B
o, xrefs: 004124CC
a, xrefs: 004124D3
d, xrefs: 004124DA
L, xrefs: 004124C5
W, xrefs: 00412512

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: fc4e61dde0ff008e1d8a73e250225d59bce6c42b06b9f0136b307f8bf316a4bf
Instruction ID: d0d281f45b71ee8c2d02bb3531afe43231dd45ba6bb09fd8b5ea2ee9047042b4
Opcode Fuzzy Hash: fc4e61dde0ff008e1d8a73e250225d59bce6c42b06b9f0136b307f8bf316a4bf
Instruction Fuzzy Hash: 148114B1D182989AF7248A24DC18BFA7B75EF51300F0841FED58D97281DABD0FC58B66

Uniqueness

Uniqueness Score: -1.00%

Function 004120DD Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b, xrefs: 004124EF
a, xrefs: 004124FD
r, xrefs: 004124F6
r, xrefs: 00412504
L, xrefs: 004124E1
i, xrefs: 004124E8
y, xrefs: 0041250B
o, xrefs: 004124CC
a, xrefs: 004124D3
d, xrefs: 004124DA
L, xrefs: 004124C5
W, xrefs: 00412512

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: 3f5f1c73003a61d64382a1ffdaab053f56a11a512176f9075d5541ddeb027913
Instruction ID: 0932d5da3f2e09af89d36d567ccae22f9a0e807030d037efefe15e26e8eef01a
Opcode Fuzzy Hash: 3f5f1c73003a61d64382a1ffdaab053f56a11a512176f9075d5541ddeb027913
Instruction Fuzzy Hash: FA8148B1D081689AF7248A24DC18BFB7675EF51300F0841FED94D97281DABE0FC58B66

Uniqueness

Uniqueness Score: -1.00%

Function 00412151 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b, xrefs: 004124EF
a, xrefs: 004124FD
r, xrefs: 004124F6
r, xrefs: 00412504
L, xrefs: 004124E1
i, xrefs: 004124E8
y, xrefs: 0041250B
o, xrefs: 004124CC
a, xrefs: 004124D3
d, xrefs: 004124DA
L, xrefs: 004124C5
W, xrefs: 00412512

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: 0a9c43b938229f10e82f6b4b4ee82d3ccbb59e176c0801c33592ffeeaba2b152
Instruction ID: 0e2c899ebebb08ab941a628e4290d049498fc0f686630e80d5ac1488c25fb5cc
Opcode Fuzzy Hash: 0a9c43b938229f10e82f6b4b4ee82d3ccbb59e176c0801c33592ffeeaba2b152
Instruction Fuzzy Hash: 998126B1D082588AF7248B24DC18BFA7A75EF51300F0841FED58D97281DABD5FC58B66

Uniqueness

Uniqueness Score: -1.00%

Function 00412341 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b, xrefs: 004124EF
a, xrefs: 004124FD
r, xrefs: 004124F6
r, xrefs: 00412504
L, xrefs: 004124E1
i, xrefs: 004124E8
y, xrefs: 0041250B
o, xrefs: 004124CC
a, xrefs: 004124D3
d, xrefs: 004124DA
L, xrefs: 004124C5
W, xrefs: 00412512

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: dfdae454c89a602625f1194840656c29d7bbb1ba9c80772e418ffc362118d63d
Instruction ID: c6e788f54a623af09272f5e8fd3885d6c26ec73b86091fbbf0ae000181525045
Opcode Fuzzy Hash: dfdae454c89a602625f1194840656c29d7bbb1ba9c80772e418ffc362118d63d
Instruction Fuzzy Hash: 8E8126B1E182688AF7248B24DC19BFA7675EF51300F0840FED54D97281DABD1FC58B66

Uniqueness

Uniqueness Score: -1.00%

Function 00429A69 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

o, xrefs: 00429CBB
r, xrefs: 00429CF3
L, xrefs: 00429CD0
i, xrefs: 00429CD7
d, xrefs: 00429CC9
y, xrefs: 00429CFA
W, xrefs: 00429D01
a, xrefs: 00429CC2
b, xrefs: 00429CDE
r, xrefs: 00429CE5
a, xrefs: 00429CEC
L, xrefs: 00429CB4

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: 34a0e3389018522a20c7abc802efd46577c8738f3168decba13d25fbf94e9783
Instruction ID: bb40d18a901eb47d33f184b3623ae0e726c83ac5be5c1cfb015d8eb32de8a1af
Opcode Fuzzy Hash: 34a0e3389018522a20c7abc802efd46577c8738f3168decba13d25fbf94e9783
Instruction Fuzzy Hash: D261F862D056789AF7208618EC54BEBBA75EF95310F0440FAD80D67381D67D0FC58B66

Uniqueness

Uniqueness Score: -1.00%

Function 004298D2 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 164
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0042AC1E

Strings

o, xrefs: 00429CBB
r, xrefs: 00429CF3
L, xrefs: 00429CD0
i, xrefs: 00429CD7
d, xrefs: 00429CC9
y, xrefs: 00429CFA
W, xrefs: 00429D01
a, xrefs: 00429CC2
b, xrefs: 00429CDE
r, xrefs: 00429CE5
a, xrefs: 00429CEC
L, xrefs: 00429CB4

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 544645111-4069139063
Opcode ID: a4f2cc83fd25b43c880f457718923c8d6c9d5393405ca4fd47fdf62dafc658ac
Instruction ID: 042edc216b3e55aeb17dc9248a9c3bf40472790a1d3d36c57cba72205035dd1c
Opcode Fuzzy Hash: a4f2cc83fd25b43c880f457718923c8d6c9d5393405ca4fd47fdf62dafc658ac
Instruction Fuzzy Hash: 6161E4B2D056689AF7208A14EC48BDBBA75EF95310F0440FAD80D67381D77E1FC58B66

Uniqueness

Uniqueness Score: -1.00%

Function 00413353 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00000000,?,00000040,00000000,00000001,?,00413088,00000001,0041305B,00000000,?,00412E23,00000001,00000001,00000000,?), ref: 00413432

Strings

N4MX, xrefs: 00413353

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: N4MX
API String ID: 544645111-1502238160
Opcode ID: f11d1bb817282c64f34785b54cabdf17bbfeedca4a9dda8212e302c361634348
Instruction ID: b3f5b6423f395c244fce6fed571d57211f79f9b2d6e9c3ee9c7ed50247b8c568
Opcode Fuzzy Hash: f11d1bb817282c64f34785b54cabdf17bbfeedca4a9dda8212e302c361634348
Instruction Fuzzy Hash: 003104B2D055288BEB28CB15DCA4AEE7774EF51301F1441EBDC4EA6281DA385FC18F46

Uniqueness

Uniqueness Score: -1.00%

Function 0042A8B1 Relevance: 1.7, APIs: 1, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0042AC1E

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 85e99cd5a47543cf23504f473b9bf5c8599838782771636059b4f93a9c6f9652
Instruction ID: 2c8b9bda661ad755a434faba9ec98905579431e814de408f6a20122d7e8b7f06
Opcode Fuzzy Hash: 85e99cd5a47543cf23504f473b9bf5c8599838782771636059b4f93a9c6f9652
Instruction Fuzzy Hash: 648115B4E046688BDB24CF18DD90BEAB7B2FB49305F5081DAD909A6240D7386ED1CF45

Uniqueness

Uniqueness Score: -1.00%

Function 004131AA Relevance: 1.7, APIs: 1, Instructions: 169memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00000000,?,00000040,00000000,00000001,?,00413088,00000001,0041305B,00000000,?,00412E23,00000001,00000001,00000000,?), ref: 00413432

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 135ad8f401c570e547fbf9a6de295c8c17f8dda64c5c229e09ebee3bb5fcf79a
Instruction ID: dfbcb6e350ca6daac2073d7a5693b62bf6c30249a9d3e92a5530cb6827dd7c6a
Opcode Fuzzy Hash: 135ad8f401c570e547fbf9a6de295c8c17f8dda64c5c229e09ebee3bb5fcf79a
Instruction Fuzzy Hash: EF61BFB1D091688BEB24CF14DCA4AEA77B5EF51305F1441EBD84DA7281CA38AFC18F46

Uniqueness

Uniqueness Score: -1.00%

Function 00412B40 Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28487ae78aae608eab2d2545161ebf6b19cc82376cf4a3329a4bb4d8ba58691
Instruction ID: 8a28322eea80c35ed31c940487fd920fc6f79380003dd6abe1bcef62602e9b35
Opcode Fuzzy Hash: e28487ae78aae608eab2d2545161ebf6b19cc82376cf4a3329a4bb4d8ba58691
Instruction Fuzzy Hash: B65136B2E081245BF7248E14DD94BEB7779EB81310F1442FBD90EA6680D67C5FC28E92

Uniqueness

Uniqueness Score: -1.00%

Function 00429E03 Relevance: 1.7, APIs: 1, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0042AC1E

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a111785dfbe2817b58ca473b5518de423a8a8d1cb2e3dbdde65fca0c7fcf4730
Instruction ID: 06b26d028aab56ecb794729ee0f40b45cc42f6d3e09ee1d036040c6ecc2af9c4
Opcode Fuzzy Hash: a111785dfbe2817b58ca473b5518de423a8a8d1cb2e3dbdde65fca0c7fcf4730
Instruction Fuzzy Hash: 8651C3B1D0523A8AE7748B15ED80AFAB7B5EF44310F1141FAE90EA7680E6380EC5DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00412B28 Relevance: 1.6, APIs: 1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0d774cc60a1277266344d9a1fb94b7b47d5551565a28cd2dbd30bcd3532b61
Instruction ID: a7573cebef2906136f3b0afa02416dd457adb12610608d86b69f38783993b9e9
Opcode Fuzzy Hash: 8d0d774cc60a1277266344d9a1fb94b7b47d5551565a28cd2dbd30bcd3532b61
Instruction Fuzzy Hash: 635124B2E091285BE7248F14DD94BEB7778EB91300F1442FBD90EA6240D67C5FC28E92

Uniqueness

Uniqueness Score: -1.00%

Function 00413278 Relevance: 1.6, APIs: 1, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00000000,?,00000040,00000000,00000001,?,00413088,00000001,0041305B,00000000,?,00412E23,00000001,00000001,00000000,?), ref: 00413432

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 06ed781546dfaab0410d8f1601ff8999c258ca6fa91cc60a85133b2424d3d6fb
Instruction ID: a21c00fcc79bcb22c0189e895f9f026ca7bd4bd9f74cecf27bce5705025881a3
Opcode Fuzzy Hash: 06ed781546dfaab0410d8f1601ff8999c258ca6fa91cc60a85133b2424d3d6fb
Instruction Fuzzy Hash: 6951D4B1E055688FEB24CE14DDA0BEA7775EF52301F1841EBD84DA6241C6789FC18F46

Uniqueness

Uniqueness Score: -1.00%

Function 00412B99 Relevance: 1.6, APIs: 1, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00000000,?,00000040,00000000,00000001,?,00413088,00000001,0041305B,00000000,?,00412E23,00000001,00000001,00000000,?), ref: 00413432

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 13c5e14ee55dbd15f3ab06fe932220a595597ec4c5d0aa910d5f7586367bcf7b
Instruction ID: 8b1e8a8b4b9fe39592d6023537de683c691bb1d6e881ea4865a9a601a5f537c3
Opcode Fuzzy Hash: 13c5e14ee55dbd15f3ab06fe932220a595597ec4c5d0aa910d5f7586367bcf7b
Instruction Fuzzy Hash: DD4117B3E081245BF7248A15DD94BEA7779EB91310F1442FBD90EA2680DA7C5FC28E52

Uniqueness

Uniqueness Score: -1.00%

Function 004126EE Relevance: 1.6, APIs: 1, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00000000,?,00000040,00000000,00000001,?,00413088,00000001,0041305B,00000000,?,00412E23,00000001,00000001,00000000,?), ref: 00413432

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d53df6c52190f82a045b6abde2f32d1064df78d50e7a5319fa32487c77a96465
Instruction ID: 47bb9fdaa8cb8e402b1783fa67dceefd33b25e5bb368d2eb5044f5deabe5d923
Opcode Fuzzy Hash: d53df6c52190f82a045b6abde2f32d1064df78d50e7a5319fa32487c77a96465
Instruction Fuzzy Hash: E04138F2D091186BF7288A15EC55BFB3679DB90310F1482BFD90E92180DA7C5FC28A56

Uniqueness

Uniqueness Score: -1.00%

Function 00412B4D Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaea2b933b01a89827b67c139bb5ca4e79706c959fd518baf920d729aa146994
Instruction ID: 990449a8e8947083cfe3145af18ca691894774e68658affb907c9d8a4752bbdd
Opcode Fuzzy Hash: eaea2b933b01a89827b67c139bb5ca4e79706c959fd518baf920d729aa146994
Instruction Fuzzy Hash: 794107B2E091245BE7248B14DD54BFB7779EB91310F1442FBD90EA2640D67C5FC28E92

Uniqueness

Uniqueness Score: -1.00%

Function 004126F8 Relevance: 1.6, APIs: 1, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00000000,?,00000040,00000000,00000001,?,00413088,00000001,0041305B,00000000,?,00412E23,00000001,00000001,00000000,?), ref: 00413432

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: aa651d2d9aad907c587bd699a1e9d2807f77056f8f2d7e2648479a82859bb8f8
Instruction ID: 4034f9df38b031ca94e96c70c39b379e6a7100b7d5f9d14358dc1f3ad1fdf1c9
Opcode Fuzzy Hash: aa651d2d9aad907c587bd699a1e9d2807f77056f8f2d7e2648479a82859bb8f8
Instruction Fuzzy Hash: DE4139F2D041245BF7288A15EC55BFB7779DB90310F1481BFD90E92180DA7C5FC18A56

Uniqueness

Uniqueness Score: -1.00%

Function 004127A4 Relevance: 1.6, APIs: 1, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00000000,?,00000040,00000000,00000001,?,00413088,00000001,0041305B,00000000,?,00412E23,00000001,00000001,00000000,?), ref: 00413432

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f6cae4a27bb97715e265dba5960fc416d3247b530a20a7857318f27e437f2bc0
Instruction ID: ad96599aa0568e0401edef16a262a4e3169132a17c7bd816b0e54d29e73f2ef4
Opcode Fuzzy Hash: f6cae4a27bb97715e265dba5960fc416d3247b530a20a7857318f27e437f2bc0
Instruction Fuzzy Hash: D23125F3E081145BF7288A14EC55AFB7729DB91310F1582BFD90E62281DA7C5FC28A56

Uniqueness

Uniqueness Score: -1.00%

Function 00412C6B Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a55e3ad4a1909545bdfbef2483007a1dd5747761257bb13a183ba3933f5cb567
Instruction ID: 4ca0f828d6bd0722fb9e6ed604088adf18c745b3b7f6fe70d16349ed05d5e27d
Opcode Fuzzy Hash: a55e3ad4a1909545bdfbef2483007a1dd5747761257bb13a183ba3933f5cb567
Instruction Fuzzy Hash: 293137B3E081285BE7248A15DC54AEA777DDB91300F1541FBDD0EE2181DA7C9FC28E52

Uniqueness

Uniqueness Score: -1.00%

Function 00412C90 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9ff16c9d8587bb0fef7ac9e42add81c87f0d8d1ca4d7f84eb8d5769146e2583a
Instruction ID: ec29e408a0b2560fbee962219c1d550d8966c44ba49c21dec977af826ca43344
Opcode Fuzzy Hash: 9ff16c9d8587bb0fef7ac9e42add81c87f0d8d1ca4d7f84eb8d5769146e2583a
Instruction Fuzzy Hash: 323127B3E081285BE7258A15DC98AEA777CDB91300F0442FBDD0EE2140DA3C9FC58E52

Uniqueness

Uniqueness Score: -1.00%

Function 0041308A Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 95bcb04d5a536c814609ae895372c7fcf05f56ce0913c76de9db09cdd2a53f63
Instruction ID: 6da0136704a98be01a017522292e7ddc84d60c089fd73c4cbd77c81446849781
Opcode Fuzzy Hash: 95bcb04d5a536c814609ae895372c7fcf05f56ce0913c76de9db09cdd2a53f63
Instruction Fuzzy Hash: 2831E1B1D046288BEB248F15DC95AEAB774EB15301F0401EED94EA6241DA38AFC18F41

Uniqueness

Uniqueness Score: -1.00%

Function 0042AA97 Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a21d2ff6d935114ef620497caab0ba85e1609837715adc9d01c394d9a7ce82b
Instruction ID: ecd5b4522e6c4e6edcdb18aee9633c546c3a95a7d69b10dba29616feaf965f23
Opcode Fuzzy Hash: 7a21d2ff6d935114ef620497caab0ba85e1609837715adc9d01c394d9a7ce82b
Instruction Fuzzy Hash: 0C41B070E046688BDB24CA14DD907FBBBB1EF46306F5480EBD949A6600D6395ED0CF46

Uniqueness

Uniqueness Score: -1.00%

Function 004130F7 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3c923280d445580e831e8e5f465ea2d7ba5d979e576ef596b518e963108ace4f
Instruction ID: ea780e03613d9591d4d41f98bfe64335b6b815f6f6f40fceb2ce551db5009c8f
Opcode Fuzzy Hash: 3c923280d445580e831e8e5f465ea2d7ba5d979e576ef596b518e963108ace4f
Instruction Fuzzy Hash: 7121F2B2D085285BE7288B05DC65AEA7778EB55301F0441EFDD0EA2281DA386FC18E52

Uniqueness

Uniqueness Score: -1.00%

Function 0041314E Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4795ca1c476092ecabfd849bac8cadd5b4e3608008a04d92fe2d8ed5a806e6e2
Instruction ID: e62362c9a46b7741eebc7eabbab287c69e11e0caa91c1d28b0053fff01eea8c4
Opcode Fuzzy Hash: 4795ca1c476092ecabfd849bac8cadd5b4e3608008a04d92fe2d8ed5a806e6e2
Instruction Fuzzy Hash: F421F2B2D085285BE7288B05DC65AEA7778EB55301F1441EBDD0EA2281DA386FC18E52

Uniqueness

Uniqueness Score: -1.00%

Function 00413129 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 23794bd0eb24a83d80c83d3f3a95ec04e9a9e91ed29d618bca08fb0f3765c9ca
Instruction ID: b7950e2199067da6556c6f44021988e33d1598b5d1187de5442621625711592a
Opcode Fuzzy Hash: 23794bd0eb24a83d80c83d3f3a95ec04e9a9e91ed29d618bca08fb0f3765c9ca
Instruction Fuzzy Hash: F121F2B2D085285BE7248B05DC65AEA7778EB55301F0441EBDD0EA2281DA386FC18E52

Uniqueness

Uniqueness Score: -1.00%

Function 004128A1 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9ce11b6630ba050c5a3dbf3275fb29dd6160c5ce0a228f6ec4948b1704cf21d6
Instruction ID: 964f5b427979de83e52e4b06fdd8c7444ce8f0a86905a94d76b32b0d0394eae5
Opcode Fuzzy Hash: 9ce11b6630ba050c5a3dbf3275fb29dd6160c5ce0a228f6ec4948b1704cf21d6
Instruction Fuzzy Hash: 202135B2D085285BE7248A05EC65BFA7778DB51301F0441FBDD0EA2181DA385FC18E52

Uniqueness

Uniqueness Score: -1.00%

Function 00429DC1 Relevance: 1.6, APIs: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0042AC1E

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fce3c9e70c013ae024447a0b1b7f0d7a0b9c693d9ab3e45efcb0a6e8f28ddc39
Instruction ID: 556953f433954b4634cf63b90a6ebecca45b76565d7a49542567df38541f697a
Opcode Fuzzy Hash: fce3c9e70c013ae024447a0b1b7f0d7a0b9c693d9ab3e45efcb0a6e8f28ddc39
Instruction Fuzzy Hash: FB1129B3D005385BE7208A08ED08BEB7B78EB44310F4501FBEA0E66640D63D5ED68F96

Uniqueness

Uniqueness Score: -1.00%

Function 00429DB2 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ddd743a6013bca8144503c343c6e3dabd5e5e8c74316471d4ee10e03dab04565
Instruction ID: c6b9b15dfea78e486ce1d6701f6cbbc0d34b0132964ab746a0c497b408296b16
Opcode Fuzzy Hash: ddd743a6013bca8144503c343c6e3dabd5e5e8c74316471d4ee10e03dab04565
Instruction Fuzzy Hash: 2311E7B3D101389BE7248A04ED08BEB7B75AB54310F0501BAE90E66640E7385ED5CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0042AB81 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0042AC1E

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 57d98445e9ce9f9e60224b3280659e125f486fcffcf31615c55256045fce7212
Instruction ID: 37484f35a9ec51a60977f212ebe0a7e812490ded26ab04b9ef7e0a040bed9078
Opcode Fuzzy Hash: 57d98445e9ce9f9e60224b3280659e125f486fcffcf31615c55256045fce7212
Instruction Fuzzy Hash: CD012970E046688BCB30CB45DC40BDEB7B2BB49342F5082DBD94AA6244D3746EC1CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0042A4D7 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0042AC1E

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 833b4d87fe1af18a22aecd40cce08895c07c35ed3990c15f8b844ad01f083fc8
Instruction ID: a29ea879c4ef05d678e0999b02b84f472cf4dd45ce2750cad96914442ff99ba1
Opcode Fuzzy Hash: 833b4d87fe1af18a22aecd40cce08895c07c35ed3990c15f8b844ad01f083fc8
Instruction Fuzzy Hash: CFE0EDB19001289BD724CA48DD84ADAB7B8EB0C301F1041D6EA0EE6200E2756EC58F56

Uniqueness

Uniqueness Score: -1.00%

Function 0042B4CC Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 0042C036

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 01e8516e96a7b821d84dd7f040e11c91f21bf69e889b62971969fad3d0b5e555
Instruction ID: b92e842a934dc99345efe68ee0b6e9c68736d6021a919a7cb4bce8b1c6a369cf
Opcode Fuzzy Hash: 01e8516e96a7b821d84dd7f040e11c91f21bf69e889b62971969fad3d0b5e555
Instruction Fuzzy Hash: 5FD012A2E14130A6F3601544BC457EA7A28DB42320F350073DD0EA5580C6BD1BC65AD7

Uniqueness

Uniqueness Score: -1.00%

Function 004322CF Relevance: 1.5, APIs: 1, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d66450f66615e8754289d71f7ce8b27221215efdc8e862ed00508b3e6ec40c2
Instruction ID: 0cbf90eee9db89d5c1d60e7f7d2040ba1e2991a0e1e34b0cdb0372245e5a11af
Opcode Fuzzy Hash: 7d66450f66615e8754289d71f7ce8b27221215efdc8e862ed00508b3e6ec40c2
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00448C0D Relevance: 66.4, APIs: 44, Instructions: 432COMMONLIBRARYCODE

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 00448C44
___getlocaleinfo.LIBCMT ref: 00448C59
___getlocaleinfo.LIBCMT ref: 00448C6E
___getlocaleinfo.LIBCMT ref: 00448C83
___getlocaleinfo.LIBCMT ref: 00448C9B
___getlocaleinfo.LIBCMT ref: 00448CB0
___getlocaleinfo.LIBCMT ref: 00448CC2
___getlocaleinfo.LIBCMT ref: 00448CD7
___getlocaleinfo.LIBCMT ref: 00448CEF
___getlocaleinfo.LIBCMT ref: 00448D04

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: 51dcb22c4dc93a7f30a99e81a1e24136c466f284c556936e1c7157a4ebd90518
Instruction ID: fd67e2181e606d744a6158f7a2df29ca0b8827f53dc611e391066ddd0200f471
Opcode Fuzzy Hash: 51dcb22c4dc93a7f30a99e81a1e24136c466f284c556936e1c7157a4ebd90518
Instruction Fuzzy Hash: 1AE112B294060EBEEF11DAF1CC85DFF77BDEF48348F00496AB216D6040EA74AA159760

Uniqueness

Uniqueness Score: -1.00%

Function 00408380 Relevance: 42.3, APIs: 19, Strings: 5, Instructions: 323librarywindowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000005,?,7622DFA0,?,00408984,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040), ref: 00408395

Part of subcall function 00432DB5: __getptd_noexit.LIBCMT ref: 00432DB5

SetLastError.KERNEL32(00000000,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 004083B9
GetLastError.KERNEL32(?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 004083DA
_wcsrchr.LIBCMT ref: 00408443
_wcsncpy.LIBCMT ref: 00408472
_strerror.LIBCMT ref: 004084ED
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000003), ref: 00408522
_wcsncpy.LIBCMT ref: 00408552
LoadLibraryW.KERNEL32(00000044,?,?,?,?,?,?,?,?,?,?,?,?,?,00403F3C,00000000), ref: 0040855B
LoadLibraryW.KERNEL32(wininet.dll,?,?,?,?,?,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040), ref: 0040857C
LoadLibraryW.KERNEL32(mqutil.dll,?,?,?,?,?,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040), ref: 004085B6
LoadLibraryW.KERNEL32(netmsg.dll,?,?,?,?,?,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040), ref: 004085F2
FormatMessageW.KERNEL32(00001300,?,?,00000000,?,00000000,00000000), ref: 00408632
_wcstok.LIBCMT ref: 00408648
_vswprintf_s.LIBCMT ref: 00408683

Strings

__crt, xrefs: 0040849A
wininet.dll, xrefs: 00408577, 00408585
mqutil.dll, xrefs: 004085B1, 004085BF
t,F, xrefs: 00408652
netmsg.dll, xrefs: 004085ED, 004085FB

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast$_wcsncpy$ByteCharFormatMessageMultiWide__getptd_noexit_strerror_vswprintf_s_wcsrchr_wcstok
String ID: __crt$mqutil.dll$netmsg.dll$t,F$wininet.dll
API String ID: 2660907230-770268917
Opcode ID: faf70c990ec09a4e37772fbcd2026de65b54342e9bca4560a10c4358c1de2a0c
Instruction ID: 47c072ff33d92121b9efd564083845d0c83aee102c006f26be13eb141e8ab587
Opcode Fuzzy Hash: faf70c990ec09a4e37772fbcd2026de65b54342e9bca4560a10c4358c1de2a0c
Instruction Fuzzy Hash: F7C1C271A007059FCB209F75C9857ABB7B5EF58300F14893EE89AE7391EB789900CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00456924 Relevance: 18.3, APIs: 4, Strings: 6, Instructions: 793COMMONLIBRARYCODE

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 00456A3A
__invoke_watson.LIBCMT ref: 00456A4D
_strcpy_s.LIBCMT ref: 00456A66
__invoke_watson.LIBCMT ref: 00456A79

Strings

?, xrefs: 0045698F
T, xrefs: 00456AF4
1#INF, xrefs: 00456A2F
1#IND, xrefs: 00456A20
1#QNAN, xrefs: 00456A5B
1#SNAN, xrefs: 00456A06

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcpy_s
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$?$T
API String ID: 3990783250-1230703744
Opcode ID: b9824949ee98a60961a2741ce67b44a1c789cd02af29c55459a49a82930a3c8c
Instruction ID: 0467dba7ca231f73abc79560afe158a2f8043ccf4e020c15938fcbbf0078de2d
Opcode Fuzzy Hash: b9824949ee98a60961a2741ce67b44a1c789cd02af29c55459a49a82930a3c8c
Instruction Fuzzy Hash: D562C132D0465A8BDF25CFA8C4402EEB7B1FF14301F55826BD855AB382D778494ACB99

Uniqueness

Uniqueness Score: -1.00%

Function 00403E90 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 401COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00403EB1
GetFileSizeEx.KERNEL32(?,?,00000000), ref: 00403EC3
_malloc.LIBCMT ref: 00403EF5
SetLastError.KERNEL32(00000008,?,00004000), ref: 00403F05

Strings

GetFileSizeEx(), xrefs: 00403ECD
.\QHImageHlp.c, xrefs: 00403ED7, 00403F1D, 00404238, 004043B2
N/f, xrefs: 00403F84, 004043A8
INIT, xrefs: 00404290
PE, xrefs: 00403F7A

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ErrorFileLastSize_malloc_memset
String ID: N/f$.\QHImageHlp.c$GetFileSizeEx()$INIT$PE
API String ID: 942205088-2408646100
Opcode ID: f120680d6d03f252c3602562e683275613980ac0dca386cd390d9ba89285534a
Instruction ID: 1e5c7d978d549367c3184b98c0c7fe6c27fb078ad7ff0f1d351f26898f72a1fe
Opcode Fuzzy Hash: f120680d6d03f252c3602562e683275613980ac0dca386cd390d9ba89285534a
Instruction Fuzzy Hash: 0AE1A0B1A043009BDB24DF15D841B6B76E4BBD4704F04493EFE89AB3C1E778DA458B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00406210 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 114fileCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00406249

Part of subcall function 0042FB25: __FF_MSGBANNER.LIBCMT ref: 0042FB48
Part of subcall function 0042FB25: __NMSG_WRITE.LIBCMT ref: 0042FB4F
Part of subcall function 0042FB25: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,?,00402AFA), ref: 0042FB9C

SetLastError.KERNEL32(00000008,75B4E8E0,004060C2,00000000,00002000,?,00000000,00000000,00401596,?,?,?,00401C5E,?,?), ref: 00406259
CreateFileA.KERNEL32(00000000,00000000,00000003,00000000,00000003,00000080,00000000,00000000,00002000,75B4E8E0,004060C2,00000000,00002000,?,00000000,00000000), ref: 004062A0
_memset.LIBCMT ref: 004062CA
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,00000000,00002800,?,00000000), ref: 004062EB
CloseHandle.KERNEL32(00000000), ref: 0040631A

Strings

DISKID:, xrefs: 00406308
\\.\PhysicalDrive%d, xrefs: 00406281

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: AllocCloseControlCreateDeviceErrorFileHandleHeapLast_malloc_memset
String ID: DISKID:$\\.\PhysicalDrive%d
API String ID: 2265051123-3765948602
Opcode ID: 26cbdce573063f43a07f417fe75e999626897c1eb521f0934345e71a245bb68b
Instruction ID: a225908e938814fc6ce8db3e87b0bc4a74b0325d29c7787301f826e6074e7c24
Opcode Fuzzy Hash: 26cbdce573063f43a07f417fe75e999626897c1eb521f0934345e71a245bb68b
Instruction Fuzzy Hash: 7031EE71644304AFD200EF65EC81E2B77E8EB84758F94053FF845962C1DB74E958879B

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 79memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0040BB1A
OpenThread.KERNEL32(00000040,00000001,-00000008,00000000,?,?,?,0040BA80,?,?,?,?,?,?,0045B0F0,000000FF), ref: 0040BB75
GetLastError.KERNEL32(?,?,?,0040BA80,?,?,?,?,?,?,0045B0F0,000000FF,?,004083AC,?,00403F3C), ref: 0040BB7B
GetProcessHeap.KERNEL32(?,?,?,0040BA80,?,?,?,?,?,?,0045B0F0,000000FF,?,004083AC,?,00403F3C), ref: 0040BBAA
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,0040BA80,?,?,?,?,?,?,0045B0F0,000000FF), ref: 0040BBB4
OutputDebugStringW.KERNEL32(****** ,?,?,?,0040BA80,?,?,?,?,?,?,0045B0F0,000000FF,?,004083AC), ref: 0040BBC1
CloseHandle.KERNEL32(00000000,?,?,?,0040BA80,?,?,?,?,?,?,0045B0F0,000000FF,?,004083AC), ref: 0040BBCA

Strings

****** , xrefs: 0040BBBC

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: HeapThread$CloseCurrentDebugErrorFreeHandleLastOpenOutputProcessString
String ID: ******
API String ID: 2450575844-1974978773
Opcode ID: 4bb51ded7a3608d7d97a1e27c24b296467d0de8f0afda4e18d8d8d35c90d2ed4
Instruction ID: ba7dbfe72a5486ef3152b13babee1143b1853603010718cc7a74b18ee6d804c4
Opcode Fuzzy Hash: 4bb51ded7a3608d7d97a1e27c24b296467d0de8f0afda4e18d8d8d35c90d2ed4
Instruction Fuzzy Hash: FC315A34604B019FC7149B24CC94B6B77A4EF45702F04457EE985A7795E738F8008F9E

Uniqueness

Uniqueness Score: -1.00%

Function 00406279 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00403370: _vswprintf_s.LIBCMT ref: 0040339C

CreateFileA.KERNEL32(00000000,00000000,00000003,00000000,00000003,00000080,00000000,00000000,00002000,75B4E8E0,004060C2,00000000,00002000,?,00000000,00000000), ref: 004062A0
_memset.LIBCMT ref: 004062CA
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,00000000,00002800,?,00000000), ref: 004062EB
CloseHandle.KERNEL32(00000000), ref: 0040631A

Strings

DISKID:, xrefs: 00406308
\\.\PhysicalDrive%d, xrefs: 00406281

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset_vswprintf_s
String ID: DISKID:$\\.\PhysicalDrive%d
API String ID: 2627556037-3765948602
Opcode ID: 09db851be27ea68fc9fc6b10bab77541122b50d849f044dcab3b52a8cc0bc6df
Instruction ID: 51abea45773ed5e4c9772979f595ec269391c6619f1927a7e50f4261b4a66d35
Opcode Fuzzy Hash: 09db851be27ea68fc9fc6b10bab77541122b50d849f044dcab3b52a8cc0bc6df
Instruction Fuzzy Hash: 2F11C671604300AFD210DF55EC86F2B77D8EB84748F90053EF945E62C1E774A9188BAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040DFF6 Relevance: 7.7, Strings: 6, Instructions: 207COMMON

Download Yara Rule

Strings

8, xrefs: 0040E171
x, xrefs: 0040E199
MHO2, xrefs: 0040DFF6
n, xrefs: 0040E18F
n, xrefs: 0040E185
^Q, xrefs: 0040E2E8

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: 8$MHO2$^Q$n$n$x
API String ID: 0-2848278162
Opcode ID: f5a8caf9bc1f093c5d593e4e61edb6814425662af97e89af7f78678314f69f29
Instruction ID: 2c749dc8eec8f9cf2b864a6f0df5ba9062d9c37d5de09f0db79b4939017d85b8
Opcode Fuzzy Hash: f5a8caf9bc1f093c5d593e4e61edb6814425662af97e89af7f78678314f69f29
Instruction Fuzzy Hash: 5E8129B3C011554FF728CB24DE89AEABBB9EB80304F0481FED4096A9D4D3795BC58E52

Uniqueness

Uniqueness Score: -1.00%

Function 0042F43A Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00434B8F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00434BA4
UnhandledExceptionFilter.KERNEL32(0045F6C0), ref: 00434BAF
GetCurrentProcess.KERNEL32(C0000409), ref: 00434BCB
TerminateProcess.KERNEL32(00000000), ref: 00434BD2

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1aedecd378c2f8c13ed6721df79a08be873a1827c1eaed0c0787769e19c8aa15
Instruction ID: c87577094888f478b7fe3db4e50f5c35210d74469f5d620301a0bbfa5ab1ebb5
Opcode Fuzzy Hash: 1aedecd378c2f8c13ed6721df79a08be873a1827c1eaed0c0787769e19c8aa15
Instruction Fuzzy Hash: 2521EFB4511B44AFD700DF24E988A443BA0FB18305F18613AE949A6271F7F4A9A5CF4F

Uniqueness

Uniqueness Score: -1.00%

Function 00414B51 Relevance: 7.5, APIs: 5, Instructions: 32COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00434B8F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00434BA4
UnhandledExceptionFilter.KERNEL32(0045F6C0), ref: 00434BAF
GetCurrentProcess.KERNEL32(C0000409), ref: 00434BCB
TerminateProcess.KERNEL32(00000000), ref: 00434BD2

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 5251d79271cddf4743badf86185e3d261b160beed6636030c849ce3be4a5960e
Instruction ID: 886c9f54bc9d7ea2895ebc2780101683a97b709e5cc55707079ea216c227a8b2
Opcode Fuzzy Hash: 5251d79271cddf4743badf86185e3d261b160beed6636030c849ce3be4a5960e
Instruction Fuzzy Hash: 01011D70505780AFE300DF70EC497143B70E70970AF1410AAE606DA1B3E6B55881CF5F

Uniqueness

Uniqueness Score: -1.00%

Function 00409120 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00409124
GetLocalTime.KERNEL32(?), ref: 00409131
__swprintf.LIBCMT ref: 00409150

Strings

<%08X> %02hu:%02hu:%02hu: , xrefs: 0040914A

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: CurrentLocalThreadTime__swprintf
String ID: <%08X> %02hu:%02hu:%02hu:
API String ID: 4156772881-2163415560
Opcode ID: a489dfab2371dc3eae81d2dfc5bda05dd664b81eb9ee3823ab1e5aa6a003ac84
Instruction ID: be5f41c029d6ecaa3ec51ae336b2f33e16603824fff27754019517003b9c3123
Opcode Fuzzy Hash: a489dfab2371dc3eae81d2dfc5bda05dd664b81eb9ee3823ab1e5aa6a003ac84
Instruction Fuzzy Hash: 35F08276400711BBC3106B198D458BB76E8EEC4711B448956FC85C6292F678DD24C2A5

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE67 Relevance: 6.5, Strings: 5, Instructions: 294COMMON

Download Yara Rule

Strings

8, xrefs: 0040E171
x, xrefs: 0040E199
n, xrefs: 0040E18F
n, xrefs: 0040E185
^Q, xrefs: 0040E2E8

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: 8$^Q$n$n$x
API String ID: 544645111-2519598271
Opcode ID: 7e7bdfab31fffe7520be891b3dda0984837ea78a8b943c97327483621f4c4cba
Instruction ID: f0d6c34fff78d01d527dda224145d5394760bc0a89aff5a6d27e5324e8b1942f
Opcode Fuzzy Hash: 7e7bdfab31fffe7520be891b3dda0984837ea78a8b943c97327483621f4c4cba
Instruction Fuzzy Hash: EAC1D7B2D042554FF724CB24DE85AEABBB9EB94300F0481FED409AA6D4D3B95FC58E41

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF69 Relevance: 6.5, Strings: 5, Instructions: 243COMMON

Download Yara Rule

Strings

8, xrefs: 0040E171
x, xrefs: 0040E199
n, xrefs: 0040E18F
n, xrefs: 0040E185
^Q, xrefs: 0040E2E8

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: 8$^Q$n$n$x
API String ID: 0-2519598271
Opcode ID: cb2046acbe303f66547e2c07a6aa3424077591e4f079b1670b2fa05cabce1ead
Instruction ID: cef50274677d04160880c6e3a8f26e4c50c77b2a6cf58296d4e1980ebabccb0c
Opcode Fuzzy Hash: cb2046acbe303f66547e2c07a6aa3424077591e4f079b1670b2fa05cabce1ead
Instruction Fuzzy Hash: A59127B3C011654FF728CA24DE85AEABBB9EB90304F0481BED409AA5D4D3B95FC58E51

Uniqueness

Uniqueness Score: -1.00%

Function 0040E020 Relevance: 6.4, Strings: 5, Instructions: 197COMMON

Download Yara Rule

Strings

8, xrefs: 0040E171
x, xrefs: 0040E199
n, xrefs: 0040E18F
n, xrefs: 0040E185
^Q, xrefs: 0040E2E8

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: 8$^Q$n$n$x
API String ID: 0-2519598271
Opcode ID: ece87ebeb5a04feba06d3f0cad7a080e1b91bd00ec6186574ccb723f5d0c4e1d
Instruction ID: aa1390978b0d68ebc0a167fbc875ae1391f3f3e707e62369f414e39408b0bae4
Opcode Fuzzy Hash: ece87ebeb5a04feba06d3f0cad7a080e1b91bd00ec6186574ccb723f5d0c4e1d
Instruction Fuzzy Hash: 587119B2C011654FF728CB24DE89AEABBB9EB80304F0481FED4096A5D4D3795FC58E42

Uniqueness

Uniqueness Score: -1.00%

Function 0040E024 Relevance: 6.4, Strings: 5, Instructions: 196COMMON

Download Yara Rule

Strings

8, xrefs: 0040E171
x, xrefs: 0040E199
n, xrefs: 0040E18F
n, xrefs: 0040E185
^Q, xrefs: 0040E2E8

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: 8$^Q$n$n$x
API String ID: 0-2519598271
Opcode ID: f9bed76a7f18ec2d0f4b68e9c159614398ac11c0216a5bb5d090fdf93c7305de
Instruction ID: f9d38d6906b09892c7c9541f92a6af24a3cf46377957d0555673c3edf364d667
Opcode Fuzzy Hash: f9bed76a7f18ec2d0f4b68e9c159614398ac11c0216a5bb5d090fdf93c7305de
Instruction Fuzzy Hash: DB7109B2C051654FF728CB24DE99AEABBB9EB80304F0481FED4096A5D4D3795FC58E42

Uniqueness

Uniqueness Score: -1.00%

Function 0040D2A8 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

8, xrefs: 0040D313
n, xrefs: 0040D331
x, xrefs: 0040D33B
n, xrefs: 0040D327

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: 8$n$n$x
API String ID: 0-2129689772
Opcode ID: dbd26719ba5f96f58f6f59ee7a6e958c876c2d5c41b7bf31185cf3e5d0c260c3
Instruction ID: 32c7e96a33cb844f7c72c23f0ce5258408d0960b59636f84b296633eb0b46dbb
Opcode Fuzzy Hash: dbd26719ba5f96f58f6f59ee7a6e958c876c2d5c41b7bf31185cf3e5d0c260c3
Instruction Fuzzy Hash: 1B5127B2C052A44FE728CA24CD497DBBB79EB41304F0581BAD80D6A994D67D5BC9CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE13 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

P2?5, xrefs: 0040CF34
HXWQ, xrefs: 0040CE16

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: HXWQ$P2?5
API String ID: 0-4075685934
Opcode ID: fc4e7237633e15f44501297d4546b46f281e2fe4381cbdd60f8535064e24066b
Instruction ID: 00225a8dfb1658469d3c25a5a9ee49aa43f26e3814125a48ffc18d2d5ec38e5a
Opcode Fuzzy Hash: fc4e7237633e15f44501297d4546b46f281e2fe4381cbdd60f8535064e24066b
Instruction Fuzzy Hash: 207128B2C001958FE724CB24CD95AFEBBB5EF85300F1881BED449AB590D2B95BC58E46

Uniqueness

Uniqueness Score: -1.00%

Function 0040C050 Relevance: 2.5, APIs: 2, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040C053
HeapAlloc.KERNEL32(00000000,00000000,000005B0), ref: 0040C064

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 9baf3c8bfd83b6516b66781d598a04bc8dda0dcc0ac1b73f38a914e68a0faa72
Instruction ID: 580f6c0c1b727f915f45420c6b560cbcb7f6e6cafde418b56ce905b5f2e5ce77
Opcode Fuzzy Hash: 9baf3c8bfd83b6516b66781d598a04bc8dda0dcc0ac1b73f38a914e68a0faa72
Instruction Fuzzy Hash: 90C08C31700B31DADA202BB43C4CACB3A0CEB00A537010021F401F2082C724C801CAFC

Uniqueness

Uniqueness Score: -1.00%

Function 00426E9F Relevance: 2.0, APIs: 1, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a6f1c2ef20d4f6ce27562002f73c38644395044acc83ddd4d5b880fc4a2580
Instruction ID: fcc7e448ca38139ad586aadad377773fab4e99c0378823521c7317bf70d34349
Opcode Fuzzy Hash: 07a6f1c2ef20d4f6ce27562002f73c38644395044acc83ddd4d5b880fc4a2580
Instruction Fuzzy Hash: B102AFB1E081299FDB24CB24EC90BEAB7B5EF84314F5481EBD809A6340D6385EC5CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00448411 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?), ref: 00448422

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 7600aa44a35ec1b1ec456989e0333e23b8edb6ab0473bd002e61e064ac84fbd1
Instruction ID: 788031df0fc74cb8050b7ceb17a755f4a65af0da5db70e3e4d61a9992314f5b7
Opcode Fuzzy Hash: 7600aa44a35ec1b1ec456989e0333e23b8edb6ab0473bd002e61e064ac84fbd1
Instruction Fuzzy Hash: C3C0013600024DBB8F025F82ED4889A3F2AEB88261B048020FA28150228B32D931AB95

Uniqueness

Uniqueness Score: -1.00%

Function 00426A6B Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

D47=, xrefs: 00426B9F

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: D47=
API String ID: 0-3728716063
Opcode ID: 12f4ec79a3f8aca3222d3a312428db849cba948f89ed9743aa5dc19d6d68997d
Instruction ID: 1d76649bc7a4eedaa303eb2ebb4ec75060f8daf90673a2d31d8653e2b13d72e0
Opcode Fuzzy Hash: 12f4ec79a3f8aca3222d3a312428db849cba948f89ed9743aa5dc19d6d68997d
Instruction Fuzzy Hash: 4781A2B1D142398AE7648B24DC90BFAB675EF54300F1081FAD54DA7290EA3D5EC1CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE0C Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

P2?5, xrefs: 0040CF34

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: P2?5
API String ID: 0-3284864863
Opcode ID: 829558128b5e2f9f7e7c139cf5c7ed05b15b1e5de2f9f92214fbbd2df816a882
Instruction ID: d978e1048c22fb4af2e126148ab62ef580d4daf8699681b28240bb30ef0bec2e
Opcode Fuzzy Hash: 829558128b5e2f9f7e7c139cf5c7ed05b15b1e5de2f9f92214fbbd2df816a882
Instruction Fuzzy Hash: 757118B2C101958FE724CB24CD95AFEBBB5EF85300F1881BED409AB5D0D2B95BC58E46

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE28 Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

P2?5, xrefs: 0040CF34

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: P2?5
API String ID: 0-3284864863
Opcode ID: b915629ecf9636e1a50f322be0bc94144585b37f529017de573fb4f1ba3a95e9
Instruction ID: d7fa759c572c41ae5a9a47fb33831c2e64d017be3d60502368ad3ab2668dc4d3
Opcode Fuzzy Hash: b915629ecf9636e1a50f322be0bc94144585b37f529017de573fb4f1ba3a95e9
Instruction Fuzzy Hash: 48712772C001958FE724CB24CD95AEEBBB5EF85300F1881FED409AB590D2B95AC58E46

Uniqueness

Uniqueness Score: -1.00%

Function 0040E36C Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

:?L:, xrefs: 0040E498

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: :?L:
API String ID: 0-187022543
Opcode ID: ab9e5a3dbf33d407fb6aeacbee6a3dec57d1528f271c3e041b634375bf3472c0
Instruction ID: c7a37152abdf742581403c0fed52af81b946c038d54bbd33830aa8dee06f9e65
Opcode Fuzzy Hash: ab9e5a3dbf33d407fb6aeacbee6a3dec57d1528f271c3e041b634375bf3472c0
Instruction Fuzzy Hash: B65137B3D001545FE728CA25DD85AEEBB79EBC1310F1481FED40D66A90D3BD5AC68E41

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE87 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

P2?5, xrefs: 0040CF34

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: P2?5
API String ID: 0-3284864863
Opcode ID: ea1d6309b43dc57db74b100131581c403552c1912820ce9fb7c1ce457adfef00
Instruction ID: bcfe43b3626583e74cabbc67fbcc7409420889c2ed51074537a3fcdd0edb5e9a
Opcode Fuzzy Hash: ea1d6309b43dc57db74b100131581c403552c1912820ce9fb7c1ce457adfef00
Instruction Fuzzy Hash: 97515BB2C101958FE714CB38CD95AFEBB75EF85304F0881BED445AB5D1D2B85AC58E06

Uniqueness

Uniqueness Score: -1.00%

Function 00406100 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

%s:%I64X, xrefs: 004061A6

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: _vswprintf_s
String ID: %s:%I64X
API String ID: 677850445-3180616182
Opcode ID: 8e2a16c6592a42fff0cfe875e6b527e75f3c85e4fb726ef5102888ea82c67930
Instruction ID: e144124d62655bf3eaa731ff4750fd2ef03a2d88ea263d9c490b22e00845112c
Opcode Fuzzy Hash: 8e2a16c6592a42fff0cfe875e6b527e75f3c85e4fb726ef5102888ea82c67930
Instruction Fuzzy Hash: 02319371E00218ABDB14CF9AD84079EFBF5FF88710F10412BE815B7380DB7899018B94

Uniqueness

Uniqueness Score: -1.00%

Function 00407B90 Relevance: .6, Instructions: 583COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b439e512d2f2274f2d51447746bdfa11f260257c9624696f8b482fc4d82d582e
Instruction ID: 1023cae0511ab3d43fddd3dc3760f17de12005917cf52bd75e7327f2d6d831f6
Opcode Fuzzy Hash: b439e512d2f2274f2d51447746bdfa11f260257c9624696f8b482fc4d82d582e
Instruction Fuzzy Hash: A612C5BBB983194FDB48CEE5DCC169573E1FB98304F09A43C9A55C7306F6E8AA094790

Uniqueness

Uniqueness Score: -1.00%

Function 0042788F Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca380f85856fe320bc0c99413256e9a87045c9cba0339ac54d5e2416315925d
Instruction ID: 6ccaf752b8d8ea78f5d8c848e62c60230c57617c2eb0205f1da4eb24dcd9d9b8
Opcode Fuzzy Hash: bca380f85856fe320bc0c99413256e9a87045c9cba0339ac54d5e2416315925d
Instruction Fuzzy Hash: ECF17DB1E092298FEB24CB24DC94AEAB7B5FB85304F1081EAD80DA6345D6395EC1CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040D608 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25cdedaa1eafb390bb43f5ac0b99185bf52ccf65a89beac1da3fcd980ce4a81
Instruction ID: a1ecc45f5541d17e686db2fe260ee0f6aba9e1fb8fa2837946db24dff4fc283e
Opcode Fuzzy Hash: a25cdedaa1eafb390bb43f5ac0b99185bf52ccf65a89beac1da3fcd980ce4a81
Instruction Fuzzy Hash: 8F9107B2D441564FE728CA24DE89BEEBB79EB81300F0542FED80D56AD0D6B85AC58E41

Uniqueness

Uniqueness Score: -1.00%

Function 0040D62D Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32200371e365bdf780d40601757575adfb2c0b17e9d44f4cad7bcc73103b22e0
Instruction ID: 9facc0af94ad3b89fb1a6259fb7b993d5c404603322f4cb0fe9e19772579d3ce
Opcode Fuzzy Hash: 32200371e365bdf780d40601757575adfb2c0b17e9d44f4cad7bcc73103b22e0
Instruction Fuzzy Hash: A99107B2D441564FE728CA24DE89BEFBB79EB81300F0542FED80D966D0D7B85AC58E41

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7FF Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a12ad7fd0b2c840adc6a9e2812a0664ab822cad9516781af9bb26c13e69be3e
Instruction ID: 2d3dd497658756ff4c609fa0e379f25625354b2e0894d635f1eee9d2857d66d4
Opcode Fuzzy Hash: 4a12ad7fd0b2c840adc6a9e2812a0664ab822cad9516781af9bb26c13e69be3e
Instruction Fuzzy Hash: E8911A72D441658FEB28CE24CD89BEEBB75EB91300F0442FED40D965E0D7B85AC58E41

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA08 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9de43bcdd577f89d96464d0dc56b912104fbc602b73b41ebb3f0fd9d0d89e40
Instruction ID: baef11cc9e716af9a59e2fb239929fc56db5f58b12b87809a99c96b5b2fc43ea
Opcode Fuzzy Hash: f9de43bcdd577f89d96464d0dc56b912104fbc602b73b41ebb3f0fd9d0d89e40
Instruction Fuzzy Hash: F77104B2D4411A4FE728CA14DD9ABFAB778EB41304F0441FED40E96A90D7BC6EC58E02

Uniqueness

Uniqueness Score: -1.00%

Function 0040F904 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27852bd5941f34932c5d7a261fc2b6e0785adce53a3e9f09d3654e8489cb5c47
Instruction ID: 75d4878b59c995a76098997b89a25319a9a441f62bff6acdc282fa48d20fa7ff
Opcode Fuzzy Hash: 27852bd5941f34932c5d7a261fc2b6e0785adce53a3e9f09d3654e8489cb5c47
Instruction Fuzzy Hash: 4C8105B2D0021A9FE738CA14DD85BFAB779EB85304F0441FAD40DA6A90D7796EC5CE42

Uniqueness

Uniqueness Score: -1.00%

Function 0040D882 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b95772fe7a971707e5bd1bcec9bf7c8c5169b9cdc2160e17cb6a6e178bb12a4
Instruction ID: 5582b0c30218d3769de837e9b797b84d4e6f714c3b7469f4d9cf7e5db4cfc39d
Opcode Fuzzy Hash: 0b95772fe7a971707e5bd1bcec9bf7c8c5169b9cdc2160e17cb6a6e178bb12a4
Instruction Fuzzy Hash: BE712BB2D441558FE728CA24DE89BEEBB79EB81300F0542FED80D566D0D7B85EC58E41

Uniqueness

Uniqueness Score: -1.00%

Function 0040D892 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19977903c5e65d9fb8812f0de9257bb7a88d8e8b2ae9429cd83349e60d998df
Instruction ID: 8b81bda9b8fab892b258e4d6a89dc2dc3055979a3a08e658ae98d0d53afadfae
Opcode Fuzzy Hash: c19977903c5e65d9fb8812f0de9257bb7a88d8e8b2ae9429cd83349e60d998df
Instruction Fuzzy Hash: C0711BB2D441554FEB28CA24DD89BEEBB79EB81300F0542FED80D566E0D7B85EC18E41

Uniqueness

Uniqueness Score: -1.00%

Function 0042B441 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b7681f794f2b859e931b6657aa8847074b694a325a985d2fb16c3b18a4c012
Instruction ID: 2dc78392055df211ea779bd536bb5e45a1508b8059c4953ae852931a4689ae83
Opcode Fuzzy Hash: 14b7681f794f2b859e931b6657aa8847074b694a325a985d2fb16c3b18a4c012
Instruction Fuzzy Hash: B071EEB2D142649BEB248B24EC45BEA7775EF44300F1081EEC88EA7281D77C5EC68F95

Uniqueness

Uniqueness Score: -1.00%

Function 0042A571 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a14b438bf0ba4c90f57067d81787960cb90cc1d62abccabb82ad91f90ae1c24
Instruction ID: 5f45bc051415e163a5c49b6ecb86a20f3ef97ee9ee7b062dab956de84034c9ba
Opcode Fuzzy Hash: 3a14b438bf0ba4c90f57067d81787960cb90cc1d62abccabb82ad91f90ae1c24
Instruction Fuzzy Hash: 987181B1E4012BDBE7248B10ED80BFA7375EB94314F1481FAD90996740E63D4ED29E5A

Uniqueness

Uniqueness Score: -1.00%

Function 00407010 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6cf9bf798da41a0aadd049484754773535c6285bb584e2e0a7867b1c93dbdd2
Instruction ID: c60990d571fcd7b116c92b0716adbbfc50c2c0b6a86323ef44199df878ed642d
Opcode Fuzzy Hash: d6cf9bf798da41a0aadd049484754773535c6285bb584e2e0a7867b1c93dbdd2
Instruction Fuzzy Hash: CE71995410DBE29BC316CF3948D02A8FFE1AE67101708875ED8E647B86C668E1A5DBF1

Uniqueness

Uniqueness Score: -1.00%

Function 0040F695 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37d793a2ac866280ea10549ac07497e5442353c9ff9541e8fe59a2d101c6ba3
Instruction ID: 87f5f4c7b4747d40eb58a693aee0eedec05ec3f6ae5d79e4baa621dc0bc649f2
Opcode Fuzzy Hash: d37d793a2ac866280ea10549ac07497e5442353c9ff9541e8fe59a2d101c6ba3
Instruction Fuzzy Hash: 636116B2D041565FE738DA24CD5ABFABB78EB85304F0441FAD40DD6A90D3786EC68E12

Uniqueness

Uniqueness Score: -1.00%

Function 00428486 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a479ca6773b4e3ececbe5587a715473e9244aabb2c8f1c025aefcb5262441758
Instruction ID: abf781aea15bb2ebf8719a2540621a91c786f6a1666d5b11ea0e5f7e3822d84b
Opcode Fuzzy Hash: a479ca6773b4e3ececbe5587a715473e9244aabb2c8f1c025aefcb5262441758
Instruction Fuzzy Hash: FA61BE71E022798AEB608B25DC547EEB772EF54301F4040FAD80DA7690EA795EC1CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00428613 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f3af31fb63ed0eb6add7f6965b9f21c50ab02195a74bd547025cfbd45a3288
Instruction ID: 393e0e4ff5da66cccfaf8bad3a1d10d57fa0603b28a7b8e271ddb612df54d811
Opcode Fuzzy Hash: 26f3af31fb63ed0eb6add7f6965b9f21c50ab02195a74bd547025cfbd45a3288
Instruction Fuzzy Hash: 6061BE72E062698AE760CB25DC54BEEB775EF54300F0080FAD90DA7680EA395EC5CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00406D10 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3aee1877f2fcf241037364b6e71e7a732ed294a0964b6b06372c4e956ffd973
Instruction ID: ba3aea8688de00197c3961e4e649cdcdc1991a10523b383ba4ecc5571cfa838b
Opcode Fuzzy Hash: f3aee1877f2fcf241037364b6e71e7a732ed294a0964b6b06372c4e956ffd973
Instruction Fuzzy Hash: D3615B725087118FC318DF49D48494AF3E1FFC8328F1A8A6DE9885B361D771E959CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8F3 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380b40b5d6052808e6ceda2128ecf0b24c9b9798fac34f204029c9ebe14efa24
Instruction ID: 3bb65e678d37e689efbe7f995991ac506105481fc4004b9e366a4404860f827b
Opcode Fuzzy Hash: 380b40b5d6052808e6ceda2128ecf0b24c9b9798fac34f204029c9ebe14efa24
Instruction Fuzzy Hash: A95135B2D042565FE728DA24CD5ABFABB78EB81304F0041FAD40D96A90D3785EC68E12

Uniqueness

Uniqueness Score: -1.00%

Function 00446755 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 311COMMONLIBRARYCODE

Download Yara Rule

APIs

operator+.LIBCMT ref: 004467CE
DName::DName.LIBCMT ref: 004467EE
operator+.LIBCMT ref: 0044682E
UnDecorator::getScope.LIBCMT ref: 00446857
operator+.LIBCMT ref: 00446863
DName::operator+.LIBCMT ref: 0044686D
operator+.LIBCMT ref: 00446770

Part of subcall function 00443C5B: DName::DName.LIBCMT ref: 00443C6E
Part of subcall function 00443C5B: DName::operator+.LIBCMT ref: 00443C75

DName::DName.LIBCMT ref: 00446791
operator+.LIBCMT ref: 0044687A
UnDecorator::getThisType.LIBCMT ref: 004468BA
operator+.LIBCMT ref: 004468F9
DName::operator+.LIBCMT ref: 00446903
UnDecorator::getThisType.LIBCMT ref: 00446915
DName::operator|=.LIBCMT ref: 0044691F
operator+.LIBCMT ref: 00446936
DName::DName.LIBCMT ref: 00446A9C

Strings

QD, xrefs: 00446994, 00446A22, 00446A70, 00446A7C, 00446A5F, 00446A3E, 004469A8, 00446963, 0044694E, 004468E1, 00446821, 00446846, 0044692D, 00446824, 0044684C, 004468E4, 00446930, 00446966, 004469AB
QD, xrefs: 00446A99, 00446AA1, 00446A8A, 00446933, 004467E9, 004467F3, 004467CB, 0044678C, 00446778, 0044676D

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: operator+$NameName::$Decorator::getName::operator+$ThisType$Name::operator|=Scope
String ID: QD$QD
API String ID: 398566123-1550548732
Opcode ID: 794240fa5a1516c6d0e2d9c5d7a373a49819a2d09ceaf47e05691be9d527f491
Instruction ID: d1b7e0adb0a3f196e2e037ff9ed62cdcf100d09a33e416e05376dfa50685d5fa
Opcode Fuzzy Hash: 794240fa5a1516c6d0e2d9c5d7a373a49819a2d09ceaf47e05691be9d527f491
Instruction Fuzzy Hash: DFB197B2900608AFEB10DF94C882EEE7BB8EF05305F15406FF505A7291DB79DA44CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B780 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 157synchronizationmemoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(0A0B9F7F,?,?,?,?,?,?,?,0045B14B,000000FF), ref: 0040B7C4
__snwprintf.LIBCMT ref: 0040B7DB
CreateMutexW.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,0045B14B,000000FF), ref: 0040B7F5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045B14B,000000FF), ref: 0040B808
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,0045B14B,000000FF), ref: 0040B818
_memset.LIBCMT ref: 0040B834
_swscanf.LIBCMT ref: 0040B86B
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0045B14B,000000FF), ref: 0040B885
HeapAlloc.KERNEL32(00000000,00000000,000005C0,?,?,?,?,?,?,?,?,?,?,?,?,0045B14B), ref: 0040B897
__CxxThrowException@8.LIBCMT ref: 0040B8D2
__swprintf.LIBCMT ref: 0040B8E9
__CxxThrowException@8.LIBCMT ref: 0040B910
ReleaseMutex.KERNEL32(?,?,00465204), ref: 0040B91E
CloseHandle.KERNEL32(?), ref: 0040B940
ReleaseMutex.KERNEL32(00000000), ref: 0040B963
CloseHandle.KERNEL32(00000000), ref: 0040B96E

Strings

1830B7BD-F7A3-4c4d-989B-C004DE465EDE, xrefs: 0040B7CB
%s %u, xrefs: 0040B7D0

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: Mutex$CloseException@8HandleHeapProcessReleaseThrow$AllocCreateCurrentErrorLastObjectSingleWait__snwprintf__swprintf_memset_swscanf
String ID: %s %u$1830B7BD-F7A3-4c4d-989B-C004DE465EDE
API String ID: 2967953817-332789905
Opcode ID: 21630a82ff95050d2a936fc027293757e53b3bd1dc2a9272b0684d330f7f6356
Instruction ID: b0080335ab30dc4e6b4e05c12cebb1b1aa067a19cdad22adf5ef2cdec4d22371
Opcode Fuzzy Hash: 21630a82ff95050d2a936fc027293757e53b3bd1dc2a9272b0684d330f7f6356
Instruction Fuzzy Hash: 145182B1900744ABDB10EFA4DD45BAE77A8EB14714F10423AF905E72D1EBB855048B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00406400 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 153registryCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00406424

Part of subcall function 0042FB25: __FF_MSGBANNER.LIBCMT ref: 0042FB48
Part of subcall function 0042FB25: __NMSG_WRITE.LIBCMT ref: 0042FB4F
Part of subcall function 0042FB25: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,?,00402AFA), ref: 0042FB9C

SetLastError.KERNEL32(00000008,00000000,?,?,?,?,004060DB,00000000,00002000,00000000,00401596,?,?,?,00401C5E,?), ref: 00406434

Part of subcall function 0042F2AE: __lock.LIBCMT ref: 0042F2CC
Part of subcall function 0042F2AE: ___sbh_find_block.LIBCMT ref: 0042F2D7
Part of subcall function 0042F2AE: ___sbh_free_block.LIBCMT ref: 0042F2E6
Part of subcall function 0042F2AE: HeapFree.KERNEL32(00000000,?,00464668,0000000C,0043383B,00000000,004648F0,0000000C,00433875,?,?,?,004479C3,00000004,00464E28,0000000C), ref: 0042F316
Part of subcall function 0042F2AE: GetLastError.KERNEL32(?,004479C3,00000004,00464E28,0000000C,004356E9,?,?,00000000,00000000,00000000,?,004352B5,00000001,00000214), ref: 0042F327

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards,00000000,00020119,?,00000000,?,?,?,?,004060DB,00000000,00002000,00000000,00401596,?), ref: 0040645A
RegEnumKeyExW.ADVAPI32 ref: 00406486
RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020119,?), ref: 004064AB
RegQueryValueExA.ADVAPI32(?,ServiceName,00000000,?,00000004,?), ref: 004064DF
RegCloseKey.ADVAPI32(?), ref: 0040650D
RegEnumKeyExW.ADVAPI32(00000000,00000001,00000000,?,00000000,00000000,00000000,00000000), ref: 00406530
RegCloseKey.ADVAPI32(00000000), ref: 0040653F

Strings

ServiceName, xrefs: 004064C9
MAC:, xrefs: 00406593
%012I64X, xrefs: 00406556
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards, xrefs: 00406450

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: CloseEnumErrorHeapLastOpen$AllocFreeQueryValue___sbh_find_block___sbh_free_block__lock_malloc
String ID: %012I64X$MAC:$SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards$ServiceName
API String ID: 3177717327-1531755283
Opcode ID: e5e2b6cb0406eebcd3ecfd1ca0ec33acc8a31c79426b9c3f7b5b7b2d670d5707
Instruction ID: 91a01f5ca6e93bf5eebee49e75ff8b246a23b9fedb22c95eae37365d202e933b
Opcode Fuzzy Hash: e5e2b6cb0406eebcd3ecfd1ca0ec33acc8a31c79426b9c3f7b5b7b2d670d5707
Instruction Fuzzy Hash: 6841B171204300BBE620DF95EC85F1BBBE8EFC4B59F40052EF945A22C5E678D908876A

Uniqueness

Uniqueness Score: -1.00%

Function 00408F20 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00408F32

Part of subcall function 00432DB5: __getptd_noexit.LIBCMT ref: 00432DB5

SetLastError.KERNEL32(00000000), ref: 00408F50
_vswprintf_s.LIBCMT ref: 00408FD4
_wcsrchr.LIBCMT ref: 00409015
__snwprintf.LIBCMT ref: 0040903B
__CxxThrowException@8.LIBCMT ref: 00409081
GetLastError.KERNEL32(?,004651D0), ref: 00409094
SetLastError.KERNEL32(00000000), ref: 004090B2
__CxxThrowException@8.LIBCMT ref: 004090D5
__CxxThrowException@8.LIBCMT ref: 004090EB

Strings

4-F, xrefs: 00408F9A
<%s:%d>, xrefs: 00409034

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLast$Exception@8Throw$__getptd_noexit__snwprintf_vswprintf_s_wcsrchr
String ID: 4-F$<%s:%d>
API String ID: 1135991162-2115238217
Opcode ID: 8da0d668e8d2bed21a38bc542d697908a3f4a170cb8d83eb15cc4d257e8be0b2
Instruction ID: 14e59de21d721aaef6b68cd87fe21ec90b452582bd65d8ba9509ecaee94afa43
Opcode Fuzzy Hash: 8da0d668e8d2bed21a38bc542d697908a3f4a170cb8d83eb15cc4d257e8be0b2
Instruction Fuzzy Hash: AB51C1715003019BC720EF29CC85BAB76E9EF89710F05493EF94597296EBB8DD04C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00401640 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\360MachineSignature,00000000,00020119,?,00000000,?,00000000,?,?,?,00401C5E,?,?), ref: 00401666
RegQueryValueExW.ADVAPI32(?,Operator,00000000,?,00000000,?,?,00000000,?,?,?,00401C5E,?,?), ref: 004016AD
RegQueryValueExW.ADVAPI32(?,IssueDate,00000000,?,00000000,?,?,00000000,?,?,?,00401C5E,?,?), ref: 004016F4
RegQueryValueExW.ADVAPI32(?,ExpirationDate,00000000,?,00000000,?,?,00000000,?,?,?,00401C5E,?,?), ref: 00401733
RegQueryValueExW.ADVAPI32(?,SignData,00000000,?,00000000,?,?,00000000,?,?,?,00401C5E,?,?), ref: 0040176A
RegCloseKey.ADVAPI32(?), ref: 004017A8
RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,00401C5E,?,?), ref: 004017C1

Strings

ExpirationDate, xrefs: 00401729
IssueDate, xrefs: 004016EA
SOFTWARE\360MachineSignature, xrefs: 00401656
Operator, xrefs: 0040169E
SignData, xrefs: 00401760

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: QueryValue$Close$Open
String ID: ExpirationDate$IssueDate$Operator$SOFTWARE\360MachineSignature$SignData
API String ID: 2895014784-1479031278
Opcode ID: 2d54e4a1bd58c59d3d4e4eac94afafb44d7a5f605dbedefef143314ab1df9f72
Instruction ID: 1f7021fa9f236602036fbd2601c454c1c7a1e4c58a50fa6465acc4d7145fd61b
Opcode Fuzzy Hash: 2d54e4a1bd58c59d3d4e4eac94afafb44d7a5f605dbedefef143314ab1df9f72
Instruction Fuzzy Hash: AA5130B16043029FC320CF69DC80A6BB7E8EBD4754F444A2EF595E3350E774E9098B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0043B54C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 106COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0043B5C0
__getptd.LIBCMT ref: 0043B5D2

Strings

MOC, xrefs: 0043B574
csm, xrefs: 0043B588
csm, xrefs: 0043B640

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: __getptd
String ID: MOC$csm$csm
API String ID: 3384420010-2232927589
Opcode ID: 392d5472d71fa33a46a6336c1c2ef07575f60051be97fb51371ea02d882e00af
Instruction ID: e8da79c3ca801231d8ecad43d2117962de43db7f41a6095863ddad8b9e0fae0f
Opcode Fuzzy Hash: 392d5472d71fa33a46a6336c1c2ef07575f60051be97fb51371ea02d882e00af
Instruction Fuzzy Hash: 1B31AC71400604DFDB308E59C482B6A73A8FB18319F58692BDA86C7352DB78E9458BDB

Uniqueness

Uniqueness Score: -1.00%

Function 004046F0 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 255fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?,?,?,?,00000000,00000002,00401D80,?,?,?,?,?,?,?,?), ref: 00404709
SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?), ref: 0040479C
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,?), ref: 004047B8
SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?), ref: 00404844

Strings

GetFileSizeEx(), xrefs: 00404713
.\QHImageHlp.c, xrefs: 0040471D, 00404905, 00404928, 00404950, 0040499A, 004049C0
ReadFile(), xrefs: 0040491E
SetFilePointerEx(), xrefs: 004048FB

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: File$Pointer$ReadSize
String ID: .\QHImageHlp.c$GetFileSizeEx()$ReadFile()$SetFilePointerEx()
API String ID: 1971422761-3013408749
Opcode ID: 1d27160b763ea9f39c40ede33503e64cfab6d797d1ed3998228b8f098f8d92e9
Instruction ID: 03dfb4d2336c3ded1a3879e9d3a15ab1a4d94976a0d75a54ec2001c5ebdae41d
Opcode Fuzzy Hash: 1d27160b763ea9f39c40ede33503e64cfab6d797d1ed3998228b8f098f8d92e9
Instruction Fuzzy Hash: 597114B6B443016BD210EA25DD81F2B7395EBC4B15F14493EFA44A73C0EA7DEC0587A6

Uniqueness

Uniqueness Score: -1.00%

Function 0040B650 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040B67A
_memset.LIBCMT ref: 0040B697
GetCurrentProcessId.KERNEL32 ref: 0040B69F
swprintf.LIBCMT ref: 0040B6BF

Part of subcall function 00432B41: __vswprintf_s_l.LIBCMT ref: 00432B55

FindAtomW.KERNEL32(?), ref: 0040B72F
DeleteAtom.KERNEL32(?), ref: 0040B749

Strings

1830B7BD-F7A3-4c4d-989B-C004DE465EDE, xrefs: 0040B6A5
%s-%d-%s:, xrefs: 0040B6B0
{A0972F10-452C-4cd1-904E-B50E394EDE34}, xrefs: 0040B6AB

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: Atom_memset$CurrentDeleteFindProcess__vswprintf_s_lswprintf
String ID: %s-%d-%s:$1830B7BD-F7A3-4c4d-989B-C004DE465EDE${A0972F10-452C-4cd1-904E-B50E394EDE34}
API String ID: 389091746-1980942712
Opcode ID: 437e8d90748bc7b6513a2a46a6f3fe04147eb6367c4c28063d2286c0b8bc6247
Instruction ID: 2e7dcfaec5885a51cec920f46e6640d5eddf5b0521efb3552e3d683f1a8d1c5a
Opcode Fuzzy Hash: 437e8d90748bc7b6513a2a46a6f3fe04147eb6367c4c28063d2286c0b8bc6247
Instruction Fuzzy Hash: 7021F7B1104300ABD314EB64DC96AFBB3A9EFD4700F84453FFA4583191EBB89504879E

Uniqueness

Uniqueness Score: -1.00%

Function 0044569A Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 004456A4
DName::DName.LIBCMT ref: 004456B0

Part of subcall function 004435CF: DName::doPchar.LIBCMT ref: 004435FC

DName::DName.LIBCMT ref: 004456DD

Part of subcall function 00443203: DNameStatusNode::make.LIBCMT ref: 00443231

UnDecorator::getScopedName.LIBCMT ref: 004456EB
DName::operator+=.LIBCMT ref: 004456F5
DName::operator+=.LIBCMT ref: 00445704
DName::operator+=.LIBCMT ref: 00445710
DName::operator+=.LIBCMT ref: 0044571D

Strings

void, xrefs: 004456FC

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: NameName::operator+=$Name::$Decorator::Decorator::getName::doNode::makePcharScopedScoreStatus
String ID: void
API String ID: 2229739886-3531332078
Opcode ID: 5015c3408bcb27d64949bf4dae6a3a8c0bd37e1f0a86d6c0238cc5b9e1a2eb31
Instruction ID: eb00b007f5abc369386499d998b18eebabc6c8172c4893b9a245dc17d1844bad
Opcode Fuzzy Hash: 5015c3408bcb27d64949bf4dae6a3a8c0bd37e1f0a86d6c0238cc5b9e1a2eb31
Instruction Fuzzy Hash: F2118670900504ABEB08EF64C886AAD7B64AB40709F40405BF006A72D2EBB8AA45CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0043F303 Relevance: 15.2, APIs: 10, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

APIs

__getbuf.LIBCMT ref: 00452967
__fileno.LIBCMT ref: 00452978
__fileno.LIBCMT ref: 00452989
__fileno.LIBCMT ref: 00452995
__fileno.LIBCMT ref: 004529A5
__fileno.LIBCMT ref: 004529C8
__fileno.LIBCMT ref: 004529D4
__fileno.LIBCMT ref: 004529E0
__fileno.LIBCMT ref: 004529F0
__cftof.LIBCMT ref: 00452A2C

Part of subcall function 00452CBC: __wctomb_s_l.LIBCMT ref: 00452CCF

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: __fileno$__cftof__getbuf__wctomb_s_l
String ID:
API String ID: 1564009976-0
Opcode ID: 8f5f60656d8aee7740e73f9f92f01c785faa6956bd2cc472c8204fa9af18c4d8
Instruction ID: 83c87296a530c54ed5d9dc8e46f76a92cbeb1989d0cf7a41b3e55cd3b412d914
Opcode Fuzzy Hash: 8f5f60656d8aee7740e73f9f92f01c785faa6956bd2cc472c8204fa9af18c4d8
Instruction Fuzzy Hash: E45133325006059FCB349F29C940A6B73E0AF56329F14852FE8A6D73C2D7B8ED49CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0043784D Relevance: 15.1, APIs: 10, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00437866

Part of subcall function 004356D3: __calloc_impl.LIBCMT ref: 004356E4
Part of subcall function 004356D3: Sleep.KERNEL32(00000000,?,?,00002000), ref: 004356FB

__calloc_crt.LIBCMT ref: 0043788A
__calloc_crt.LIBCMT ref: 004378A6
__copytlocinfo_nolock.LIBCMT ref: 004378CB
__setlocale_nolock.LIBCMT ref: 004378D8
___removelocaleref.LIBCMT ref: 004378E4
___freetlocinfo.LIBCMT ref: 004378EB
__setmbcp_nolock.LIBCMT ref: 00437903
___removelocaleref.LIBCMT ref: 00437918
___freetlocinfo.LIBCMT ref: 0043791F

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: __calloc_crt$___freetlocinfo___removelocaleref$Sleep__calloc_impl__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 2969281212-0
Opcode ID: cca770cd89a3457768f8d1dee5c51a7bb805c9547a9ab6f93a5d569ae38ab5d2
Instruction ID: 0bda3ca86f29450c0e7a3ef308c41bbb666b0ae9fb036e98977096b7d3cefda8
Opcode Fuzzy Hash: cca770cd89a3457768f8d1dee5c51a7bb805c9547a9ab6f93a5d569ae38ab5d2
Instruction Fuzzy Hash: 12210675208A01EBE7357F27D806A0A7BE0DF8D364F61943FF4C556261DE399801C65D

Uniqueness

Uniqueness Score: -1.00%

Function 004049E0 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 220fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,00405C4F,?,00000000,?), ref: 004049FC
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00405C4F,?,00000000,?), ref: 00404A9C
ReadFile.KERNEL32(?,?,00008000,?,00000000,?,?,?,?,?,00405C4F,?,00000000,?), ref: 00404AB8
_memset.LIBCMT ref: 00404B63

Strings

GetFileSizeEx(), xrefs: 00404A08
.\QHImageHlp.c, xrefs: 00404A12, 00404BC6, 00404BE8, 00404C0F, 00404C34, 00404C59
ReadFile(), xrefs: 00404BDE
SetFilePointerEx(), xrefs: 00404BBC

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: File$PointerReadSize_memset
String ID: .\QHImageHlp.c$GetFileSizeEx()$ReadFile()$SetFilePointerEx()
API String ID: 1834740430-3013408749
Opcode ID: dd4a552fa05887f9568b90e49408ec4a10f34fd83e3cde6fc923f0df16e78341
Instruction ID: c7279cdef8b6de9ed2af9f0036a7ef1b0d318f082f7ee79805dd3dc40297ac8b
Opcode Fuzzy Hash: dd4a552fa05887f9568b90e49408ec4a10f34fd83e3cde6fc923f0df16e78341
Instruction Fuzzy Hash: 816126B17443006BD314DA29DD81B2BB3E0EBC8755F04493EF988E3280E77CE9448B8A

Uniqueness

Uniqueness Score: -1.00%

Function 00403970 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 153fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?), ref: 004039C5
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 00403A7F
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 00403AA9
SetEndOfFile.KERNEL32(?), ref: 00403AE9

Strings

GetFileSizeEx(), xrefs: 004039CF
.\QHImageHlp.c, xrefs: 0040399F, 00403B01
SetEndOfFile(), xrefs: 00403AF7
SetFilePointerEx(), xrefs: 00403B1A, 00403B26

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: File$Pointer$Size
String ID: .\QHImageHlp.c$GetFileSizeEx()$SetEndOfFile()$SetFilePointerEx()
API String ID: 408439848-1520550917
Opcode ID: efe5ed57b227063c12dfbf8f0175d8ac109c7d29c0f11d32ce57c5971a172218
Instruction ID: 1b605d734e155b873fdfd4f28f3e3ae818b90f9930aa0250b92f2f22e38c86b6
Opcode Fuzzy Hash: efe5ed57b227063c12dfbf8f0175d8ac109c7d29c0f11d32ce57c5971a172218
Instruction Fuzzy Hash: 3641B4317043015BD710DE659D81B2B7BD8AB88B4AF04093FF584B72C1E6BCEA058A9E

Uniqueness

Uniqueness Score: -1.00%

Function 004037C0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 138fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?), ref: 004037D1
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 0040386C
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040388C
SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000000), ref: 004038B3

Strings

GetFileSizeEx(), xrefs: 004037DB
.\QHImageHlp.c, xrefs: 00403931, 00403957
ReadFile(), xrefs: 0040391B
SetFilePointerEx(), xrefs: 0040390F, 0040394D

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: File$Pointer$ReadSize
String ID: .\QHImageHlp.c$GetFileSizeEx()$ReadFile()$SetFilePointerEx()
API String ID: 1971422761-3013408749
Opcode ID: d80dedbebb2793100ef8afd5d2585e2e953f73e2ae1894905a99123231bb69ca
Instruction ID: bd2c35f2d9b3925e1a7ba6d6698aa27c55923003429fdbcc139eee9cb6e742a9
Opcode Fuzzy Hash: d80dedbebb2793100ef8afd5d2585e2e953f73e2ae1894905a99123231bb69ca
Instruction Fuzzy Hash: 2A41E3727043016BD710EE29DD81F2BBBD9BBC4B12F14493EF990A62C1D6B8DA04875A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B360 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040B391
_memset.LIBCMT ref: 0040B3AE
GetCurrentProcessId.KERNEL32 ref: 0040B3B6
swprintf.LIBCMT ref: 0040B3D6

Part of subcall function 00432B41: __vswprintf_s_l.LIBCMT ref: 00432B55

GetAtomNameW.KERNEL32(0000C000,?,00000104), ref: 0040B41E

Strings

1830B7BD-F7A3-4c4d-989B-C004DE465EDE, xrefs: 0040B3BC
%s-%d-%s:, xrefs: 0040B3C7
{A0972F10-452C-4cd1-904E-B50E394EDE34}, xrefs: 0040B3C2

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: _memset$AtomCurrentNameProcess__vswprintf_s_lswprintf
String ID: %s-%d-%s:$1830B7BD-F7A3-4c4d-989B-C004DE465EDE${A0972F10-452C-4cd1-904E-B50E394EDE34}
API String ID: 1762070210-1980942712
Opcode ID: 04201b845daf679fd702f084c1f8ee3b84df7fdc10a14036f8850c1365b6ed34
Instruction ID: d3ba892406a69276a2d9f1b618fdd1f673d4abaf0ab7cd1099eba7940fe984af
Opcode Fuzzy Hash: 04201b845daf679fd702f084c1f8ee3b84df7fdc10a14036f8850c1365b6ed34
Instruction Fuzzy Hash: 263189B16043006BD210EB68DC85EABB3E8EF98704F40493FF94593192E775A904879A

Uniqueness

Uniqueness Score: -1.00%

Function 00409180 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00409195
GetLocalTime.KERNEL32(?), ref: 004091A2
__swprintf.LIBCMT ref: 004091C5
_vswprintf_s.LIBCMT ref: 004091FD
OutputDebugStringW.KERNEL32(?), ref: 00409218
OutputDebugStringW.KERNEL32(00462D84), ref: 0040921F
OutputDebugStringW.KERNEL32(?), ref: 00409246

Strings

<%08X> %02hu:%02hu:%02hu: , xrefs: 004091BF

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: DebugOutputString$CurrentLocalThreadTime__swprintf_vswprintf_s
String ID: <%08X> %02hu:%02hu:%02hu:
API String ID: 2086888202-2163415560
Opcode ID: 13ecc129a4f9194a9cc056268f5a874c4d06aae9f71d9bff6946beeb61dacec8
Instruction ID: 8e58f0009974f807aa0a88d16c54b8bf9c07752b702b58f5e1e4d755a66998c4
Opcode Fuzzy Hash: 13ecc129a4f9194a9cc056268f5a874c4d06aae9f71d9bff6946beeb61dacec8
Instruction Fuzzy Hash: 8721C371504311AFD728EB64DD89AFF73E4EFD8700F804A5EF88986191EA789904C797

Uniqueness

Uniqueness Score: -1.00%

Function 0042E240 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 61windowtimeCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Q360AdvToolExecutorWndClass,360AdvToolExecutor), ref: 0042E263
_memset.LIBCMT ref: 0042E28E
GetCommandLineW.KERNEL32 ref: 0042E2A0
IsWindow.USER32(00000000), ref: 0042E2E8
SendMessageTimeoutW.USER32(00000000,0000004A,00000000,00000064,00000001,000007D0,00000000), ref: 0042E319

Strings

360AdvToolExecutor, xrefs: 0042E259
d, xrefs: 0042E2C4
Q360AdvToolExecutorWndClass, xrefs: 0042E25E

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: Window$CommandFindLineMessageSendTimeout_memset
String ID: 360AdvToolExecutor$Q360AdvToolExecutorWndClass$d
API String ID: 1428618593-896946901
Opcode ID: f952c6319ded637e8a2be25a1d5eb67e1dd8c4e37a3a0c622363d516aaf7f046
Instruction ID: be255b2814a9b3d3b0f80194d172021b69f52db360a7e57986c6838927bbd2eb
Opcode Fuzzy Hash: f952c6319ded637e8a2be25a1d5eb67e1dd8c4e37a3a0c622363d516aaf7f046
Instruction Fuzzy Hash: CF216DB0A403189FDB10DF60DC45B99B7F8BF08705F50C5E9A549A6281DFB4AA88CFD9

Uniqueness

Uniqueness Score: -1.00%

Function 004404E9 Relevance: 13.6, APIs: 9, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

__getbuf.LIBCMT ref: 00452967
__fileno.LIBCMT ref: 00452978
__fileno.LIBCMT ref: 00452989
__fileno.LIBCMT ref: 00452995
__fileno.LIBCMT ref: 004529A5
__fileno.LIBCMT ref: 004529C8
__fileno.LIBCMT ref: 004529D4
__fileno.LIBCMT ref: 004529E0
__fileno.LIBCMT ref: 004529F0

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: __fileno$__getbuf
String ID:
API String ID: 3695372198-0
Opcode ID: c173f9ec17edaa17f6ee4bf5f7f1f9aa3a8cbada4bbe69cdd912e2c5fecacc7a
Instruction ID: 6b936e4868124953b0f543ace5912ab53509dea9887a6f8d0f4e089e0e30c8cc
Opcode Fuzzy Hash: c173f9ec17edaa17f6ee4bf5f7f1f9aa3a8cbada4bbe69cdd912e2c5fecacc7a
Instruction Fuzzy Hash: 334136325006448BC734AB29D940A6B7390AF57329F24456FEC66D73C2D7BCEE4A874D

Uniqueness

Uniqueness Score: -1.00%

Function 004052C0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?), ref: 0040532D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040536F

Strings

GetFileSizeEx(), xrefs: 00405337
.\QHImageHlp.c, xrefs: 004052E4, 00405341, 00405398, 004053F5
SetFilePointerEx(), xrefs: 004053EB

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: FileSizeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: .\QHImageHlp.c$GetFileSizeEx()$SetFilePointerEx()
API String ID: 1756747699-2561355867
Opcode ID: 045e6cca237012a5d873fd085605a78d8d810dd21c2544b345ca439df9fc10a8
Instruction ID: bf7b32a8e1ee1daeb80faca7c9eea0b1b867eadaca1b8f7f38da0fe90859c255
Opcode Fuzzy Hash: 045e6cca237012a5d873fd085605a78d8d810dd21c2544b345ca439df9fc10a8
Instruction Fuzzy Hash: 1F51E270740B016BE318EF24DC81FA7B3A4FB84714F54453EE908937C1E7B9A8548A99

Uniqueness

Uniqueness Score: -1.00%

Function 0040B540 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040B56E
_memset.LIBCMT ref: 0040B58B
GetCurrentProcessId.KERNEL32 ref: 0040B593
swprintf.LIBCMT ref: 0040B5AF

Part of subcall function 00432B41: __vswprintf_s_l.LIBCMT ref: 00432B55

GetAtomNameW.KERNEL32(0000C000,?,00000104), ref: 0040B5EE

Strings

{A0972F10-452C-4cd1-904E-B50E394EDE34}, xrefs: 0040B59B
%s-%d-%s:, xrefs: 0040B5A0

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: _memset$AtomCurrentNameProcess__vswprintf_s_lswprintf
String ID: %s-%d-%s:${A0972F10-452C-4cd1-904E-B50E394EDE34}
API String ID: 1762070210-3571227826
Opcode ID: 82fb826cdcdc4336f7a5b576b1eafced99041a18518562a134d50a0958fb8c3e
Instruction ID: cbba3bbbb2408f3d45a6993105ac790f0c08af2375fe902b13238ad858c14082
Opcode Fuzzy Hash: 82fb826cdcdc4336f7a5b576b1eafced99041a18518562a134d50a0958fb8c3e
Instruction Fuzzy Hash: 4121A9726043046BD320EB54DC85AFBB398DF84714F44493EFA4597181EA79A90487DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040B4A0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040B4C9
GetCurrentProcessId.KERNEL32 ref: 0040B4D1
swprintf.LIBCMT ref: 0040B4F2

Part of subcall function 00432B41: __vswprintf_s_l.LIBCMT ref: 00432B55

AddAtomW.KERNEL32(?), ref: 0040B4FF

Strings

1830B7BD-F7A3-4c4d-989B-C004DE465EDE, xrefs: 0040B4D8
%s-%d-%s:%s, xrefs: 0040B4E3
{A0972F10-452C-4cd1-904E-B50E394EDE34}, xrefs: 0040B4DE

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: AtomCurrentProcess__vswprintf_s_l_memsetswprintf
String ID: %s-%d-%s:%s$1830B7BD-F7A3-4c4d-989B-C004DE465EDE${A0972F10-452C-4cd1-904E-B50E394EDE34}
API String ID: 1330282167-1301288515
Opcode ID: 5475c2726ad21a62d9e50e63b03a8a0c46f1695309ac880fdee57f2ad6116d02
Instruction ID: 49f90f98050547606b8eda84904ebd6c00acf6bbc8e1d7b343d1764b10b85a19
Opcode Fuzzy Hash: 5475c2726ad21a62d9e50e63b03a8a0c46f1695309ac880fdee57f2ad6116d02
Instruction Fuzzy Hash: 0E0149B16403007BD300EF61DC86ABBB3A8EF94B04F80083BB994C2181FAF8E404479A

Uniqueness

Uniqueness Score: -1.00%

Function 00404530 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 119fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,000000CC,?,?,?,?,?,0040519E,?,?), ref: 00404576
ReadFile.KERNEL32(?,?,00000008,?,00000000,?,?,?,?,?,0040519E,?,?,00000001,00000000), ref: 00404593

Strings

.\QHImageHlp.c, xrefs: 004045A7, 004045D3, 00404602, 00404662
ReadFile(), xrefs: 0040459D
SetFilePointerEx(), xrefs: 00404658

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: File$PointerRead
String ID: .\QHImageHlp.c$ReadFile()$SetFilePointerEx()
API String ID: 3154509469-2897820174
Opcode ID: 56332d5397ddc3112434a387f4fff7781493f3edbc103fc4514e60ab288b49f8
Instruction ID: a7ba87d3e4fafd734ddcf6f3cd13cbc0dee90a629a9315bd97f3778bfee0730c
Opcode Fuzzy Hash: 56332d5397ddc3112434a387f4fff7781493f3edbc103fc4514e60ab288b49f8
Instruction Fuzzy Hash: 1E4173B0644301ABD610DF11D981A2B73E8EBC9745F404D3FFA85A72C0FBB999058B5B

Uniqueness

Uniqueness Score: -1.00%

Function 0040C150 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 0040C159

Part of subcall function 0040C4D0: _DebugHeapAllocator.LIBCPMTD ref: 0040C4E0

CoInitialize.OLE32(00000000), ref: 0040C19E

Part of subcall function 0042E240: FindWindowW.USER32(Q360AdvToolExecutorWndClass,360AdvToolExecutor), ref: 0042E263
Part of subcall function 0042E240: _memset.LIBCMT ref: 0042E28E
Part of subcall function 0042E240: GetCommandLineW.KERNEL32 ref: 0042E2A0
Part of subcall function 0042E240: IsWindow.USER32(00000000), ref: 0042E2E8
Part of subcall function 0042E240: SendMessageTimeoutW.USER32(00000000,0000004A,00000000,00000064,00000001,000007D0,00000000), ref: 0042E319

Strings

Q360SafeMutex_Q360AdvToolExecutorMutex, xrefs: 0040C1A7
\360Util.dll, xrefs: 0040C15E

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: Window$AllocatorCommandDebugFindHeapInitializeIterator_baseIterator_base::_LineMessageSendTimeout_memsetstd::_
String ID: Q360SafeMutex_Q360AdvToolExecutorMutex$\360Util.dll
API String ID: 2683895894-2924836915
Opcode ID: d3b5a0732abc0df9c812d955e8ee18da3f166e572647cfff1f4a083dca471343
Instruction ID: 2be0485e52df47f87d2654ae8b8a047a1d11b9ef034e44ab1b14c8653dacfca3
Opcode Fuzzy Hash: d3b5a0732abc0df9c812d955e8ee18da3f166e572647cfff1f4a083dca471343
Instruction Fuzzy Hash: 53410070D10108EBCB04EBE5DC92AED7778AF14308F4045AEE902771D1EF786A09CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00404D70 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000000), ref: 00404D95
WriteFile.KERNEL32(?,?,00000008,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00404DAE

Strings

.\QHImageHlp.c, xrefs: 00404DC2, 00404DEB, 00404E37
SetFilePointerEx(), xrefs: 00404E2D
WriteFile(), xrefs: 00404DB8

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: File$PointerWrite
String ID: .\QHImageHlp.c$SetFilePointerEx()$WriteFile()
API String ID: 539440098-3552954839
Opcode ID: 430e23e13aa7738b3b1f8b4cdc884e8e9eda3a3689b7ea57677f209dda7beab1
Instruction ID: 549b3c329b9650cef16aae18e47ccf49b9e830f2323170fbef0b8720ceabb87a
Opcode Fuzzy Hash: 430e23e13aa7738b3b1f8b4cdc884e8e9eda3a3689b7ea57677f209dda7beab1
Instruction Fuzzy Hash: 2821A5B67007006BE310DA299C82FB77398EBC4711F44483FFA54E22D1F6BDD90986A6

Uniqueness

Uniqueness Score: -1.00%

Function 00408BC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000005,00000000,?,7622DFA0,004089BF,?,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040), ref: 00408BC8

Part of subcall function 00432DB5: __getptd_noexit.LIBCMT ref: 00432DB5

SetLastError.KERNEL32(00000000,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 00408BE6
_wcschr.LIBCMT ref: 00408C1B
_wcschr.LIBCMT ref: 00408C3E
__snwprintf.LIBCMT ref: 00408CAD

Strings

%1d|%04hu-%02hu-%02hu|%02hu:%02hu:%02hu|%s|%d|%s|%s|%d|%s, xrefs: 00408C9C

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$__getptd_noexit__snwprintf
String ID: %1d|%04hu-%02hu-%02hu|%02hu:%02hu:%02hu|%s|%d|%s|%s|%d|%s
API String ID: 2287154907-1296420124
Opcode ID: fee108e2de2b253099acefbf970527ccea13f099144c85f6f397bf0c900a826a
Instruction ID: 172b17a69a1951cee07f9fb1351cdc207f06d73bc90140ef39942ad08a7788cd
Opcode Fuzzy Hash: fee108e2de2b253099acefbf970527ccea13f099144c85f6f397bf0c900a826a
Instruction Fuzzy Hash: 5A21B6B2500714ABD3209B65DD45FB7B3F8EF48741F00842EF98987281EB7CA8008774

Uniqueness

Uniqueness Score: -1.00%

Function 00443FED Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getArgumentTypes.LIBCMT ref: 00444028
operator+.LIBCMT ref: 00444037
DName::DName.LIBCMT ref: 00444054
DName::operator+.LIBCMT ref: 0044405B
DName::operator+.LIBCMT ref: 00444062

Strings

throw(, xrefs: 00444031, 0044404C

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: Name::operator+$ArgumentDecorator::getNameName::Typesoperator+
String ID: throw(
API String ID: 4203687869-3159766648
Opcode ID: 65a34e9b409ec9004d59ea8c39782607beeff06af4b3fea58027fa1141fbf606
Instruction ID: 428951cbcfe74a0240c373cc1e93f32a0656e90a4d407b596630d3e776d7e093
Opcode Fuzzy Hash: 65a34e9b409ec9004d59ea8c39782607beeff06af4b3fea58027fa1141fbf606
Instruction Fuzzy Hash: 8B01AC75640208AFDF00EF64DC46FAE37B5EB84709F008057F901AB291D679EA058789

Uniqueness

Uniqueness Score: -1.00%

Function 0040B9F0 Relevance: 9.1, APIs: 6, Instructions: 97synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,0045B0F0,000000FF,?,004083AC,?,00403F3C,00000000,00000000), ref: 0040BA69
__CxxThrowException@8.LIBCMT ref: 0040BA99
TlsSetValue.KERNEL32(?,00000000,?,?,?,?,?,?,0045B0F0,000000FF,?,004083AC,?,00403F3C,00000000,00000000), ref: 0040BAAE
__CxxThrowException@8.LIBCMT ref: 0040BAC8

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$ObjectSingleValueWait
String ID:
API String ID: 2586364301-0
Opcode ID: 16afd0f5b96ec433a7f44ac714009dcb17a785963acd1a11252a5c6dbd44d47e
Instruction ID: 82b94f8ae3ea0c74fc68bf355bcced71143dc14b0de1f656a462604ca47169f4
Opcode Fuzzy Hash: 16afd0f5b96ec433a7f44ac714009dcb17a785963acd1a11252a5c6dbd44d47e
Instruction Fuzzy Hash: 50317271B046049BCB10DB699984A6FB7B4EB44724F20466AE415F33D1E7799D008FD9

Uniqueness

Uniqueness Score: -1.00%

Function 004029A0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 286COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004029F3
_malloc.LIBCMT ref: 00402AF5
SetLastError.KERNEL32(00000008,00002000), ref: 00402B05

Part of subcall function 004050D0: _malloc.LIBCMT ref: 004050DC
Part of subcall function 004050D0: SetLastError.KERNEL32(00000008,?,00402A5E,?,00002000), ref: 004050EE

Strings

`"F, xrefs: 00402CA9
.\QHCheckCertificate.c, xrefs: 00402B21

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLast_malloc$_memset
String ID: .\QHCheckCertificate.c$`"F
API String ID: 1834304950-2309566295
Opcode ID: 7ed07e5735caa85ddfcceed7d1779d4573f8b94b652b00a3a12b9954510cbd8c
Instruction ID: 921698dc5f8c579624ca89809a31f904028b7c0024d22f220bc3dc5a3c6b6cd7
Opcode Fuzzy Hash: 7ed07e5735caa85ddfcceed7d1779d4573f8b94b652b00a3a12b9954510cbd8c
Instruction Fuzzy Hash: 5BB16AB19083019BE720DF25C58875BB7E4AF84344F04493EF899A62D1E7B8E949CB97

Uniqueness

Uniqueness Score: -1.00%

Function 00402310 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040243D
SetLastError.KERNEL32(00000008), ref: 0040244D

Part of subcall function 00404EF0: _malloc.LIBCMT ref: 00404EFC
Part of subcall function 00404EF0: SetLastError.KERNEL32(00000008,00000003,004023AF,00000000), ref: 00404F0E

Strings

`"F, xrefs: 00402585
X!F, xrefs: 00402527
.\QHCheckCertificate.c, xrefs: 00402469

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLast_malloc
String ID: .\QHCheckCertificate.c$X!F$`"F
API String ID: 1018170914-3988528553
Opcode ID: ced2b3246bb548433fe6192039cd183e0597671a36ff0efda0a7d5906754ef41
Instruction ID: ffef2bb2e26d9b2751a906ac4d56d605a7bea727a65ec4aa2e850bc7b12c3673
Opcode Fuzzy Hash: ced2b3246bb548433fe6192039cd183e0597671a36ff0efda0a7d5906754ef41
Instruction Fuzzy Hash: 57918CB05083019BD710DF25D95476BB7E4BB88348F04493EF889A73C1E7B9D90ACB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405820 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040591B
SetLastError.KERNEL32(00000008,?), ref: 0040592D

Part of subcall function 004046F0: GetFileSizeEx.KERNEL32(?,?,?,?,?,00000000,00000002,00401D80,?,?,?,?,?,?,?,?), ref: 00404709

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004059B9
_memset.LIBCMT ref: 004059CF

Part of subcall function 0042F2AE: __lock.LIBCMT ref: 0042F2CC
Part of subcall function 0042F2AE: ___sbh_find_block.LIBCMT ref: 0042F2D7
Part of subcall function 0042F2AE: ___sbh_free_block.LIBCMT ref: 0042F2E6
Part of subcall function 0042F2AE: HeapFree.KERNEL32(00000000,?,00464668,0000000C,0043383B,00000000,004648F0,0000000C,00433875,?,?,?,004479C3,00000004,00464E28,0000000C), ref: 0042F316
Part of subcall function 0042F2AE: GetLastError.KERNEL32(?,004479C3,00000004,00464E28,0000000C,004356E9,?,?,00000000,00000000,00000000,?,004352B5,00000001,00000214), ref: 0042F327

Strings

.\QHImageHlp.c, xrefs: 0040593D

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLast$FileFreeHeapSizeUnothrow_t@std@@@___sbh_find_block___sbh_free_block__ehfuncinfo$??2@__lock_malloc_memset
String ID: .\QHImageHlp.c
API String ID: 2739003063-3639949391
Opcode ID: 53e53731d5dc0c79f27a45eb467555df1d4b9eb4aa099394e6c9ad2dd20175f5
Instruction ID: 517ecf2449ff4585e6a4ee02c056efbb873295a583b86914759d382ca83a3ea7
Opcode Fuzzy Hash: 53e53731d5dc0c79f27a45eb467555df1d4b9eb4aa099394e6c9ad2dd20175f5
Instruction Fuzzy Hash: 405181B1A047059FD310DF26D881A5BF7E4FB88314F44893EE98893341E779E919CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00401BE0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00401BF9

Part of subcall function 0042FB25: __FF_MSGBANNER.LIBCMT ref: 0042FB48
Part of subcall function 0042FB25: __NMSG_WRITE.LIBCMT ref: 0042FB4F
Part of subcall function 0042FB25: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,?,00402AFA), ref: 0042FB9C

SetLastError.KERNEL32(00000008,?), ref: 00401C0D
_malloc.LIBCMT ref: 00401C8F
SetLastError.KERNEL32(00000008,?,?,?), ref: 00401CA3

Strings

h#F, xrefs: 00401CE6

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLast_malloc$AllocHeap
String ID: h#F
API String ID: 2260188370-2559823950
Opcode ID: 726705ae21d8206b44e732c66c3c47d14e3477e3fb47bf417179ed846ee2f9e3
Instruction ID: 184c4f878ba588457f840cd7963ecda33a4738cc9467846cf079588f42e61e28
Opcode Fuzzy Hash: 726705ae21d8206b44e732c66c3c47d14e3477e3fb47bf417179ed846ee2f9e3
Instruction Fuzzy Hash: 1D4192B16043009FD310EF65D88176BB7E4AF84358F44093FF986A7291EA79E9098B57

Uniqueness

Uniqueness Score: -1.00%

Function 00408A00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 00408950: GetLastError.KERNEL32(?,?,?,00408AFA,?,?,00000000,?,00403DA0,00403DA0,.\QHImageHlp.c,000000F9,SetFilePointerEx(),?,00403F3C,00000000), ref: 00408953
Part of subcall function 00408950: SetLastError.KERNEL32(00000000,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 00408960
Part of subcall function 00408950: SetLastError.KERNEL32(?,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 00408999
Part of subcall function 00408950: SetLastError.KERNEL32(?,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 004089DA

__CxxThrowException@8.LIBCMT ref: 00408A2C

Part of subcall function 00430AEE: RaiseException.KERNEL32(?,?,?,00408A31,?,?,?,?,?,00408A31,004651D0,004651D0,?,?,00408AC0,F:\WorkCode\Pub\360GPUBNew\dev\include\Interface\QHTL.h), ref: 00430B30

__CxxThrowException@8.LIBCMT ref: 00408A64
SetLastError.KERNEL32(00000008,0A0B9F7F,?,?,0046AFB0,0040BC07), ref: 00408A9D

Part of subcall function 00408A00: __CxxThrowException@8.LIBCMT ref: 00408AD0

Strings

F:\WorkCode\Pub\360GPUBNew\dev\include\Interface\QHTL.h, xrefs: 00408AAD

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLast$Exception@8Throw$ExceptionRaise
String ID: F:\WorkCode\Pub\360GPUBNew\dev\include\Interface\QHTL.h
API String ID: 2285286292-3244885242
Opcode ID: 81b26aa33b47442ad6151af77df4906e466fb63e331fc59c623991658bfe5acd
Instruction ID: 78f608b893dcfaa12b1571cf0af7875c925312e8e6e0c0c1070cb4c6a42332e9
Opcode Fuzzy Hash: 81b26aa33b47442ad6151af77df4906e466fb63e331fc59c623991658bfe5acd
Instruction Fuzzy Hash: 612171B1908705BFC304EB55DD41F6BB7ECEB88704F50891EB559D2181E7B499048B76

Uniqueness

Uniqueness Score: -1.00%

Function 00405660 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00002000), ref: 00405680
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,00002000), ref: 004056DC

Strings

GetFileSizeEx(), xrefs: 0040568C
.\QHImageHlp.c, xrefs: 00405696, 004056F0
SetFilePointerEx(), xrefs: 004056E6

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: File$PointerSize
String ID: .\QHImageHlp.c$GetFileSizeEx()$SetFilePointerEx()
API String ID: 3549600656-2561355867
Opcode ID: 002aeee8aa800f027f19e688b6a306bc8dd117ebe09191bab169b82a2e1697c7
Instruction ID: 4410d8122ce1d505d7394927de24803af10f6d9e91fe08e3b22825f4f107851b
Opcode Fuzzy Hash: 002aeee8aa800f027f19e688b6a306bc8dd117ebe09191bab169b82a2e1697c7
Instruction Fuzzy Hash: 8521F5367003055BD710DE6AAC81B17B3D5EBC4756F54083FE948E3381EA7AE8099B69

Uniqueness

Uniqueness Score: -1.00%

Function 00403B40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 004037C0: GetFileSizeEx.KERNEL32(?,?), ref: 004037D1

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 00403B7D
_memset.LIBCMT ref: 00403BC1
SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000), ref: 00403BD8

Strings

.\QHImageHlp.c, xrefs: 00403B91
SetFilePointerEx(), xrefs: 00403B87

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: File$Pointer$Size_memset
String ID: .\QHImageHlp.c$SetFilePointerEx()
API String ID: 1683371807-3914906174
Opcode ID: 5a486bb19bd36d66ff325cd2ee65ff1c875d8307be99d6bec348bddb0553e176
Instruction ID: f0b076e3bf47f6dd10362d227eaba9b5b1ad37131829524ffb3952f504e23e11
Opcode Fuzzy Hash: 5a486bb19bd36d66ff325cd2ee65ff1c875d8307be99d6bec348bddb0553e176
Instruction Fuzzy Hash: C011D6727403016BD3209E7AAC45F2B7BDD9BC4B59F05483EB509E32C2E978F9058264

Uniqueness

Uniqueness Score: -1.00%

Function 00403A69 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 00403A7F

Part of subcall function 00403660: ReadFile.KERNEL32(?,?,?,O>@,00000000,?,00403E4F,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 0040366B

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 00403AA9

Part of subcall function 004036C0: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004036CB

SetEndOfFile.KERNEL32(?), ref: 00403AE9

Strings

.\QHImageHlp.c, xrefs: 00403B01
SetEndOfFile(), xrefs: 00403AF7

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: File$Pointer$ReadWrite
String ID: .\QHImageHlp.c$SetEndOfFile()
API String ID: 2453416919-4247281097
Opcode ID: e68519310e03d1bb457b939415d6ef20be6265009fbd0bc666f42bf69442ea78
Instruction ID: 5d0f3968e9851f9b99018475ece1dc7d729d9a4bcc906fb307764f292e235d7a
Opcode Fuzzy Hash: e68519310e03d1bb457b939415d6ef20be6265009fbd0bc666f42bf69442ea78
Instruction Fuzzy Hash: 48114F317483006BD310DE61DC81F2B77E8BBC8B49F04493DF584E72D1E678EA018A5A

Uniqueness

Uniqueness Score: -1.00%

Function 00402ED0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402EE9
CloseHandle.KERNEL32(00000000), ref: 00402F2A

Strings

CreateFile(), xrefs: 00402EF8
.\QHCheckCertificate.c, xrefs: 00402F02

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 3498533004-1597445517
Opcode ID: 2bc59f0d90a408989745d97ca6cca8a47ae2d70541a7406858ea88eb858da6c3
Instruction ID: 0d988d63105b4594c576dab5bfcb39c7112a556cb757edef9281528a5c4386ee
Opcode Fuzzy Hash: 2bc59f0d90a408989745d97ca6cca8a47ae2d70541a7406858ea88eb858da6c3
Instruction Fuzzy Hash: A1F04C727803117BE63866B47D49F8B2294AB84FA6F20063AF646F52C1EDF8D400529D

Uniqueness

Uniqueness Score: -1.00%

Function 004026A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004026B4
CloseHandle.KERNEL32(00000000), ref: 004026FF
CloseHandle.KERNEL32(00000000), ref: 00402709

Strings

CreateFile(), xrefs: 004026CB
.\QHCheckCertificate.c, xrefs: 004026D5

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateFile
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 1378612225-1597445517
Opcode ID: 5c2f589d72594a6186557a34d8f9ab2629b2f4204b1ce97046b22886ab6b4dfd
Instruction ID: 5e1955fbec3b060e4e2a518d0272971e3ebcf4dc4b7bfd94ca19ef33900dbc19
Opcode Fuzzy Hash: 5c2f589d72594a6186557a34d8f9ab2629b2f4204b1ce97046b22886ab6b4dfd
Instruction Fuzzy Hash: D8F0E931794711BAEA7433747D8EF9B26855B80F14F100A36FD05B62C1FAFD9881815C

Uniqueness

Uniqueness Score: -1.00%

Function 00402720 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402734
CloseHandle.KERNEL32(00000000), ref: 0040277F
CloseHandle.KERNEL32(00000000), ref: 00402789

Strings

CreateFile(), xrefs: 0040274B
.\QHCheckCertificate.c, xrefs: 00402755

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateFile
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 1378612225-1597445517
Opcode ID: 0bf16aa2d3ef532428e59290cc4adf6f004b3245f62f8279228f85975612d61d
Instruction ID: f9563fed443bc3ce27cc42163b1b5cd02e9fef1377e61b0ea9412f65184119cf
Opcode Fuzzy Hash: 0bf16aa2d3ef532428e59290cc4adf6f004b3245f62f8279228f85975612d61d
Instruction Fuzzy Hash: BEF02435B803117AEA302370BD8EF9B26859B80B14F100639FA05B62C1EAFC8841815D

Uniqueness

Uniqueness Score: -1.00%

Function 004028B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00402883,?), ref: 004028C4
CloseHandle.KERNEL32(00000000), ref: 00402910
CloseHandle.KERNEL32(00000000), ref: 0040291A

Strings

CreateFile(), xrefs: 004028DB
.\QHCheckCertificate.c, xrefs: 004028E5

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateFile
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 1378612225-1597445517
Opcode ID: 3d46a497373ff0ad7eed8fa03e9e28bf72ad28d7d9b947b8055b5f28c65ecda9
Instruction ID: 375de4f723d5be440e722e00ee92808fc970c294448244241056da5e2b769c1f
Opcode Fuzzy Hash: 3d46a497373ff0ad7eed8fa03e9e28bf72ad28d7d9b947b8055b5f28c65ecda9
Instruction Fuzzy Hash: F2F02435B80310BAEA202734BD4AB8B26856B80B25F104636F905B62C1E9F89842818D

Uniqueness

Uniqueness Score: -1.00%

Function 00402DC0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402DD4
CloseHandle.KERNEL32(00000000), ref: 00402E20
CloseHandle.KERNEL32(00000000), ref: 00402E2A

Strings

CreateFile(), xrefs: 00402DEB
.\QHCheckCertificate.c, xrefs: 00402DF5

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateFile
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 1378612225-1597445517
Opcode ID: 466f3db981c29cd9ab0c083d27e948281e14ea849801040089524df0435ad0a5
Instruction ID: d6c0eacc6a58afcf47488b7d74c908ad0bdafdd572413e70eb707a3f30383844
Opcode Fuzzy Hash: 466f3db981c29cd9ab0c083d27e948281e14ea849801040089524df0435ad0a5
Instruction Fuzzy Hash: CBF05031780310BBFA302334BD4EFC726855B80B25F110636F901B52C1F9FC9841818C

Uniqueness

Uniqueness Score: -1.00%

Function 00402E40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402E54
CloseHandle.KERNEL32(00000000), ref: 00402EA0
CloseHandle.KERNEL32(00000000), ref: 00402EAA

Strings

CreateFile(), xrefs: 00402E6B
.\QHCheckCertificate.c, xrefs: 00402E75

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateFile
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 1378612225-1597445517
Opcode ID: c3f94df5d2f6d5abf00dbf80a7ee594fe615d63b672bcb7178dd43aa0c17e214
Instruction ID: ff91d42f4f04c0cb6f8a41b4dd40f6b58b4c815e4b6c7e4a66f809b21b469755
Opcode Fuzzy Hash: c3f94df5d2f6d5abf00dbf80a7ee594fe615d63b672bcb7178dd43aa0c17e214
Instruction Fuzzy Hash: 75F02435B803127BEA302374BD4AB8B26855B80B55F100636F905B62C2EAFC8841819D

Uniqueness

Uniqueness Score: -1.00%

Function 00402230 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040220A), ref: 00402244
CloseHandle.KERNEL32(00000000), ref: 00402286

Strings

CreateFile(), xrefs: 00402251
.\QHCheckCertificate.c, xrefs: 0040225B

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 3498533004-1597445517
Opcode ID: 1db1b76687a4e8bb440efb1425c83ca015f779a6c3482fc86869fdcb9be7f4e9
Instruction ID: ea553e56fd4a06c38728b9b31d26958a910725e45176fca1fa0d9a5223a05e07
Opcode Fuzzy Hash: 1db1b76687a4e8bb440efb1425c83ca015f779a6c3482fc86869fdcb9be7f4e9
Instruction Fuzzy Hash: AEF02735784320BBF63433707D4FF8F26855B80F24F100635FA01B51C1E8E8A881404C

Uniqueness

Uniqueness Score: -1.00%

Function 004022A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040221A), ref: 004022B4
CloseHandle.KERNEL32(00000000), ref: 004022F6

Strings

CreateFile(), xrefs: 004022C1
.\QHCheckCertificate.c, xrefs: 004022CB

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 3498533004-1597445517
Opcode ID: efc07ab93a3e5379a1aafee87a645beb55a5777d45d23b4693688bb81b1a3ec9
Instruction ID: 5d39d70a6adc7a977038086a062cd6ab7bed64c32d2e7ad64275184ee054e359
Opcode Fuzzy Hash: efc07ab93a3e5379a1aafee87a645beb55a5777d45d23b4693688bb81b1a3ec9
Instruction Fuzzy Hash: 23F02731B843117AE6343370BD4AF9B26855B80F54F100635FE01B91C1E8FC9841409D

Uniqueness

Uniqueness Score: -1.00%

Function 00402930 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040289A), ref: 00402944
CloseHandle.KERNEL32(00000000), ref: 00402984

Strings

CreateFile(), xrefs: 00402953
.\QHCheckCertificate.c, xrefs: 0040295D

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 3498533004-1597445517
Opcode ID: 23bdb758d88eb6772893afea764e0a844dda7450fbaae3f686122c8a370c2e8a
Instruction ID: 0d69e81b708f15c77efef7e4f17722566965c308e96861222ce979ccf1989810
Opcode Fuzzy Hash: 23bdb758d88eb6772893afea764e0a844dda7450fbaae3f686122c8a370c2e8a
Instruction Fuzzy Hash: 73F05C71B803117BF63063B07D0EF8B2585A740B25F110235FE41F51C1E8E8584181AD

Uniqueness

Uniqueness Score: -1.00%

Function 0043AB05 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0043AB1F

Part of subcall function 00435303: __getptd_noexit.LIBCMT ref: 00435306
Part of subcall function 00435303: __amsg_exit.LIBCMT ref: 00435313

__getptd.LIBCMT ref: 0043AB30
__getptd.LIBCMT ref: 0043AB3E

Strings

MOC, xrefs: 0043AB11
csm, xrefs: 0043AB18

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: 546a182a6e7d5b12224b1f81106d24650c5b7328c0601bff92d7242a378783a5
Instruction ID: 05e78cd1568f14788fbbe09d30b4e391dea899aa562c3f9198f8c26ae00602dc
Opcode Fuzzy Hash: 546a182a6e7d5b12224b1f81106d24650c5b7328c0601bff92d7242a378783a5
Instruction Fuzzy Hash: E9E04F71110204CFC720AB65C047B297395FB4D318F2620ABEA8DC7322C77CF850954B

Uniqueness

Uniqueness Score: -1.00%

Function 0043EFF9 Relevance: 7.6, APIs: 5, Instructions: 140COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 0043EFA1
GetFileType.KERNEL32(00000040,0042911E,?,?,0042910A,00000000,?,?,?,?,?,?,?,?), ref: 0043F02A
GetStdHandle.KERNEL32(-000000F6,0042911E,?,?,0042910A,00000000,?,?,?,?,?,?,?,?), ref: 0043F0B4
GetFileType.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0042DBE7,?,00428DD2), ref: 0043F0C6
SetHandleCount.KERNEL32 ref: 0043F11E

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: FileHandleType$Count__calloc_crt
String ID:
API String ID: 3036974029-0
Opcode ID: b7d48f13b3387f5b17dfcfb8e45931c626402b9b0608b8c8ddddd08fc6d1c4f6
Instruction ID: d13556f11a32f0ffbaa44b49b5a399d0604f6c4d04dba7a1fb5db7e020a721ed
Opcode Fuzzy Hash: b7d48f13b3387f5b17dfcfb8e45931c626402b9b0608b8c8ddddd08fc6d1c4f6
Instruction Fuzzy Hash: 7E512971D04B518EDB288B38DD4472677B0AB1A334F24577AD4B1972E2D77CD80ACB1A

Uniqueness

Uniqueness Score: -1.00%

Function 004087E0 Relevance: 7.6, APIs: 5, Instructions: 113timeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,00408EFA,?,?,00000001,?,004036B0), ref: 004087F1

Part of subcall function 00432DB5: __getptd_noexit.LIBCMT ref: 00432DB5

SetLastError.KERNEL32(00000000), ref: 0040880F
_wcsrchr.LIBCMT ref: 00408880
_vswprintf_s.LIBCMT ref: 004088DD
GetSystemTime.KERNEL32(00000288), ref: 00408916

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLast$SystemTime__getptd_noexit_vswprintf_s_wcsrchr
String ID:
API String ID: 3942181620-0
Opcode ID: 3be596fcb2dc188245080ee248d0068dd7f63012560903d31e54436db08ccaf5
Instruction ID: a12dfbe8bcb0b0c09f6ff4f14e91d9b616d30136fea910be67afa850a14d1e9c
Opcode Fuzzy Hash: 3be596fcb2dc188245080ee248d0068dd7f63012560903d31e54436db08ccaf5
Instruction Fuzzy Hash: 1A414C719147018FC720AF75C845667B3E4EF58310F04892EE59AD73A1EB78A804CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0042D650 Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042D680
GetModuleFileNameW.KERNEL32(00000000,?,00000102), ref: 0042D696
PathRemoveFileSpecW.SHLWAPI(?), ref: 0042D6A3
_memset.LIBCMT ref: 0042D6FE
SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,?,00000000,?), ref: 0042D713

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: FilePath_memset$FolderModuleNameRemoveSpecSpecial
String ID:
API String ID: 359805494-0
Opcode ID: 7ffac12201360a27492ef9a8c6e46d6ba8d65e8f74295bea7cd19c9cd888329f
Instruction ID: d0c4d087bca0709b8c827d22c595415c302136f733cf5c869673d8418bc65854
Opcode Fuzzy Hash: 7ffac12201360a27492ef9a8c6e46d6ba8d65e8f74295bea7cd19c9cd888329f
Instruction Fuzzy Hash: 0821927190121C9FD754EBA4DC42FE97375AF88708F4000EDA609A7182EE759A988F69

Uniqueness

Uniqueness Score: -1.00%

Function 00436CEA Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00436C41

Part of subcall function 0043385A: __mtinitlocknum.LIBCMT ref: 00433870
Part of subcall function 0043385A: __amsg_exit.LIBCMT ref: 0043387C
Part of subcall function 0043385A: EnterCriticalSection.KERNEL32(?,?,?,004479C3,00000004,00464E28,0000000C,004356E9,?,?,00000000,00000000,00000000,?,004352B5,00000001), ref: 00433884

InterlockedDecrement.KERNEL32(00000000), ref: 00436C53

Part of subcall function 0042F2AE: __lock.LIBCMT ref: 0042F2CC
Part of subcall function 0042F2AE: ___sbh_find_block.LIBCMT ref: 0042F2D7
Part of subcall function 0042F2AE: ___sbh_free_block.LIBCMT ref: 0042F2E6
Part of subcall function 0042F2AE: HeapFree.KERNEL32(00000000,?,00464668,0000000C,0043383B,00000000,004648F0,0000000C,00433875,?,?,?,004479C3,00000004,00464E28,0000000C), ref: 0042F316
Part of subcall function 0042F2AE: GetLastError.KERNEL32(?,004479C3,00000004,00464E28,0000000C,004356E9,?,?,00000000,00000000,00000000,?,004352B5,00000001,00000214), ref: 0042F327

__lock.LIBCMT ref: 00436C81
___removelocaleref.LIBCMT ref: 00436C90
___freetlocinfo.LIBCMT ref: 00436CA9

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: __lock$CriticalDecrementEnterErrorFreeHeapInterlockedLastSection___freetlocinfo___removelocaleref___sbh_find_block___sbh_free_block__amsg_exit__mtinitlocknum
String ID:
API String ID: 1907232653-0
Opcode ID: dddfa3f3178d8383d32f9b27f59e0bf06b1583cf40736a92abf47a8fd31915da
Instruction ID: ec597f54dc5de8ed20ed2a1f663af052850153511863fb80e7f62ebd8217dee4
Opcode Fuzzy Hash: dddfa3f3178d8383d32f9b27f59e0bf06b1583cf40736a92abf47a8fd31915da
Instruction Fuzzy Hash: B1119131501306BADB246FA6D64575E77A4EF08725F26B46FF4D4972C1DE3CC880861D

Uniqueness

Uniqueness Score: -1.00%

Function 00436319 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00436325

Part of subcall function 00435303: __getptd_noexit.LIBCMT ref: 00435306
Part of subcall function 00435303: __amsg_exit.LIBCMT ref: 00435313

__amsg_exit.LIBCMT ref: 00436345
__lock.LIBCMT ref: 00436355
InterlockedDecrement.KERNEL32(?), ref: 00436372
InterlockedIncrement.KERNEL32(00467FD8), ref: 0043639D

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 1c3ee6bdb297f0c583020a54c75024eb37d5180de5e8673e1c7c4d2d8cd9b9a2
Instruction ID: 2120e401ec039c9d3c469062b26075b44e78161f10bd3444f52201ecc5acd4ca
Opcode Fuzzy Hash: 1c3ee6bdb297f0c583020a54c75024eb37d5180de5e8673e1c7c4d2d8cd9b9a2
Instruction Fuzzy Hash: 7401A131900713EBDB11AF66944574E7760BB08714F16912FEC14A3282DB7CA9428BDE

Uniqueness

Uniqueness Score: -1.00%

Function 0042F2AE Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0042F2CC

Part of subcall function 0043385A: __mtinitlocknum.LIBCMT ref: 00433870
Part of subcall function 0043385A: __amsg_exit.LIBCMT ref: 0043387C
Part of subcall function 0043385A: EnterCriticalSection.KERNEL32(?,?,?,004479C3,00000004,00464E28,0000000C,004356E9,?,?,00000000,00000000,00000000,?,004352B5,00000001), ref: 00433884

___sbh_find_block.LIBCMT ref: 0042F2D7
___sbh_free_block.LIBCMT ref: 0042F2E6
HeapFree.KERNEL32(00000000,?,00464668,0000000C,0043383B,00000000,004648F0,0000000C,00433875,?,?,?,004479C3,00000004,00464E28,0000000C), ref: 0042F316
GetLastError.KERNEL32(?,004479C3,00000004,00464E28,0000000C,004356E9,?,?,00000000,00000000,00000000,?,004352B5,00000001,00000214), ref: 0042F327

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: be5a6cb1eb5df8936d36834704c5a715c9b684255bafcbe413cb2a9fed154717
Instruction ID: b01b193fb1bad3170891ec4c80f6ca9d339300dd53edf7a7ab97a6ea33272983
Opcode Fuzzy Hash: be5a6cb1eb5df8936d36834704c5a715c9b684255bafcbe413cb2a9fed154717
Instruction Fuzzy Hash: B601AC31A01315EADB20AFB1AD05B5E7AB49F05765FD0007FF804951D1DB7C85458E9D

Uniqueness

Uniqueness Score: -1.00%

Function 00403C10 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 228COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000CCC,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 00403D80

Part of subcall function 00403660: ReadFile.KERNEL32(?,?,?,O>@,00000000,?,00403E4F,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 0040366B

Strings

.\QHImageHlp.c, xrefs: 00403C76, 00403D94
SetFilePointerEx(), xrefs: 00403D8A

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: File$PointerRead
String ID: .\QHImageHlp.c$SetFilePointerEx()
API String ID: 3154509469-3914906174
Opcode ID: 5d98508b3de8acd582bae8ac88a94eb38bcbdce3d783b9f31bc7296ee13450e1
Instruction ID: a623d500c4186b7208de29a6288d575388abf472c41b592f863d29a671c00f12
Opcode Fuzzy Hash: 5d98508b3de8acd582bae8ac88a94eb38bcbdce3d783b9f31bc7296ee13450e1
Instruction Fuzzy Hash: 04717D71A04701AFD314DF29D881A5AB7E9FB88315F444A3EF848E3780E738E9548BD6

Uniqueness

Uniqueness Score: -1.00%

Function 004050D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004050DC

Part of subcall function 0042FB25: __FF_MSGBANNER.LIBCMT ref: 0042FB48
Part of subcall function 0042FB25: __NMSG_WRITE.LIBCMT ref: 0042FB4F
Part of subcall function 0042FB25: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,?,00402AFA), ref: 0042FB9C

SetLastError.KERNEL32(00000008,?,00402A5E,?,00002000), ref: 004050EE

Strings

Certificate Table, xrefs: 0040526F
.\QHImageHlp.c, xrefs: 004050FE, 00405239, 00405279

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: AllocErrorHeapLast_malloc
String ID: .\QHImageHlp.c$Certificate Table
API String ID: 485325758-1472710443
Opcode ID: 349a017d88896a46223a65075aa5d5ea743bd96e5839130b69b8610103239546
Instruction ID: a446fb7a9fde2d7275c523b3a5589ebdd4a490cd7bb37a51f9c1ccee7326068c
Opcode Fuzzy Hash: 349a017d88896a46223a65075aa5d5ea743bd96e5839130b69b8610103239546
Instruction Fuzzy Hash: D4410575741B005BE320EB25EC41B97B3E0FF80711F04497FE989923C1E6B9A5088B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00404EF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00404EFC

Part of subcall function 0042FB25: __FF_MSGBANNER.LIBCMT ref: 0042FB48
Part of subcall function 0042FB25: __NMSG_WRITE.LIBCMT ref: 0042FB4F
Part of subcall function 0042FB25: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,?,00402AFA), ref: 0042FB9C

SetLastError.KERNEL32(00000008,00000003,004023AF,00000000), ref: 00404F0E

Strings

Certificate Table, xrefs: 0040508F
.\QHImageHlp.c, xrefs: 00404F1E, 00405059, 00405099

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: AllocErrorHeapLast_malloc
String ID: .\QHImageHlp.c$Certificate Table
API String ID: 485325758-1472710443
Opcode ID: 62d59e5dec82c27ee1c675ce2e38e0508c742f546705f42b660697afc313c552
Instruction ID: 56f707983adcd4c1712f8bbe2d9e1cbd60e6c7eff53ffe87e7f68e14888cd6f6
Opcode Fuzzy Hash: 62d59e5dec82c27ee1c675ce2e38e0508c742f546705f42b660697afc313c552
Instruction Fuzzy Hash: 4041D5B1741B015BE320DF25EC41F97B3E0EF80715F14893FE989923C1E6B9A5498B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00401520 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040155C
SetLastError.KERNEL32(00000008,?,?,?,00401C5E,?,?), ref: 0040156C

Strings

:ghVI, xrefs: 0040159A
.\QHCheckCertificate.c, xrefs: 0040157C, 004015A4, 004015D1

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLast_malloc
String ID: .\QHCheckCertificate.c$:ghVI
API String ID: 1018170914-279542517
Opcode ID: e398552c40245c4c81058395fa59cc72440da4dc1ea5e3436f6df70d9f0a9f0b
Instruction ID: f102504e1e88be22b862c4b36d41646d64cb99423fcae649bfb1a7f27528034d
Opcode Fuzzy Hash: e398552c40245c4c81058395fa59cc72440da4dc1ea5e3436f6df70d9f0a9f0b
Instruction Fuzzy Hash: E021A5F5701A117FD704EB59FD82A467390EB84319B10803BF909A7391F7F998258B9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(000013CC,CreateObject), ref: 0040C3F2
FreeLibrary.KERNEL32(000013CC,?,0040C18C), ref: 0040C408

Strings

CreateObject, xrefs: 0040C3E6

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: AddressFreeLibraryProc
String ID: CreateObject
API String ID: 3013587201-166191583
Opcode ID: d6bd99be3fb84f35f21d06f6efc7538b6342fd60ee3495d6ffe4e42ac6a0d53d
Instruction ID: 5dfa618b8ef0119369d955ab7243a8de27af72229873d7ba0b9cf45c338c119e
Opcode Fuzzy Hash: d6bd99be3fb84f35f21d06f6efc7538b6342fd60ee3495d6ffe4e42ac6a0d53d
Instruction Fuzzy Hash: FA21EA74A00308EFCB00DF94D5D4A6DBBB5BF49315F2082A9E905AB392C735EA81DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00408B20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00408B28

Part of subcall function 00432DB5: __getptd_noexit.LIBCMT ref: 00432DB5

SetLastError.KERNEL32(00000000), ref: 00408B46
__snwprintf.LIBCMT ref: 00408B95

Strings

%s(%s:%d), xrefs: 00408B84

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLast$__getptd_noexit__snwprintf
String ID: %s(%s:%d)
API String ID: 2604959178-4223833681
Opcode ID: 4c5ff8d7da7caec13398d7179f177572afe30be613d32b51b72e43316ceb08cc
Instruction ID: c67e5680cbfc749e9507c7cc80fc2d4b5564d9924784b961a3afd699cde5ee08
Opcode Fuzzy Hash: 4c5ff8d7da7caec13398d7179f177572afe30be613d32b51b72e43316ceb08cc
Instruction Fuzzy Hash: 6801B972600704AFC720AFA5ED44AA773E8EF45751F00443FF94997351DBB8AC018799

Uniqueness

Uniqueness Score: -1.00%

Function 004035C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51timeCOMMON

Download Yara Rule

APIs

_swscanf.LIBCMT ref: 004035FD

Part of subcall function 004324AF: _vscan_fn.LIBCMT ref: 004324C6

SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,004018B8,00000000,00000000), ref: 0040361F
LocalFileTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,004018B8,00000000,00000000), ref: 00403632

Strings

%hu-%hu-%hu %hu:%hu:%hu, xrefs: 004035F7

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: Time$File$LocalSystem_swscanf_vscan_fn
String ID: %hu-%hu-%hu %hu:%hu:%hu
API String ID: 3712118799-1004895946
Opcode ID: 4751721bb5c0777da57fecde43eb29ccf8ba50de587755977e36d3932f733de8
Instruction ID: 4c245d33534f4f5b71e5f77063661e55d37b6d60919a2df9bc087bf9af5aa4ff
Opcode Fuzzy Hash: 4751721bb5c0777da57fecde43eb29ccf8ba50de587755977e36d3932f733de8
Instruction Fuzzy Hash: 171100B2504301AFC365DFA5C980D9BB7E8ABDC701F044E2EF199D2250F675D648CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0043CA74 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0043143A), ref: 0043CA79
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0043CA89

Strings

KERNEL32, xrefs: 0043CA74
IsProcessorFeaturePresent, xrefs: 0043CA83

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: f5942bad6fb0379af524b8fc5daf5af3d6fb922da830d66f21d94f1b5bcb83af
Instruction ID: 8c0865540f6c5b330ea810b8011c9f56007bea3fab0405eb604f0991b59ca9d9
Opcode Fuzzy Hash: f5942bad6fb0379af524b8fc5daf5af3d6fb922da830d66f21d94f1b5bcb83af
Instruction Fuzzy Hash: A1F01D21A40B0DE2DB00ABA5AC4B36F7A75BB84743F9104A1D592F1096DF74C179D74A

Uniqueness

Uniqueness Score: -1.00%

Function 00403660 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 33fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,O>@,00000000,?,00403E4F,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 0040366B

Strings

.\QHImageHlp.c, xrefs: 0040367F, 004036A1
ReadFile(), xrefs: 00403675
O>@, xrefs: 00403663, 00403667

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: .\QHImageHlp.c$O>@$ReadFile()
API String ID: 2738559852-3347983201
Opcode ID: ad8c54c6b13db8c91e8405195e36127eca5c805619a3687134a11327e549964d
Instruction ID: e18dff2bf5f9ec833f0eb136256613232d54e553c4a64e595da327690e970206
Opcode Fuzzy Hash: ad8c54c6b13db8c91e8405195e36127eca5c805619a3687134a11327e549964d
Instruction Fuzzy Hash: 99E022B179030039F630A630AE47F2726488B84B03F20483FB449A06C1FDFD9840216A

Uniqueness

Uniqueness Score: -1.00%

Function 0044E800 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0044E834
__isleadbyte_l.LIBCMT ref: 0044E868
MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000298,00000002,00000000), ref: 0044E899
MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000298,00000002,00000000), ref: 0044E907

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 29de12d916317f776575526a2aae219ef267f97f715b5e650989a8b0b88a1db2
Instruction ID: 69bd48404784bb6eef6378d994ded7f0c02fa3b1a2743158cb33e4a36fb9aac3
Opcode Fuzzy Hash: 29de12d916317f776575526a2aae219ef267f97f715b5e650989a8b0b88a1db2
Instruction Fuzzy Hash: AF31B331A00255EFEF20EF66C8809BF7BA5FF01311F1445AAE4518B292E734DD40DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042CF40 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

allocator.LIBCPMTD ref: 0042CF77
allocator.LIBCONCRTD ref: 0042CFAB
allocator.LIBCONCRTD ref: 0042CFD7
allocator.LIBCONCRTD ref: 0042D003

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: 55a0b2266a5cad73a88afd20eacca5d9b6afaa86621e6d19beb791bcb8099d20
Instruction ID: 098981022932cbdec035ca30eccc90540c584fe7df76098104e9694cbdb6509b
Opcode Fuzzy Hash: 55a0b2266a5cad73a88afd20eacca5d9b6afaa86621e6d19beb791bcb8099d20
Instruction Fuzzy Hash: 1D315EB1E001089FDB04DF99D841BEFBBB9EF48318F54452AE505A7382D73969148BB6

Uniqueness

Uniqueness Score: -1.00%

Function 0043C93F Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0043C965

Part of subcall function 0043C74D: __fltout2.LIBCMT ref: 0043C779

__cftog_l.LIBCMT ref: 0043C98B
__cftoe_l.LIBCMT ref: 0043C9BD

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: afc8384d7de5dc81d749eb2ef2e502e72940c946d5071aaa17129bf9d5fb4602
Instruction ID: 8ded30c4d0808139d0a8f7a3334d2637decb54840f1bc3447c4a2fd338d10340
Opcode Fuzzy Hash: afc8384d7de5dc81d749eb2ef2e502e72940c946d5071aaa17129bf9d5fb4602
Instruction Fuzzy Hash: AE117BB600014ABBCF125E85CC85DEE3F62BF1C354F5A9416FE1868131C73AD9B2AB85

Uniqueness

Uniqueness Score: -1.00%

Function 0042FAAB Relevance: 6.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 0042FAB9

Part of subcall function 00435C3E: __set_error_mode.LIBCMT ref: 00435C40
Part of subcall function 00435C3E: __set_error_mode.LIBCMT ref: 00435C4D
Part of subcall function 00435C3E: __NMSG_WRITE.LIBCMT ref: 00435C65
Part of subcall function 00435C3E: __NMSG_WRITE.LIBCMT ref: 00435C6F

__NMSG_WRITE.LIBCMT ref: 0042FAC0

Part of subcall function 00435A6D: __set_error_mode.LIBCMT ref: 00435A9E
Part of subcall function 00435A6D: __set_error_mode.LIBCMT ref: 00435AAF
Part of subcall function 00435A6D: _strcpy_s.LIBCMT ref: 00435AE3
Part of subcall function 00435A6D: __invoke_watson.LIBCMT ref: 00435AF4
Part of subcall function 00435A6D: GetModuleFileNameA.KERNEL32(00000000,0046A8A9,00000104,?,?,00002000), ref: 00435B10
Part of subcall function 00435A6D: _strcpy_s.LIBCMT ref: 00435B25
Part of subcall function 00435A6D: __invoke_watson.LIBCMT ref: 00435B38
Part of subcall function 00435A6D: _strlen.LIBCMT ref: 00435B41
Part of subcall function 00435A6D: _strlen.LIBCMT ref: 00435B4E
Part of subcall function 00435A6D: __invoke_watson.LIBCMT ref: 00435B7B

Part of subcall function 0043157F: ___crtCorExitProcess.LIBCMT ref: 00431587
Part of subcall function 0043157F: ExitProcess.KERNEL32 ref: 00431590

HeapAlloc.KERNEL32(00000000,?), ref: 0042FAEC
HeapAlloc.KERNEL32(00000000,?), ref: 0042FB1C

Part of subcall function 0042FA5C: __lock.LIBCMT ref: 0042FA79
Part of subcall function 0042FA5C: ___sbh_alloc_block.LIBCMT ref: 0042FA84

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: __set_error_mode$__invoke_watson$AllocExitHeapProcess_strcpy_s_strlen$FileModuleName___crt___sbh_alloc_block__lock
String ID:
API String ID: 913549098-0
Opcode ID: 20a47c1bc0b3e505c4640fd5fbb8dac699cbe65c5832f50e0c64fbac4b9dec48
Instruction ID: c97f2a1aac4336ca4233bb19fb3288db2da53e8740355d76d5640405a136ac55
Opcode Fuzzy Hash: 20a47c1bc0b3e505c4640fd5fbb8dac699cbe65c5832f50e0c64fbac4b9dec48
Instruction Fuzzy Hash: 19F0CD31A406256AEA205B15FC41F673764EF14368F901036FC1DE62E1D7A9AC908A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00436AF5 Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00436B01

Part of subcall function 00435303: __getptd_noexit.LIBCMT ref: 00435306
Part of subcall function 00435303: __amsg_exit.LIBCMT ref: 00435313

__getptd.LIBCMT ref: 00436B18
__amsg_exit.LIBCMT ref: 00436B26
__lock.LIBCMT ref: 00436B36

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 6797a9c7ad89f79179c35410063c93c7be1a48fe7305491068951a5592eb683d
Instruction ID: 69a392eba205855c063e8f8e15178e0c3a3eead262de5f737cc13f3cb72de6a7
Opcode Fuzzy Hash: 6797a9c7ad89f79179c35410063c93c7be1a48fe7305491068951a5592eb683d
Instruction Fuzzy Hash: 24F06231900711AAD610BB76840674DB7A06B08719F11A15FE441972D2DBACA901CF5E

Uniqueness

Uniqueness Score: -1.00%

Function 0042FC4D Relevance: 6.0, APIs: 4, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__IsNonwritableInCurrentImage.LIBCMT ref: 0042FC60

Part of subcall function 004359B0: __FindPESection.LIBCMT ref: 00435A0B

__getptd_noexit.LIBCMT ref: 0042FC70
__freeptd.LIBCMT ref: 0042FC7A
ExitThread.KERNEL32 ref: 0042FC83

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
String ID:
API String ID: 3182216644-0
Opcode ID: eb11f72c5c0a27ea54c39caa1cddff4bcdd230f116779656fea8b8d54851e959
Instruction ID: 7fb2935e2eb5082df97cbdfaa4370d91d3abcb1d53863283408d7954f040c305
Opcode Fuzzy Hash: eb11f72c5c0a27ea54c39caa1cddff4bcdd230f116779656fea8b8d54851e959
Instruction Fuzzy Hash: B5D01270140B055AD6142773ED1E71B36686B24766FD81077BC00901B2DF7CE88DC91E

Uniqueness

Uniqueness Score: -1.00%

Function 00405B10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405BEF
SetLastError.KERNEL32(00000008,?), ref: 00405C01

Strings

.\QHImageHlp.c, xrefs: 00405C11

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLast_malloc
String ID: .\QHImageHlp.c
API String ID: 1018170914-3639949391
Opcode ID: 15c5622575b640bfbf16fac63390eca48eb95dedee77b54ee0b13ad915d23e3b
Instruction ID: cd3631b3a4313c074cd8665c0dc88d8e640489f143659dcbe8033afe21fc79ee
Opcode Fuzzy Hash: 15c5622575b640bfbf16fac63390eca48eb95dedee77b54ee0b13ad915d23e3b
Instruction Fuzzy Hash: 99419DB2A01705AFC724DF1DD880A96BBE4FF44314F84863ED84997311E77AE6298BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00405540 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00002000), ref: 004055FC

Strings

.\QHImageHlp.c, xrefs: 0040557D, 00405610
SetFilePointerEx(), xrefs: 00405606

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID: .\QHImageHlp.c$SetFilePointerEx()
API String ID: 973152223-3914906174
Opcode ID: 2c843a153be4ab8f41abaeefdffeacd9e125d3a162f82d77d6fe0992c1cd8e6f
Instruction ID: af7915da689cad80124b57681fae3e82e07b953628dcdcdd22db9ddc04efbc6b
Opcode Fuzzy Hash: 2c843a153be4ab8f41abaeefdffeacd9e125d3a162f82d77d6fe0992c1cd8e6f
Instruction Fuzzy Hash: B731D5767003156BD720DE25EC80EAB7395EBC8B56F44443AFD08E7380EA79AD058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405A79

Part of subcall function 0042FB25: __FF_MSGBANNER.LIBCMT ref: 0042FB48
Part of subcall function 0042FB25: __NMSG_WRITE.LIBCMT ref: 0042FB4F
Part of subcall function 0042FB25: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,?,00402AFA), ref: 0042FB9C

SetLastError.KERNEL32(00000008,?), ref: 00405A89

Strings

.\QHImageHlp.c, xrefs: 00405A99

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: AllocErrorHeapLast_malloc
String ID: .\QHImageHlp.c
API String ID: 485325758-3639949391
Opcode ID: 0f050a3acdf6a18f2331fc905689a8070437466b217d773e7a30d2c2608276d3
Instruction ID: 4491f1e142483b7a0147f93706028f95dcf45ea172aec906f31b60bdc4f22acb
Opcode Fuzzy Hash: 0f050a3acdf6a18f2331fc905689a8070437466b217d773e7a30d2c2608276d3
Instruction Fuzzy Hash: 8421C7B1B40B046BD360DF6AEC81B53F7E4FB44714F80453EE94A92741EB7AB1188B99

Uniqueness

Uniqueness Score: -1.00%

Function 00408A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000008,0A0B9F7F,?,?,0046AFB0,0040BC07), ref: 00408A9D

Part of subcall function 00408A00: __CxxThrowException@8.LIBCMT ref: 00408A2C
Part of subcall function 00408A00: __CxxThrowException@8.LIBCMT ref: 00408A64
Part of subcall function 00408A00: __CxxThrowException@8.LIBCMT ref: 00408AD0

Strings

F:\WorkCode\Pub\360GPUBNew\dev\include\Interface\QHTL.h, xrefs: 00408AAD

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$ErrorLast
String ID: F:\WorkCode\Pub\360GPUBNew\dev\include\Interface\QHTL.h
API String ID: 3499917866-3244885242
Opcode ID: 02cc4916ce66fc9f49ac957b759d5bf510f036ab9fdb672491d1735664b6ec29
Instruction ID: 8a3096ca1bbf558694c1877c0cbee3ffcdde9a91d7c3d9ee8e518dbb288f5ca6
Opcode Fuzzy Hash: 02cc4916ce66fc9f49ac957b759d5bf510f036ab9fdb672491d1735664b6ec29
Instruction Fuzzy Hash: 7901A2B1944708BFC700EB95CD41F6BB7BCFB48B14F60452EB514A2281E7B895048B66

Uniqueness

Uniqueness Score: -1.00%

Function 00408C29 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00408C3E
__snwprintf.LIBCMT ref: 00408CAD

Strings

%1d|%04hu-%02hu-%02hu|%02hu:%02hu:%02hu|%s|%d|%s|%s|%d|%s, xrefs: 00408C9C

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: __snwprintf_wcschr
String ID: %1d|%04hu-%02hu-%02hu|%02hu:%02hu:%02hu|%s|%d|%s|%s|%d|%s
API String ID: 1333472643-1296420124
Opcode ID: 352b012345a64a84e7e5e2f65a586d5f98df0d664cd4b9c6f40050a57f8bcf49
Instruction ID: 482bac71ccbccd4038da37c31077ade87015c13c61ee081a78d39986d3540162
Opcode Fuzzy Hash: 352b012345a64a84e7e5e2f65a586d5f98df0d664cd4b9c6f40050a57f8bcf49
Instruction Fuzzy Hash: 34110CB2210B10AAD720DB69DC45FB7B3F8EF8C701F00891EF69E86250E678A841C775

Uniqueness

Uniqueness Score: -1.00%

Function 0043B2C5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00430A3C: __getptd.LIBCMT ref: 00430A42
Part of subcall function 00430A3C: __getptd.LIBCMT ref: 00430A52

__getptd.LIBCMT ref: 0043B2D4

Part of subcall function 00435303: __getptd_noexit.LIBCMT ref: 00435306
Part of subcall function 00435303: __amsg_exit.LIBCMT ref: 00435313

__getptd.LIBCMT ref: 0043B2E2

Strings

csm, xrefs: 0043B2F0

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 7355461b1db248cca9ced8da74d115863494b1204ec6fd7d3153c7297fa21868
Instruction ID: bd3a09f85d3860faa45ff0aba6a44e215a3c079e7dabb4cc9a01332ad76f74b8
Opcode Fuzzy Hash: 7355461b1db248cca9ced8da74d115863494b1204ec6fd7d3153c7297fa21868
Instruction Fuzzy Hash: 9D018630801315CACF38AF61D4507AFB3B4FF28319F24642FE885963A1CB788981CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004036C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004036CB

Strings

.\QHImageHlp.c, xrefs: 004036DF, 00403701
WriteFile(), xrefs: 004036D5

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID: .\QHImageHlp.c$WriteFile()
API String ID: 3934441357-642506210
Opcode ID: 235889d1a65ddb66482a612ad4d7e918c2c37313952fb2fc37993eef172bfc64
Instruction ID: 202be2d2f577f9c48df27ca0d14b2a50dfdd427c70a255348a94a199852964d9
Opcode Fuzzy Hash: 235889d1a65ddb66482a612ad4d7e918c2c37313952fb2fc37993eef172bfc64
Instruction Fuzzy Hash: 61E092B67507003EF628A670AD97FA72648C784B47F20883FB145E55C2F9EC9900256A

Uniqueness

Uniqueness Score: -1.00%

Function 00403750 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 0040375F

Strings

.\QHImageHlp.c, xrefs: 00403773
SetFilePointerEx(), xrefs: 00403769

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID: .\QHImageHlp.c$SetFilePointerEx()
API String ID: 973152223-3914906174
Opcode ID: 71aa2a270ad45ce6d700e5ebd6e43204d34a3929848bd06162dfb3f87a5cca2d
Instruction ID: 8f8977cb2d0b4ccc0947b00c7427ef8ecbdd6a3768c7b386d57dae8b174c95d6
Opcode Fuzzy Hash: 71aa2a270ad45ce6d700e5ebd6e43204d34a3929848bd06162dfb3f87a5cca2d
Instruction Fuzzy Hash: CCD05EB87803003AE61097309D86F2B329897C8F07F14886D7544F15D0F9FCE8006619

Uniqueness

Uniqueness Score: -1.00%

Function 00403720 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32 ref: 00403722

Strings

GetFileSizeEx(), xrefs: 0040372C
.\QHImageHlp.c, xrefs: 00403736

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: FileSize
String ID: .\QHImageHlp.c$GetFileSizeEx()
API String ID: 3433856609-1331291865
Opcode ID: 0e9640600f9e4dc9bf96171d40720cf617bf7f8c4e8108b68e31724e6f487238
Instruction ID: 7fe57b970132a0c306ad1d3e9a418fe7e91df63075c9b023bc58e2ed1317afab
Opcode Fuzzy Hash: 0e9640600f9e4dc9bf96171d40720cf617bf7f8c4e8108b68e31724e6f487238
Instruction Fuzzy Hash: 92C08CE4B9070436EA2827311F8BF6721896790F0BF4488BA7900E15C2FEFEC400602B

Uniqueness

Uniqueness Score: -1.00%

Function 00403790 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32 ref: 00403791

Strings

.\QHImageHlp.c, xrefs: 004037A5
SetEndOfFile(), xrefs: 0040379B

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: File
String ID: .\QHImageHlp.c$SetEndOfFile()
API String ID: 749574446-4247281097
Opcode ID: 55f561706e4913504b1659c232cbceeeed4d33d718c83365b8535eeb1c4e46c9
Instruction ID: 7b9951fb71824a071ea30372aa77385de4241c8a4e0098c10b8b1c0498ba7ca4
Opcode Fuzzy Hash: 55f561706e4913504b1659c232cbceeeed4d33d718c83365b8535eeb1c4e46c9
Instruction Fuzzy Hash: 60C08CB4B8070126EA2076312E4BF2B20899BE4F47F8488BAB404F25C2F9FCC5005019

Uniqueness

Uniqueness Score: -1.00%

Function 00408950 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00408AFA,?,?,00000000,?,00403DA0,00403DA0,.\QHImageHlp.c,000000F9,SetFilePointerEx(),?,00403F3C,00000000), ref: 00408953
SetLastError.KERNEL32(00000000,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 00408960

Part of subcall function 00408380: GetLastError.KERNEL32(00000005,?,7622DFA0,?,00408984,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040), ref: 00408395
Part of subcall function 00408380: SetLastError.KERNEL32(00000000,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 004083B9
Part of subcall function 00408380: GetLastError.KERNEL32(?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 004083DA
Part of subcall function 00408380: _wcsrchr.LIBCMT ref: 00408443
Part of subcall function 00408380: _wcsncpy.LIBCMT ref: 00408472

SetLastError.KERNEL32(?,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 00408999

Part of subcall function 00432DB5: __getptd_noexit.LIBCMT ref: 00432DB5

SetLastError.KERNEL32(?,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 004089DA

Memory Dump Source

Source File: 00000000.00000002.2310402585.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2310388760.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310441579.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310456117.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310467519.0000000000468000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310488635.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2310717245.00000000004E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLast$__getptd_noexit_wcsncpy_wcsrchr
String ID:
API String ID: 2296084122-0
Opcode ID: 0d298b0919d4d87294302c951d50e0ecb365de6b4711658db1946db0a2c4a62c
Instruction ID: 0ce4ff69a4c326d3965e6ec2f1d0d00c710584094203b3b5be746183993221b1
Opcode Fuzzy Hash: 0d298b0919d4d87294302c951d50e0ecb365de6b4711658db1946db0a2c4a62c
Instruction Fuzzy Hash: 8B114FB56006009FC614EB99D9C09ABB3E9EBC8311F10482EF695D7351CB38EC45CBAA

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tu.exePID: 4256, Parent PID: 5412COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.8%
Total number of Nodes:	1467
Total number of Limit Nodes:	68

Executed Functions

Function 0056CB50 Relevance: 148.9, APIs: 52, Strings: 33, Instructions: 176
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0055E9E1), ref: 0056CB65
GetProcAddress.KERNEL32(00000000), ref: 0056CB6E
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0055E9E1), ref: 0056CB85
GetProcAddress.KERNEL32(00000000), ref: 0056CB88
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0055E9E1), ref: 0056CB9A
GetProcAddress.KERNEL32(00000000), ref: 0056CB9D
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0055E9E1), ref: 0056CBAE
GetProcAddress.KERNEL32(00000000), ref: 0056CBB1
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0055E9E1), ref: 0056CBC3
GetProcAddress.KERNEL32(00000000), ref: 0056CBC6
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0055E9E1), ref: 0056CBD2
GetProcAddress.KERNEL32(00000000), ref: 0056CBD5
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0055E9E1), ref: 0056CBE6
GetProcAddress.KERNEL32(00000000), ref: 0056CBE9
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0055E9E1), ref: 0056CBFA
GetProcAddress.KERNEL32(00000000), ref: 0056CBFD
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0055E9E1), ref: 0056CC0E
GetProcAddress.KERNEL32(00000000), ref: 0056CC11
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0055E9E1), ref: 0056CC22
GetProcAddress.KERNEL32(00000000), ref: 0056CC25
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0055E9E1), ref: 0056CC36
GetProcAddress.KERNEL32(00000000), ref: 0056CC39
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0055E9E1), ref: 0056CC4A
GetProcAddress.KERNEL32(00000000), ref: 0056CC4D
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0055E9E1), ref: 0056CC5E
GetProcAddress.KERNEL32(00000000), ref: 0056CC61
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0055E9E1), ref: 0056CC72
GetProcAddress.KERNEL32(00000000), ref: 0056CC75
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0055E9E1), ref: 0056CC83
GetProcAddress.KERNEL32(00000000), ref: 0056CC86
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0055E9E1), ref: 0056CC97
GetProcAddress.KERNEL32(00000000), ref: 0056CC9A
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0055E9E1), ref: 0056CCA7
GetProcAddress.KERNEL32(00000000), ref: 0056CCAA
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0055E9E1), ref: 0056CCB7
GetProcAddress.KERNEL32(00000000), ref: 0056CCBA
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0055E9E1), ref: 0056CCCC
GetProcAddress.KERNEL32(00000000), ref: 0056CCCF
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0055E9E1), ref: 0056CCDC
GetProcAddress.KERNEL32(00000000), ref: 0056CCDF
GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0055E9E1), ref: 0056CCF0
GetProcAddress.KERNEL32(00000000), ref: 0056CCF3
GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0055E9E1), ref: 0056CD04
GetProcAddress.KERNEL32(00000000), ref: 0056CD07
LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0055E9E1), ref: 0056CD19
GetProcAddress.KERNEL32(00000000), ref: 0056CD1C
LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0055E9E1), ref: 0056CD29
GetProcAddress.KERNEL32(00000000), ref: 0056CD2C
LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0055E9E1), ref: 0056CD39
GetProcAddress.KERNEL32(00000000), ref: 0056CD3C
LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0055E9E1), ref: 0056CD49
GetProcAddress.KERNEL32(00000000), ref: 0056CD4C

Strings

RmEndSession, xrefs: 0056CD3E
ntdll, xrefs: 0056CBBD, 0056CBC2, 0056CCA1, 0056CCB1, 0056CCE6
IsWow64Process, xrefs: 0056CBD7
Shlwapi, xrefs: 0056CC79
Kernel32, xrefs: 0056CB80
NtUnmapViewOfSection, xrefs: 0056CBB8
GetMonitorInfoW, xrefs: 0056CC4F
kernel32, xrefs: 0056CBCD, 0056CBDC, 0056CBF0, 0056CC18, 0056CC68, 0056CC8D, 0056CCFA
Psapi, xrefs: 0056CB60
SetProcessDEPPolicy, xrefs: 0056CC13
Iphlpapi, xrefs: 0056CCC1, 0056CCCB, 0056CCD6
GetFinalPathNameByHandleW, xrefs: 0056CCF5
NtResumeProcess, xrefs: 0056CCAC
GetExtendedUdpTable, xrefs: 0056CCD1
IsUserAnAdmin, xrefs: 0056CBFF
Rstrtmgr, xrefs: 0056CD0E, 0056CD18, 0056CD23, 0056CD33, 0056CD43
GetProcessImageFileNameW, xrefs: 0056CB5A, 0056CB5F, 0056CB7F
Shell32, xrefs: 0056CC04
RmRegisterResources, xrefs: 0056CD1E
RmStartSession, xrefs: 0056CD09
shcore, xrefs: 0056CB95
GetSystemTimes, xrefs: 0056CC63
EnumDisplayMonitors, xrefs: 0056CC3B
EnumDisplayDevicesW, xrefs: 0056CC27
NtQueryInformationProcess, xrefs: 0056CCE1
SetProcessDpiAwareness, xrefs: 0056CB8F, 0056CB94, 0056CBA8
GetExtendedTcpTable, xrefs: 0056CCBC
NtSuspendProcess, xrefs: 0056CC9C
user32, xrefs: 0056CBA9, 0056CC2C, 0056CC40, 0056CC54
GetConsoleWindow, xrefs: 0056CC88
GetComputerNameExW, xrefs: 0056CBEB
RmGetList, xrefs: 0056CD2E
GlobalMemoryStatusEx, xrefs: 0056CBC8

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 4236061018-3687161714
Opcode ID: 18cd780b3a682a9dd66a2f6f79656dbc0662c591e91a6faadef409b435c09a70
Instruction ID: da508ccbb79a134b441c5a672ea6500d242bc879728d3f223861971fcfd9541b
Opcode Fuzzy Hash: 18cd780b3a682a9dd66a2f6f79656dbc0662c591e91a6faadef409b435c09a70
Instruction Fuzzy Hash: 0841F0A4E807587EDA107BB65C5DD9B3DACF9617943414827B018A7150DAB8FC04DFAC

Uniqueness

Uniqueness Score: -1.00%

Function 0055A2B8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 63
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0055A2D3
SetWindowsHookExA.USER32(0000000D,0055A2A4,00000000), ref: 0055A2E1
GetLastError.KERNEL32 ref: 0055A2ED

Part of subcall function 0056B4EF: GetLocalTime.KERNEL32(00000000), ref: 0056B509

KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 0055A33B
TranslateMessage.USER32(?), ref: 0055A34A
DispatchMessageA.USER32(?), ref: 0055A355

Strings

Keylogger initialization failure: error , xrefs: 0055A301
`#v, xrefs: 0055A2D3

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Message$CallbackDispatchDispatcherErrorHandleHookLastLocalModuleTimeTranslateUserWindows
String ID: Keylogger initialization failure: error $`#v
API String ID: 941179788-3226811161
Opcode ID: 3894722bacde9c3b6053ff2aed5fa8e03c22c35f2bcbef51823944ff49aaab35
Instruction ID: f89e5f56a9899ce7b7d85cdd1e6802e1a071d69d2c8beddb76941ed7f603634a
Opcode Fuzzy Hash: 3894722bacde9c3b6053ff2aed5fa8e03c22c35f2bcbef51823944ff49aaab35
Instruction Fuzzy Hash: ED119171514602AB9B106B79DC1E86B7FFCFBE6716B100A2FFC85C2190EA709908C762

Uniqueness

Uniqueness Score: -1.00%

Function 0055A3E0 Relevance: 12.1, APIs: 8, Instructions: 112
keyboardthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32(?,?,005C50F0), ref: 0055A416
GetWindowThreadProcessId.USER32(00000000,?), ref: 0055A422
GetKeyboardLayout.USER32(00000000), ref: 0055A429
GetKeyState.USER32(00000010), ref: 0055A433
GetKeyboardState.USER32(?,?,005C50F0), ref: 0055A43E
ToUnicodeEx.USER32(005C5144,?,?,?,00000010,00000000,00000000), ref: 0055A461
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0055A4C1
ToUnicodeEx.USER32(005C5144,?,?,?,00000010,00000000,00000000), ref: 0055A4FA

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID:
API String ID: 1888522110-0
Opcode ID: 8e664c3416300c4fd86c690184f0832bbed758e01b405cc0d21bdb4f57586e61
Instruction ID: ce02045a8a29085128bfe694793b8bd1ba185bafc7a6384295534bc420f4abb2
Opcode Fuzzy Hash: 8e664c3416300c4fd86c690184f0832bbed758e01b405cc0d21bdb4f57586e61
Instruction Fuzzy Hash: 36315F72504305BFDB10DB94DC49FDBBBECFB98744F00082AB645D61A0E6B1A94C9BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0056B380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0056B3A7
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0056B3BD
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0056B3D6
InternetCloseHandle.WININET(00000000), ref: 0056B41C
InternetCloseHandle.WININET(00000000), ref: 0056B41F

Strings

http://geoplugin.net/json.gp, xrefs: 0056B3B7

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: c7b2d2ac17722e56516b3d06d42210d180ce889325229d9af3db9fb448fe0d4d
Instruction ID: 8319ae0f45236b154ee8ee960cbaceb1b3de762583aa0baad8a19fd1b2766f9f
Opcode Fuzzy Hash: c7b2d2ac17722e56516b3d06d42210d180ce889325229d9af3db9fb448fe0d4d
Instruction Fuzzy Hash: 0D1182311063226BD624AB259C5DEBF7F9CFF86761F00052EF805D2191DB649949C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0055F7A7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00563549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00563569
Part of subcall function 00563549: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,005C52F0), ref: 00563587
Part of subcall function 00563549: RegCloseKey.KERNEL32(?), ref: 00563592

Sleep.KERNEL32(00000BB8), ref: 0055F85B
ExitProcess.KERNEL32 ref: 0055F8CA

Strings

pth_unenc, xrefs: 0055F7BD, 0055F804, 0055F871
override, xrefs: 0055F7CC
4.9.4 Pro, xrefs: 0055F836, 0055F8A3

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 4.9.4 Pro$override$pth_unenc
API String ID: 2281282204-930821335
Opcode ID: 24c1343afe5f347169e5332833ed860397abbc01cd86f3c0c8325628c32a27de
Instruction ID: 64803a7cf73d5bcec36bbdb94bc22d0ab48ce2110c0856bd54b35dea42b65c9c
Opcode Fuzzy Hash: 24c1343afe5f347169e5332833ed860397abbc01cd86f3c0c8325628c32a27de
Instruction Fuzzy Hash: 3721F761B1460267CA0876798C7FBAE3DA9BFC5712F40002DF806572D7EE259E0983B6

Uniqueness

Uniqueness Score: -1.00%

Function 00583837 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,005834BF,00000034,?,?,0090D7B8), ref: 00583849
CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00583552,00000000,?,00000000), ref: 0058385F
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00583552,00000000,?,00000000,0056E251), ref: 00583871

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 556233e78c43d4b6f7040fc63c256a5bbdae549c7ed849e2d61ce0baa93463bb
Instruction ID: 6464d22c197035df66de55737d456ba1b361a1e02fd538d9435fa55e21547601
Opcode Fuzzy Hash: 556233e78c43d4b6f7040fc63c256a5bbdae549c7ed849e2d61ce0baa93463bb
Instruction Fuzzy Hash: B3E09231309220BAEB301F25AC0CF573E65FB92BA0F200939F612F40E4E25288049A54

Uniqueness

Uniqueness Score: -1.00%

Function 0056B60D Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,0000002B,005C50E4), ref: 0056B62A
GetUserNameW.ADVAPI32(?,0055F223), ref: 0056B642

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: 4b61dd7c23d8540c5296dacbe0e36155d446bb38843830267b549d4faae88719
Instruction ID: 0830f2a1548e5017192116b85b737e9307b62543aae4e5c340c95207b7e71fae
Opcode Fuzzy Hash: 4b61dd7c23d8540c5296dacbe0e36155d446bb38843830267b549d4faae88719
Instruction Fuzzy Hash: 0001FF7190051DABCB04EBD4DC59EDEBBBCBF44306F100156B806A61A1EE706A8DCBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0055F8D1 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,005654FC,005C4EE0,005C5A00,005C4EE0,00000000,005C4EE0,00000000,005C4EE0,4.9.4 Pro), ref: 0055F8E5

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6a8206e4403b50dd048002a696c848facf1e340186255e929eaf5279141128d3
Instruction ID: 3de1cff7c4c71e91c549aca22337bc2572cc7a0612d24b7dc1f45f6126ce1623
Opcode Fuzzy Hash: 6a8206e4403b50dd048002a696c848facf1e340186255e929eaf5279141128d3
Instruction Fuzzy Hash: 55D05B3074411C77D61496959C0EEAA7B9CE701B52F000196BE05D72C0D9E15E0487D1

Uniqueness

Uniqueness Score: -1.00%

Function 0055E9C5 Relevance: 86.5, APIs: 15, Strings: 34, Instructions: 795
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0056CB50: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0055E9E1), ref: 0056CB65
Part of subcall function 0056CB50: GetProcAddress.KERNEL32(00000000), ref: 0056CB6E
Part of subcall function 0056CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0055E9E1), ref: 0056CB85
Part of subcall function 0056CB50: GetProcAddress.KERNEL32(00000000), ref: 0056CB88
Part of subcall function 0056CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0055E9E1), ref: 0056CB9A
Part of subcall function 0056CB50: GetProcAddress.KERNEL32(00000000), ref: 0056CB9D
Part of subcall function 0056CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0055E9E1), ref: 0056CBAE
Part of subcall function 0056CB50: GetProcAddress.KERNEL32(00000000), ref: 0056CBB1
Part of subcall function 0056CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0055E9E1), ref: 0056CBC3
Part of subcall function 0056CB50: GetProcAddress.KERNEL32(00000000), ref: 0056CBC6
Part of subcall function 0056CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0055E9E1), ref: 0056CBD2
Part of subcall function 0056CB50: GetProcAddress.KERNEL32(00000000), ref: 0056CBD5
Part of subcall function 0056CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0055E9E1), ref: 0056CBE6
Part of subcall function 0056CB50: GetProcAddress.KERNEL32(00000000), ref: 0056CBE9
Part of subcall function 0056CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0055E9E1), ref: 0056CBFA
Part of subcall function 0056CB50: GetProcAddress.KERNEL32(00000000), ref: 0056CBFD
Part of subcall function 0056CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0055E9E1), ref: 0056CC0E
Part of subcall function 0056CB50: GetProcAddress.KERNEL32(00000000), ref: 0056CC11
Part of subcall function 0056CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0055E9E1), ref: 0056CC22
Part of subcall function 0056CB50: GetProcAddress.KERNEL32(00000000), ref: 0056CC25
Part of subcall function 0056CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0055E9E1), ref: 0056CC36
Part of subcall function 0056CB50: GetProcAddress.KERNEL32(00000000), ref: 0056CC39
Part of subcall function 0056CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0055E9E1), ref: 0056CC4A
Part of subcall function 0056CB50: GetProcAddress.KERNEL32(00000000), ref: 0056CC4D
Part of subcall function 0056CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0055E9E1), ref: 0056CC5E
Part of subcall function 0056CB50: GetProcAddress.KERNEL32(00000000), ref: 0056CC61
Part of subcall function 0056CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0055E9E1), ref: 0056CC72
Part of subcall function 0056CB50: GetProcAddress.KERNEL32(00000000), ref: 0056CC75
Part of subcall function 0056CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0055E9E1), ref: 0056CC83

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\tu.exe,00000104), ref: 0055E9EE

Part of subcall function 00560F37: __EH_prolog.LIBCMT ref: 00560F3C

Strings

Exe, xrefs: 0055EB0F
P\, xrefs: 0055F1F3
8S\, xrefs: 0055EF1D
P\, xrefs: 0055F1C7
P\, xrefs: 0055ED47
S\, xrefs: 0055EB62
P\, xrefs: 0055F103
Administrator, xrefs: 0055F287
P\, xrefs: 0055ED7B
Inj, xrefs: 0055EBD5, 0055EBEC
P\, xrefs: 0055EDD3
Software\, xrefs: 0055EAC3
P\, xrefs: 0055F12B
P\, xrefs: 0055EEAC
C:\Users\user\Desktop\tu.exe, xrefs: 0055E9E6, 0055EE0F
license_code.txt, xrefs: 0055EA4D
Access Level: , xrefs: 0055F29F
P\, xrefs: 0055F187
del, xrefs: 0055F2ED, 0055F36F
P\, xrefs: 0055F154
dM\, xrefs: 0055F1A8
del, xrefs: 0055F2D1
P\, xrefs: 0055EA5D
P\, xrefs: 0055F0D8
8S\, xrefs: 0055EE65
P\, xrefs: 0055EF66
PS\, xrefs: 0055F224
S\, xrefs: 0055EB05
User, xrefs: 0055F28E
licence, xrefs: 0055EF88
P\, xrefs: 0055F036
Remcos Agent initialized, xrefs: 0055EFEF
P\, xrefs: 0055EA96
exepath, xrefs: 0055EE92, 0055EF40

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: S\$ S\$8S\$8S\$Access Level: $Administrator$C:\Users\user\Desktop\tu.exe$Exe$Inj$PS\$Remcos Agent initialized$Software\$User$dM\$del$del$exepath$licence$license_code.txt$P\$P\$P\$P\$P\$P\$P\$P\$P\$P\$P\$P\$P\$P\$P\
API String ID: 2830904901-2347464508
Opcode ID: 750edafc8c72c9a364ce49edbcd197d8153bc695de9d03496066375bb76919b1
Instruction ID: e0b1d6631fe4013f52982908bcfa772224e5c6029ce2f96bc2e8919080f444d7
Opcode Fuzzy Hash: 750edafc8c72c9a364ce49edbcd197d8153bc695de9d03496066375bb76919b1
Instruction Fuzzy Hash: 49329560B04A426ADB18B7B09C7FF6E2E997FC1742F40082FBD425B1D2EE649D4D8365

Uniqueness

Uniqueness Score: -1.00%

Function 00564F2A Relevance: 46.3, APIs: 5, Strings: 21, Instructions: 809
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,005C52F0,005C50E4,00000000), ref: 00564F7B
WSAGetLastError.WS2_32(00000000,00000001), ref: 0056518C
Sleep.KERNEL32(00000000,00000002), ref: 00565AD7

Part of subcall function 0056B4EF: GetLocalTime.KERNEL32(00000000), ref: 0056B509

Strings

hlight, xrefs: 00565393
Connecting | , xrefs: 00565108
C:\Users\user\Desktop\tu.exe, xrefs: 005653C0
TLS On , xrefs: 005650F3
N\, xrefs: 00565423
P\, xrefs: 00564F54
name, xrefs: 00565366
P\, xrefs: 00565328
4.9.4 Pro, xrefs: 005654CB
PS\, xrefs: 005654FE
dM\, xrefs: 00565499
8S\, xrefs: 00565340
Connection Error: Unable to create socket, xrefs: 005651EA
Disconnected, xrefs: 00565A47
| , xrefs: 00565112, 00565253
TLS Off, xrefs: 005650E5
Connected | , xrefs: 0056524E
P\, xrefs: 00565A9E
%I64u, xrefs: 005652F6
N\, xrefs: 005653E2
Connection Error: , xrefs: 0056519F

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$4.9.4 Pro$8S\$C:\Users\user\Desktop\tu.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PS\$TLS Off$TLS On $dM\$hlight$name$N\$N\$P\$P\$P\
API String ID: 524882891-2418888176
Opcode ID: 27a36eb68890ad90277cca25c22729183c7c0e12446431b8ff8e6cc8ab34aa21
Instruction ID: 0b0ed289875e0a33f0655341b31b68f036d51e709ef184423188acec5e0315f1
Opcode Fuzzy Hash: 27a36eb68890ad90277cca25c22729183c7c0e12446431b8ff8e6cc8ab34aa21
Instruction Fuzzy Hash: 1C526E31A005165ADB18F761EC6BBFE7F75BF90302F5045AAA806671D2EF301E8ACA54

Uniqueness

Uniqueness Score: -1.00%

Function 0055A726 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 0055A740

Part of subcall function 0055A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0055A74D), ref: 0055A6AB
Part of subcall function 0055A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0055A74D), ref: 0055A6BA
Part of subcall function 0055A675: Sleep.KERNEL32(00002710,?,?,?,0055A74D), ref: 0055A6E7
Part of subcall function 0055A675: FindCloseChangeNotification.KERNEL32(00000000,?,?,?,0055A74D), ref: 0055A6EE

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0055A77C
GetFileAttributesW.KERNEL32(00000000), ref: 0055A78D
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0055A7A4
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0055A81E

Part of subcall function 0056C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0055A843), ref: 0056C49E

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,005B6468,?,00000000,00000000,00000000,00000000,00000000), ref: 0055A927

Strings

P\, xrefs: 0055A7AC
pQ\, xrefs: 0055A761
pQ\, xrefs: 0055A771
P\, xrefs: 0055A907
8S\, xrefs: 0055A7F7
8S\, xrefs: 0055A802

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$ChangeCloseDirectoryExistsFindNotificationPathSize
String ID: 8S\$8S\$pQ\$pQ\$P\$P\
API String ID: 110482706-251329498
Opcode ID: 85566b9af313360fd33075959a946e62766eeaa51d3b7d25cf395f8a8214e128
Instruction ID: 0ffca2403cd51f9554794e7abb74cd168f2641ebea564f6204b5059cf4a473d2
Opcode Fuzzy Hash: 85566b9af313360fd33075959a946e62766eeaa51d3b7d25cf395f8a8214e128
Instruction Fuzzy Hash: 82516E712046025ACB04BB70D87ABBE7EA9BFD5342F04092EBD82971D2EF149D0D8766

Uniqueness

Uniqueness Score: -1.00%

Function 005548C8 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,?), ref: 005548E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00554A00
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00554A0E
WSAGetLastError.WS2_32 ref: 00554A21

Part of subcall function 0056B4EF: GetLocalTime.KERNEL32(00000000), ref: 0056B509

Strings

TLS Error 3, xrefs: 005549D8
Connection Refused, xrefs: 00554A76
TLS Handshake... | , xrefs: 00554904
TLS Error 2, xrefs: 00554955
Connection Failed: , xrefs: 00554A43
TLS Authentication Failed, xrefs: 00554999
TLS Error 1, xrefs: 00554937

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: a7a8afcdcce2baeba6d079a31a1ed4cf6b67511c10d5f9eb79efa661ae6e0ab9
Instruction ID: 3448c42b8c510d7bf96b6bb8914170347b8932f377f04d4257d0c3c40806a7b4
Opcode Fuzzy Hash: a7a8afcdcce2baeba6d079a31a1ed4cf6b67511c10d5f9eb79efa661ae6e0ab9
Instruction Fuzzy Hash: D041EB65B406076B9A187B79C92F97DBE56BB82305B40011AFC0247AD3FF11AC59CBD3

Uniqueness

Uniqueness Score: -1.00%

Function 0055ACD6 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 0055AD38
Sleep.KERNEL32(000001F4), ref: 0055AD43
GetForegroundWindow.USER32 ref: 0055AD49
GetWindowTextLengthW.USER32(00000000), ref: 0055AD52
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0055AD86
Sleep.KERNEL32(000003E8), ref: 0055AE54

Part of subcall function 0055A636: SetEvent.KERNEL32(?,?,00000000,0055B20A,00000000), ref: 0055A662

Strings

], xrefs: 0055ADE8
[, xrefs: 0055ADEE
{ User has been idle for , xrefs: 0055AE86
minutes }, xrefs: 0055AE7A

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: 30c0697e0159ca2c5b628199ff9fc495ac4d9b6b4647014acb34603a24dae964
Instruction ID: 19592cf425a7f6ccb25b0095f243e5dd316a1aa984682d2e2d5fe2b1c7da58fe
Opcode Fuzzy Hash: 30c0697e0159ca2c5b628199ff9fc495ac4d9b6b4647014acb34603a24dae964
Instruction Fuzzy Hash: 465193316046425BD714F760D86AA6E7FA9BFD4302F400A2BFC46931E2EF249E4DC653

Uniqueness

Uniqueness Score: -1.00%

Function 0055DA34 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0055DB9A

Strings

UserProfile, xrefs: 0055DB58
ProgramData, xrefs: 0055DB5F
\system32, xrefs: 0055DAAE
SystemDrive, xrefs: 0055DA91
WinDir, xrefs: 0055DA9B, 0055DABD, 0055DB0F
ProgramFiles, xrefs: 0055DB6E
AppData, xrefs: 0055DB51
\SysWOW64, xrefs: 0055DB00
Temp, xrefs: 0055DA66

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: f43427ddc181c1f48384920502cbdb76f571864092b5d878ae6add96703ae5c5
Instruction ID: 545b32b27c06a31bbfaec89b97944373644146e6ca6cef3b5ac86cf3ed69635d
Opcode Fuzzy Hash: f43427ddc181c1f48384920502cbdb76f571864092b5d878ae6add96703ae5c5
Instruction Fuzzy Hash: C94115321086069BC214FA60DC7ADAFBFB9BED5352F10051FB846921D1FF60A94DCA66

Uniqueness

Uniqueness Score: -1.00%

Function 0056B2C3 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0056BFB7: GetCurrentProcess.KERNEL32(?,?,?,0055DAAA,WinDir,00000000,00000000), ref: 0056BFC8

Part of subcall function 005635A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 005635CA
Part of subcall function 005635A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 005635E7
Part of subcall function 005635A6: RegCloseKey.KERNEL32(?), ref: 005635F2

StrToIntA.SHLWAPI(00000000,005BC9F8,00000000,00000000,00000000,005C50E4,00000003,Exe,00000000,0000000E,00000000,005B60BC,00000003,00000000), ref: 0056B33C

Strings

CurrentBuildNumber, xrefs: 0056B31D
(32 bit), xrefs: 0056B36F
(64 bit), xrefs: 0056B368
ProductName, xrefs: 0056B2D2
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0056B2D7, 0056B2E1, 0056B322

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-2070987746
Opcode ID: 0fcc6b1de7b15f07718396813814cabafd7acc857866fdb35cc92039bd7ac224
Instruction ID: b0db8e6dcaa46b52a7cd2dceb405228c738567387ba3da027adee008aab90c5e
Opcode Fuzzy Hash: 0fcc6b1de7b15f07718396813814cabafd7acc857866fdb35cc92039bd7ac224
Instruction Fuzzy Hash: 4A115921B406021AE700B378DC6FEBE7F59BBE0301F440525F902A31D2EB506D89C3A9

Uniqueness

Uniqueness Score: -1.00%

Function 0055A675 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0055A74D), ref: 0055A6AB
GetFileSize.KERNEL32(00000000,00000000,?,?,?,0055A74D), ref: 0055A6BA
Sleep.KERNEL32(00002710,?,?,?,0055A74D), ref: 0055A6E7
FindCloseChangeNotification.KERNEL32(00000000,?,?,?,0055A74D), ref: 0055A6EE

Strings

XQ\, xrefs: 0055A6A0

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateFindNotificationSizeSleep
String ID: XQ\
API String ID: 4068920109-1553192912
Opcode ID: 28ea3272ecbfa793abc0ff2b88e5fc5f7fa7fbf381a1ae5402acbb3201500b59
Instruction ID: 280bd2448272736948b83b0eb80c466883409040ebd8fa6c38e98a506eb40328
Opcode Fuzzy Hash: 28ea3272ecbfa793abc0ff2b88e5fc5f7fa7fbf381a1ae5402acbb3201500b59
Instruction Fuzzy Hash: 1E113A30640B50AEEA3167A498BDB2E3FAABF55352F0C050AFA8246592D7506C8CD366

Uniqueness

Uniqueness Score: -1.00%

Function 0056C3F1 Relevance: 7.6, APIs: 5, Instructions: 67
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0056C510,00000000,00000000,?), ref: 0056C430
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0055A8E7,?,00000000,00000000), ref: 0056C44D
CloseHandle.KERNEL32(00000000,?,0055A8E7,?,00000000,00000000), ref: 0056C459
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0055A8E7,?,00000000,00000000), ref: 0056C46A
FindCloseChangeNotification.KERNEL32(00000000,?,0055A8E7,?,00000000,00000000), ref: 0056C477

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
String ID:
API String ID: 1087594267-0
Opcode ID: 77e1c333d7fad135d058250766cbcfe2120c62d0efd4a9bbdd23364c63b0978c
Instruction ID: 2d2fb95afc742898f96f9f032296152c814f2687582729790bb39cef2015012a
Opcode Fuzzy Hash: 77e1c333d7fad135d058250766cbcfe2120c62d0efd4a9bbdd23364c63b0978c
Instruction Fuzzy Hash: 4011A5712051257FEE148A25AC99EBB7FACFB56777F104A29F5D2C31C0CA619C049631

Uniqueness

Uniqueness Score: -1.00%

Function 00565AEA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?), ref: 00565B0F
GetTickCount.KERNEL32 ref: 00565B86

Strings

N\, xrefs: 00565B3E
!DU, xrefs: 00567089

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: !DU$N\
API String ID: 180926312-498127804
Opcode ID: f54c7c05242bda60770f94c2ef3fa1a0fe07c5b9cc10c1b5adf4f67988b20a0d
Instruction ID: 511e9b8751dcdfcc2378847209229d30bfc67b4d7683e05c699e025d11809172
Opcode Fuzzy Hash: f54c7c05242bda60770f94c2ef3fa1a0fe07c5b9cc10c1b5adf4f67988b20a0d
Instruction Fuzzy Hash: A751C1316086025AC724FB20D8AAAEF7FA5BFD1311F50492EB846871D1EF30594ECB96

Uniqueness

Uniqueness Score: -1.00%

Function 0055A179 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0055A27D,?,00000000,00000000), ref: 0055A1FE
CreateThread.KERNEL32(00000000,00000000,0055A267,?,00000000,00000000), ref: 0055A20E
CreateThread.KERNEL32(00000000,00000000,0055A289,?,00000000,00000000), ref: 0055A21A

Part of subcall function 0055B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0055B172
Part of subcall function 0055B164: wsprintfW.USER32 ref: 0055B1F3

Strings

Offline Keylogger Started, xrefs: 0055A19B, 0055A1A2, 0055A1CF

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 26de8c01eed5994cdbc969d2930dcee02b22c7a5bd98cb9a7b948dda39b98e2c
Instruction ID: 2758f3ef9e88b5c8890d7786b2cc2a14d429d6dcbc1c91ecf156bd7d4574d3e8
Opcode Fuzzy Hash: 26de8c01eed5994cdbc969d2930dcee02b22c7a5bd98cb9a7b948dda39b98e2c
Instruction Fuzzy Hash: AC1158A51006097AA224BB359CAFCBB7E5DFEC1795F40061AFC4603192EA515D5CCBF3

Uniqueness

Uniqueness Score: -1.00%

Function 00554F51 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000001,005C4EE0,005C5598,?,?,?,?,00565CD6,?,00000001), ref: 00554F81
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,005C4EE0,005C5598,?,?,?,?,00565CD6,?,00000001), ref: 00554FCD
CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00554FE0

Strings

KeepAlive | Enabled | Timeout: , xrefs: 00554F94

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: 73dbfeec77fce8e8b2f07144b8820eef61ce8ccb41d50d57446a5ef14af89f68
Instruction ID: fc12f9982812348244512fe3218b6feeab18c99f6b2fb3bec1482f16cc28f8c1
Opcode Fuzzy Hash: 73dbfeec77fce8e8b2f07144b8820eef61ce8ccb41d50d57446a5ef14af89f68
Instruction Fuzzy Hash: DA11E3358046846ADB20A77A9C1EFAB7FB8AFD3715F04040FF84143251D6705489CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0056376F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0056377E
RegSetValueExA.KERNEL32(?,005B74B8,00000000,?,00000000,00000000,005C52F0,?,?,0055F853,005B74B8,4.9.4 Pro), ref: 005637A6
RegCloseKey.KERNEL32(?,?,?,0055F853,005B74B8,4.9.4 Pro), ref: 005637B1

Strings

pth_unenc, xrefs: 00563773

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 0497f4e62890003a3d0e62ef0918abe2c7e52c70f7add94e6a5fdaca5d8fdc20
Instruction ID: e2c61d0cbe5556bf5905b69efbafce50cfee12af177397bc346fe0e37c48c568
Opcode Fuzzy Hash: 0497f4e62890003a3d0e62ef0918abe2c7e52c70f7add94e6a5fdaca5d8fdc20
Instruction Fuzzy Hash: B1F06DB2400118BFCF00AFA0EC59EEA3F6CFF45791F104155BE05A6021EB319F18ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00554CC3 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,005C4F50), ref: 00554DB3
CreateThread.KERNEL32(00000000,00000000,?,005C4EF8,00000000,00000000), ref: 00554DC7
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00554DD2
FindCloseChangeNotification.KERNEL32(?,?,00000000), ref: 00554DDB

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
String ID:
API String ID: 2579639479-0
Opcode ID: 25628e283c2893243474b52493f74ab6599a5b0158d193e88a7c61a6033901a8
Instruction ID: ac5713cb2b27a0efd451c77aa7ad3c2968effbd089c1f543b9594a125bfccde3
Opcode Fuzzy Hash: 25628e283c2893243474b52493f74ab6599a5b0158d193e88a7c61a6033901a8
Instruction Fuzzy Hash: A7418271508302ABCB14AB61CC69E7FBFA9BFD5316F04091EFC9282191DB20994D8B62

Uniqueness

Uniqueness Score: -1.00%

Function 0055D069 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0055EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,005B60BC,00000003,00000000), ref: 0055D078
GetLastError.KERNEL32 ref: 0055D083

Strings

S\, xrefs: 0055D069

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: S\
API String ID: 1925916568-877104314
Opcode ID: 8af12a3d896dd1cfe152ebdc8764552cdcc25eeda18c57438dee76ebe9be44b5
Instruction ID: 487d60c722b963200450078d06e706b45e34d23b13894ee1b4e2bc0df572b1a2
Opcode Fuzzy Hash: 8af12a3d896dd1cfe152ebdc8764552cdcc25eeda18c57438dee76ebe9be44b5
Instruction Fuzzy Hash: 32D012B4604611AFD7081BB49C99B583D94EF64702F400429B507C99E0DBA44898A611

Uniqueness

Uniqueness Score: -1.00%

Function 005635A6 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 005635CA
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 005635E7
RegCloseKey.KERNEL32(?), ref: 005635F2

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 958a30f86c1af014d8b35120b7ce9eb823dbf4387ebfd5368ba3c43b54610fe5
Instruction ID: 963f2fe8baa36c2874cead38feccc5bbe822ae130d0c7b6e9d93ca899c84041d
Opcode Fuzzy Hash: 958a30f86c1af014d8b35120b7ce9eb823dbf4387ebfd5368ba3c43b54610fe5
Instruction Fuzzy Hash: 9B01627A900128BBCB209B95DD09DEE7F7DEB85750F004195BB05E3210DB719E19DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005636F8 Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,005C52F0), ref: 00563714
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0056372D
RegCloseKey.KERNEL32(00000000), ref: 00563738

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: f0156d184192e1d768dc04df5fc22ec0c42c1b8e78ed95e79090e6425dbd6a85
Instruction ID: e168d6ed2bc62258f26635e30bd8752ee6c1c9e02d300ec33598e577122bc761
Opcode Fuzzy Hash: f0156d184192e1d768dc04df5fc22ec0c42c1b8e78ed95e79090e6425dbd6a85
Instruction Fuzzy Hash: F701FBB540012DBBCF215FA5DC49DEA7F79FF16751F004565BE0862120D7318AA9EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00563549 Relevance: 4.5, APIs: 3, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00563569
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,005C52F0), ref: 00563587
RegCloseKey.KERNEL32(?), ref: 00563592

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 9fa1605136ee50f7bc7b376b21530fe3d5a02c67b43f06c497912ccb46b70488
Instruction ID: edac477c2534e7232af4adae92a9f2d1007c1e0d7ff65014e970ea1dfaac545d
Opcode Fuzzy Hash: 9fa1605136ee50f7bc7b376b21530fe3d5a02c67b43f06c497912ccb46b70488
Instruction Fuzzy Hash: A6F01776900218FFDF109FA19C09FEEBBBCEB55750F1080A5BA05E6150E6715B18AB90

Uniqueness

Uniqueness Score: -1.00%

Function 005634FF Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0055C19C,005B6C48), ref: 00563516
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0055C19C,005B6C48), ref: 0056352A
RegCloseKey.KERNEL32(?,?,?,0055C19C,005B6C48), ref: 00563535

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: f59f72934ba60ac74aac9e1ba059229c24dfff3d18cb22cdbd111b219b6a0d5c
Instruction ID: 6a68fc39dfd371ec202e29d9dbb69887c4611b8c15e8eeed7fc2a63a33db874f
Opcode Fuzzy Hash: f59f72934ba60ac74aac9e1ba059229c24dfff3d18cb22cdbd111b219b6a0d5c
Instruction Fuzzy Hash: 07E06D72801238FB9F204BA29C0DDEB7F6CFF56BE0B014144BD0DA6111D2614E14E6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00563877 Relevance: 4.5, APIs: 3, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,005B60A4), ref: 00563885
RegSetValueExA.KERNEL32(005B60A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0055C152,005B6C48,00000001,000000AF,005B60A4), ref: 005638A0
RegCloseKey.ADVAPI32(005B60A4,?,?,?,0055C152,005B6C48,00000001,000000AF,005B60A4), ref: 005638AB

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: d95a9311aaf8ed1a9f717677615ad8ab4a80909bbddd8867c1187326f69437c1
Instruction ID: 12ef8974848068367085b69259a760f77c98ea61825d1db54c67ec53aacbf962
Opcode Fuzzy Hash: d95a9311aaf8ed1a9f717677615ad8ab4a80909bbddd8867c1187326f69437c1
Instruction Fuzzy Hash: 27E06D72500228FBEF119FA19C09FEA7B6CFF15B90F104154BF05A7150D3718E18A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00559DE4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00559DFD

Strings

pQ\, xrefs: 00559E2D

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID: pQ\
API String ID: 176396367-1791869064
Opcode ID: 4754e916d40091b3ecb1249fe725c368338f1a7575d8379d0bddf92142ad085c
Instruction ID: 0ec688c592182b4e41690510389e024b4131b9f12da79a2148f5efd3f964c993
Opcode Fuzzy Hash: 4754e916d40091b3ecb1249fe725c368338f1a7575d8379d0bddf92142ad085c
Instruction Fuzzy Hash: A611A1319006068FCB15EF64E86AAEF7FB9BF94311B04001BFC4652291FF24A909CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0056B7B6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0056B7CA

Strings

@, xrefs: 0056B7C0

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: d55c5c354112fa23abbcc34c8e180aa706aabfb71751e0bc4b0a545af847a6c2
Instruction ID: 571dfcd8e9666550bafe91e62de88c7332d3c7a9a482069338ff1d5d0a8e71aa
Opcode Fuzzy Hash: d55c5c354112fa23abbcc34c8e180aa706aabfb71751e0bc4b0a545af847a6c2
Instruction Fuzzy Hash: 87D017B9802318AFC720DFA8E804A8DBBFCFB08210F00416AEC49E3700E770A8048B84

Uniqueness

Uniqueness Score: -1.00%

Function 00596185 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005961A6

Part of subcall function 00596137: RtlAllocateHeap.NTDLL(00000000,0058529C,?,?,00588847,?,?,00000000,?,?,0055DE62,0058529C,?,?,?,?), ref: 00596169

HeapReAlloc.KERNEL32(00000000,00000000,?,?,0000000F,00000000,00582F02,00000000,0000000F,0057F90C,?,?,005819B3,?,?,00000000), ref: 005961E2

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: a6eb0b06de6fdeafd850ac81c4644fc6f854f6a0c8ed0296f6d9259aa70b40d3
Instruction ID: 723c30323d45aa1e673d6b864eaeca75069112641fc6522ffed3d13796e722a5
Opcode Fuzzy Hash: a6eb0b06de6fdeafd850ac81c4644fc6f854f6a0c8ed0296f6d9259aa70b40d3
Instruction Fuzzy Hash: 9AF090326016167ADF212B29AC05F6F7F5DBFC17B1F21412AF824A61D2DE24D919F1A0

Uniqueness

Uniqueness Score: -1.00%

Function 0055482D Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 00554852
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0055530B,?,?,00000000,00000000,?,?,00000000,00555208,?,00000000), ref: 0055488E

Part of subcall function 0055489E: WSAStartup.WS2_32(00000202,00000000), ref: 005548B3

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: 66ca464d6a223a08e0ddcbe90c0b428799524fdb8758e3a59b61ba2dbca26293
Instruction ID: 6a949a7ac497e5fcae0a6e21514beff1752a1b4cfe20ff74a9cc189d474d8857
Opcode Fuzzy Hash: 66ca464d6a223a08e0ddcbe90c0b428799524fdb8758e3a59b61ba2dbca26293
Instruction Fuzzy Hash: 22017C71408B909ED7398F28A8457867FE0BB29308F04495EF4D697BA1C3B1A489DF10

Uniqueness

Uniqueness Score: -1.00%

Function 0055165E Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
Instruction ID: c783b0b58c40f7cedf0a9d0e4c1f9095b59fdeb8978c125fb4ceca7d64efae44
Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
Instruction Fuzzy Hash: A6F0547060560299DB1C9A348464B297E957B84352F248A1EF85AD58D1D730C899C708

Uniqueness

Uniqueness Score: -1.00%

Function 0056BA96 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0056BAB8
GetWindowTextW.USER32(00000000,?,00000100), ref: 0056BACB

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: 45368537794541ef3a15541fe08f3a74d65ad512acacc69c646805b3380bb941
Instruction ID: 03292c0fb009280a862cee2b157a9b33dd8996172face8f07bb15e7f44593416
Opcode Fuzzy Hash: 45368537794541ef3a15541fe08f3a74d65ad512acacc69c646805b3380bb941
Instruction Fuzzy Hash: 40E0D875A0032827EB20A7A4DC4EFE67B7CFB04700F00009AB918D31C2E9B06948CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00564EE9 Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,00000000,005C2ADC,005C50E4,00000000,00565188,00000000,00000001), ref: 00564F0B
WSASetLastError.WS2_32(00000000), ref: 00564F10

Part of subcall function 00564D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00564DD5
Part of subcall function 00564D86: LoadLibraryA.KERNEL32(?), ref: 00564E17
Part of subcall function 00564D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00564E37
Part of subcall function 00564D86: FreeLibrary.KERNEL32(00000000), ref: 00564E3E
Part of subcall function 00564D86: LoadLibraryA.KERNEL32(?), ref: 00564E76
Part of subcall function 00564D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00564E88
Part of subcall function 00564D86: FreeLibrary.KERNEL32(00000000), ref: 00564E8F
Part of subcall function 00564D86: GetProcAddress.KERNEL32(00000000,?), ref: 00564E9E

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
String ID:
API String ID: 1170566393-0
Opcode ID: f0b2e9fa550fa70e8273bfc6514c8608b507619167cf62bb52c2dffd51360ab3
Instruction ID: 3d6fb13b9b7755033475b56bc2e227d7c11f468f6e6987cb1a4c3c2fc6164085
Opcode Fuzzy Hash: f0b2e9fa550fa70e8273bfc6514c8608b507619167cf62bb52c2dffd51360ab3
Instruction Fuzzy Hash: F4D05E326015316F9360A76DAC05FBBEEACFFE7B74B05002AF900D3210D6908D4697A1

Uniqueness

Uniqueness Score: -1.00%

Function 0055A367 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32(005C50F0,?,?,?), ref: 0055A3D2

Part of subcall function 0055B646: GetKeyState.USER32(00000011), ref: 0055B64B

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CallHookNextState
String ID:
API String ID: 3280314413-0
Opcode ID: 3daec43c4e19d1d1325ea4b05503ef1ae8817b26ec1e089e6593aec27c91a773
Instruction ID: 605866afc6ef5102bff89124aca75e47825067ad0ab893bf257b6fc7226781db
Opcode Fuzzy Hash: 3daec43c4e19d1d1325ea4b05503ef1ae8817b26ec1e089e6593aec27c91a773
Instruction Fuzzy Hash: D4F0A2722042069AEA14AEA89CBCC2EBF55FFD531AF210D2BBC0246952CA61D80C9612

Uniqueness

Uniqueness Score: -1.00%

Function 00596137 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0058529C,?,?,00588847,?,?,00000000,?,?,0055DE62,0058529C,?,?,?,?), ref: 00596169

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bc86b077ca4a42df8ccfae7bd8e8435cab14ea6a7306487a0e36dc2ffee2d712
Instruction ID: e5ff273f6ce95f0ca09021053314bee0446a5b64a0edd924b587191321f556ba
Opcode Fuzzy Hash: bc86b077ca4a42df8ccfae7bd8e8435cab14ea6a7306487a0e36dc2ffee2d712
Instruction Fuzzy Hash: 55E06D321016267ADF2226659C09B5B7E5DBB823A1F191125EC15960D6DF60CC08F2E1

Uniqueness

Uniqueness Score: -1.00%

Function 0055489E Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 005548B3

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 6de7d39e4de00c7ed5f9abadb75be506680e82d9b3d3c8ebf804fd9c9c239d18
Instruction ID: c5834f609789ed15c88504ea41a6502cd07d1e7601f1e2c5c47d4007e228aef5
Opcode Fuzzy Hash: 6de7d39e4de00c7ed5f9abadb75be506680e82d9b3d3c8ebf804fd9c9c239d18
Instruction Fuzzy Hash: 19D0123255861C4EE620AAB4AC0FCE4775CD327615F0007AA6CB5C35D2E680171DD2B7

Uniqueness

Uniqueness Score: -1.00%

Function 00576CC8 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00576CD2

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 0ab9937e7feeab9fe2ee0017ab60946f159ec0345e4e600026ad904a6f8c51a4
Instruction ID: bc527700370bdf1bda3206aa3347b993f0915e79ee5fb946c653ee730549186c
Opcode Fuzzy Hash: 0ab9937e7feeab9fe2ee0017ab60946f159ec0345e4e600026ad904a6f8c51a4
Instruction Fuzzy Hash: E0B09279118202FF8F050B60CC1487A7EAAFBCD381F008E0CB58740130C6328454AB21

Uniqueness

Uniqueness Score: -1.00%

Function 00576CB1 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00576CBB

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: a3974f3f98d858d3c61f52d59c7d724ed1b61f480ba97e3d0f889e8b6ac298ab
Instruction ID: 21bbbea1336bff3a6726632505c94164af816b677cb002ae1a9dd9a6569aa4ac
Opcode Fuzzy Hash: a3974f3f98d858d3c61f52d59c7d724ed1b61f480ba97e3d0f889e8b6ac298ab
Instruction Fuzzy Hash: FFB09279118202FF8E050B60DC148AA7EA6FBCD391F008C0CB58641230C6328494AB22

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00448C0D Relevance: 66.4, APIs: 44, Instructions: 432COMMONLIBRARYCODE

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 00448C44
___getlocaleinfo.LIBCMT ref: 00448C59
___getlocaleinfo.LIBCMT ref: 00448C6E
___getlocaleinfo.LIBCMT ref: 00448C83
___getlocaleinfo.LIBCMT ref: 00448C9B
___getlocaleinfo.LIBCMT ref: 00448CB0
___getlocaleinfo.LIBCMT ref: 00448CC2
___getlocaleinfo.LIBCMT ref: 00448CD7
___getlocaleinfo.LIBCMT ref: 00448CEF
___getlocaleinfo.LIBCMT ref: 00448D04

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: 51dcb22c4dc93a7f30a99e81a1e24136c466f284c556936e1c7157a4ebd90518
Instruction ID: fd67e2181e606d744a6158f7a2df29ca0b8827f53dc611e391066ddd0200f471
Opcode Fuzzy Hash: 51dcb22c4dc93a7f30a99e81a1e24136c466f284c556936e1c7157a4ebd90518
Instruction Fuzzy Hash: 1AE112B294060EBEEF11DAF1CC85DFF77BDEF48348F00496AB216D6040EA74AA159760

Uniqueness

Uniqueness Score: -1.00%

Function 00557C97 Relevance: 44.6, APIs: 10, Strings: 15, Instructions: 835filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00557CB9
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00557D87
DeleteFileW.KERNEL32(00000000), ref: 00557DA9

Part of subcall function 0056C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,005C52D8,005C52F0,00000001), ref: 0056C2EC
Part of subcall function 0056C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,005C52D8,005C52F0,00000001), ref: 0056C31C
Part of subcall function 0056C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,005C52D8,005C52F0,00000001), ref: 0056C371
Part of subcall function 0056C291: FindClose.KERNEL32(00000000,?,?,?,?,?,005C52D8,005C52F0,00000001), ref: 0056C3D2
Part of subcall function 0056C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,005C52D8,005C52F0,00000001), ref: 0056C3D9

Part of subcall function 00554AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00554B36

Part of subcall function 0056B4EF: GetLocalTime.KERNEL32(00000000), ref: 0056B509

Part of subcall function 00554AA1: WaitForSingleObject.KERNEL32(?,00000000,0055547D,?,?,00000004,?,?,00000004,?,005C4EF8,?), ref: 00554B47
Part of subcall function 00554AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,005C4EF8,?,?,?,?,?,?,0055547D), ref: 00554B75

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00558197
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00558278
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 005584C4
DeleteFileA.KERNEL32(?), ref: 00558652

Part of subcall function 0055880C: __EH_prolog.LIBCMT ref: 00558811
Part of subcall function 0055880C: FindFirstFileW.KERNEL32(00000000,?,005B6608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005588CA
Part of subcall function 0055880C: __CxxThrowException@8.LIBVCRUNTIME ref: 005588F2
Part of subcall function 0055880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005588FF

Sleep.KERNEL32(000007D0), ref: 005586F8
StrToIntA.SHLWAPI(00000000,00000000), ref: 0055873A

Part of subcall function 0056C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0056CAD7

Strings

Failed to download file: , xrefs: 005580A5
(P\, xrefs: 005581F2
Unable to rename file!, xrefs: 00558413
Downloading file: , xrefs: 00557F7D
XP\, xrefs: 00557DED
Browsing directory: , xrefs: 00558238
open, xrefs: 00558191
XP\, xrefs: 00558718
XP\, xrefs: 00558430
Executing file: , xrefs: 005581AD
Downloaded file: , xrefs: 0055802E
N\, xrefs: 00557CE5
Unable to delete: , xrefs: 00557E07
Deleted file: , xrefs: 00557DC8
XP\, xrefs: 005582E7

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
String ID: (P\$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XP\$XP\$XP\$XP\$open$N\
API String ID: 1067849700-1660823179
Opcode ID: e9ad8f9f8ef302e031fd4cc50c3d903d211e168e5bd96f6344fd40fbd693ccb6
Instruction ID: 2f01f2fe6e2c4def5afdaaa434c6a5dd4b6ffae3617441d26da197d1c8cc2001
Opcode Fuzzy Hash: e9ad8f9f8ef302e031fd4cc50c3d903d211e168e5bd96f6344fd40fbd693ccb6
Instruction Fuzzy Hash: A5426F316046026BC618FB74D87FAAE7EA9BFD1302F40091EFC42571D2EE259A4DC796

Uniqueness

Uniqueness Score: -1.00%

Function 0055569A Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005556E6

Part of subcall function 00554AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00554B36

__Init_thread_footer.LIBCMT ref: 00555723
CreatePipe.KERNEL32(005C6CCC,005C6CB4,005C6BD8,00000000,005B60BC,00000000), ref: 005557B6
CreatePipe.KERNEL32(005C6CB8,005C6CD4,005C6BD8,00000000), ref: 005557CC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,005C6BE8,005C6CBC), ref: 0055583F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00555897
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005558BC
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 005558E9

Part of subcall function 00584770: __onexit.LIBCMT ref: 00584776

WriteFile.KERNEL32(00000000,00000000,?,00000000,005C4F90,005B60C0,00000062,005B60A4), ref: 005559E4
Sleep.KERNEL32(00000064,00000062,005B60A4), ref: 005559FE
TerminateProcess.KERNEL32(00000000), ref: 00555A17
CloseHandle.KERNEL32 ref: 00555A23
CloseHandle.KERNEL32 ref: 00555A2B
CloseHandle.KERNEL32 ref: 00555A3D
CloseHandle.KERNEL32 ref: 00555A45

Strings

SystemDrive, xrefs: 00555761
0l\, xrefs: 005556D0
cmd.exe, xrefs: 0055574D
k\, xrefs: 005557DB
0l\, xrefs: 00555988
0l\, xrefs: 00555954
0l\, xrefs: 00555A2D
0l\, xrefs: 0055585A

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: 0l\$0l\$0l\$0l\$0l\$SystemDrive$cmd.exe$k\
API String ID: 2994406822-4023221762
Opcode ID: fb512a1001fba5065b2efc887f675c977861c6b33b5273999696e7eeab228157
Instruction ID: d0c6a77ff5337f9c7a30354864a44d613508d7a8ba605cbccb548aec22d97601
Opcode Fuzzy Hash: fb512a1001fba5065b2efc887f675c977861c6b33b5273999696e7eeab228157
Instruction Fuzzy Hash: 4E91D571604606AFC710BB64ECBAE2E3EA9FFD1345F00042EFC85961A2EE655D4C9B61

Uniqueness

Uniqueness Score: -1.00%

Function 005620F7 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00562106

Part of subcall function 00563877: RegCreateKeyA.ADVAPI32(80000001,00000000,005B60A4), ref: 00563885
Part of subcall function 00563877: RegSetValueExA.KERNEL32(005B60A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0055C152,005B6C48,00000001,000000AF,005B60A4), ref: 005638A0
Part of subcall function 00563877: RegCloseKey.ADVAPI32(005B60A4,?,?,?,0055C152,005B6C48,00000001,000000AF,005B60A4), ref: 005638AB

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00562146
CloseHandle.KERNEL32(00000000), ref: 00562155
CreateThread.KERNEL32(00000000,00000000,005627EE,00000000,00000000,00000000), ref: 005621AB
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0056241A

Strings

Watchdog module activated, xrefs: 00562184, 005623DC
Remcos restarted by watchdog!, xrefs: 00562160
fsutil.exe, xrefs: 0056230F
svchost.exe, xrefs: 005622C5
WinDir, xrefs: 0056221B, 00562270
rmclient.exe, xrefs: 005622EA
\system32\, xrefs: 00562209
Watchdog launch failed!, xrefs: 00562383
\SysWOW64\, xrefs: 00562261
WDH, xrefs: 005621B5, 005621BB, 00562420

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 3018269243-13974260
Opcode ID: 0a085ccdcc7f6d40f0893e60ecc62f55812d87243adf8b68a37a54375b132f0c
Instruction ID: 015dcb692e3b4338dd2ca859b9c489dabcce6b54053caaabe406d9580a436ff0
Opcode Fuzzy Hash: 0a085ccdcc7f6d40f0893e60ecc62f55812d87243adf8b68a37a54375b132f0c
Instruction Fuzzy Hash: E17152315046025BC618FB70DC6F9AE7FA5BEE1712F40092EB846531E2EF60A94DC7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0055BB30 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0055BBAF
FindClose.KERNEL32(00000000), ref: 0055BBC9
FindNextFileA.KERNEL32(00000000,?), ref: 0055BCEC
FindClose.KERNEL32(00000000), ref: 0055BD12

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0055BB52
\logins.json, xrefs: 0055BC34
\key3.db, xrefs: 0055BC76
[Firefox StoredLogins Cleared!], xrefs: 0055BCFF
UserProfile, xrefs: 0055BB60
[Firefox StoredLogins not found], xrefs: 0055BBD4

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: c68c5355b3a69c3396ce8622202827218dcf98e7d5466cc217d2a5843cbde6bc
Instruction ID: fcb77961bde3db91cade77ba77fe94a1bb219655bb8dc3dd44fb4c4485518a0e
Opcode Fuzzy Hash: c68c5355b3a69c3396ce8622202827218dcf98e7d5466cc217d2a5843cbde6bc
Instruction Fuzzy Hash: 7E512D3190051A9ADB14F7A0DC6EEEDBF38BF91302F50055AF806A70D2EF206A4DCB55

Uniqueness

Uniqueness Score: -1.00%

Function 005668C1 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 005668C2
EmptyClipboard.USER32 ref: 005668D0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 005668F0
GlobalLock.KERNEL32(00000000), ref: 005668F9
GlobalUnlock.KERNEL32(00000000), ref: 0056692F
SetClipboardData.USER32(0000000D,00000000), ref: 00566938
CloseClipboard.USER32 ref: 00566955
OpenClipboard.USER32 ref: 0056695C
GetClipboardData.USER32(0000000D), ref: 0056696C
GlobalLock.KERNEL32(00000000), ref: 00566975
GlobalUnlock.KERNEL32(00000000), ref: 0056697E
CloseClipboard.USER32 ref: 00566984

Part of subcall function 00554AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00554B36

Strings

!DU, xrefs: 00567089

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID: !DU
API String ID: 3520204547-1239079615
Opcode ID: 98d89e87fe66d39e6110becc58300da1a6f70362a13977f1ca54d4f890d4dddb
Instruction ID: 353cdb894b12f26ccdc1b5bc4181b53a009ee3b65124ec64ec9197be8072d5b9
Opcode Fuzzy Hash: 98d89e87fe66d39e6110becc58300da1a6f70362a13977f1ca54d4f890d4dddb
Instruction Fuzzy Hash: 702165312046125FCB14BBB0EC5EA7E7EA9BFD5702F40082EF80686191EF35890DD762

Uniqueness

Uniqueness Score: -1.00%

Function 0055F474 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 210processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C50E4,?,005C5338), ref: 0055F48E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0055F4B9
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0055F4D5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0055F554
CloseHandle.KERNEL32(00000000,?,00000000,?,?,005C5338), ref: 0055F563

Part of subcall function 0056C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0056C1F5
Part of subcall function 0056C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0056C208

CloseHandle.KERNEL32(00000000,?,005C5338), ref: 0055F66E

Strings

ielowutil.exe, xrefs: 0055F716
ieinstal.exe, xrefs: 0055F6D5
Inj, xrefs: 0055F769
C:\Program Files(x86)\Internet Explorer\, xrefs: 0055F6BE

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
API String ID: 3756808967-1743721670
Opcode ID: 4dc5c74c8498b9d4bcb471907d358296d10885b116ae3665a22519bd48a0e323
Instruction ID: ba30d398982539bcb4e09d886daec26bc45887bd31c37dd00881676997b84cd0
Opcode Fuzzy Hash: 4dc5c74c8498b9d4bcb471907d358296d10885b116ae3665a22519bd48a0e323
Instruction Fuzzy Hash: 967126305087425BC714EB70D469AAE7FE5BFD5342F40082EF986431A2EF34A94DCB66

Uniqueness

Uniqueness Score: -1.00%

Function 00569627 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 206COMMON

Download Yara Rule

Strings

4, xrefs: 005697B8
3, xrefs: 00569754
1, xrefs: 00569695
6, xrefs: 00569813
7, xrefs: 0056982A
V\, xrefs: 0056968B
0, xrefs: 00569651
5, xrefs: 00569809
2, xrefs: 005696F4

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7$V\
API String ID: 0-3835458818
Opcode ID: 46aa9eb212c3da5398b39cebb22b37ea00915e7d233048ad0e3514d95c1340ff
Instruction ID: 4752b269eb9ac298658de3c8b8f27c6edf020294cd9e2b377c38826227c5cfd3
Opcode Fuzzy Hash: 46aa9eb212c3da5398b39cebb22b37ea00915e7d233048ad0e3514d95c1340ff
Instruction Fuzzy Hash: 8871DF705087029FD704EF20D87ABAA7F98BF95310F10492EF992571D2EA74AB4DC792

Uniqueness

Uniqueness Score: -1.00%

Function 00403E90 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 401COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00403EB1
GetFileSizeEx.KERNEL32(?,?,00000000), ref: 00403EC3
_malloc.LIBCMT ref: 00403EF5
SetLastError.KERNEL32(00000008,?,00004000), ref: 00403F05

Strings

INIT, xrefs: 00404290
GetFileSizeEx(), xrefs: 00403ECD
.\QHImageHlp.c, xrefs: 00403ED7, 00403F1D, 00404238, 004043B2
PE, xrefs: 00403F7A
N/f, xrefs: 00403F84, 004043A8

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: ErrorFileLastSize_malloc_memset
String ID: N/f$.\QHImageHlp.c$GetFileSizeEx()$INIT$PE
API String ID: 942205088-2408646100
Opcode ID: d29a8001341c00f7ee7b1e8bc5221d3bcacaa4554a74bb46b78c7142d63d787c
Instruction ID: 1e5c7d978d549367c3184b98c0c7fe6c27fb078ad7ff0f1d351f26898f72a1fe
Opcode Fuzzy Hash: d29a8001341c00f7ee7b1e8bc5221d3bcacaa4554a74bb46b78c7142d63d787c
Instruction Fuzzy Hash: 0AE1A0B1A043009BDB24DF15D841B6B76E4BBD4704F04493EFE89AB3C1E778DA458B9A

Uniqueness

Uniqueness Score: -1.00%

Function 005574FD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 56COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00557521
CoGetObject.OLE32(?,00000024,005B6518,00000000), ref: 00557582

Strings

{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 00557516, 0055751B, 0055755A
$, xrefs: 0055753B
[+] ucmAllocateElevatedObject, xrefs: 00557508
Elevation:Administrator!new:, xrefs: 00557542
[+] CoGetObject, xrefs: 00557561
[+] CoGetObject SUCCESS, xrefs: 00557595
[-] CoGetObject FAILURE, xrefs: 0055758E

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: f78e103368edaa134c242c68af1072159f8dca33aab9ce6f4de77baf46cf2beb
Instruction ID: 874d9e7fbbf44c2d633ea1b278ce9715940da96bc38c23461e65361c055d34d7
Opcode Fuzzy Hash: f78e103368edaa134c242c68af1072159f8dca33aab9ce6f4de77baf46cf2beb
Instruction Fuzzy Hash: DC117376904219ABD720E6949859EDEBFBCBB4C711F140466F804B3141E774AA088A71

Uniqueness

Uniqueness Score: -1.00%

Function 0056A748 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,005C58E8), ref: 0056A75E
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0056A7AD
GetLastError.KERNEL32 ref: 0056A7BB
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0056A7F3

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 96ba640f6a040ef7dc633812e0a2701e1799579d23389316277bb03fc48d982d
Instruction ID: fcb34415f463c8610781b8c54bfae6d36fdcea964a69b4f8e9e58e95c411dbc6
Opcode Fuzzy Hash: 96ba640f6a040ef7dc633812e0a2701e1799579d23389316277bb03fc48d982d
Instruction Fuzzy Hash: 88814F31104305ABC314EB60D89AAAFBFA8BFD4345F50091EF98656161EF70EA4DCB96

Uniqueness

Uniqueness Score: -1.00%

Function 005A2610 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00598215: GetLastError.KERNEL32(00000020,?,0058A7F5,?,?,?,0058F9A8,?,?,00000020,00000000,?,?,?,0057DD01,0000003B), ref: 00598219
Part of subcall function 00598215: _free.LIBCMT ref: 0059824C
Part of subcall function 00598215: SetLastError.KERNEL32(00000000,0058F9A8,?,?,00000020,00000000,?,?,?,0057DD01,0000003B,?,00000041,00000000,00000000), ref: 0059828D
Part of subcall function 00598215: _abort.LIBCMT ref: 00598293

Part of subcall function 00598215: _free.LIBCMT ref: 00598274
Part of subcall function 00598215: SetLastError.KERNEL32(00000000,0058F9A8,?,?,00000020,00000000,?,?,?,0057DD01,0000003B,?,00000041,00000000,00000000), ref: 00598281

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 005A271C
IsValidCodePage.KERNEL32(00000000), ref: 005A2777
IsValidLocale.KERNEL32(?,00000001), ref: 005A2786
GetLocaleInfoW.KERNEL32(?,00001001,lJY,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 005A27CE
GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 005A27ED

Strings

lJY, xrefs: 005A2639, 005A2649, 005A2709, 005A26AB, 005A26A0, 005A26A3, 005A26AE, 005A270C
lJY, xrefs: 005A26E7, 005A2745, 005A26F2
lJY, xrefs: 005A2626, 005A27C5

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: lJY$lJY$lJY
API String ID: 745075371-3128319784
Opcode ID: b2cc722a0b73c5e23de8ce1d2261949155837a44903b6f1d24c24acbc7025fbe
Instruction ID: 5db2ba950cc92af560677805e7dcf80129e43ee9e43f1447d1987d3d4c7cbd29
Opcode Fuzzy Hash: b2cc722a0b73c5e23de8ce1d2261949155837a44903b6f1d24c24acbc7025fbe
Instruction Fuzzy Hash: CD51A175900216AFDF10DFA9DC86ABE7BB8FF5A300F140469F914EB190EB709A04DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00406210 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 114fileCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00406249

Part of subcall function 0042FB25: __FF_MSGBANNER.LIBCMT ref: 0042FB48
Part of subcall function 0042FB25: __NMSG_WRITE.LIBCMT ref: 0042FB4F
Part of subcall function 0042FB25: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,?,00402AFA), ref: 0042FB9C

SetLastError.KERNEL32(00000008,00065E4E,004060C2,00000000,00002000,?,00000000,00000000,00401596,?,?,?,00401C5E,?,?), ref: 00406259
CreateFileA.KERNEL32(00000000,00000000,00000003,00000000,00000003,00000080,00000000,00000000,00002000,00065E4E,004060C2,00000000,00002000,?,00000000,00000000), ref: 004062A0
_memset.LIBCMT ref: 004062CA
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,00000000,00002800,?,00000000), ref: 004062EB
CloseHandle.KERNEL32(00000000), ref: 0040631A

Strings

\\.\PhysicalDrive%d, xrefs: 00406281
DISKID:, xrefs: 00406308

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: AllocCloseControlCreateDeviceErrorFileHandleHeapLast_malloc_memset
String ID: DISKID:$\\.\PhysicalDrive%d
API String ID: 2265051123-3765948602
Opcode ID: 26cbdce573063f43a07f417fe75e999626897c1eb521f0934345e71a245bb68b
Instruction ID: a225908e938814fc6ce8db3e87b0bc4a74b0325d29c7787301f826e6074e7c24
Opcode Fuzzy Hash: 26cbdce573063f43a07f417fe75e999626897c1eb521f0934345e71a245bb68b
Instruction Fuzzy Hash: 7031EE71644304AFD200EF65EC81E2B77E8EB84758F94053FF845962C1DB74E958879B

Uniqueness

Uniqueness Score: -1.00%

Function 0055C34D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0055C39B
FindNextFileW.KERNEL32(00000000,?), ref: 0055C46E
FindClose.KERNEL32(00000000), ref: 0055C47D
FindClose.KERNEL32(00000000), ref: 0055C4A8

Strings

\Mozilla\Firefox\Profiles\, xrefs: 0055C36E
\cookies.sqlite, xrefs: 0055C409
AppData, xrefs: 0055C358

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: ee4c6b2711a1b0c1127c4aebcd5d22352efb00ab31d7bf001815378496b28cef
Instruction ID: 21d3f45f7e601bc64e233bab07f3fbd97e444a753dff7ea71b6d510e4dfbaa4b
Opcode Fuzzy Hash: ee4c6b2711a1b0c1127c4aebcd5d22352efb00ab31d7bf001815378496b28cef
Instruction Fuzzy Hash: 16312F3150061A9ACB14E770DCAEEFE7F79BF91712F40055AB806A2091EF746A8DCA54

Uniqueness

Uniqueness Score: -1.00%

Function 0056C291 Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,005C52D8,005C52F0,00000001), ref: 0056C2EC
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,005C52D8,005C52F0,00000001), ref: 0056C31C
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,005C52D8,005C52F0,00000001), ref: 0056C38E
DeleteFileW.KERNEL32(?,?,?,?,?,?,005C52D8,005C52F0,00000001), ref: 0056C39B

Part of subcall function 0056C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,005C52D8,005C52F0,00000001), ref: 0056C371

GetLastError.KERNEL32(?,?,?,?,?,005C52D8,005C52F0,00000001), ref: 0056C3BC
FindClose.KERNEL32(00000000,?,?,?,?,?,005C52D8,005C52F0,00000001), ref: 0056C3D2
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,005C52D8,005C52F0,00000001), ref: 0056C3D9
FindClose.KERNEL32(00000000,?,?,?,?,?,005C52D8,005C52F0,00000001), ref: 0056C3E2

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: cc568239f23f6b9dd0a07a0a970cacef2136d74671d23ba368737b105b6aac2a
Instruction ID: 619cee102c3a7331b626af3949c1180a1b873a87e8a48d816b6b2cd88578f9a4
Opcode Fuzzy Hash: cc568239f23f6b9dd0a07a0a970cacef2136d74671d23ba368737b105b6aac2a
Instruction Fuzzy Hash: 923164769002296ADB20EBA0DC4CFEA7F7CBF59300F4449A6E595E3151EB319A88CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00569AF5 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00569D4B
FindNextFileW.KERNEL32(00000000,?,?), ref: 00569E17

Part of subcall function 0056C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0055A843), ref: 0056C49E

Strings

P\, xrefs: 00569BD5
N\, xrefs: 00569B25
PX\, xrefs: 00569E2E
8S\, xrefs: 00569BEB
PX\, xrefs: 00569CC8

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: 8S\$PX\$PX\$N\$P\
API String ID: 341183262-3902406203
Opcode ID: f63feef9df0feaae8cf3e6444408b9bb02b1512da37458d65efdde0bd31f2594
Instruction ID: be20e3894755dae1ec959d1940f88e90e6cfd6972c2ae8a8ceda3c2abddd5f41
Opcode Fuzzy Hash: f63feef9df0feaae8cf3e6444408b9bb02b1512da37458d65efdde0bd31f2594
Instruction Fuzzy Hash: 89813D315086425AC314FB60D86AAEF7FA8BFD1341F90492EF846471E2EF30AA4DC756

Uniqueness

Uniqueness Score: -1.00%

Function 005667B4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00567952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0056795F
Part of subcall function 00567952: OpenProcessToken.ADVAPI32(00000000), ref: 00567966
Part of subcall function 00567952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00567978
Part of subcall function 00567952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00567997
Part of subcall function 00567952: GetLastError.KERNEL32 ref: 0056799D

ExitWindowsEx.USER32(00000000,00000001), ref: 00566856
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0056686B
GetProcAddress.KERNEL32(00000000), ref: 00566872

Strings

PowrProf.dll, xrefs: 00566866
SetSuspendState, xrefs: 00566861
!DU, xrefs: 00567089

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: !DU$PowrProf.dll$SetSuspendState
API String ID: 1589313981-377163239
Opcode ID: cc239222c99fe59b23ad0848aca6f75392ae07a30a423712195a1bb3349392c4
Instruction ID: 7b30b8233a270fb297c37f475ca91316071874e8ea3d750f37da3c45adbc2f71
Opcode Fuzzy Hash: cc239222c99fe59b23ad0848aca6f75392ae07a30a423712195a1bb3349392c4
Instruction Fuzzy Hash: 24214D616047079ADE14FBB498BFAAE2E9DBFC1741F400C2ABC02975C2EF24980DC765

Uniqueness

Uniqueness Score: -1.00%

Function 005A243C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,005A275B,?,00000000), ref: 005A24D5
GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,005A275B,?,00000000), ref: 005A24FE
GetACP.KERNEL32(?,?,005A275B,?,00000000), ref: 005A2513

Strings

ACP, xrefs: 005A245A
['Z, xrefs: 005A24F3, 005A24CA
OCP, xrefs: 005A2490

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP$['Z
API String ID: 2299586839-469542804
Opcode ID: fd947fc5224de4417a7c2987675bb5b914b333a12e929205894f889e918b747b
Instruction ID: f84f506d2f18f08b7e355cbe1b14dbff39b4fd019be8970b47bf011319b12192
Opcode Fuzzy Hash: fd947fc5224de4417a7c2987675bb5b914b333a12e929205894f889e918b747b
Instruction Fuzzy Hash: F221A132A00101AAEF349B5DD906AEF7FA6BF5EB64F568924E909DB110E732DD40C390

Uniqueness

Uniqueness Score: -1.00%

Function 00406279 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00403370: _vswprintf_s.LIBCMT ref: 0040339C

CreateFileA.KERNEL32(00000000,00000000,00000003,00000000,00000003,00000080,00000000,00000000,00002000,00065E4E,004060C2,00000000,00002000,?,00000000,00000000), ref: 004062A0
_memset.LIBCMT ref: 004062CA
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,00000000,00002800,?,00000000), ref: 004062EB
CloseHandle.KERNEL32(00000000), ref: 0040631A

Strings

\\.\PhysicalDrive%d, xrefs: 00406281
DISKID:, xrefs: 00406308

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset_vswprintf_s
String ID: DISKID:$\\.\PhysicalDrive%d
API String ID: 2627556037-3765948602
Opcode ID: 09db851be27ea68fc9fc6b10bab77541122b50d849f044dcab3b52a8cc0bc6df
Instruction ID: 51abea45773ed5e4c9772979f595ec269391c6619f1927a7e50f4261b4a66d35
Opcode Fuzzy Hash: 09db851be27ea68fc9fc6b10bab77541122b50d849f044dcab3b52a8cc0bc6df
Instruction Fuzzy Hash: 2F11C671604300AFD210DF55EC86F2B77D8EB84748F90053EF945E62C1E774A9188BAA

Uniqueness

Uniqueness Score: -1.00%

Function 0055BA12 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0055BA4E
GetLastError.KERNEL32 ref: 0055BA58

Strings

\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0055BA19
UserProfile, xrefs: 0055BA1E
[Chrome StoredLogins found, cleared!], xrefs: 0055BA7E
[Chrome StoredLogins not found], xrefs: 0055BA72

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 2e6e229fb1a4848e54d52a0625fa766783c996c77f40998a5afdaf16887b9c97
Instruction ID: f43e00ee37b30c6c3894186a3922db3695f6f191140a3761f2664b6491e49cb2
Opcode Fuzzy Hash: 2e6e229fb1a4848e54d52a0625fa766783c996c77f40998a5afdaf16887b9c97
Instruction Fuzzy Hash: 2201D631A841066A57047B75DC7F9FD7F24BE62742B400617FC02531E2EE11590CD7E2

Uniqueness

Uniqueness Score: -1.00%

Function 00567952 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0056795F
OpenProcessToken.ADVAPI32(00000000), ref: 00567966
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00567978
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00567997
GetLastError.KERNEL32 ref: 0056799D

Strings

SeShutdownPrivilege, xrefs: 00567972

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: d931ebcce19217efd7201645a61ffd73796868d60d0193a3264410f411904288
Instruction ID: d0befca93e09375630981154d3a1e1eb5198ca057359c3a89d784c73279d4acc
Opcode Fuzzy Hash: d931ebcce19217efd7201645a61ffd73796868d60d0193a3264410f411904288
Instruction Fuzzy Hash: 9BF034B6801129BBDB10ABA0EC4DEEFBFBCEF46251F000054B909A1050D6344A08EAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00559253 Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00559258

Part of subcall function 005548C8: connect.WS2_32(?,?,?), ref: 005548E0

Part of subcall function 00554AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00554B36

__CxxThrowException@8.LIBVCRUNTIME ref: 005592F4
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00559352
FindNextFileW.KERNEL32(00000000,?), ref: 005593AA
FindClose.KERNEL32(00000000), ref: 005593C1

Part of subcall function 00554E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,005551C0,?,?,?,00555159), ref: 00554E38
Part of subcall function 00554E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,005551C0,?,?,?,00555159), ref: 00554E43
Part of subcall function 00554E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,005551C0,?,?,?,00555159), ref: 00554E4C

FindClose.KERNEL32(00000000), ref: 005595B9

Part of subcall function 00554AA1: WaitForSingleObject.KERNEL32(?,00000000,0055547D,?,?,00000004,?,?,00000004,?,005C4EF8,?), ref: 00554B47
Part of subcall function 00554AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,005C4EF8,?,?,?,?,?,?,0055547D), ref: 00554B75

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
String ID:
API String ID: 1824512719-0
Opcode ID: e357272c4c5ed83a9f2448c4eef68c54042deff7da5b90e46a1f803f0869070d
Instruction ID: 13eaec6883640db29fca7b7fc9916e56a6dc3ee1eb4c54338c328caf9ee3322f
Opcode Fuzzy Hash: e357272c4c5ed83a9f2448c4eef68c54042deff7da5b90e46a1f803f0869070d
Instruction Fuzzy Hash: 0DB15F3290011ADBCB14EBA0DDAAAED7F79BF44312F50455AF806A70D1EF346A4DCB91

Uniqueness

Uniqueness Score: -1.00%

Function 0056AA4A Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0056A6A0,00000000), ref: 0056AA53
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0056A6A0,00000000), ref: 0056AA68
CloseServiceHandle.ADVAPI32(00000000,?,0056A6A0,00000000), ref: 0056AA75
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0056A6A0,00000000), ref: 0056AA80
CloseServiceHandle.ADVAPI32(00000000,?,0056A6A0,00000000), ref: 0056AA92
CloseServiceHandle.ADVAPI32(00000000,?,0056A6A0,00000000), ref: 0056AA95

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 52ccd005bfbb362d2212f254adf19bf67475afd1b3cdba64b48cdc9cfe4e2f6c
Instruction ID: b889eb1791f13f7a82c50fcd87f9b8ecd4bf9d1ae853ad55ef9c44201434b903
Opcode Fuzzy Hash: 52ccd005bfbb362d2212f254adf19bf67475afd1b3cdba64b48cdc9cfe4e2f6c
Instruction Fuzzy Hash: F6F0BE711012356FD211AB30AC8CEBF3EACFF923A1B10041AF806930009B648C4DF9B1

Uniqueness

Uniqueness Score: -1.00%

Function 005A1CD8 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00598215: GetLastError.KERNEL32(00000020,?,0058A7F5,?,?,?,0058F9A8,?,?,00000020,00000000,?,?,?,0057DD01,0000003B), ref: 00598219
Part of subcall function 00598215: _free.LIBCMT ref: 0059824C
Part of subcall function 00598215: SetLastError.KERNEL32(00000000,0058F9A8,?,?,00000020,00000000,?,?,?,0057DD01,0000003B,?,00000041,00000000,00000000), ref: 0059828D
Part of subcall function 00598215: _abort.LIBCMT ref: 00598293

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00594A73,?,?,?,?,005944CA,?,00000004), ref: 005A1DBA
_wcschr.LIBVCRUNTIME ref: 005A1E4A
_wcschr.LIBVCRUNTIME ref: 005A1E58
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJY,00000000,?), ref: 005A1EFB

Strings

sJY, xrefs: 005A1DD1, 005A1E19, 005A1EC1

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: sJY
API String ID: 4212172061-2983674308
Opcode ID: 354360eeadc32e246718a560b283e49b0d74d6ccc83f9f12757e0790dc48e758
Instruction ID: 90d5060e9376a71eb91d07a595b89181fdafa5b32f0b6ce4345620827c7c7a79
Opcode Fuzzy Hash: 354360eeadc32e246718a560b283e49b0d74d6ccc83f9f12757e0790dc48e758
Instruction Fuzzy Hash: C461F975600A06AADB24AB74CC86ABF7FACFF46310F14046AF905DB581EB74E900C768

Uniqueness

Uniqueness Score: -1.00%

Function 0056B4A8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0056B4B9
LoadResource.KERNEL32(00000000,?,?,0055F3DE,00000000), ref: 0056B4CD
LockResource.KERNEL32(00000000,?,?,0055F3DE,00000000), ref: 0056B4D4
SizeofResource.KERNEL32(00000000,?,?,0055F3DE,00000000), ref: 0056B4E3

Strings

SETTINGS, xrefs: 0056B4AC

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 898968de24fc365dc72409797df19da4255c602016f4eec0b197809cc7a1f565
Instruction ID: 28485de771f882f1beb378e01f2603f98914a0045721bf1723362e6b1fbd2c99
Opcode Fuzzy Hash: 898968de24fc365dc72409797df19da4255c602016f4eec0b197809cc7a1f565
Instruction Fuzzy Hash: A3E09275600761ABDB251B65AC4CD463E29F7E67537150054F5029A231CA314419EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00559665 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0055966A
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 005596E2
FindNextFileW.KERNEL32(00000000,?), ref: 0055970B
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00559722

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: e4904d5be2a37a71318f2af1c34ebddaea81a152191d35aca8c281e709442126
Instruction ID: 9c0a204645dd1982f47429ec4c126722ed6124b7bcd0a20414cfb5abed007c88
Opcode Fuzzy Hash: e4904d5be2a37a71318f2af1c34ebddaea81a152191d35aca8c281e709442126
Instruction Fuzzy Hash: 6481323280011ADBCB15EBA0DCAAAED7B78BF55312F10416BE806A7091FF346B4DCB54

Uniqueness

Uniqueness Score: -1.00%

Function 0055880C Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00558811
FindFirstFileW.KERNEL32(00000000,?,005B6608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005588CA
__CxxThrowException@8.LIBVCRUNTIME ref: 005588F2
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005588FF
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00558A15

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: 5cacf23d8b87ac54fdc4059b05f10d814ef41d03afd1d3c632ae796967aa2b25
Instruction ID: 08a0b4de3dc4a32b5d3ba7c2419e79a8584133ec85632401369306856efd2279
Opcode Fuzzy Hash: 5cacf23d8b87ac54fdc4059b05f10d814ef41d03afd1d3c632ae796967aa2b25
Instruction Fuzzy Hash: D451413190150A9ACF04FB74DD6A9ED7F68BF91312F50055ABC06A3092EF349B4CCB91

Uniqueness

Uniqueness Score: -1.00%

Function 0042F43A Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00434B8F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00434BA4
UnhandledExceptionFilter.KERNEL32(0045F6C0), ref: 00434BAF
GetCurrentProcess.KERNEL32(C0000409), ref: 00434BCB
TerminateProcess.KERNEL32(00000000), ref: 00434BD2

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1aedecd378c2f8c13ed6721df79a08be873a1827c1eaed0c0787769e19c8aa15
Instruction ID: c87577094888f478b7fe3db4e50f5c35210d74469f5d620301a0bbfa5ab1ebb5
Opcode Fuzzy Hash: 1aedecd378c2f8c13ed6721df79a08be873a1827c1eaed0c0787769e19c8aa15
Instruction Fuzzy Hash: 2521EFB4511B44AFD700DF24E988A443BA0FB18305F18613AE949A6271F7F4A9A5CF4F

Uniqueness

Uniqueness Score: -1.00%

Function 0055783C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00557857
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0055791F

Part of subcall function 00554AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00554B36

Strings

XP\, xrefs: 00557877
XP\, xrefs: 0055793A

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: XP\$XP\
API String ID: 4113138495-3919730041
Opcode ID: f5e9e3443a1cd20418efaa5b2745509014eb825035042cdc1f22d5083f74adb0
Instruction ID: c1b6b93b886f7fc31de8aa3cf3a872ffcc96d00b529ee6b510cfbf36ddb600b3
Opcode Fuzzy Hash: f5e9e3443a1cd20418efaa5b2745509014eb825035042cdc1f22d5083f74adb0
Instruction Fuzzy Hash: 692164311082069BC314FB60D86DEEFBFA8BFD5356F40091AF99653091EF20AA4CC666

Uniqueness

Uniqueness Score: -1.00%

Function 0056C9E2 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0056CAD7

Part of subcall function 0056376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0056377E
Part of subcall function 0056376F: RegSetValueExA.KERNEL32(?,005B74B8,00000000,?,00000000,00000000,005C52F0,?,?,0055F853,005B74B8,4.9.4 Pro), ref: 005637A6
Part of subcall function 0056376F: RegCloseKey.KERNEL32(?,?,?,0055F853,005B74B8,4.9.4 Pro), ref: 005637B1

Strings

Control Panel\Desktop, xrefs: 0056CA1D, 0056CA50, 0056CAA0
WallpaperStyle, xrefs: 0056CA22, 0056CA55, 0056CAA5
TileWallpaper, xrefs: 0056CAC1

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: bcc921a89dcda094fc7c349dcbcfacee76d01c839721e79538a1ca13d0b06cdd
Instruction ID: 60524d57bd7d051916e9e3600a9e1a7f435d9e9638fc64a208d60794f773a67f
Opcode Fuzzy Hash: bcc921a89dcda094fc7c349dcbcfacee76d01c839721e79538a1ca13d0b06cdd
Instruction Fuzzy Hash: 2B114F62B8020473D918717D4D2FFBE2C06F387B50F944169F9423B6C6D8D72A5443E6

Uniqueness

Uniqueness Score: -1.00%

Function 005932B5 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0059328B,?), ref: 005932D6
TerminateProcess.KERNEL32(00000000,?,0059328B,?), ref: 005932DD
ExitProcess.KERNEL32 ref: 005932EF

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 490269f7fa21cb95b3455532467ebc97e35f063c6e3325bcfda9b48b10f2b5c1
Instruction ID: 96f9f87215320bac5372278587805cb32729c5b6d17c74df74621ea2b91cf198
Opcode Fuzzy Hash: 490269f7fa21cb95b3455532467ebc97e35f063c6e3325bcfda9b48b10f2b5c1
Instruction Fuzzy Hash: 39E0B635440158EBCF126F64DD09A983F69FF92342F108414F9098A131CB36DE4ADA90

Uniqueness

Uniqueness Score: -1.00%

Function 0055B70E Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0055B711
GetClipboardData.USER32(0000000D), ref: 0055B71D
CloseClipboard.USER32 ref: 0055B725

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: 8b86f082cc6d8324c7ec8c3a9fac3600a61bb13a9c4477b727be7ccce92a548a
Instruction ID: a494b6cd1f989552b4c187631b1c04007fbe2be5b57aa19558da3561be95a6f2
Opcode Fuzzy Hash: 8b86f082cc6d8324c7ec8c3a9fac3600a61bb13a9c4477b727be7ccce92a548a
Instruction Fuzzy Hash: C0E0C230244330AFD7209B60AC5CB9A7F60FFA6B52F00891BB8059E1D0C7708C48C661

Uniqueness

Uniqueness Score: -1.00%

Function 0059E879 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0059EA0C

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 7caa4a5ad61e8aa0cee7a94281e066a9d892000155353d87da8211b354f683e2
Instruction ID: f4cbc28e4abc75fd7885429fed9af1e2e8347098b2d4e8f8bd6abe45359db79a
Opcode Fuzzy Hash: 7caa4a5ad61e8aa0cee7a94281e066a9d892000155353d87da8211b354f683e2
Instruction Fuzzy Hash: 0D31E57290014AAFDF24DE78CC8AEEA7FBDEF86314F1401A8F818D7251E6309D458B50

Uniqueness

Uniqueness Score: -1.00%

Function 00446755 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 311COMMONLIBRARYCODE

Download Yara Rule

APIs

operator+.LIBCMT ref: 004467CE
DName::DName.LIBCMT ref: 004467EE
operator+.LIBCMT ref: 0044682E
UnDecorator::getScope.LIBCMT ref: 00446857
operator+.LIBCMT ref: 00446863
DName::operator+.LIBCMT ref: 0044686D
operator+.LIBCMT ref: 00446770

Part of subcall function 00443C5B: DName::DName.LIBCMT ref: 00443C6E
Part of subcall function 00443C5B: DName::operator+.LIBCMT ref: 00443C75

DName::DName.LIBCMT ref: 00446791
operator+.LIBCMT ref: 0044687A
UnDecorator::getThisType.LIBCMT ref: 004468BA
operator+.LIBCMT ref: 004468F9
DName::operator+.LIBCMT ref: 00446903
UnDecorator::getThisType.LIBCMT ref: 00446915
DName::operator|=.LIBCMT ref: 0044691F
operator+.LIBCMT ref: 00446936
DName::DName.LIBCMT ref: 00446A9C

Strings

QD, xrefs: 00446994, 00446A22, 00446A70, 00446A7C, 00446A5F, 00446A3E, 004469A8, 00446963, 0044694E, 004468E1, 00446821, 00446846, 0044692D, 00446824, 0044684C, 004468E4, 00446930, 00446966, 004469AB
QD, xrefs: 00446A99, 00446AA1, 00446A8A, 00446933, 004467E9, 004467F3, 004467CB, 0044678C, 00446778, 0044676D

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: operator+$NameName::$Decorator::getName::operator+$ThisType$Name::operator|=Scope
String ID: QD$QD
API String ID: 398566123-1550548732
Opcode ID: 794240fa5a1516c6d0e2d9c5d7a373a49819a2d09ceaf47e05691be9d527f491
Instruction ID: d1b7e0adb0a3f196e2e037ff9ed62cdcf100d09a33e416e05376dfa50685d5fa
Opcode Fuzzy Hash: 794240fa5a1516c6d0e2d9c5d7a373a49819a2d09ceaf47e05691be9d527f491
Instruction Fuzzy Hash: DFB197B2900608AFEB10DF94C882EEE7BB8EF05305F15406FF505A7291DB79DA44CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 005680EF Relevance: 49.3, APIs: 22, Strings: 6, Instructions: 289libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00568136
GetProcAddress.KERNEL32(00000000), ref: 00568139
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0056814A
GetProcAddress.KERNEL32(00000000), ref: 0056814D
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0056815E
GetProcAddress.KERNEL32(00000000), ref: 00568161
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00568172
GetProcAddress.KERNEL32(00000000), ref: 00568175
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00568217
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0056822F
GetThreadContext.KERNEL32(?,00000000), ref: 00568245
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0056826B
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 005682ED
TerminateProcess.KERNEL32(?,00000000), ref: 00568301
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00568341
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0056840B
SetThreadContext.KERNEL32(?,00000000), ref: 00568428
ResumeThread.KERNEL32(?), ref: 00568435
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0056844C
GetCurrentProcess.KERNEL32(?), ref: 00568457
TerminateProcess.KERNEL32(?,00000000), ref: 00568472
GetLastError.KERNEL32 ref: 0056847A

Strings

ntdll, xrefs: 00568121, 00568140, 00568154, 00568168
ZwCreateSection, xrefs: 0056811C
ZwMapViewOfSection, xrefs: 0056813B
`#v, xrefs: 0056830B
ZwClose, xrefs: 00568163
ZwUnmapViewOfSection, xrefs: 0056814F

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
API String ID: 4188446516-108836778
Opcode ID: 52cc15ae73bca60d437bd22940a0360c292f3557a6c61b02b8b31cef3919bc24
Instruction ID: 0cf9f90942272a323c13ef24416b4436c11a057e9ae35dc437549f62d1c864a0
Opcode Fuzzy Hash: 52cc15ae73bca60d437bd22940a0360c292f3557a6c61b02b8b31cef3919bc24
Instruction Fuzzy Hash: DFA15BB0604301AFDB509F64DC89F6ABBE8FF98749F000929F645D7291DB70E848DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0055D420 Relevance: 45.8, APIs: 6, Strings: 20, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00562850: TerminateProcess.KERNEL32(00000000,pth_unenc,0055F8C8), ref: 00562860
Part of subcall function 00562850: WaitForSingleObject.KERNEL32(000000FF), ref: 00562873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0055D51D
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0055D530
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0055D549
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0055D579

Part of subcall function 0055B8AC: TerminateThread.KERNEL32(Function_0000A27D,00000000,005C52F0,pth_unenc,0055D0B8,005C52D8,005C52F0,?,pth_unenc), ref: 0055B8BB
Part of subcall function 0055B8AC: UnhookWindowsHookEx.USER32(005C50F0), ref: 0055B8C7
Part of subcall function 0055B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0055B8D5

Part of subcall function 0056C3F1: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0056C510,00000000,00000000,?), ref: 0056C430

ShellExecuteW.SHELL32(00000000,open,00000000,005B6468,005B6468,00000000), ref: 0055D7C4
ExitProcess.KERNEL32 ref: 0055D7D0

Strings

while fso.FileExists(", xrefs: 0055D5EC
fso.DeleteFile ", xrefs: 0055D63A
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0055D4C2
fso.DeleteFolder ", xrefs: 0055D6AB
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0055D5AA
\update.vbs, xrefs: 0055D57B
On Error Resume Next, xrefs: 0055D5B9
dM\, xrefs: 0055D45B
8S\, xrefs: 0055D4CF
Temp, xrefs: 0055D580
0q[, xrefs: 0055D78C, 0055D797
"), xrefs: 0055D5D5
wend, xrefs: 0055D689
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0055D701
open, xrefs: 0055D7BE
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0055D773
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0055D471
exepath, xrefs: 0055D4F7
0q[, xrefs: 0055D737, 0055D778, 0055D661, 0055D68E
""", 0, xrefs: 0055D6E7

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$0q[$0q[$8S\$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dM\$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-4139002753
Opcode ID: ad937f99d04aeb2488f22ff119f138143cd005568a4f8515f07fc8258cafc070
Instruction ID: 24cbe5177c5b3612ab50e1f60b512800a4c707c8ffb11ab007623de3df351dc9
Opcode Fuzzy Hash: ad937f99d04aeb2488f22ff119f138143cd005568a4f8515f07fc8258cafc070
Instruction Fuzzy Hash: 9C9151315086055AC714F774D87AAAFBFE9BFD5342F00042FB84A931A2EF20AD4DC666

Uniqueness

Uniqueness Score: -1.00%

Function 00408380 Relevance: 42.3, APIs: 19, Strings: 5, Instructions: 323librarywindowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000005,?,00065844,?,00408984,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040), ref: 00408395

Part of subcall function 00432DB5: __getptd_noexit.LIBCMT ref: 00432DB5

SetLastError.KERNEL32(00000000,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 004083B9
GetLastError.KERNEL32(?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 004083DA
_wcsrchr.LIBCMT ref: 00408443
_wcsncpy.LIBCMT ref: 00408472
_strerror.LIBCMT ref: 004084ED
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000003), ref: 00408522
_wcsncpy.LIBCMT ref: 00408552
LoadLibraryW.KERNEL32(00000044,?,?,?,?,?,?,?,?,?,?,?,?,?,00403F3C,00000000), ref: 0040855B
LoadLibraryW.KERNEL32(wininet.dll,?,?,?,?,?,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040), ref: 0040857C
LoadLibraryW.KERNEL32(mqutil.dll,?,?,?,?,?,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040), ref: 004085B6
LoadLibraryW.KERNEL32(netmsg.dll,?,?,?,?,?,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040), ref: 004085F2
FormatMessageW.KERNEL32(00001300,?,?,00000000,?,00000000,00000000), ref: 00408632
_wcstok.LIBCMT ref: 00408648
_vswprintf_s.LIBCMT ref: 00408683

Strings

wininet.dll, xrefs: 00408577, 00408585
mqutil.dll, xrefs: 004085B1, 004085BF
netmsg.dll, xrefs: 004085ED, 004085FB
__crt, xrefs: 0040849A
t,F, xrefs: 00408652

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: LibraryLoad$ErrorLast$_wcsncpy$ByteCharFormatMessageMultiWide__getptd_noexit_strerror_vswprintf_s_wcsrchr_wcstok
String ID: __crt$mqutil.dll$netmsg.dll$t,F$wininet.dll
API String ID: 2660907230-770268917
Opcode ID: faf70c990ec09a4e37772fbcd2026de65b54342e9bca4560a10c4358c1de2a0c
Instruction ID: 47c072ff33d92121b9efd564083845d0c83aee102c006f26be13eb141e8ab587
Opcode Fuzzy Hash: faf70c990ec09a4e37772fbcd2026de65b54342e9bca4560a10c4358c1de2a0c
Instruction Fuzzy Hash: F7C1C271A007059FCB209F75C9857ABB7B5EF58300F14893EE89AE7391EB789900CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0055D096 Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00562850: TerminateProcess.KERNEL32(00000000,pth_unenc,0055F8C8), ref: 00562860
Part of subcall function 00562850: WaitForSingleObject.KERNEL32(000000FF), ref: 00562873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,005C52F0,?,pth_unenc), ref: 0055D1A5
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0055D1B8
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,005C52F0,?,pth_unenc), ref: 0055D1E8
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,005C52F0,?,pth_unenc), ref: 0055D1F7

Part of subcall function 0055B8AC: TerminateThread.KERNEL32(Function_0000A27D,00000000,005C52F0,pth_unenc,0055D0B8,005C52D8,005C52F0,?,pth_unenc), ref: 0055B8BB
Part of subcall function 0055B8AC: UnhookWindowsHookEx.USER32(005C50F0), ref: 0055B8C7
Part of subcall function 0055B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0055B8D5

Part of subcall function 0056B978: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,005B6468,0055D20D,.vbs,?,?,?,?,?,005C52F0), ref: 0056B99F

ShellExecuteW.SHELL32(00000000,open,00000000,005B6468,005B6468,00000000), ref: 0055D412
ExitProcess.KERNEL32 ref: 0055D419

Strings

.vbs, xrefs: 0055D201
while fso.FileExists(", xrefs: 0055D2C8
fso.DeleteFile ", xrefs: 0055D315
pth_unenc, xrefs: 0055D09C
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0055D138
fso.DeleteFolder ", xrefs: 0055D38A
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0055D285
On Error Resume Next, xrefs: 0055D294
Temp, xrefs: 0055D246
"), xrefs: 0055D2B1
wend, xrefs: 0055D364
hp[, xrefs: 0055D38F
open, xrefs: 0055D40C
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0055D3C1
dM\, xrefs: 0055D0D1
8S\, xrefs: 0055D15E
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0055D0E7
exepath, xrefs: 0055D181

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$8S\$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dM\$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hp[$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-1301016536
Opcode ID: aa4386b8d86c121f7fb5efb36bc2cfd483fcf041aae4f8f3a12e6125be01db4b
Instruction ID: 26f7ef07d2ee48938cb0ea7e9fcde269836c9f4780e254516ea95f25ef6395bf
Opcode Fuzzy Hash: aa4386b8d86c121f7fb5efb36bc2cfd483fcf041aae4f8f3a12e6125be01db4b
Instruction Fuzzy Hash: AA8162312086455BC714F770D87AAAF7FA9BFD5302F10082FB886571A2EF60AD4DC666

Uniqueness

Uniqueness Score: -1.00%

Function 00562475 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,005C50E4,00000003), ref: 00562494
ExitProcess.KERNEL32(00000000), ref: 005624A0
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0056251A
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00562529
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00562534
CloseHandle.KERNEL32(00000000), ref: 0056253B
GetCurrentProcessId.KERNEL32 ref: 00562541
PathFileExistsW.SHLWAPI(?), ref: 00562572
GetTempPathW.KERNEL32(00000104,?), ref: 005625D5
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 005625EF
lstrcatW.KERNEL32(?,.exe), ref: 00562601

Part of subcall function 0056C3F1: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0056C510,00000000,00000000,?), ref: 0056C430

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00562641
Sleep.KERNEL32(000001F4), ref: 00562682
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00562697
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 005626A2
CloseHandle.KERNEL32(00000000), ref: 005626A9
GetCurrentProcessId.KERNEL32 ref: 005626AF

Strings

open, xrefs: 0056263B
temp_, xrefs: 005625E3
.exe, xrefs: 005625F5
8S\, xrefs: 005624A6
exepath, xrefs: 005624CC
WDH, xrefs: 00562548, 005626B6

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: .exe$8S\$WDH$exepath$open$temp_
API String ID: 2649220323-4018133170
Opcode ID: 8935cd8bc34d446b87612ccec2330e37f10060b7fb8b40eca257e33d4bd26f56
Instruction ID: 6479dcbf7a4cae56bde7c79ed2b59c546a14f8d094eb551f5c1af1d519300b1e
Opcode Fuzzy Hash: 8935cd8bc34d446b87612ccec2330e37f10060b7fb8b40eca257e33d4bd26f56
Instruction Fuzzy Hash: 0F51DD71A006166BDF10ABA0AC9AFFE3B7CBF95311F000556B802A7191EF749E49CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0056B047 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0056B13C
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0056B150
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,005B60A4), ref: 0056B178
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,005C4EE0,00000000), ref: 0056B18E
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0056B1CF
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0056B1E7
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0056B1FC
SetEvent.KERNEL32 ref: 0056B219
WaitForSingleObject.KERNEL32(000001F4), ref: 0056B22A
CloseHandle.KERNEL32 ref: 0056B23A
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0056B25C
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0056B266

Strings

open ", xrefs: 0056B0D0
pause audio, xrefs: 0056B1CA
" type , xrefs: 0056B0D5
resume audio, xrefs: 0056B1E2
close audio, xrefs: 0056B261
stopped, xrefs: 0056B202
status audio mode, xrefs: 0056B1F7
play audio, xrefs: 0056B14B
stop audio, xrefs: 0056B257
N\, xrefs: 0056B109, 0056B08B
alias audio, xrefs: 0056B0B8

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$N\
API String ID: 738084811-4138994965
Opcode ID: 99af5066d87e2c38fbd4e6a58240a41a05fb67cb75e1f7ace5a74aa84e37ced2
Instruction ID: 35eb947b3e1182f295b43c156e4eb7f71fffb5dd2597c0ce513fa7092e050e8d
Opcode Fuzzy Hash: 99af5066d87e2c38fbd4e6a58240a41a05fb67cb75e1f7ace5a74aa84e37ced2
Instruction Fuzzy Hash: 58519E712442066FE614B770DCAAEAF3FADBFD5755F00041AB946831A1EF206D4CCA66

Uniqueness

Uniqueness Score: -1.00%

Function 00551A6D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00551AD9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00551B03
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00551B13
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00551B23
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00551B33
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00551B43
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00551B54
WriteFile.KERNEL32(00000000,005C2AAA,00000002,00000000,00000000), ref: 00551B65
WriteFile.KERNEL32(00000000,005C2AAC,00000004,00000000,00000000), ref: 00551B75
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00551B85
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00551B96
WriteFile.KERNEL32(00000000,005C2AB6,00000002,00000000,00000000), ref: 00551BA7
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00551BB7
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00551BC7

Strings

fmt , xrefs: 00551B2D
RIFF, xrefs: 00551AFD
WAVE, xrefs: 00551B1D
data, xrefs: 00551BB1

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 7c12f1387e8c91541a3d05aca912a9bfdd22e53b87f96c31af13d397a7ab61ba
Instruction ID: ff4d73ceb06035cbf8bd33863334d464a2be68f3f732f15121cffe511e7140cc
Opcode Fuzzy Hash: 7c12f1387e8c91541a3d05aca912a9bfdd22e53b87f96c31af13d397a7ab61ba
Instruction Fuzzy Hash: 4E413D726443187EE210DA51DD86FBB7FECEB85F50F40091AF644D6080D7A4A909DBB3

Uniqueness

Uniqueness Score: -1.00%

Function 00557270 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\tu.exe,00000001,0055764D,C:\Users\user\Desktop\tu.exe,00000003,00557675,005C52D8,005576CE), ref: 00557284
GetProcAddress.KERNEL32(00000000), ref: 0055728D
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 005572A2
GetProcAddress.KERNEL32(00000000), ref: 005572A5
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 005572B6
GetProcAddress.KERNEL32(00000000), ref: 005572B9
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 005572CA
GetProcAddress.KERNEL32(00000000), ref: 005572CD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 005572DE
GetProcAddress.KERNEL32(00000000), ref: 005572E1
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 005572F2
GetProcAddress.KERNEL32(00000000), ref: 005572F5

Strings

C:\Users\user\Desktop\tu.exe, xrefs: 00557271
RtlReleasePebLock, xrefs: 005572D8
NtAllocateVirtualMemory, xrefs: 0055729C
ntdll.dll, xrefs: 00557278, 00557283, 005572A1, 005572B5, 005572C9, 005572DD, 005572F1
RtlAcquirePebLock, xrefs: 005572C4
NtFreeVirtualMemory, xrefs: 005572B0
LdrEnumerateLoadedModules, xrefs: 005572EC
RtlInitUnicodeString, xrefs: 0055727E

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Users\user\Desktop\tu.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-354237639
Opcode ID: 9245e5dea00b3036a9ccec3e1341781426c0fcf51c7c08e019b8a04b7eeafeb6
Instruction ID: 76d0feb6565e89b12ba0da8daf365662541b9fb656263197238e4a23276f8cb3
Opcode Fuzzy Hash: 9245e5dea00b3036a9ccec3e1341781426c0fcf51c7c08e019b8a04b7eeafeb6
Instruction Fuzzy Hash: 920184E5A4471A7ACB116B3F6C64D4B7FDCBE643527090827B805E2151EFBCE808DE60

Uniqueness

Uniqueness Score: -1.00%

Function 0040B780 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 157synchronizationmemoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(BB40E64E,?,?,?,?,?,?,?,0045B14B,000000FF), ref: 0040B7C4
__snwprintf.LIBCMT ref: 0040B7DB
CreateMutexW.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,0045B14B,000000FF), ref: 0040B7F5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045B14B,000000FF), ref: 0040B808
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,0045B14B,000000FF), ref: 0040B818
_memset.LIBCMT ref: 0040B834
_swscanf.LIBCMT ref: 0040B86B
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0045B14B,000000FF), ref: 0040B885
HeapAlloc.KERNEL32(00000000,00000000,000005C0,?,?,?,?,?,?,?,?,?,?,?,?,0045B14B), ref: 0040B897
__CxxThrowException@8.LIBCMT ref: 0040B8D2
__swprintf.LIBCMT ref: 0040B8E9
__CxxThrowException@8.LIBCMT ref: 0040B910
ReleaseMutex.KERNEL32(?,?,00465204), ref: 0040B91E
CloseHandle.KERNEL32(?), ref: 0040B940
ReleaseMutex.KERNEL32(00000000), ref: 0040B963
CloseHandle.KERNEL32(00000000), ref: 0040B96E

Strings

%s %u, xrefs: 0040B7D0
1830B7BD-F7A3-4c4d-989B-C004DE465EDE, xrefs: 0040B7CB

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: Mutex$CloseException@8HandleHeapProcessReleaseThrow$AllocCreateCurrentErrorLastObjectSingleWait__snwprintf__swprintf_memset_swscanf
String ID: %s %u$1830B7BD-F7A3-4c4d-989B-C004DE465EDE
API String ID: 2967953817-332789905
Opcode ID: 21630a82ff95050d2a936fc027293757e53b3bd1dc2a9272b0684d330f7f6356
Instruction ID: b0080335ab30dc4e6b4e05c12cebb1b1aa067a19cdad22adf5ef2cdec4d22371
Opcode Fuzzy Hash: 21630a82ff95050d2a936fc027293757e53b3bd1dc2a9272b0684d330f7f6356
Instruction Fuzzy Hash: 145182B1900744ABDB10EFA4DD45BAE77A8EB14714F10423AF905E72D1EBB855048B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0056C01B Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0056C036
_memcmp.LIBVCRUNTIME ref: 0056C04E
lstrlenW.KERNEL32(?), ref: 0056C067
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0056C0A2
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0056C0B5
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0056C0F9
lstrcmpW.KERNEL32(?,?), ref: 0056C114
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0056C12C
_wcslen.LIBCMT ref: 0056C13B
FindVolumeClose.KERNEL32(?), ref: 0056C15B
GetLastError.KERNEL32 ref: 0056C173
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0056C1A0
lstrcatW.KERNEL32(?,?), ref: 0056C1B9
lstrcpyW.KERNEL32(?,?), ref: 0056C1C8
GetLastError.KERNEL32 ref: 0056C1D0

Strings

?, xrefs: 0056C0CD

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: 5f7e614927783d74169beb8a52130c492aa1119f416ae53d5d7ff2bb32fcf6bf
Instruction ID: 128522f53b6e0d5bf307789a80ff55597b81c222a466805aac4f8a4f0dede4b2
Opcode Fuzzy Hash: 5f7e614927783d74169beb8a52130c492aa1119f416ae53d5d7ff2bb32fcf6bf
Instruction Fuzzy Hash: E9416D71508356ABDB20DF60D84CAABBFECFB96750F40092AF585C3161EB70D948D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0059F42D Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0059F4BF
_free.LIBCMT ref: 0059F4E5
_free.LIBCMT ref: 0059F50E
_free.LIBCMT ref: 0059F546
_free.LIBCMT ref: 0059F577
_free.LIBCMT ref: 0059F5B8
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0059F639
_free.LIBCMT ref: 0059F652
_wcschr.LIBVCRUNTIME ref: 0059F68F
_free.LIBCMT ref: 0059F6FB
_free.LIBCMT ref: 0059F721
_free.LIBCMT ref: 0059F74A
_free.LIBCMT ref: 0059F77F
_free.LIBCMT ref: 0059F7B0
_free.LIBCMT ref: 0059F7F1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0059F876
_free.LIBCMT ref: 0059F88F

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 54ae731eaee3d18a009713a900823fdb681c02f1b5ae9b7e344e28dd93c44ec5
Instruction ID: dd5ecacbd82edf728a6d090d73a46c35b4f2c5f96cfb241f4ca2503abcb6542e
Opcode Fuzzy Hash: 54ae731eaee3d18a009713a900823fdb681c02f1b5ae9b7e344e28dd93c44ec5
Instruction Fuzzy Hash: 56D126719007026FDF24AFB8DC85AAEBFA8FF41324F05417EE915E7281EB3599048790

Uniqueness

Uniqueness Score: -1.00%

Function 00562AB4 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 482sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00562ACD

Part of subcall function 0056B978: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,005B6468,0055D20D,.vbs,?,?,?,?,?,005C52F0), ref: 0056B99F

Part of subcall function 00568568: CloseHandle.KERNEL32(005540F5,?,?,005540F5,005B5E74), ref: 0056857E
Part of subcall function 00568568: CloseHandle.KERNEL32(t^[,?,?,005540F5,005B5E74), ref: 00568587

Sleep.KERNEL32(0000000A,005B5E74), ref: 00562C1F
Sleep.KERNEL32(0000000A,005B5E74,005B5E74), ref: 00562CC1
Sleep.KERNEL32(0000000A,005B5E74,005B5E74,005B5E74), ref: 00562D63
DeleteFileW.KERNEL32(00000000,005B5E74,005B5E74,005B5E74), ref: 00562DC5
DeleteFileW.KERNEL32(00000000,005B5E74,005B5E74,005B5E74), ref: 00562DFC
DeleteFileW.KERNEL32(00000000,005B5E74,005B5E74,005B5E74), ref: 00562E38
Sleep.KERNEL32(000001F4,005B5E74,005B5E74,005B5E74), ref: 00562E52
Sleep.KERNEL32(00000064), ref: 00562E94

Part of subcall function 00554AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00554B36

Strings

N\, xrefs: 00562F6C
N\, xrefs: 005630C1
/stext ", xrefs: 00562BAA, 00562C4C, 00562CEE
0T\, xrefs: 00563026
0T\, xrefs: 0056314C

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$0T\$0T\$N\$N\
API String ID: 1223786279-2267169114
Opcode ID: 1edba678f39680cc94cc2328a9b477e3e05dfc614d4a83671ef6c0dd579b0aef
Instruction ID: b835b5c2bca6d7e43e2328b86a320dbc813e3a14d4e05752addd3cd6279d690e
Opcode Fuzzy Hash: 1edba678f39680cc94cc2328a9b477e3e05dfc614d4a83671ef6c0dd579b0aef
Instruction Fuzzy Hash: BD0210315086424AC328EB70D86ABEEBFE5BFD5341F50482EF88A87191EF30594DCB56

Uniqueness

Uniqueness Score: -1.00%

Function 0056C68F Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0056C6B1
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0056C6F5
RegCloseKey.ADVAPI32(?), ref: 0056C9BF

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0056C6A7
InstallDate, xrefs: 0056C790
UninstallString, xrefs: 0056C7A4
InstallLocation, xrefs: 0056C77C
Publisher, xrefs: 0056C751
DisplayVersion, xrefs: 0056C768
DisplayName, xrefs: 0056C73C

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 999f6ebc54995aef4813a19867ea25c14afdcb5177833b2cf41fe39c0f165e13
Instruction ID: 429443b97bd18e76b0417c105cbe3785b8d13b3a255eba4623e724feafd123ac
Opcode Fuzzy Hash: 999f6ebc54995aef4813a19867ea25c14afdcb5177833b2cf41fe39c0f165e13
Instruction Fuzzy Hash: 548103711082469BD324EB20D865EEFBFE8BFD4345F50491EB58A83151FF30AA4DCA66

Uniqueness

Uniqueness Score: -1.00%

Function 00406400 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 153registryCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00406424

Part of subcall function 0042FB25: __FF_MSGBANNER.LIBCMT ref: 0042FB48
Part of subcall function 0042FB25: __NMSG_WRITE.LIBCMT ref: 0042FB4F
Part of subcall function 0042FB25: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,?,00402AFA), ref: 0042FB9C

SetLastError.KERNEL32(00000008,00000000,?,?,?,?,004060DB,00000000,00002000,00000000,00401596,?,?,?,00401C5E,?), ref: 00406434

Part of subcall function 0042F2AE: __lock.LIBCMT ref: 0042F2CC
Part of subcall function 0042F2AE: ___sbh_find_block.LIBCMT ref: 0042F2D7
Part of subcall function 0042F2AE: ___sbh_free_block.LIBCMT ref: 0042F2E6
Part of subcall function 0042F2AE: HeapFree.KERNEL32(00000000,?,00464668,0000000C,0043383B,00000000,004648F0,0000000C,00433875,?,?,?,004479C3,00000004,00464E28,0000000C), ref: 0042F316
Part of subcall function 0042F2AE: GetLastError.KERNEL32(?,004479C3,00000004,00464E28,0000000C,004356E9,?,?,00000000,00000000,00000000,?,004352B5,00000001,00000214), ref: 0042F327

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards,00000000,00020119,?,00000000,?,?,?,?,004060DB,00000000,00002000,00000000,00401596,?), ref: 0040645A
RegEnumKeyExW.ADVAPI32 ref: 00406486
RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020119,?), ref: 004064AB
RegQueryValueExA.ADVAPI32(?,ServiceName,00000000,?,00000004,?), ref: 004064DF
RegCloseKey.ADVAPI32(?), ref: 0040650D
RegEnumKeyExW.ADVAPI32(00000000,00000001,00000000,?,00000000,00000000,00000000,00000000), ref: 00406530
RegCloseKey.ADVAPI32(00000000), ref: 0040653F

Strings

%012I64X, xrefs: 00406556
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards, xrefs: 00406450
MAC:, xrefs: 00406593
ServiceName, xrefs: 004064C9

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: CloseEnumErrorHeapLastOpen$AllocFreeQueryValue___sbh_find_block___sbh_free_block__lock_malloc
String ID: %012I64X$MAC:$SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards$ServiceName
API String ID: 3177717327-1531755283
Opcode ID: e5e2b6cb0406eebcd3ecfd1ca0ec33acc8a31c79426b9c3f7b5b7b2d670d5707
Instruction ID: 91a01f5ca6e93bf5eebee49e75ff8b246a23b9fedb22c95eae37365d202e933b
Opcode Fuzzy Hash: e5e2b6cb0406eebcd3ecfd1ca0ec33acc8a31c79426b9c3f7b5b7b2d670d5707
Instruction Fuzzy Hash: 6841B171204300BBE620DF95EC85F1BBBE8EFC4B59F40052EF945A22C5E678D908876A

Uniqueness

Uniqueness Score: -1.00%

Function 0056D58F Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0056D5DA
GetCursorPos.USER32(?), ref: 0056D5E9
SetForegroundWindow.USER32(?), ref: 0056D5F2
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0056D60C
Shell_NotifyIconA.SHELL32(00000002,005C4B48), ref: 0056D65D
ExitProcess.KERNEL32 ref: 0056D665
CreatePopupMenu.USER32 ref: 0056D66B
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0056D680

Strings

Close, xrefs: 0056D671

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: 7c847c2d8f425add12ec1dae1a5ff923a6c3f2f2c7fbbd1ea512de2eb610ff9f
Instruction ID: 5ba01663e4ce2c08a22b763f634ebba1891ef3d6cd666c5f6da786a073b67b6b
Opcode Fuzzy Hash: 7c847c2d8f425add12ec1dae1a5ff923a6c3f2f2c7fbbd1ea512de2eb610ff9f
Instruction Fuzzy Hash: B4213671A00108BFDF154FA8ED1EE697F75FB29305F000918F606920B0DBB19D24EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00558B7A Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00558CE3
GetFileSizeEx.KERNEL32(00000000,?), ref: 00558D1B
__aulldiv.LIBCMT ref: 00558D4D

Part of subcall function 00554AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00554B36

Part of subcall function 0056B4EF: GetLocalTime.KERNEL32(00000000), ref: 0056B509

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00558E70
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00558E8B
CloseHandle.KERNEL32(00000000), ref: 00558F64
CloseHandle.KERNEL32(00000000,00000052), ref: 00558FAE
CloseHandle.KERNEL32(00000000), ref: 00558FFC

Strings

N\, xrefs: 00558C17
SetFilePointerEx error, xrefs: 00558FD4
ReadFile error, xrefs: 00558FC8
Uploading file to Controller: , xrefs: 00558DD5

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $N\
API String ID: 3086580692-328270867
Opcode ID: cce3aaf0d9cb548f12dab904a6bbcb3c8054701a97b07b9f4258aedacc451722
Instruction ID: 29742276d85cb811c33b78fb2a0bdddef717d181709f2a510bb75ed80414e50b
Opcode Fuzzy Hash: cce3aaf0d9cb548f12dab904a6bbcb3c8054701a97b07b9f4258aedacc451722
Instruction Fuzzy Hash: CCB190315083419BC714FB24D8AAA7EBFE9BFC5351F40491EF84A93291EF309949CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00408F20 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00408F32

Part of subcall function 00432DB5: __getptd_noexit.LIBCMT ref: 00432DB5

SetLastError.KERNEL32(00000000), ref: 00408F50
_vswprintf_s.LIBCMT ref: 00408FD4
_wcsrchr.LIBCMT ref: 00409015
__snwprintf.LIBCMT ref: 0040903B
__CxxThrowException@8.LIBCMT ref: 00409081
GetLastError.KERNEL32(?,004651D0), ref: 00409094
SetLastError.KERNEL32(00000000), ref: 004090B2
__CxxThrowException@8.LIBCMT ref: 004090D5
__CxxThrowException@8.LIBCMT ref: 004090EB

Strings

4-F, xrefs: 00408F9A
<%s:%d>, xrefs: 00409034

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: ErrorLast$Exception@8Throw$__getptd_noexit__snwprintf_vswprintf_s_wcsrchr
String ID: 4-F$<%s:%d>
API String ID: 1135991162-2115238217
Opcode ID: 8da0d668e8d2bed21a38bc542d697908a3f4a170cb8d83eb15cc4d257e8be0b2
Instruction ID: 14e59de21d721aaef6b68cd87fe21ec90b452582bd65d8ba9509ecaee94afa43
Opcode Fuzzy Hash: 8da0d668e8d2bed21a38bc542d697908a3f4a170cb8d83eb15cc4d257e8be0b2
Instruction Fuzzy Hash: AB51C1715003019BC720EF29CC85BAB76E9EF89710F05493EF94597296EBB8DD04C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00401640 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\360MachineSignature,00000000,00020119,?,00000000,?,00000000,?,?,?,00401C5E,?,?), ref: 00401666
RegQueryValueExW.ADVAPI32(?,Operator,00000000,?,00000000,?,?,00000000,?,?,?,00401C5E,?,?), ref: 004016AD
RegQueryValueExW.ADVAPI32(?,IssueDate,00000000,?,00000000,?,?,00000000,?,?,?,00401C5E,?,?), ref: 004016F4
RegQueryValueExW.ADVAPI32(?,ExpirationDate,00000000,?,00000000,?,?,00000000,?,?,?,00401C5E,?,?), ref: 00401733
RegQueryValueExW.ADVAPI32(?,SignData,00000000,?,00000000,?,?,00000000,?,?,?,00401C5E,?,?), ref: 0040176A
RegCloseKey.ADVAPI32(?), ref: 004017A8
RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,00401C5E,?,?), ref: 004017C1

Strings

SOFTWARE\360MachineSignature, xrefs: 00401656
SignData, xrefs: 00401760
IssueDate, xrefs: 004016EA
ExpirationDate, xrefs: 00401729
Operator, xrefs: 0040169E

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: QueryValue$Close$Open
String ID: ExpirationDate$IssueDate$Operator$SOFTWARE\360MachineSignature$SignData
API String ID: 2895014784-1479031278
Opcode ID: 2d54e4a1bd58c59d3d4e4eac94afafb44d7a5f605dbedefef143314ab1df9f72
Instruction ID: 1f7021fa9f236602036fbd2601c454c1c7a1e4c58a50fa6465acc4d7145fd61b
Opcode Fuzzy Hash: 2d54e4a1bd58c59d3d4e4eac94afafb44d7a5f605dbedefef143314ab1df9f72
Instruction Fuzzy Hash: AA5130B16043029FC320CF69DC80A6BB7E8EBD4754F444A2EF595E3350E774E9098B5A

Uniqueness

Uniqueness Score: -1.00%

Function 005A12C6 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 005A130A

Part of subcall function 005A0502: _free.LIBCMT ref: 005A051F
Part of subcall function 005A0502: _free.LIBCMT ref: 005A0531
Part of subcall function 005A0502: _free.LIBCMT ref: 005A0543
Part of subcall function 005A0502: _free.LIBCMT ref: 005A0555
Part of subcall function 005A0502: _free.LIBCMT ref: 005A0567
Part of subcall function 005A0502: _free.LIBCMT ref: 005A0579
Part of subcall function 005A0502: _free.LIBCMT ref: 005A058B
Part of subcall function 005A0502: _free.LIBCMT ref: 005A059D
Part of subcall function 005A0502: _free.LIBCMT ref: 005A05AF
Part of subcall function 005A0502: _free.LIBCMT ref: 005A05C1
Part of subcall function 005A0502: _free.LIBCMT ref: 005A05D3
Part of subcall function 005A0502: _free.LIBCMT ref: 005A05E5
Part of subcall function 005A0502: _free.LIBCMT ref: 005A05F7

_free.LIBCMT ref: 005A12FF

Part of subcall function 00596782: RtlFreeHeap.NTDLL(00000000,00000000,?,005A0C6F,?,00000000,?,00000000,?,005A0F13,?,00000007,?,?,005A145E,?), ref: 00596798
Part of subcall function 00596782: GetLastError.KERNEL32(?,?,005A0C6F,?,00000000,?,00000000,?,005A0F13,?,00000007,?,?,005A145E,?,?), ref: 005967AA

_free.LIBCMT ref: 005A1321
_free.LIBCMT ref: 005A1336
_free.LIBCMT ref: 005A1341
_free.LIBCMT ref: 005A1363
_free.LIBCMT ref: 005A1376
_free.LIBCMT ref: 005A1384
_free.LIBCMT ref: 005A138F
_free.LIBCMT ref: 005A13C7
_free.LIBCMT ref: 005A13CE
_free.LIBCMT ref: 005A13EB
_free.LIBCMT ref: 005A1403

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 80ec83100d154ff7b483e02c96378f5eb70d38087fb1309d8286723f42a69d0e
Instruction ID: bd1438912cdd726f08fc3d3c8da10b60a1a7121ca56d9ff8af5194d44ef08b95
Opcode Fuzzy Hash: 80ec83100d154ff7b483e02c96378f5eb70d38087fb1309d8286723f42a69d0e
Instruction Fuzzy Hash: 53318B31600B029FEF20AFB9D889B5E7BE8FF42315F10891AE068D6551DA74BD449B68

Uniqueness

Uniqueness Score: -1.00%

Function 0055D7FF Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00562850: TerminateProcess.KERNEL32(00000000,pth_unenc,0055F8C8), ref: 00562860
Part of subcall function 00562850: WaitForSingleObject.KERNEL32(000000FF), ref: 00562873

Part of subcall function 005636F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,005C52F0), ref: 00563714
Part of subcall function 005636F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0056372D
Part of subcall function 005636F8: RegCloseKey.KERNEL32(00000000), ref: 00563738

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0055D859
ShellExecuteW.SHELL32(00000000,open,00000000,005B6468,005B6468,00000000), ref: 0055D9B8
ExitProcess.KERNEL32 ref: 0055D9C4

Strings

.vbs, xrefs: 0055D85F
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0055D8F9
open, xrefs: 0055D9B2
8S\, xrefs: 0055D80F
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0055D967
exepath, xrefs: 0055D831
""", 0, xrefs: 0055D8E1
Temp, xrefs: 0055D89A

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$8S\$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-3974700463
Opcode ID: 37187fcf58b3f386143ee757e3c51ec6476a8b3c18d660099c6cc23f8c896721
Instruction ID: fcc6856b51177a2c75371ec20df8a9d7fb692aaba02ae1c4e06e846f40342843
Opcode Fuzzy Hash: 37187fcf58b3f386143ee757e3c51ec6476a8b3c18d660099c6cc23f8c896721
Instruction Fuzzy Hash: C54128319105195ADB14F774DC6ADFEBF79BF95702F00016AF806A3191EF206E8ECAA4

Uniqueness

Uniqueness Score: -1.00%

Function 005A0600 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005A0648
_free.LIBCMT ref: 005A066C
_free.LIBCMT ref: 005A0679
_free.LIBCMT ref: 005A069E
_free.LIBCMT ref: 005A06AB
_free.LIBCMT ref: 005A06B4
_free.LIBCMT ref: 005A0992
_free.LIBCMT ref: 005A099A

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 500ad294f088bc857011c103e36cdd8b0dacdbd012b0597b09f94632f85b0c53
Instruction ID: 5ba98d610e304d1b0db0bbb269081c193be7da528067bfeec6d37ec8219fd105
Opcode Fuzzy Hash: 500ad294f088bc857011c103e36cdd8b0dacdbd012b0597b09f94632f85b0c53
Instruction Fuzzy Hash: 0FC16372E40205AFDB20DBA8CC86FEE7BFCBB49704F140165FA05EB282D6749D4597A4

Uniqueness

Uniqueness Score: -1.00%

Function 005A5BDB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005A58A9: CreateFileW.KERNEL32(00000000,00000000,?,005A5C84,?,?,00000000,?,005A5C84,00000000,0000000C), ref: 005A58C6

GetLastError.KERNEL32 ref: 005A5CEF
__dosmaperr.LIBCMT ref: 005A5CF6
GetFileType.KERNEL32(00000000), ref: 005A5D02
GetLastError.KERNEL32 ref: 005A5D0C
__dosmaperr.LIBCMT ref: 005A5D15
CloseHandle.KERNEL32(00000000), ref: 005A5D35
CloseHandle.KERNEL32(?), ref: 005A5E7F
GetLastError.KERNEL32 ref: 005A5EB1
__dosmaperr.LIBCMT ref: 005A5EB8

Strings

H, xrefs: 005A5E3D

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 29be19f638d08b1537dfb99ebafb7bab748bc12dd7dab3dcd9f350b2d63b003d
Instruction ID: 6bba160f93bc7766e9d4a9154ca5bab9324d4e2131b89af45c704d9130b7a79d
Opcode Fuzzy Hash: 29be19f638d08b1537dfb99ebafb7bab748bc12dd7dab3dcd9f350b2d63b003d
Instruction Fuzzy Hash: 5BA14332A106599FDF189F68DC55BAE3FA0BB47320F180149F811DB2E1EB308D16DB51

Uniqueness

Uniqueness Score: -1.00%

Function 005A0A25 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005A0A94
_free.LIBCMT ref: 005A0AA2
_free.LIBCMT ref: 005A0BD0
_free.LIBCMT ref: 005A0BDB

Strings

\&\, xrefs: 005A0C1C
`&\, xrefs: 005A0C34
\&\, xrefs: 005A0C24

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: _free
String ID: \&\$\&\$`&\
API String ID: 269201875-3168631238
Opcode ID: b78fbc46802a0798c8545c889fdb698924e15e2d3a34476a47235366ccdd791e
Instruction ID: 14292ed4c558d6b5cddede91d0b12fb2228643a85e83e72073d34b3c23ace279
Opcode Fuzzy Hash: b78fbc46802a0798c8545c889fdb698924e15e2d3a34476a47235366ccdd791e
Instruction Fuzzy Hash: E561D371910209AFDB20DF68C942BAEBFF4FB46714F144169E954EB282E770AD41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00564BB0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

udp, xrefs: 00564C60, 00564C68, 00564C6C
65535, xrefs: 00564BB3

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: 9f979b51a65b83826a716c41468b0d833cb297b2389f0d9a808dcfab0e172560
Instruction ID: b8f3768f6cd0b4c1fd3016e56f584b0011ecdfa7f2e25dbf3807ef38d20ee228
Opcode Fuzzy Hash: 9f979b51a65b83826a716c41468b0d833cb297b2389f0d9a808dcfab0e172560
Instruction Fuzzy Hash: 7951D431A06712AFE7259B68D905B3B7FF4FF88740F080929F881972A1D765DC409FA6

Uniqueness

Uniqueness Score: -1.00%

Function 0043B54C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 106COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0043B5C0
__getptd.LIBCMT ref: 0043B5D2

Strings

csm, xrefs: 0043B640
MOC, xrefs: 0043B574
csm, xrefs: 0043B588

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: __getptd
String ID: MOC$csm$csm
API String ID: 3384420010-2232927589
Opcode ID: 392d5472d71fa33a46a6336c1c2ef07575f60051be97fb51371ea02d882e00af
Instruction ID: e8da79c3ca801231d8ecad43d2117962de43db7f41a6095863ddad8b9e0fae0f
Opcode Fuzzy Hash: 392d5472d71fa33a46a6336c1c2ef07575f60051be97fb51371ea02d882e00af
Instruction Fuzzy Hash: 1B31AC71400604DFDB308E59C482B6A73A8FB18319F58692BDA86C7352DB78E9458BDB

Uniqueness

Uniqueness Score: -1.00%

Function 0058A83A Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00551D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0058A892
GetLastError.KERNEL32(?,?,00551D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0058A89F
__dosmaperr.LIBCMT ref: 0058A8A6
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00551D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0058A8D2
GetLastError.KERNEL32(?,?,?,00551D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0058A8DC
__dosmaperr.LIBCMT ref: 0058A8E3
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00551D55,?), ref: 0058A926
GetLastError.KERNEL32(?,?,?,?,?,?,00551D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0058A930
__dosmaperr.LIBCMT ref: 0058A937
_free.LIBCMT ref: 0058A943
_free.LIBCMT ref: 0058A94A

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 3dae0386e2a5318bcb10d1ae1e442c91518d15b2235e9a76a59c39f217246369
Instruction ID: 1c3497e8d10dd3c2888c2f04362bf1fabdbe5da855d3605e1e272308644958c7
Opcode Fuzzy Hash: 3dae0386e2a5318bcb10d1ae1e442c91518d15b2235e9a76a59c39f217246369
Instruction Fuzzy Hash: 5131B17180814ABFEF11AFA4CC49DAE3F68FF45364B110216FC10661A1DB31CD51EB61

Uniqueness

Uniqueness Score: -1.00%

Function 004046F0 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 255fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?,?,?,?,00000000,00000002,00401D80,?,?,?,?,?,?,?,?), ref: 00404709
SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?), ref: 0040479C
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,?), ref: 004047B8
SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?), ref: 00404844

Strings

ReadFile(), xrefs: 0040491E
GetFileSizeEx(), xrefs: 00404713
SetFilePointerEx(), xrefs: 004048FB
.\QHImageHlp.c, xrefs: 0040471D, 00404905, 00404928, 00404950, 0040499A, 004049C0

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: File$Pointer$ReadSize
String ID: .\QHImageHlp.c$GetFileSizeEx()$ReadFile()$SetFilePointerEx()
API String ID: 1971422761-3013408749
Opcode ID: a95abc0583216832b83594f0851043222c33722ba269c4598de5ff927bbac7b7
Instruction ID: 03dfb4d2336c3ded1a3879e9d3a15ab1a4d94976a0d75a54ec2001c5ebdae41d
Opcode Fuzzy Hash: a95abc0583216832b83594f0851043222c33722ba269c4598de5ff927bbac7b7
Instruction Fuzzy Hash: 597114B6B443016BD210EA25DD81F2B7395EBC4B15F14493EFA44A73C0EA7DEC0587A6

Uniqueness

Uniqueness Score: -1.00%

Function 005554A0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 005554BF
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0055556F
TranslateMessage.USER32(?), ref: 0055557E
DispatchMessageA.USER32(?), ref: 00555589
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,005C4F78), ref: 00555641
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00555679

Part of subcall function 00554AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00554B36

Strings

GetMessage, xrefs: 005555F8
DisplayMessage, xrefs: 005555EC
CloseChat, xrefs: 00555609

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: fe3e7db3b53044761986da8436c230940970a9e551b9aafaf0154a8783094e72
Instruction ID: 1001b087dfdb60c5605bb238b253f0ea78c752adcec61dc67804c5c64339cc47
Opcode Fuzzy Hash: fe3e7db3b53044761986da8436c230940970a9e551b9aafaf0154a8783094e72
Instruction Fuzzy Hash: 66418D32604A026BCB14FB75DC6E96E7FA9BFC6701F40091EB91287591EF34990DCB92

Uniqueness

Uniqueness Score: -1.00%

Function 00567CDF Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00567F2C: __EH_prolog.LIBCMT ref: 00567F31

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,005B60A4), ref: 00567DDC
CloseHandle.KERNEL32(00000000), ref: 00567DE5
DeleteFileA.KERNEL32(00000000), ref: 00567DF4
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00567DA8

Part of subcall function 00554AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00554B36

Strings

0V\, xrefs: 00567E21
<, xrefs: 00567D83
@, xrefs: 00567D8A
0V\, xrefs: 00567DB5
Temp, xrefs: 00567D00

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: 0V\$0V\$<$@$Temp
API String ID: 1704390241-1866660946
Opcode ID: 83e7623cb56d2c82a50ea2ffa7097d30fb48fd40860b1dd7cd9707078e2991ac
Instruction ID: e7c7c9ff82eac06014f4ddcc1a591d27233c7208d18ccd9b4818f61e77b42d9d
Opcode Fuzzy Hash: 83e7623cb56d2c82a50ea2ffa7097d30fb48fd40860b1dd7cd9707078e2991ac
Instruction Fuzzy Hash: 65414A3190020A9ACB14FBA1DC6ABED7F78BF91315F404169F906664D1EF751A8DCBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040B650 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040B67A
_memset.LIBCMT ref: 0040B697
GetCurrentProcessId.KERNEL32 ref: 0040B69F
swprintf.LIBCMT ref: 0040B6BF

Part of subcall function 00432B41: __vswprintf_s_l.LIBCMT ref: 00432B55

FindAtomW.KERNEL32(?), ref: 0040B72F
DeleteAtom.KERNEL32(?), ref: 0040B749

Strings

{A0972F10-452C-4cd1-904E-B50E394EDE34}, xrefs: 0040B6AB
1830B7BD-F7A3-4c4d-989B-C004DE465EDE, xrefs: 0040B6A5
%s-%d-%s:, xrefs: 0040B6B0

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: Atom_memset$CurrentDeleteFindProcess__vswprintf_s_lswprintf
String ID: %s-%d-%s:$1830B7BD-F7A3-4c4d-989B-C004DE465EDE${A0972F10-452C-4cd1-904E-B50E394EDE34}
API String ID: 389091746-1980942712
Opcode ID: 437e8d90748bc7b6513a2a46a6f3fe04147eb6367c4c28063d2286c0b8bc6247
Instruction ID: 2e7dcfaec5885a51cec920f46e6640d5eddf5b0521efb3552e3d683f1a8d1c5a
Opcode Fuzzy Hash: 437e8d90748bc7b6513a2a46a6f3fe04147eb6367c4c28063d2286c0b8bc6247
Instruction Fuzzy Hash: 7021F7B1104300ABD314EB64DC96AFBB3A9EFD4700F84453FFA4583191EBB89504879E

Uniqueness

Uniqueness Score: -1.00%

Function 0044569A Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 004456A4
DName::DName.LIBCMT ref: 004456B0

Part of subcall function 004435CF: DName::doPchar.LIBCMT ref: 004435FC

DName::DName.LIBCMT ref: 004456DD

Part of subcall function 00443203: DNameStatusNode::make.LIBCMT ref: 00443231

UnDecorator::getScopedName.LIBCMT ref: 004456EB
DName::operator+=.LIBCMT ref: 004456F5
DName::operator+=.LIBCMT ref: 00445704
DName::operator+=.LIBCMT ref: 00445710
DName::operator+=.LIBCMT ref: 0044571D

Strings

void, xrefs: 004456FC

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: NameName::operator+=$Name::$Decorator::Decorator::getName::doNode::makePcharScopedScoreStatus
String ID: void
API String ID: 2229739886-3531332078
Opcode ID: 5015c3408bcb27d64949bf4dae6a3a8c0bd37e1f0a86d6c0238cc5b9e1a2eb31
Instruction ID: eb00b007f5abc369386499d998b18eebabc6c8172c4893b9a245dc17d1844bad
Opcode Fuzzy Hash: 5015c3408bcb27d64949bf4dae6a3a8c0bd37e1f0a86d6c0238cc5b9e1a2eb31
Instruction Fuzzy Hash: F2118670900504ABEB08EF64C886AAD7B64AB40709F40405BF006A72D2EBB8AA45CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00566940 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00566941
EmptyClipboard.USER32 ref: 0056694F
CloseClipboard.USER32 ref: 00566955
OpenClipboard.USER32 ref: 0056695C
GetClipboardData.USER32(0000000D), ref: 0056696C
GlobalLock.KERNEL32(00000000), ref: 00566975
GlobalUnlock.KERNEL32(00000000), ref: 0056697E
CloseClipboard.USER32 ref: 00566984

Part of subcall function 00554AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00554B36

Strings

!DU, xrefs: 00567089

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID: !DU
API String ID: 2172192267-1239079615
Opcode ID: 5da85d1832b2bb7cf26c2805ca0f50fc878f4069e31ce5947b0f71ad2d8b79e2
Instruction ID: 2ec98e2526cbdd2b9eac807cf941c5cbd307d91309d1931af2cc0fb28ef1729e
Opcode Fuzzy Hash: 5da85d1832b2bb7cf26c2805ca0f50fc878f4069e31ce5947b0f71ad2d8b79e2
Instruction Fuzzy Hash: A00175312146115FCB14BB75EC5D6AE7FB9BFD5712F40082EF806865A1DF31884CDA62

Uniqueness

Uniqueness Score: -1.00%

Function 0043F303 Relevance: 15.2, APIs: 10, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

APIs

__getbuf.LIBCMT ref: 00452967
__fileno.LIBCMT ref: 00452978
__fileno.LIBCMT ref: 00452989
__fileno.LIBCMT ref: 00452995
__fileno.LIBCMT ref: 004529A5
__fileno.LIBCMT ref: 004529C8
__fileno.LIBCMT ref: 004529D4
__fileno.LIBCMT ref: 004529E0
__fileno.LIBCMT ref: 004529F0
__cftof.LIBCMT ref: 00452A2C

Part of subcall function 00452CBC: __wctomb_s_l.LIBCMT ref: 00452CCF

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: __fileno$__cftof__getbuf__wctomb_s_l
String ID:
API String ID: 1564009976-0
Opcode ID: 8f5f60656d8aee7740e73f9f92f01c785faa6956bd2cc472c8204fa9af18c4d8
Instruction ID: 83c87296a530c54ed5d9dc8e46f76a92cbeb1989d0cf7a41b3e55cd3b412d914
Opcode Fuzzy Hash: 8f5f60656d8aee7740e73f9f92f01c785faa6956bd2cc472c8204fa9af18c4d8
Instruction Fuzzy Hash: E45133325006059FCB349F29C940A6B73E0AF56329F14852FE8A6D73C2D7B8ED49CB49

Uniqueness

Uniqueness Score: -1.00%

Function 005632D2 Relevance: 15.2, APIs: 10, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00563417
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00563425
GetFileSize.KERNEL32(?,00000000), ref: 00563432
UnmapViewOfFile.KERNEL32(00000000), ref: 00563452
CloseHandle.KERNEL32(00000000), ref: 0056345F
CloseHandle.KERNEL32(?), ref: 00563465

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: File$CloseHandleView$CreateMappingSizeUnmap
String ID:
API String ID: 297527592-0
Opcode ID: 5fdf79293008db946fe83eb42963e33280f1454cc692ec490f7196deb8f84836
Instruction ID: 9981b4a5777982f7d25521b660aac31d938b3a64e2dfe3aa6c370d78bcd740f2
Opcode Fuzzy Hash: 5fdf79293008db946fe83eb42963e33280f1454cc692ec490f7196deb8f84836
Instruction Fuzzy Hash: 5841B131608202BBEB20AB25DC4AF6B7EACFFC5724F100919F555D61A1DF30CA05D762

Uniqueness

Uniqueness Score: -1.00%

Function 0043784D Relevance: 15.1, APIs: 10, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00437866

Part of subcall function 004356D3: __calloc_impl.LIBCMT ref: 004356E4
Part of subcall function 004356D3: Sleep.KERNEL32(00000000,?,?,00002000), ref: 004356FB

__calloc_crt.LIBCMT ref: 0043788A
__calloc_crt.LIBCMT ref: 004378A6
__copytlocinfo_nolock.LIBCMT ref: 004378CB
__setlocale_nolock.LIBCMT ref: 004378D8
___removelocaleref.LIBCMT ref: 004378E4
___freetlocinfo.LIBCMT ref: 004378EB
__setmbcp_nolock.LIBCMT ref: 00437903
___removelocaleref.LIBCMT ref: 00437918
___freetlocinfo.LIBCMT ref: 0043791F

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: __calloc_crt$___freetlocinfo___removelocaleref$Sleep__calloc_impl__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 2969281212-0
Opcode ID: cca770cd89a3457768f8d1dee5c51a7bb805c9547a9ab6f93a5d569ae38ab5d2
Instruction ID: 0bda3ca86f29450c0e7a3ef308c41bbb666b0ae9fb036e98977096b7d3cefda8
Opcode Fuzzy Hash: cca770cd89a3457768f8d1dee5c51a7bb805c9547a9ab6f93a5d569ae38ab5d2
Instruction Fuzzy Hash: 12210675208A01EBE7357F27D806A0A7BE0DF8D364F61943FF4C556261DE399801C65D

Uniqueness

Uniqueness Score: -1.00%

Function 0056AB0D Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0056A486,00000000), ref: 0056AB1C
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0056A486,00000000), ref: 0056AB33
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0056A486,00000000), ref: 0056AB40
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0056A486,00000000), ref: 0056AB4F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0056A486,00000000), ref: 0056AB60
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0056A486,00000000), ref: 0056AB63

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 4e2f82c368cfc79e0aa219aa71c4df548ceb16ea73e5776d6758038b46117d38
Instruction ID: 784262f1637285d8ff0644913c768a2423d6436fbcf308da2f9a266e1ac37a04
Opcode Fuzzy Hash: 4e2f82c368cfc79e0aa219aa71c4df548ceb16ea73e5776d6758038b46117d38
Instruction Fuzzy Hash: 9111C2719401286F9721AB64DC8DDFF7FACFB933A1B100016F905A3060DB245D49AAF2

Uniqueness

Uniqueness Score: -1.00%

Function 00598121 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00598135

Part of subcall function 00596782: RtlFreeHeap.NTDLL(00000000,00000000,?,005A0C6F,?,00000000,?,00000000,?,005A0F13,?,00000007,?,?,005A145E,?), ref: 00596798
Part of subcall function 00596782: GetLastError.KERNEL32(?,?,005A0C6F,?,00000000,?,00000000,?,005A0F13,?,00000007,?,?,005A145E,?,?), ref: 005967AA

_free.LIBCMT ref: 00598141
_free.LIBCMT ref: 0059814C
_free.LIBCMT ref: 00598157
_free.LIBCMT ref: 00598162
_free.LIBCMT ref: 0059816D
_free.LIBCMT ref: 00598178
_free.LIBCMT ref: 00598183
_free.LIBCMT ref: 0059818E
_free.LIBCMT ref: 0059819C

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c869e7d8ebe7893526974a89e70a55664a4c19222ac7fe1a9a027277b3907d5c
Instruction ID: 4654d42f3d6ca774e620b4cb6afcef314297cfd368b5ffa31ae6d73b9504191e
Opcode Fuzzy Hash: c869e7d8ebe7893526974a89e70a55664a4c19222ac7fe1a9a027277b3907d5c
Instruction Fuzzy Hash: EE11A47A500109AFCF01EF94C886CD93FA5FF44359B0140A5BA588F222DA35EF54ABC0

Uniqueness

Uniqueness Score: -1.00%

Function 004049E0 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 220fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,00405C4F,?,00000000,?), ref: 004049FC
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00405C4F,?,00000000,?), ref: 00404A9C
ReadFile.KERNEL32(?,?,00008000,?,00000000,?,?,?,?,?,00405C4F,?,00000000,?), ref: 00404AB8
_memset.LIBCMT ref: 00404B63

Strings

ReadFile(), xrefs: 00404BDE
GetFileSizeEx(), xrefs: 00404A08
SetFilePointerEx(), xrefs: 00404BBC
.\QHImageHlp.c, xrefs: 00404A12, 00404BC6, 00404BE8, 00404C0F, 00404C34, 00404C59

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: File$PointerReadSize_memset
String ID: .\QHImageHlp.c$GetFileSizeEx()$ReadFile()$SetFilePointerEx()
API String ID: 1834740430-3013408749
Opcode ID: a7950db58af37fb67f0db474653cdd921a8e7a1659f061b88f3d7dd1b801e97c
Instruction ID: c7279cdef8b6de9ed2af9f0036a7ef1b0d318f082f7ee79805dd3dc40297ac8b
Opcode Fuzzy Hash: a7950db58af37fb67f0db474653cdd921a8e7a1659f061b88f3d7dd1b801e97c
Instruction Fuzzy Hash: 816126B17443006BD314DA29DD81B2BB3E0EBC8755F04493EF988E3280E77CE9448B8A

Uniqueness

Uniqueness Score: -1.00%

Function 005614F5 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00561514
inet_ntoa.WS2_32(?), ref: 005615AF

Strings

StartReverse, xrefs: 0056167F
StopForward, xrefs: 00561690
N\, xrefs: 0056153A
StartForward, xrefs: 00561673
StopReverse, xrefs: 005616A1
GetDirectListeningPort, xrefs: 005616B2

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$N\
API String ID: 3578746661-1555973973
Opcode ID: 73e8be69921836e0c7956083a2362af3b0e3607c8f976fa6c29c52b2f60a8295
Instruction ID: 23b202b4d5b15c05a06de06899008da028e8932674b0aa9c90164963f80cfb92
Opcode Fuzzy Hash: 73e8be69921836e0c7956083a2362af3b0e3607c8f976fa6c29c52b2f60a8295
Instruction Fuzzy Hash: 8151E271A04A415FCB14FB34D82EA7E3EA5BBE5301F44452AF8028B6E1DF34990ED796

Uniqueness

Uniqueness Score: -1.00%

Function 00403970 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 153fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?), ref: 004039C5
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 00403A7F
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 00403AA9
SetEndOfFile.KERNEL32(?), ref: 00403AE9

Strings

SetEndOfFile(), xrefs: 00403AF7
GetFileSizeEx(), xrefs: 004039CF
SetFilePointerEx(), xrefs: 00403B1A, 00403B26
.\QHImageHlp.c, xrefs: 0040399F, 00403B01

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: File$Pointer$Size
String ID: .\QHImageHlp.c$GetFileSizeEx()$SetEndOfFile()$SetFilePointerEx()
API String ID: 408439848-1520550917
Opcode ID: efe5ed57b227063c12dfbf8f0175d8ac109c7d29c0f11d32ce57c5971a172218
Instruction ID: 1b605d734e155b873fdfd4f28f3e3ae818b90f9930aa0250b92f2f22e38c86b6
Opcode Fuzzy Hash: efe5ed57b227063c12dfbf8f0175d8ac109c7d29c0f11d32ce57c5971a172218
Instruction Fuzzy Hash: 3641B4317043015BD710DE659D81B2B7BD8AB88B4AF04093FF584B72C1E6BCEA058A9E

Uniqueness

Uniqueness Score: -1.00%

Function 004037C0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 138fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?), ref: 004037D1
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 0040386C
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0040388C
SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000000), ref: 004038B3

Strings

ReadFile(), xrefs: 0040391B
GetFileSizeEx(), xrefs: 004037DB
SetFilePointerEx(), xrefs: 0040390F, 0040394D
.\QHImageHlp.c, xrefs: 00403931, 00403957

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: File$Pointer$ReadSize
String ID: .\QHImageHlp.c$GetFileSizeEx()$ReadFile()$SetFilePointerEx()
API String ID: 1971422761-3013408749
Opcode ID: d80dedbebb2793100ef8afd5d2585e2e953f73e2ae1894905a99123231bb69ca
Instruction ID: bd2c35f2d9b3925e1a7ba6d6698aa27c55923003429fdbcc139eee9cb6e742a9
Opcode Fuzzy Hash: d80dedbebb2793100ef8afd5d2585e2e953f73e2ae1894905a99123231bb69ca
Instruction Fuzzy Hash: 2A41E3727043016BD710EE29DD81F2BBBD9BBC4B12F14493EF990A62C1D6B8DA04875A

Uniqueness

Uniqueness Score: -1.00%

Function 00567495 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 005674F5

Part of subcall function 0056C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0055A843), ref: 0056C49E

Sleep.KERNEL32(00000064), ref: 00567521
DeleteFileW.KERNEL32(00000000), ref: 00567555

Strings

/t , xrefs: 005674D4
open, xrefs: 005674EF
\sysinfo.txt, xrefs: 005674A0
dxdiag, xrefs: 005674EA
temp, xrefs: 005674A5

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 147d21fb93897effeecec7586c80ef823822eb551c43b3ddf7e9c3ef71b8faf7
Instruction ID: b8cee27a4681d0423a929bd9ae91bd6949d1c3702f0856432f6c443c47c5b47f
Opcode Fuzzy Hash: 147d21fb93897effeecec7586c80ef823822eb551c43b3ddf7e9c3ef71b8faf7
Instruction Fuzzy Hash: 4531323190011A5ADB04FBA0DCBAEED7F74BF90306F40015AF906670D2EF606D8ECA94

Uniqueness

Uniqueness Score: -1.00%

Function 005573AC Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(005C2B14,00000000,005C52D8,00003000,00000004,00000000,00000001), ref: 005573DD
GetCurrentProcess.KERNEL32(005C2B14,00000000,00008000,?,00000000,00000001,00000000,00557656,C:\Users\user\Desktop\tu.exe), ref: 0055749E

Strings

explorer.exe, xrefs: 00557450, 0055747B
[-] NtAllocateVirtualMemory Error, xrefs: 0055743D
[+] NtAllocateVirtualMemory Success, xrefs: 00557410
\explorer.exe, xrefs: 00557400
windir, xrefs: 005573EA
PEB: %x, xrefs: 005574AF

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
API String ID: 2050909247-4242073005
Opcode ID: 8ce7cbc540471b63b9beb5adc87f84504514538f891daa38c48710a2fe520aae
Instruction ID: 8c948126f60d049050ae19b6950ab39173e57786ef3222d84fe1fd493b0636bb
Opcode Fuzzy Hash: 8ce7cbc540471b63b9beb5adc87f84504514538f891daa38c48710a2fe520aae
Instruction Fuzzy Hash: 1031F675204B05AFD720EFA5EC5AF56BFB8FB98306F000819F91292251DBB4B80C9B61

Uniqueness

Uniqueness Score: -1.00%

Function 0040B360 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040B391
_memset.LIBCMT ref: 0040B3AE
GetCurrentProcessId.KERNEL32 ref: 0040B3B6
swprintf.LIBCMT ref: 0040B3D6

Part of subcall function 00432B41: __vswprintf_s_l.LIBCMT ref: 00432B55

GetAtomNameW.KERNEL32(0000C000,?,00000104), ref: 0040B41E

Strings

{A0972F10-452C-4cd1-904E-B50E394EDE34}, xrefs: 0040B3C2
1830B7BD-F7A3-4c4d-989B-C004DE465EDE, xrefs: 0040B3BC
%s-%d-%s:, xrefs: 0040B3C7

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: _memset$AtomCurrentNameProcess__vswprintf_s_lswprintf
String ID: %s-%d-%s:$1830B7BD-F7A3-4c4d-989B-C004DE465EDE${A0972F10-452C-4cd1-904E-B50E394EDE34}
API String ID: 1762070210-1980942712
Opcode ID: 04201b845daf679fd702f084c1f8ee3b84df7fdc10a14036f8850c1365b6ed34
Instruction ID: d3ba892406a69276a2d9f1b618fdd1f673d4abaf0ab7cd1099eba7940fe984af
Opcode Fuzzy Hash: 04201b845daf679fd702f084c1f8ee3b84df7fdc10a14036f8850c1365b6ed34
Instruction Fuzzy Hash: 263189B16043006BD210EB68DC85EABB3E8EF98704F40493FF94593192E775A904879A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 79memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0040BB1A
OpenThread.KERNEL32(00000040,00000001,-00000008,00000000,?,?,?,0040BA80,?,?,?,?,?,?,0045B0F0,000000FF), ref: 0040BB75
GetLastError.KERNEL32(?,?,?,0040BA80,?,?,?,?,?,?,0045B0F0,000000FF,?,004083AC,?,00403F3C), ref: 0040BB7B
GetProcessHeap.KERNEL32(?,?,?,0040BA80,?,?,?,?,?,?,0045B0F0,000000FF,?,004083AC,?,00403F3C), ref: 0040BBAA
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,0040BA80,?,?,?,?,?,?,0045B0F0,000000FF), ref: 0040BBB4
OutputDebugStringW.KERNEL32(****** ,?,?,?,0040BA80,?,?,?,?,?,?,0045B0F0,000000FF,?,004083AC), ref: 0040BBC1
CloseHandle.KERNEL32(00000000,?,?,?,0040BA80,?,?,?,?,?,?,0045B0F0,000000FF,?,004083AC), ref: 0040BBCA

Strings

****** , xrefs: 0040BBBC

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: HeapThread$CloseCurrentDebugErrorFreeHandleLastOpenOutputProcessString
String ID: ******
API String ID: 2450575844-1974978773
Opcode ID: 4bb51ded7a3608d7d97a1e27c24b296467d0de8f0afda4e18d8d8d35c90d2ed4
Instruction ID: ba7dbfe72a5486ef3152b13babee1143b1853603010718cc7a74b18ee6d804c4
Opcode Fuzzy Hash: 4bb51ded7a3608d7d97a1e27c24b296467d0de8f0afda4e18d8d8d35c90d2ed4
Instruction Fuzzy Hash: FC315A34604B019FC7149B24CC94B6B77A4EF45702F04457EE985A7795E738F8008F9E

Uniqueness

Uniqueness Score: -1.00%

Function 00551BE9 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00551BF9
waveInOpen.WINMM(005C2AC0,000000FF,005C2AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00551C8F
waveInPrepareHeader.WINMM(005C2A88,00000020), ref: 00551CE3
waveInAddBuffer.WINMM(005C2A88,00000020), ref: 00551CF2
waveInStart.WINMM ref: 00551CFE

Strings

P\, xrefs: 00551C27
|M\, xrefs: 00551C9B
dM\, xrefs: 00551BED

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: dM\$|M\$P\
API String ID: 1356121797-2110958601
Opcode ID: 8523d25518c7fce6fc5b1396abb72329e8402be45ac7a4aa56d62e7bcc6c43bd
Instruction ID: 49f1b953b21459f43370020387182003945e8918c26bdef712d3fc542a3caa97
Opcode Fuzzy Hash: 8523d25518c7fce6fc5b1396abb72329e8402be45ac7a4aa56d62e7bcc6c43bd
Instruction Fuzzy Hash: 16213D71604A01AFC728AF66AC19E197FA5BFA4711F04402AA509C6AB0DBF00409EB68

Uniqueness

Uniqueness Score: -1.00%

Function 00409180 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00409195
GetLocalTime.KERNEL32(?), ref: 004091A2
__swprintf.LIBCMT ref: 004091C5
_vswprintf_s.LIBCMT ref: 004091FD
OutputDebugStringW.KERNEL32(?), ref: 00409218
OutputDebugStringW.KERNEL32(00462D84), ref: 0040921F
OutputDebugStringW.KERNEL32(?), ref: 00409246

Strings

<%08X> %02hu:%02hu:%02hu: , xrefs: 004091BF

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: DebugOutputString$CurrentLocalThreadTime__swprintf_vswprintf_s
String ID: <%08X> %02hu:%02hu:%02hu:
API String ID: 2086888202-2163415560
Opcode ID: 13ecc129a4f9194a9cc056268f5a874c4d06aae9f71d9bff6946beeb61dacec8
Instruction ID: 8e58f0009974f807aa0a88d16c54b8bf9c07752b702b58f5e1e4d755a66998c4
Opcode Fuzzy Hash: 13ecc129a4f9194a9cc056268f5a874c4d06aae9f71d9bff6946beeb61dacec8
Instruction Fuzzy Hash: 8721C371504311AFD728EB64DD89AFF73E4EFD8700F804A5EF88986191EA789904C797

Uniqueness

Uniqueness Score: -1.00%

Function 0042E240 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 61windowtimeCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Q360AdvToolExecutorWndClass,360AdvToolExecutor), ref: 0042E263
_memset.LIBCMT ref: 0042E28E
GetCommandLineW.KERNEL32 ref: 0042E2A0
IsWindow.USER32(00000000), ref: 0042E2E8
SendMessageTimeoutW.USER32(00000000,0000004A,00000000,00000064,00000001,000007D0,00000000), ref: 0042E319

Strings

d, xrefs: 0042E2C4
Q360AdvToolExecutorWndClass, xrefs: 0042E25E
360AdvToolExecutor, xrefs: 0042E259

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: Window$CommandFindLineMessageSendTimeout_memset
String ID: 360AdvToolExecutor$Q360AdvToolExecutorWndClass$d
API String ID: 1428618593-896946901
Opcode ID: f952c6319ded637e8a2be25a1d5eb67e1dd8c4e37a3a0c622363d516aaf7f046
Instruction ID: be255b2814a9b3d3b0f80194d172021b69f52db360a7e57986c6838927bbd2eb
Opcode Fuzzy Hash: f952c6319ded637e8a2be25a1d5eb67e1dd8c4e37a3a0c622363d516aaf7f046
Instruction Fuzzy Hash: CF216DB0A403189FDB10DF60DC45B99B7F8BF08705F50C5E9A549A6281DFB4AA88CFD9

Uniqueness

Uniqueness Score: -1.00%

Function 0056D45D Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0056D476

Part of subcall function 0056D50F: RegisterClassExA.USER32(00000030), ref: 0056D55B
Part of subcall function 0056D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0056D576
Part of subcall function 0056D50F: GetLastError.KERNEL32 ref: 0056D580

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0056D4AD
lstrcpynA.KERNEL32(005C4B60,Remcos,00000080), ref: 0056D4C7
Shell_NotifyIconA.SHELL32(00000000,005C4B48), ref: 0056D4DD
TranslateMessage.USER32(?), ref: 0056D4E9
DispatchMessageA.USER32(?), ref: 0056D4F3
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0056D500

Strings

Remcos, xrefs: 0056D4B8

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: aaaebaac0bc47f5ac9c52a20709a6d1136bdb1e8039e873aff1968eaf76279de
Instruction ID: efa9644eb28ac3ae2cb906eca2ef5d7ab01ea7932b52e7a92a0c66af622b8724
Opcode Fuzzy Hash: aaaebaac0bc47f5ac9c52a20709a6d1136bdb1e8039e873aff1968eaf76279de
Instruction Fuzzy Hash: 05013C71900289AFDF109FA1EC5CF9ABBBCFBA2B09F00441AB511870A0D7B49849DF60

Uniqueness

Uniqueness Score: -1.00%

Function 004404E9 Relevance: 13.6, APIs: 9, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

__getbuf.LIBCMT ref: 00452967
__fileno.LIBCMT ref: 00452978
__fileno.LIBCMT ref: 00452989
__fileno.LIBCMT ref: 00452995
__fileno.LIBCMT ref: 004529A5
__fileno.LIBCMT ref: 004529C8
__fileno.LIBCMT ref: 004529D4
__fileno.LIBCMT ref: 004529E0
__fileno.LIBCMT ref: 004529F0

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: __fileno$__getbuf
String ID:
API String ID: 3695372198-0
Opcode ID: c173f9ec17edaa17f6ee4bf5f7f1f9aa3a8cbada4bbe69cdd912e2c5fecacc7a
Instruction ID: 6b936e4868124953b0f543ace5912ab53509dea9887a6f8d0f4e089e0e30c8cc
Opcode Fuzzy Hash: c173f9ec17edaa17f6ee4bf5f7f1f9aa3a8cbada4bbe69cdd912e2c5fecacc7a
Instruction Fuzzy Hash: 334136325006448BC734AB29D940A6B7390AF57329F24456FEC66D73C2D7BCEE4A874D

Uniqueness

Uniqueness Score: -1.00%

Function 00595179 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00598215: GetLastError.KERNEL32(00000020,?,0058A7F5,?,?,?,0058F9A8,?,?,00000020,00000000,?,?,?,0057DD01,0000003B), ref: 00598219
Part of subcall function 00598215: _free.LIBCMT ref: 0059824C
Part of subcall function 00598215: SetLastError.KERNEL32(00000000,0058F9A8,?,?,00000020,00000000,?,?,?,0057DD01,0000003B,?,00000041,00000000,00000000), ref: 0059828D
Part of subcall function 00598215: _abort.LIBCMT ref: 00598293

_memcmp.LIBVCRUNTIME ref: 00595423
_free.LIBCMT ref: 00595494
_free.LIBCMT ref: 005954AD
_free.LIBCMT ref: 005954DF
_free.LIBCMT ref: 005954E8
_free.LIBCMT ref: 005954F4

Strings

C, xrefs: 005952E1

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 60621cfdcf1a326145c4af2b4788d2734fb9076813cf32b06e64e233ac43fb03
Instruction ID: 78060113fd113d699b85cc5d27ad2b8ea212280020886130b15581c0844bc0b1
Opcode Fuzzy Hash: 60621cfdcf1a326145c4af2b4788d2734fb9076813cf32b06e64e233ac43fb03
Instruction Fuzzy Hash: 32B13A7590161A9FDF25DF18C888BADBBB4FF48304F5045AAE949A7351E770AE90CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0056490A Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

udp, xrefs: 00564A46
tcp, xrefs: 00564A73

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 75f7fc580154137afae4dfffcfb91536c4bd571ce3b5715f087e7a9a558849b1
Instruction ID: 784930c1e46801cbaf65fc2332819091616fb0488100c8c79973d47255c9e7f0
Opcode Fuzzy Hash: 75f7fc580154137afae4dfffcfb91536c4bd571ce3b5715f087e7a9a558849b1
Instruction Fuzzy Hash: 1C715570A483429FDB24DF58C484A2ABFE5FB99345F14482EF88587261EB74CD44CF92

Uniqueness

Uniqueness Score: -1.00%

Function 004052C0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?), ref: 0040532D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040536F

Strings

GetFileSizeEx(), xrefs: 00405337
SetFilePointerEx(), xrefs: 004053EB
.\QHImageHlp.c, xrefs: 004052E4, 00405341, 00405398, 004053F5

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: FileSizeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: .\QHImageHlp.c$GetFileSizeEx()$SetFilePointerEx()
API String ID: 1756747699-2561355867
Opcode ID: 045e6cca237012a5d873fd085605a78d8d810dd21c2544b345ca439df9fc10a8
Instruction ID: bf7b32a8e1ee1daeb80faca7c9eea0b1b867eadaca1b8f7f38da0fe90859c255
Opcode Fuzzy Hash: 045e6cca237012a5d873fd085605a78d8d810dd21c2544b345ca439df9fc10a8
Instruction Fuzzy Hash: 1F51E270740B016BE318EF24DC81FA7B3A4FB84714F54453EE908937C1E7B9A8548A99

Uniqueness

Uniqueness Score: -1.00%

Function 0055186A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005518BE
ExitThread.KERNEL32 ref: 005518F6
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,005C4EE0,00000000), ref: 00551A04

Part of subcall function 00584770: __onexit.LIBCMT ref: 00584776

Strings

N\, xrefs: 00551990
XM\, xrefs: 00551902
Pk\, xrefs: 00551888
N\, xrefs: 0055190D

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: Pk\$XM\$N\$N\
API String ID: 1649129571-2776330165
Opcode ID: 58f2c06e83c732a8ef4c780507030a7c63c7fdb3ac1e4ff2c45c762a1ab81944
Instruction ID: 80c618613ceb5920c700c5e27780fce9f1086e2b16fe6b2f1fc1592b2c224259
Opcode Fuzzy Hash: 58f2c06e83c732a8ef4c780507030a7c63c7fdb3ac1e4ff2c45c762a1ab81944
Instruction Fuzzy Hash: A1419E311046014AC724FB24ECAAEAE7FA5BFD5316F40092EF846861E2DF305D4E9B56

Uniqueness

Uniqueness Score: -1.00%

Function 00557963 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,005C4EE0,005B5FA4,?,00000000,00557FFC,00000000), ref: 005579C5
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00557FFC,00000000,?,?,0000000A,00000000), ref: 00557A0D

Part of subcall function 00554AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00554B36

CloseHandle.KERNEL32(00000000,?,00000000,00557FFC,00000000,?,?,0000000A,00000000), ref: 00557A4D
MoveFileW.KERNEL32(00000000,00000000), ref: 00557A6A
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00557A95
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00557AA5

Part of subcall function 00554B96: WaitForSingleObject.KERNEL32(?,000000FF,?,005C4EF8,00554C49,00000000,?,?,?,005C4EF8,?), ref: 00554BA5
Part of subcall function 00554B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0055548B), ref: 00554BC3

Strings

.part, xrefs: 00557989

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: 1f9f93ec445725dad4789207605c8e5f6697469a02ff7bd578a7074f14510c7b
Instruction ID: 9f7dfcaa06f787a3b4f9c27eeab2ccf54d5e1047c68c58b07c2e5023accf5bdd
Opcode Fuzzy Hash: 1f9f93ec445725dad4789207605c8e5f6697469a02ff7bd578a7074f14510c7b
Instruction Fuzzy Hash: 3731A4314083159FC710EB20DC6999FBBA8FFD4356F40491EB84692151EB70AE4CCBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040B540 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040B56E
_memset.LIBCMT ref: 0040B58B
GetCurrentProcessId.KERNEL32 ref: 0040B593
swprintf.LIBCMT ref: 0040B5AF

Part of subcall function 00432B41: __vswprintf_s_l.LIBCMT ref: 00432B55

GetAtomNameW.KERNEL32(0000C000,?,00000104), ref: 0040B5EE

Strings

{A0972F10-452C-4cd1-904E-B50E394EDE34}, xrefs: 0040B59B
%s-%d-%s:, xrefs: 0040B5A0

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: _memset$AtomCurrentNameProcess__vswprintf_s_lswprintf
String ID: %s-%d-%s:${A0972F10-452C-4cd1-904E-B50E394EDE34}
API String ID: 1762070210-3571227826
Opcode ID: 82fb826cdcdc4336f7a5b576b1eafced99041a18518562a134d50a0958fb8c3e
Instruction ID: cbba3bbbb2408f3d45a6993105ac790f0c08af2375fe902b13238ad858c14082
Opcode Fuzzy Hash: 82fb826cdcdc4336f7a5b576b1eafced99041a18518562a134d50a0958fb8c3e
Instruction Fuzzy Hash: 4121A9726043046BD320EB54DC85AFBB398DF84714F44493EFA4597181EA79A90487DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040B4A0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040B4C9
GetCurrentProcessId.KERNEL32 ref: 0040B4D1
swprintf.LIBCMT ref: 0040B4F2

Part of subcall function 00432B41: __vswprintf_s_l.LIBCMT ref: 00432B55

AddAtomW.KERNEL32(?), ref: 0040B4FF

Strings

%s-%d-%s:%s, xrefs: 0040B4E3
{A0972F10-452C-4cd1-904E-B50E394EDE34}, xrefs: 0040B4DE
1830B7BD-F7A3-4c4d-989B-C004DE465EDE, xrefs: 0040B4D8

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: AtomCurrentProcess__vswprintf_s_l_memsetswprintf
String ID: %s-%d-%s:%s$1830B7BD-F7A3-4c4d-989B-C004DE465EDE${A0972F10-452C-4cd1-904E-B50E394EDE34}
API String ID: 1330282167-1301288515
Opcode ID: 5475c2726ad21a62d9e50e63b03a8a0c46f1695309ac880fdee57f2ad6116d02
Instruction ID: 49f90f98050547606b8eda84904ebd6c00acf6bbc8e1d7b343d1764b10b85a19
Opcode Fuzzy Hash: 5475c2726ad21a62d9e50e63b03a8a0c46f1695309ac880fdee57f2ad6116d02
Instruction Fuzzy Hash: 0E0149B16403007BD300EF61DC86ABBB3A8EF94B04F80083BB994C2181FAF8E404479A

Uniqueness

Uniqueness Score: -1.00%

Function 0059AC49 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0057DD01,?,?,?,0059AE9A,00000001,00000001,?), ref: 0059ACA3
__alloca_probe_16.LIBCMT ref: 0059ACDB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0057DD01,?,?,?,0059AE9A,00000001,00000001,?), ref: 0059AD29
__alloca_probe_16.LIBCMT ref: 0059ADC0
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0059AE23
__freea.LIBCMT ref: 0059AE30

Part of subcall function 00596137: RtlAllocateHeap.NTDLL(00000000,0058529C,?,?,00588847,?,?,00000000,?,?,0055DE62,0058529C,?,?,?,?), ref: 00596169

__freea.LIBCMT ref: 0059AE39
__freea.LIBCMT ref: 0059AE5E

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: b6de9d51c9809231ee9676e5cb0d8581d6d4a5fdfdc4727e8c040ab9558888dc
Instruction ID: 9e840125420312e573bfc008123ea2b93da683bdecec26e4659750769b018801
Opcode Fuzzy Hash: b6de9d51c9809231ee9676e5cb0d8581d6d4a5fdfdc4727e8c040ab9558888dc
Instruction Fuzzy Hash: 4351BF72600216ABDF259F64CC45EBB7FAEFB84750F194629FD05DA140EB34DC8086A1

Uniqueness

Uniqueness Score: -1.00%

Function 00569993 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 005699CC
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 005699ED
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00569A0D
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00569A21
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00569A37
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00569A54
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00569A6F
SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00569A8B

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: cc243fc30a8b5de77c36eb9feac25697a5c6e8898f66afcc6af33aa4d9043224
Instruction ID: f62f7989beaa52b34fb31cca21240d27f5ac43c3c9214fc6ad8e677ae80b6937
Opcode Fuzzy Hash: cc243fc30a8b5de77c36eb9feac25697a5c6e8898f66afcc6af33aa4d9043224
Instruction Fuzzy Hash: B0318031558308AEE311CF51D941BEBBFDCEF98B54F00080FF6809B191D2B295898BA7

Uniqueness

Uniqueness Score: -1.00%

Function 00597571 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00597679
__freea.LIBCMT ref: 00597723
__freea.LIBCMT ref: 00597741

Part of subcall function 00585E40: _free.LIBCMT ref: 00585E56

Strings

zY, xrefs: 005979AB
a/p, xrefs: 00597808
am/pm, xrefs: 005977A4

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm$zY
API String ID: 2936374016-3243681459
Opcode ID: 9c5ccf7b606a3bd2f54f35a1ed02122f28954f9489f98edfaf298cc05f80ee0b
Instruction ID: c7fc4a95805de11226d44c48ef28903fc4dccadd5afb639ebec0044dc8761316
Opcode Fuzzy Hash: 9c5ccf7b606a3bd2f54f35a1ed02122f28954f9489f98edfaf298cc05f80ee0b
Instruction Fuzzy Hash: 7FD1F43192820ECADF289F68C849BBABFB5FF09700F24455BE945AB255D3359D40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00599190 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00599212
_free.LIBCMT ref: 00599236
_free.LIBCMT ref: 005993BD
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005AF234), ref: 005993CF
WideCharToMultiByte.KERNEL32(00000000,00000000,005C2764,000000FF,00000000,0000003F,00000000,?,?), ref: 00599447
WideCharToMultiByte.KERNEL32(00000000,00000000,005C27B8,000000FF,?,0000003F,00000000,?), ref: 00599474
_free.LIBCMT ref: 00599589

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 3ed368f293ef95d712da1541df462c5c815bfd663d8d696165c8fcfbb89c442e
Instruction ID: 95845b9d1394400ad62a3cdc03ee460a1b46580b336f8d55499e2d957ec32328
Opcode Fuzzy Hash: 3ed368f293ef95d712da1541df462c5c815bfd663d8d696165c8fcfbb89c442e
Instruction Fuzzy Hash: 6BC12775900246AFDF219F6C8C45AAEBFF8FF96310F1405AEE89497281EB308E46D750

Uniqueness

Uniqueness Score: -1.00%

Function 00563A55 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00563ABC
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00563AEB
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00563B8B

Strings

T\, xrefs: 00563BFD
[regsplt], xrefs: 00563C17
xU\, xrefs: 00563C46

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$xU\$T\
API String ID: 3554306468-2864833391
Opcode ID: ea23a2d16ee7e0bde8f2dc3d4a7cb91587f13730e027443b35f62d0473e66b07
Instruction ID: 407f0a1cf778af1f3a127c88e6d32e247d3da31916dbd9d43f810e6b8370e44e
Opcode Fuzzy Hash: ea23a2d16ee7e0bde8f2dc3d4a7cb91587f13730e027443b35f62d0473e66b07
Instruction Fuzzy Hash: 2D510D71900119AADB14EBE4DC99EEFBFBDBF55305F500166F906A2091EF706B48CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0059B3BC Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0059BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0059B3FE
__fassign.LIBCMT ref: 0059B479
__fassign.LIBCMT ref: 0059B494
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0059B4BA
WriteFile.KERNEL32(?,FF8BC35D,00000000,0059BB31,00000000,?,?,?,?,?,?,?,?,?,0059BB31,?), ref: 0059B4D9
WriteFile.KERNEL32(?,?,00000001,0059BB31,00000000,?,?,?,?,?,?,?,?,?,0059BB31,?), ref: 0059B512

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: dfc667d696f2c57dbf5992acd06087ca9cf2d1eb195dd593b8c66a18f28b4406
Instruction ID: b3326495bcafa32527f81010b071e9c9701a7a4baadbf2d22f3cbd4c855fc330
Opcode Fuzzy Hash: dfc667d696f2c57dbf5992acd06087ca9cf2d1eb195dd593b8c66a18f28b4406
Instruction Fuzzy Hash: FB51C470900209AFEF10CFA8ED85AEEBBF8FF19300F15455AE955E7291E7709A44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 005A6C1A Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005A6D49

Strings

D[Z, xrefs: 005A6D10
D[Z, xrefs: 005A6C6D, 005A6D5E

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: _free
String ID: D[Z$D[Z
API String ID: 269201875-3018883146
Opcode ID: e7a74acdb18084c3f784572c46c164020b4932660a9c1a286dcaf728e36473d4
Instruction ID: 4e9b1f3a125f5e7865ebeddeaaa65d97a7073b7aeb2f9f1bcdc4cc98f6643b67
Opcode Fuzzy Hash: e7a74acdb18084c3f784572c46c164020b4932660a9c1a286dcaf728e36473d4
Instruction Fuzzy Hash: F841E631B001166ADF256BB88C8ABAE3FA8FF873B0F1D0615F424D61D1EA748D4156A1

Uniqueness

Uniqueness Score: -1.00%

Function 00404530 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 119fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,000000CC,?,?,?,?,?,0040519E,?,?), ref: 00404576
ReadFile.KERNEL32(?,?,00000008,?,00000000,?,?,?,?,?,0040519E,?,?,00000001,00000000), ref: 00404593

Strings

ReadFile(), xrefs: 0040459D
SetFilePointerEx(), xrefs: 00404658
.\QHImageHlp.c, xrefs: 004045A7, 004045D3, 00404602, 00404662

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: File$PointerRead
String ID: .\QHImageHlp.c$ReadFile()$SetFilePointerEx()
API String ID: 3154509469-2897820174
Opcode ID: 56332d5397ddc3112434a387f4fff7781493f3edbc103fc4514e60ab288b49f8
Instruction ID: a7ba87d3e4fafd734ddcf6f3cd13cbc0dee90a629a9315bd97f3778bfee0730c
Opcode Fuzzy Hash: 56332d5397ddc3112434a387f4fff7781493f3edbc103fc4514e60ab288b49f8
Instruction Fuzzy Hash: 1E4173B0644301ABD610DF11D981A2B73E8EBC9745F404D3FFA85A72C0FBB999058B5B

Uniqueness

Uniqueness Score: -1.00%

Function 0040C150 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 0040C159

Part of subcall function 0040C4D0: _DebugHeapAllocator.LIBCPMTD ref: 0040C4E0

CoInitialize.OLE32(00000000), ref: 0040C19E

Part of subcall function 0042E240: FindWindowW.USER32(Q360AdvToolExecutorWndClass,360AdvToolExecutor), ref: 0042E263
Part of subcall function 0042E240: _memset.LIBCMT ref: 0042E28E
Part of subcall function 0042E240: GetCommandLineW.KERNEL32 ref: 0042E2A0
Part of subcall function 0042E240: IsWindow.USER32(00000000), ref: 0042E2E8
Part of subcall function 0042E240: SendMessageTimeoutW.USER32(00000000,0000004A,00000000,00000064,00000001,000007D0,00000000), ref: 0042E319

Strings

\360Util.dll, xrefs: 0040C15E
Q360SafeMutex_Q360AdvToolExecutorMutex, xrefs: 0040C1A7

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: Window$AllocatorCommandDebugFindHeapInitializeIterator_baseIterator_base::_LineMessageSendTimeout_memsetstd::_
String ID: Q360SafeMutex_Q360AdvToolExecutorMutex$\360Util.dll
API String ID: 2683895894-2924836915
Opcode ID: d3b5a0732abc0df9c812d955e8ee18da3f166e572647cfff1f4a083dca471343
Instruction ID: 2be0485e52df47f87d2654ae8b8a047a1d11b9ef034e44ab1b14c8653dacfca3
Opcode Fuzzy Hash: d3b5a0732abc0df9c812d955e8ee18da3f166e572647cfff1f4a083dca471343
Instruction Fuzzy Hash: 53410070D10108EBCB04EBE5DC92AED7778AF14308F4045AEE902771D1EF786A09CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00404D70 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000000), ref: 00404D95
WriteFile.KERNEL32(?,?,00000008,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00404DAE

Strings

SetFilePointerEx(), xrefs: 00404E2D
.\QHImageHlp.c, xrefs: 00404DC2, 00404DEB, 00404E37
WriteFile(), xrefs: 00404DB8

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: File$PointerWrite
String ID: .\QHImageHlp.c$SetFilePointerEx()$WriteFile()
API String ID: 539440098-3552954839
Opcode ID: 430e23e13aa7738b3b1f8b4cdc884e8e9eda3a3689b7ea57677f209dda7beab1
Instruction ID: 549b3c329b9650cef16aae18e47ccf49b9e830f2323170fbef0b8720ceabb87a
Opcode Fuzzy Hash: 430e23e13aa7738b3b1f8b4cdc884e8e9eda3a3689b7ea57677f209dda7beab1
Instruction Fuzzy Hash: 2821A5B67007006BE310DA299C82FB77398EBC4711F44483FFA54E22D1F6BDD90986A6

Uniqueness

Uniqueness Score: -1.00%

Function 0056B68A Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0056361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,005C50E4), ref: 0056363D
Part of subcall function 0056361B: RegQueryValueExW.ADVAPI32(?,0055F313,00000000,00000000,?,00000400), ref: 0056365C
Part of subcall function 0056361B: RegCloseKey.ADVAPI32(?), ref: 00563665

Part of subcall function 0056BFB7: GetCurrentProcess.KERNEL32(?,?,?,0055DAAA,WinDir,00000000,00000000), ref: 0056BFC8

_wcslen.LIBCMT ref: 0056B763

Strings

http\shell\open\command, xrefs: 0056B69A
8S\, xrefs: 0056B709, 0056B70E
program files\, xrefs: 0056B749, 0056B750, 0056B762
.exe, xrefs: 0056B6B5
program files (x86)\, xrefs: 0056B75D

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$8S\$http\shell\open\command$program files (x86)\$program files\
API String ID: 37874593-1755051579
Opcode ID: d59cb19618a90f7928f40f186de2c927bad438f6480385015a174321c884e152
Instruction ID: e7a6f7615f3f86be4b73a2d945018cae93ba90b96525fe0f014a790b72dcffa2
Opcode Fuzzy Hash: d59cb19618a90f7928f40f186de2c927bad438f6480385015a174321c884e152
Instruction Fuzzy Hash: BB218861A0010567DF14BAB48CAAEFE7E6DBFC5325F04053EF806A7282EE24AD0D4764

Uniqueness

Uniqueness Score: -1.00%

Function 00408BC0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000005,00000000,?,00065844,004089BF,?,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040), ref: 00408BC8

Part of subcall function 00432DB5: __getptd_noexit.LIBCMT ref: 00432DB5

SetLastError.KERNEL32(00000000,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 00408BE6
_wcschr.LIBCMT ref: 00408C1B
_wcschr.LIBCMT ref: 00408C3E
__snwprintf.LIBCMT ref: 00408CAD

Strings

%1d|%04hu-%02hu-%02hu|%02hu:%02hu:%02hu|%s|%d|%s|%s|%d|%s, xrefs: 00408C9C

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: ErrorLast_wcschr$__getptd_noexit__snwprintf
String ID: %1d|%04hu-%02hu-%02hu|%02hu:%02hu:%02hu|%s|%d|%s|%s|%d|%s
API String ID: 2287154907-1296420124
Opcode ID: fee108e2de2b253099acefbf970527ccea13f099144c85f6f397bf0c900a826a
Instruction ID: 172b17a69a1951cee07f9fb1351cdc207f06d73bc90140ef39942ad08a7788cd
Opcode Fuzzy Hash: fee108e2de2b253099acefbf970527ccea13f099144c85f6f397bf0c900a826a
Instruction Fuzzy Hash: 5A21B6B2500714ABD3209B65DD45FB7B3F8EF48741F00842EF98987281EB7CA8008774

Uniqueness

Uniqueness Score: -1.00%

Function 005A6B53 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb37b8dc32453dc6fbefc8deb1ce5ecd1de519bef159c85ec724c7c626b42a1
Instruction ID: a2cf50e0d5a9b5fc5e5b1fdf2d9bd3f7104a89ed5527f4e2e4134766ab516615
Opcode Fuzzy Hash: ceb37b8dc32453dc6fbefc8deb1ce5ecd1de519bef159c85ec724c7c626b42a1
Instruction Fuzzy Hash: 9611AF7250422ABFDF202FB68C08A6F7EACFFD2730B154A15B851D6291DA308C4596B0

Uniqueness

Uniqueness Score: -1.00%

Function 00561163 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00561170
int.LIBCPMT ref: 00561183

Part of subcall function 0055E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0055E0D2
Part of subcall function 0055E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0055E0EC

std::_Facet_Register.LIBCPMT ref: 005611C3
std::_Lockit::~_Lockit.LIBCPMT ref: 005611CC
__CxxThrowException@8.LIBVCRUNTIME ref: 005611EA

Strings

(m\, xrefs: 0056117B

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: (m\
API String ID: 2536120697-2073151103
Opcode ID: 1fc13177b2c889100127a8b875dac1f84b751656fdaa2ccef1570fcc1f8023b5
Instruction ID: c68e13bf6ef4f222a9f352f7ea7d429bdd85a4134d99ef9385b6a48e9e9f06ec
Opcode Fuzzy Hash: 1fc13177b2c889100127a8b875dac1f84b751656fdaa2ccef1570fcc1f8023b5
Instruction Fuzzy Hash: DF11E732900519ABCB14FBA4D81ACADBFB8BF81350B14055AFD05A7291EF309E44C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0058A35A Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0058A351,005892BE), ref: 0058A368
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0058A376
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0058A38F
SetLastError.KERNEL32(00000000,?,0058A351,005892BE), ref: 0058A3E1

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 4f08fc8029119c50f5909cbcda06ee3e1388c0f4fbaca81dc04d0de958509410
Instruction ID: f7c9ddd15ee332c301bbe5a7718b385d9f994ce866ee6947ac766abdda4bfbf9
Opcode Fuzzy Hash: 4f08fc8029119c50f5909cbcda06ee3e1388c0f4fbaca81dc04d0de958509410
Instruction Fuzzy Hash: B801B53210CB525FB61536786C8DA7B2F48FB537B5720072AF914741E1EF524C446385

Uniqueness

Uniqueness Score: -1.00%

Function 005575B0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\tu.exe), ref: 005575D0

Part of subcall function 005574FD: _wcslen.LIBCMT ref: 00557521
Part of subcall function 005574FD: CoGetObject.OLE32(?,00000024,005B6518,00000000), ref: 00557582

CoUninitialize.OLE32 ref: 00557629

Strings

C:\Users\user\Desktop\tu.exe, xrefs: 005575B0, 005575B3, 00557605
[+] ucmCMLuaUtilShellExecMethod, xrefs: 005575B5
[+] before ShellExec, xrefs: 005575F1
[+] ShellExec success, xrefs: 0055760E

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Users\user\Desktop\tu.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-665246844
Opcode ID: e64150d5ec461ac1983aff29124da3618fd9c87dfd143acd7faa2d02df840f07
Instruction ID: 439d814b63f639deee5bdc31ad0b24757bf88c08c2ba9b17721e08f99e79c197
Opcode Fuzzy Hash: e64150d5ec461ac1983aff29124da3618fd9c87dfd143acd7faa2d02df840f07
Instruction Fuzzy Hash: 2501DE723086196FE6245B65FC6EFAB7F48FB89726F10042FFD0186182EB90AC084661

Uniqueness

Uniqueness Score: -1.00%

Function 0055BAA1 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0055BADD
GetLastError.KERNEL32 ref: 0055BAE7

Strings

[Chrome Cookies found, cleared!], xrefs: 0055BB0D
[Chrome Cookies not found], xrefs: 0055BB01
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0055BAA8
UserProfile, xrefs: 0055BAAD

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: e461ddcd034508139ea109e17ec3292c62074193c336af5644743dbf657760db
Instruction ID: 3087b986fe07124ed4340532f54a3dd2b5b44d56355c26f6ed07cb419b54bfbf
Opcode Fuzzy Hash: e461ddcd034508139ea109e17ec3292c62074193c336af5644743dbf657760db
Instruction Fuzzy Hash: EA01A231A4010A9B9A04B7B9DC7F8FE7F24BD52712B400117FC02631E6EE515A0D9692

Uniqueness

Uniqueness Score: -1.00%

Function 00443FED Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getArgumentTypes.LIBCMT ref: 00444028
operator+.LIBCMT ref: 00444037
DName::DName.LIBCMT ref: 00444054
DName::operator+.LIBCMT ref: 0044405B
DName::operator+.LIBCMT ref: 00444062

Strings

throw(, xrefs: 00444031, 0044404C

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: Name::operator+$ArgumentDecorator::getNameName::Typesoperator+
String ID: throw(
API String ID: 4203687869-3159766648
Opcode ID: 65a34e9b409ec9004d59ea8c39782607beeff06af4b3fea58027fa1141fbf606
Instruction ID: 428951cbcfe74a0240c373cc1e93f32a0656e90a4d407b596630d3e776d7e093
Opcode Fuzzy Hash: 65a34e9b409ec9004d59ea8c39782607beeff06af4b3fea58027fa1141fbf606
Instruction Fuzzy Hash: 8B01AC75640208AFDF00EF64DC46FAE37B5EB84709F008057F901AB291D679EA058789

Uniqueness

Uniqueness Score: -1.00%

Function 0058AADC Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0058AC69
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0058AC85
__allrem.LIBCMT ref: 0058AC9C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0058ACBA
__allrem.LIBCMT ref: 0058ACD1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0058ACEF

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction ID: 42bd430be9eb4fc24c506cfedab11d3b4191ad85aefe5b3ebfb3690aefcfc472
Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction Fuzzy Hash: B781F772A017079BF724BE68CC45B6ABBE9BF84320F24452BF914E7681EB74DD408751

Uniqueness

Uniqueness Score: -1.00%

Function 00554371 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,0055D262), ref: 005544C4

Part of subcall function 00554607: __EH_prolog.LIBCMT ref: 0055460C

Strings

GetFrame, xrefs: 0055459F
FreeFrame, xrefs: 005545B0
HN\, xrefs: 005545E6
CloseCamera, xrefs: 0055458E
OpenCamera, xrefs: 00554582

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$HN\$OpenCamera
API String ID: 3469354165-3415887970
Opcode ID: 78702a343de5787e262ccf117f67afecabf69dff4f788b00f62fd6671c39e9ed
Instruction ID: 31722839ba5e35a07c30bd8e6d807e85254bb9e47e3787090dc0c96fac8ceda6
Opcode Fuzzy Hash: 78702a343de5787e262ccf117f67afecabf69dff4f788b00f62fd6671c39e9ed
Instruction Fuzzy Hash: 1551D235A046025BCA24FB749C7EB6E3F59BBD1746F00041AFC0547A92EF249A4DCBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00561CFE Relevance: 9.2, APIs: 6, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0056179C: SetLastError.KERNEL32(0000000D,00561D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00561CFA), ref: 005617A2

SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00561CFA), ref: 00561D37
GetNativeSystemInfo.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00561CFA), ref: 00561DA5
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00561DC9

Part of subcall function 00561CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00561DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00561CB3

GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00561E10
HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00561E17
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00561F2A

Part of subcall function 00562077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00561F37,?,?,?,?,?), ref: 005620E7
Part of subcall function 00562077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 005620EE

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID:
API String ID: 3950776272-0
Opcode ID: 23edd0a071ad9375fa3cc62b1ef734c5c298ae634c643c08caa0d6513bec3dad
Instruction ID: a8a653058c71fa09581f94e896d7c7eb1a9d2843311e50c2ea0b57232e5de878
Opcode Fuzzy Hash: 23edd0a071ad9375fa3cc62b1ef734c5c298ae634c643c08caa0d6513bec3dad
Instruction Fuzzy Hash: 3361F170600A11ABD750AF25C985B7ABFA9FF84340F0C4519FD058B282EBB4DC54CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 005958F9 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00595925
__cftoe.LIBCMT ref: 00595957

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 4b66811ec266f3d33220ea29ee449ce7a62fdb42ad339d6ad60e6740db9cfd2e
Instruction ID: 06fd52e8ea2965724f08ececce49062f711f4b9fdef86452bdaeb899626082ee
Opcode Fuzzy Hash: 4b66811ec266f3d33220ea29ee449ce7a62fdb42ad339d6ad60e6740db9cfd2e
Instruction Fuzzy Hash: D751C832900606ABEF269B68C885EAE7FA9FF89331F144219F81596182FB35DD10C764

Uniqueness

Uniqueness Score: -1.00%

Function 0040B9F0 Relevance: 9.1, APIs: 6, Instructions: 97synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,0045B0F0,000000FF,?,004083AC,?,00403F3C,00000000,00000000), ref: 0040BA69
__CxxThrowException@8.LIBCMT ref: 0040BA99
TlsSetValue.KERNEL32(?,00000000,?,?,?,?,?,?,0045B0F0,000000FF,?,004083AC,?,00403F3C,00000000,00000000), ref: 0040BAAE
__CxxThrowException@8.LIBCMT ref: 0040BAC8

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: Exception@8Throw$ObjectSingleValueWait
String ID:
API String ID: 2586364301-0
Opcode ID: 16afd0f5b96ec433a7f44ac714009dcb17a785963acd1a11252a5c6dbd44d47e
Instruction ID: 82b94f8ae3ea0c74fc68bf355bcced71143dc14b0de1f656a462604ca47169f4
Opcode Fuzzy Hash: 16afd0f5b96ec433a7f44ac714009dcb17a785963acd1a11252a5c6dbd44d47e
Instruction Fuzzy Hash: 50317271B046049BCB10DB699984A6FB7B4EB44724F20466AE415F33D1E7799D008FD9

Uniqueness

Uniqueness Score: -1.00%

Function 0056AC78 Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0056A38E,00000000), ref: 0056AC88
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0056A38E,00000000), ref: 0056AC9C
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0056A38E,00000000), ref: 0056ACA9
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0056A38E,00000000), ref: 0056ACDE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0056A38E,00000000), ref: 0056ACF0
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0056A38E,00000000), ref: 0056ACF3

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: 11227860947522182d562a78eee6d8b4a26512485c7ec856a286c2f6912e0cb8
Instruction ID: 3363288d508be401e6305a486a58210736e690182791fb805c2003e8f492632e
Opcode Fuzzy Hash: 11227860947522182d562a78eee6d8b4a26512485c7ec856a286c2f6912e0cb8
Instruction Fuzzy Hash: D701D2311441257BE6105B389C4EFBB3E6CFB433B0F100216F926A71C0DA609E49A9A6

Uniqueness

Uniqueness Score: -1.00%

Function 00598215 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000020,?,0058A7F5,?,?,?,0058F9A8,?,?,00000020,00000000,?,?,?,0057DD01,0000003B), ref: 00598219
_free.LIBCMT ref: 0059824C
_free.LIBCMT ref: 00598274
SetLastError.KERNEL32(00000000,0058F9A8,?,?,00000020,00000000,?,?,?,0057DD01,0000003B,?,00000041,00000000,00000000), ref: 00598281
SetLastError.KERNEL32(00000000,0058F9A8,?,?,00000020,00000000,?,?,?,0057DD01,0000003B,?,00000041,00000000,00000000), ref: 0059828D
_abort.LIBCMT ref: 00598293

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d41589dacb002ac3a05a8e0ad1b3de5e6941add3155c6a297ee1fee03159bb01
Instruction ID: 5fc881c696c94ae04e3704ba5bab9edea893e3a7fe43b1215359c617286cc31f
Opcode Fuzzy Hash: d41589dacb002ac3a05a8e0ad1b3de5e6941add3155c6a297ee1fee03159bb01
Instruction Fuzzy Hash: FDF0F43D104E022ACE1233286C4DF7B2E19FFD37A5F280618F92492192EF288C09A1A0

Uniqueness

Uniqueness Score: -1.00%

Function 0056AAA6 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0056A623,00000000), ref: 0056AAB5
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0056A623,00000000), ref: 0056AAC9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0056A623,00000000), ref: 0056AAD6
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0056A623,00000000), ref: 0056AAE5
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0056A623,00000000), ref: 0056AAF7
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0056A623,00000000), ref: 0056AAFA

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: aa3bf56ccdf3d7974645b2f6f9c32e905b50a73b9d9b38921c5a81c164953d58
Instruction ID: d8069fd92096ce66e57ed5d66a16a897e83ef76701d2b5ed96265ff6e45cee04
Opcode Fuzzy Hash: aa3bf56ccdf3d7974645b2f6f9c32e905b50a73b9d9b38921c5a81c164953d58
Instruction Fuzzy Hash: 54F0C2315402286BD710AB64AC4DEBB7FACFF96291F000016FD0997141DB649D49AAF1

Uniqueness

Uniqueness Score: -1.00%

Function 0056ABAA Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0056A5A3,00000000), ref: 0056ABB9
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0056A5A3,00000000), ref: 0056ABCD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0056A5A3,00000000), ref: 0056ABDA
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0056A5A3,00000000), ref: 0056ABE9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0056A5A3,00000000), ref: 0056ABFB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0056A5A3,00000000), ref: 0056ABFE

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: c97be9a94693c2fff0f05fc0c7edd8674cc6a999180f8497a900d5f63afc2117
Instruction ID: 385084755456c5f77f5983c4a9a0911cacd31f12a74e6248fbdf193a31825c1f
Opcode Fuzzy Hash: c97be9a94693c2fff0f05fc0c7edd8674cc6a999180f8497a900d5f63afc2117
Instruction Fuzzy Hash: CFF0C2315001286BD610AB349C4DEBB3FACFF96391F500016FE0997141DB249D09A9F5

Uniqueness

Uniqueness Score: -1.00%

Function 0056AC11 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0056A523,00000000), ref: 0056AC20
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0056A523,00000000), ref: 0056AC34
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0056A523,00000000), ref: 0056AC41
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0056A523,00000000), ref: 0056AC50
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0056A523,00000000), ref: 0056AC62
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0056A523,00000000), ref: 0056AC65

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 6922cbdf38e4adbf14e4742d034778daf4795194594dbfc735820a580f62281f
Instruction ID: fe71940e3c4774b00e46bff0e469ea4d5ad2fec698a7fb21c8f99c53da7c5c41
Opcode Fuzzy Hash: 6922cbdf38e4adbf14e4742d034778daf4795194594dbfc735820a580f62281f
Instruction Fuzzy Hash: 7DF0C2315001286BD210AB34AC4DEBB3FACFF96291F000016FE0997140DB349D49A9F5

Uniqueness

Uniqueness Score: -1.00%

Function 004029A0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 286COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004029F3
_malloc.LIBCMT ref: 00402AF5
SetLastError.KERNEL32(00000008,00002000), ref: 00402B05

Part of subcall function 004050D0: _malloc.LIBCMT ref: 004050DC
Part of subcall function 004050D0: SetLastError.KERNEL32(00000008,?,00402A5E,?,00002000), ref: 004050EE

Strings

.\QHCheckCertificate.c, xrefs: 00402B21
`"F, xrefs: 00402CA9

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: ErrorLast_malloc$_memset
String ID: .\QHCheckCertificate.c$`"F
API String ID: 1834304950-2309566295
Opcode ID: 7ed07e5735caa85ddfcceed7d1779d4573f8b94b652b00a3a12b9954510cbd8c
Instruction ID: 921698dc5f8c579624ca89809a31f904028b7c0024d22f220bc3dc5a3c6b6cd7
Opcode Fuzzy Hash: 7ed07e5735caa85ddfcceed7d1779d4573f8b94b652b00a3a12b9954510cbd8c
Instruction Fuzzy Hash: 5BB16AB19083019BE720DF25C58875BB7E4AF84344F04493EF899A62D1E7B8E949CB97

Uniqueness

Uniqueness Score: -1.00%

Function 00402310 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040243D
SetLastError.KERNEL32(00000008), ref: 0040244D

Part of subcall function 00404EF0: _malloc.LIBCMT ref: 00404EFC
Part of subcall function 00404EF0: SetLastError.KERNEL32(00000008,00000003,004023AF,00000000), ref: 00404F0E

Strings

.\QHCheckCertificate.c, xrefs: 00402469
X!F, xrefs: 00402527
`"F, xrefs: 00402585

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: ErrorLast_malloc
String ID: .\QHCheckCertificate.c$X!F$`"F
API String ID: 1018170914-3988528553
Opcode ID: ced2b3246bb548433fe6192039cd183e0597671a36ff0efda0a7d5906754ef41
Instruction ID: ffef2bb2e26d9b2751a906ac4d56d605a7bea727a65ec4aa2e850bc7b12c3673
Opcode Fuzzy Hash: ced2b3246bb548433fe6192039cd183e0597671a36ff0efda0a7d5906754ef41
Instruction Fuzzy Hash: 57918CB05083019BD710DF25D95476BB7E4BB88348F04493EF889A73C1E7B9D90ACB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405820 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040591B
SetLastError.KERNEL32(00000008,?), ref: 0040592D

Part of subcall function 004046F0: GetFileSizeEx.KERNEL32(?,?,?,?,?,00000000,00000002,00401D80,?,?,?,?,?,?,?,?), ref: 00404709

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004059B9
_memset.LIBCMT ref: 004059CF

Part of subcall function 0042F2AE: __lock.LIBCMT ref: 0042F2CC
Part of subcall function 0042F2AE: ___sbh_find_block.LIBCMT ref: 0042F2D7
Part of subcall function 0042F2AE: ___sbh_free_block.LIBCMT ref: 0042F2E6
Part of subcall function 0042F2AE: HeapFree.KERNEL32(00000000,?,00464668,0000000C,0043383B,00000000,004648F0,0000000C,00433875,?,?,?,004479C3,00000004,00464E28,0000000C), ref: 0042F316
Part of subcall function 0042F2AE: GetLastError.KERNEL32(?,004479C3,00000004,00464E28,0000000C,004356E9,?,?,00000000,00000000,00000000,?,004352B5,00000001,00000214), ref: 0042F327

Strings

.\QHImageHlp.c, xrefs: 0040593D

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: ErrorLast$FileFreeHeapSizeUnothrow_t@std@@@___sbh_find_block___sbh_free_block__ehfuncinfo$??2@__lock_malloc_memset
String ID: .\QHImageHlp.c
API String ID: 2739003063-3639949391
Opcode ID: 53e53731d5dc0c79f27a45eb467555df1d4b9eb4aa099394e6c9ad2dd20175f5
Instruction ID: 517ecf2449ff4585e6a4ee02c056efbb873295a583b86914759d382ca83a3ea7
Opcode Fuzzy Hash: 53e53731d5dc0c79f27a45eb467555df1d4b9eb4aa099394e6c9ad2dd20175f5
Instruction Fuzzy Hash: 405181B1A047059FD310DF26D881A5BF7E4FB88314F44893EE98893341E779E919CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00401BE0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00401BF9

Part of subcall function 0042FB25: __FF_MSGBANNER.LIBCMT ref: 0042FB48
Part of subcall function 0042FB25: __NMSG_WRITE.LIBCMT ref: 0042FB4F
Part of subcall function 0042FB25: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,?,00402AFA), ref: 0042FB9C

SetLastError.KERNEL32(00000008,?), ref: 00401C0D
_malloc.LIBCMT ref: 00401C8F
SetLastError.KERNEL32(00000008,?,?,?), ref: 00401CA3

Strings

h#F, xrefs: 00401CE6

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: ErrorLast_malloc$AllocHeap
String ID: h#F
API String ID: 2260188370-2559823950
Opcode ID: 726705ae21d8206b44e732c66c3c47d14e3477e3fb47bf417179ed846ee2f9e3
Instruction ID: 184c4f878ba588457f840cd7963ecda33a4738cc9467846cf079588f42e61e28
Opcode Fuzzy Hash: 726705ae21d8206b44e732c66c3c47d14e3477e3fb47bf417179ed846ee2f9e3
Instruction Fuzzy Hash: 1D4192B16043009FD310EF65D88176BB7E4AF84358F44093FF986A7291EA79E9098B57

Uniqueness

Uniqueness Score: -1.00%

Function 00408A00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 00408950: GetLastError.KERNEL32(?,?,?,00408AFA,?,?,00000000,?,00403DA0,00403DA0,.\QHImageHlp.c,000000F9,SetFilePointerEx(),?,00403F3C,00000000), ref: 00408953
Part of subcall function 00408950: SetLastError.KERNEL32(00000000,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 00408960
Part of subcall function 00408950: SetLastError.KERNEL32(?,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 00408999
Part of subcall function 00408950: SetLastError.KERNEL32(?,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 004089DA

__CxxThrowException@8.LIBCMT ref: 00408A2C

Part of subcall function 00430AEE: RaiseException.KERNEL32(?,?,?,00408A31,?,?,?,?,?,00408A31,004651D0,004651D0,?,?,00408AC0,F:\WorkCode\Pub\360GPUBNew\dev\include\Interface\QHTL.h), ref: 00430B30

__CxxThrowException@8.LIBCMT ref: 00408A64
SetLastError.KERNEL32(00000008,BB40E64E,?,?,0046AFB0,0040BC07), ref: 00408A9D

Part of subcall function 00408A00: __CxxThrowException@8.LIBCMT ref: 00408AD0

Strings

F:\WorkCode\Pub\360GPUBNew\dev\include\Interface\QHTL.h, xrefs: 00408AAD

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: ErrorLast$Exception@8Throw$ExceptionRaise
String ID: F:\WorkCode\Pub\360GPUBNew\dev\include\Interface\QHTL.h
API String ID: 2285286292-3244885242
Opcode ID: 81b26aa33b47442ad6151af77df4906e466fb63e331fc59c623991658bfe5acd
Instruction ID: 78f608b893dcfaa12b1571cf0af7875c925312e8e6e0c0c1070cb4c6a42332e9
Opcode Fuzzy Hash: 81b26aa33b47442ad6151af77df4906e466fb63e331fc59c623991658bfe5acd
Instruction Fuzzy Hash: 612171B1908705BFC304EB55DD41F6BB7ECEB88704F50891EB559D2181E7B499048B76

Uniqueness

Uniqueness Score: -1.00%

Function 00405660 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00002000), ref: 00405680
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,00002000), ref: 004056DC

Strings

GetFileSizeEx(), xrefs: 0040568C
SetFilePointerEx(), xrefs: 004056E6
.\QHImageHlp.c, xrefs: 00405696, 004056F0

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: File$PointerSize
String ID: .\QHImageHlp.c$GetFileSizeEx()$SetFilePointerEx()
API String ID: 3549600656-2561355867
Opcode ID: 002aeee8aa800f027f19e688b6a306bc8dd117ebe09191bab169b82a2e1697c7
Instruction ID: 4410d8122ce1d505d7394927de24803af10f6d9e91fe08e3b22825f4f107851b
Opcode Fuzzy Hash: 002aeee8aa800f027f19e688b6a306bc8dd117ebe09191bab169b82a2e1697c7
Instruction Fuzzy Hash: 8521F5367003055BD710DE6AAC81B17B3D5EBC4756F54083FE948E3381EA7AE8099B69

Uniqueness

Uniqueness Score: -1.00%

Function 00403B40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 004037C0: GetFileSizeEx.KERNEL32(?,?), ref: 004037D1

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 00403B7D
_memset.LIBCMT ref: 00403BC1
SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000), ref: 00403BD8

Strings

SetFilePointerEx(), xrefs: 00403B87
.\QHImageHlp.c, xrefs: 00403B91

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: File$Pointer$Size_memset
String ID: .\QHImageHlp.c$SetFilePointerEx()
API String ID: 1683371807-3914906174
Opcode ID: 5a486bb19bd36d66ff325cd2ee65ff1c875d8307be99d6bec348bddb0553e176
Instruction ID: f0b076e3bf47f6dd10362d227eaba9b5b1ad37131829524ffb3952f504e23e11
Opcode Fuzzy Hash: 5a486bb19bd36d66ff325cd2ee65ff1c875d8307be99d6bec348bddb0553e176
Instruction Fuzzy Hash: C011D6727403016BD3209E7AAC45F2B7BDD9BC4B59F05483EB509E32C2E978F9058264

Uniqueness

Uniqueness Score: -1.00%

Function 0055B164 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0055B172
wsprintfW.USER32 ref: 0055B1F3

Part of subcall function 0055A636: SetEvent.KERNEL32(?,?,00000000,0055B20A,00000000), ref: 0055A662

Strings

], xrefs: 0055B180
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0055B17B
Offline Keylogger Started, xrefs: 0055B16B

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 1497725170-248792730
Opcode ID: 9e1cc0fae71134d49d517e663f6512e620ae6c6363b0b445dd10374e47b6358a
Instruction ID: 39aa3704526c6e0cc10b478df72604d45ee998af558d77cbf671bd35cebb5f7c
Opcode Fuzzy Hash: 9e1cc0fae71134d49d517e663f6512e620ae6c6363b0b445dd10374e47b6358a
Instruction Fuzzy Hash: 94114872504019A6C718BB64DC699FE7FBCBE98351B00011BF80656091FF746A49D6B8

Uniqueness

Uniqueness Score: -1.00%

Function 00403A69 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 00403A7F

Part of subcall function 00403660: ReadFile.KERNEL32(?,?,?,O>@,00000000,?,00403E4F,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 0040366B

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 00403AA9

Part of subcall function 004036C0: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004036CB

SetEndOfFile.KERNEL32(?), ref: 00403AE9

Strings

SetEndOfFile(), xrefs: 00403AF7
.\QHImageHlp.c, xrefs: 00403B01

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: File$Pointer$ReadWrite
String ID: .\QHImageHlp.c$SetEndOfFile()
API String ID: 2453416919-4247281097
Opcode ID: e68519310e03d1bb457b939415d6ef20be6265009fbd0bc666f42bf69442ea78
Instruction ID: 5d0f3968e9851f9b99018475ece1dc7d729d9a4bcc906fb307764f292e235d7a
Opcode Fuzzy Hash: e68519310e03d1bb457b939415d6ef20be6265009fbd0bc666f42bf69442ea78
Instruction Fuzzy Hash: 48114F317483006BD310DE61DC81F2B77E8BBC8B49F04493DF584E72D1E678EA018A5A

Uniqueness

Uniqueness Score: -1.00%

Function 0056D50F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0056D55B
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0056D576
GetLastError.KERNEL32 ref: 0056D580

Strings

0, xrefs: 0056D52B
MsgWindowClass, xrefs: 0056D526

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 406cce5398a2cee51def0a786bf17365c58c58645e20e25ddc99f390e0f75c62
Instruction ID: 086d7df859b1770bbbbb5860280c405d0d486b29c7be6cf2c707041eae73b568
Opcode Fuzzy Hash: 406cce5398a2cee51def0a786bf17365c58c58645e20e25ddc99f390e0f75c62
Instruction Fuzzy Hash: D801E9B1D00229ABDB10DFD5DC849EFBBBCFA49354B40052AF911A6240E77159058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00402ED0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402EE9
CloseHandle.KERNEL32(00000000), ref: 00402F2A

Strings

.\QHCheckCertificate.c, xrefs: 00402F02
CreateFile(), xrefs: 00402EF8

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 3498533004-1597445517
Opcode ID: 2bc59f0d90a408989745d97ca6cca8a47ae2d70541a7406858ea88eb858da6c3
Instruction ID: 0d988d63105b4594c576dab5bfcb39c7112a556cb757edef9281528a5c4386ee
Opcode Fuzzy Hash: 2bc59f0d90a408989745d97ca6cca8a47ae2d70541a7406858ea88eb858da6c3
Instruction Fuzzy Hash: A1F04C727803117BE63866B47D49F8B2294AB84FA6F20063AF646F52C1EDF8D400529D

Uniqueness

Uniqueness Score: -1.00%

Function 00557755 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0055779B
CloseHandle.KERNEL32(?), ref: 005577AA
CloseHandle.KERNEL32(?), ref: 005577AF

Strings

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00557791
C:\Windows\System32\cmd.exe, xrefs: 00557796

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: f8a8e0bdac22176b619b85ba50e19ed0fb409a683c3b3f01be1770e623b86fa2
Instruction ID: 66991e5577c50a840cc869574fa0bdfe4c9e38d3b8c7023ff9c1ec18eb327288
Opcode Fuzzy Hash: f8a8e0bdac22176b619b85ba50e19ed0fb409a683c3b3f01be1770e623b86fa2
Instruction Fuzzy Hash: 8FF01D76D402AD7ACF20AAD6DC4DEDF7F7DEBC6B11F00056ABA08A6140D6706404CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 004026A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004026B4
CloseHandle.KERNEL32(00000000), ref: 004026FF
CloseHandle.KERNEL32(00000000), ref: 00402709

Strings

.\QHCheckCertificate.c, xrefs: 004026D5
CreateFile(), xrefs: 004026CB

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: CloseHandle$CreateFile
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 1378612225-1597445517
Opcode ID: 5c2f589d72594a6186557a34d8f9ab2629b2f4204b1ce97046b22886ab6b4dfd
Instruction ID: 5e1955fbec3b060e4e2a518d0272971e3ebcf4dc4b7bfd94ca19ef33900dbc19
Opcode Fuzzy Hash: 5c2f589d72594a6186557a34d8f9ab2629b2f4204b1ce97046b22886ab6b4dfd
Instruction Fuzzy Hash: D8F0E931794711BAEA7433747D8EF9B26855B80F14F100A36FD05B62C1FAFD9881815C

Uniqueness

Uniqueness Score: -1.00%

Function 00402720 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402734
CloseHandle.KERNEL32(00000000), ref: 0040277F
CloseHandle.KERNEL32(00000000), ref: 00402789

Strings

.\QHCheckCertificate.c, xrefs: 00402755
CreateFile(), xrefs: 0040274B

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: CloseHandle$CreateFile
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 1378612225-1597445517
Opcode ID: 0bf16aa2d3ef532428e59290cc4adf6f004b3245f62f8279228f85975612d61d
Instruction ID: f9563fed443bc3ce27cc42163b1b5cd02e9fef1377e61b0ea9412f65184119cf
Opcode Fuzzy Hash: 0bf16aa2d3ef532428e59290cc4adf6f004b3245f62f8279228f85975612d61d
Instruction Fuzzy Hash: BEF02435B803117AEA302370BD8EF9B26859B80B14F100639FA05B62C1EAFC8841815D

Uniqueness

Uniqueness Score: -1.00%

Function 004028B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00402883,?), ref: 004028C4
CloseHandle.KERNEL32(00000000), ref: 00402910
CloseHandle.KERNEL32(00000000), ref: 0040291A

Strings

.\QHCheckCertificate.c, xrefs: 004028E5
CreateFile(), xrefs: 004028DB

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: CloseHandle$CreateFile
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 1378612225-1597445517
Opcode ID: 3d46a497373ff0ad7eed8fa03e9e28bf72ad28d7d9b947b8055b5f28c65ecda9
Instruction ID: 375de4f723d5be440e722e00ee92808fc970c294448244241056da5e2b769c1f
Opcode Fuzzy Hash: 3d46a497373ff0ad7eed8fa03e9e28bf72ad28d7d9b947b8055b5f28c65ecda9
Instruction Fuzzy Hash: F2F02435B80310BAEA202734BD4AB8B26856B80B25F104636F905B62C1E9F89842818D

Uniqueness

Uniqueness Score: -1.00%

Function 00402DC0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402DD4
CloseHandle.KERNEL32(00000000), ref: 00402E20
CloseHandle.KERNEL32(00000000), ref: 00402E2A

Strings

.\QHCheckCertificate.c, xrefs: 00402DF5
CreateFile(), xrefs: 00402DEB

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: CloseHandle$CreateFile
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 1378612225-1597445517
Opcode ID: 466f3db981c29cd9ab0c083d27e948281e14ea849801040089524df0435ad0a5
Instruction ID: d6c0eacc6a58afcf47488b7d74c908ad0bdafdd572413e70eb707a3f30383844
Opcode Fuzzy Hash: 466f3db981c29cd9ab0c083d27e948281e14ea849801040089524df0435ad0a5
Instruction Fuzzy Hash: CBF05031780310BBFA302334BD4EFC726855B80B25F110636F901B52C1F9FC9841818C

Uniqueness

Uniqueness Score: -1.00%

Function 00402E40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402E54
CloseHandle.KERNEL32(00000000), ref: 00402EA0
CloseHandle.KERNEL32(00000000), ref: 00402EAA

Strings

.\QHCheckCertificate.c, xrefs: 00402E75
CreateFile(), xrefs: 00402E6B

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: CloseHandle$CreateFile
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 1378612225-1597445517
Opcode ID: c3f94df5d2f6d5abf00dbf80a7ee594fe615d63b672bcb7178dd43aa0c17e214
Instruction ID: ff91d42f4f04c0cb6f8a41b4dd40f6b58b4c815e4b6c7e4a66f809b21b469755
Opcode Fuzzy Hash: c3f94df5d2f6d5abf00dbf80a7ee594fe615d63b672bcb7178dd43aa0c17e214
Instruction Fuzzy Hash: 75F02435B803127BEA302374BD4AB8B26855B80B55F100636F905B62C2EAFC8841819D

Uniqueness

Uniqueness Score: -1.00%

Function 00557260 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

S\, xrefs: 005576DA
C:\Users\user\Desktop\tu.exe, xrefs: 005576C4

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: S\$C:\Users\user\Desktop\tu.exe
API String ID: 0-1295420917
Opcode ID: 7689a4ec7becda211271bb556b75848923144ba8ff1fbc306209c107a24be7f4
Instruction ID: 3da44fa899a64a0d547f114c26073e4992e7279b7096bb97eadc5b21c31d9724
Opcode Fuzzy Hash: 7689a4ec7becda211271bb556b75848923144ba8ff1fbc306209c107a24be7f4
Instruction Fuzzy Hash: 03F09674614D659FCF0467A47D39B683E95FBA9783F400867FC03CA1A1EB644C4DD624

Uniqueness

Uniqueness Score: -1.00%

Function 00402230 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040220A), ref: 00402244
CloseHandle.KERNEL32(00000000), ref: 00402286

Strings

.\QHCheckCertificate.c, xrefs: 0040225B
CreateFile(), xrefs: 00402251

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 3498533004-1597445517
Opcode ID: 1db1b76687a4e8bb440efb1425c83ca015f779a6c3482fc86869fdcb9be7f4e9
Instruction ID: ea553e56fd4a06c38728b9b31d26958a910725e45176fca1fa0d9a5223a05e07
Opcode Fuzzy Hash: 1db1b76687a4e8bb440efb1425c83ca015f779a6c3482fc86869fdcb9be7f4e9
Instruction Fuzzy Hash: AEF02735784320BBF63433707D4FF8F26855B80F24F100635FA01B51C1E8E8A881404C

Uniqueness

Uniqueness Score: -1.00%

Function 004022A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040221A), ref: 004022B4
CloseHandle.KERNEL32(00000000), ref: 004022F6

Strings

.\QHCheckCertificate.c, xrefs: 004022CB
CreateFile(), xrefs: 004022C1

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 3498533004-1597445517
Opcode ID: efc07ab93a3e5379a1aafee87a645beb55a5777d45d23b4693688bb81b1a3ec9
Instruction ID: 5d39d70a6adc7a977038086a062cd6ab7bed64c32d2e7ad64275184ee054e359
Opcode Fuzzy Hash: efc07ab93a3e5379a1aafee87a645beb55a5777d45d23b4693688bb81b1a3ec9
Instruction Fuzzy Hash: 23F02731B843117AE6343370BD4AF9B26855B80F54F100635FE01B91C1E8FC9841409D

Uniqueness

Uniqueness Score: -1.00%

Function 00402930 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040289A), ref: 00402944
CloseHandle.KERNEL32(00000000), ref: 00402984

Strings

.\QHCheckCertificate.c, xrefs: 0040295D
CreateFile(), xrefs: 00402953

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .\QHCheckCertificate.c$CreateFile()
API String ID: 3498533004-1597445517
Opcode ID: 23bdb758d88eb6772893afea764e0a844dda7450fbaae3f686122c8a370c2e8a
Instruction ID: 0d69e81b708f15c77efef7e4f17722566965c308e96861222ce979ccf1989810
Opcode Fuzzy Hash: 23bdb758d88eb6772893afea764e0a844dda7450fbaae3f686122c8a370c2e8a
Instruction Fuzzy Hash: 73F05C71B803117BF63063B07D0EF8B2585A740B25F110235FE41F51C1E8E8584181AD

Uniqueness

Uniqueness Score: -1.00%

Function 0059333A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,005932EB,?,?,0059328B,?), ref: 0059335A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0059336D
FreeLibrary.KERNEL32(00000000,?,?,?,005932EB,?,?,0059328B,?), ref: 00593390

Strings

mscoree.dll, xrefs: 00593353
CorExitProcess, xrefs: 00593365

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 54862582b64c07b9a2d7f3c08a0888364795bb448104f05ce2a944a495fa0964
Instruction ID: 4483612b1ce96fe60924071afb78409a10d3cdc0dcc2c103b021761816c41c77
Opcode Fuzzy Hash: 54862582b64c07b9a2d7f3c08a0888364795bb448104f05ce2a944a495fa0964
Instruction Fuzzy Hash: A8F04F34A41219FBCF11AFA4EC49BADBFB4FF45752F0041A9F805A2260DB749E44DB90

Uniqueness

Uniqueness Score: -1.00%

Function 005550E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00555120
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00554E7A,00000001), ref: 0055512C
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00554E7A,00000001), ref: 00555137
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00554E7A,00000001), ref: 00555140

Part of subcall function 0056B4EF: GetLocalTime.KERNEL32(00000000), ref: 0056B509

Strings

KeepAlive | Disabled, xrefs: 005550F9

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 0bf274f8949dcffd3d4c2fbf4ec098b669adeee0d06b8d35bc6860dbee0bcfc2
Instruction ID: 2841e4717c7851962fd72042cbc9f2f0693ddb96937d7e91bd08d54d09158242
Opcode Fuzzy Hash: 0bf274f8949dcffd3d4c2fbf4ec098b669adeee0d06b8d35bc6860dbee0bcfc2
Instruction Fuzzy Hash: 1DF02475804711BFEB213B748C1EB6A7E98BF13312F00080EFCC2826A1D9614808DB52

Uniqueness

Uniqueness Score: -1.00%

Function 0043AB05 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0043AB1F

Part of subcall function 00435303: __getptd_noexit.LIBCMT ref: 00435306
Part of subcall function 00435303: __amsg_exit.LIBCMT ref: 00435313

__getptd.LIBCMT ref: 0043AB30
__getptd.LIBCMT ref: 0043AB3E

Strings

MOC, xrefs: 0043AB11
csm, xrefs: 0043AB18

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: 546a182a6e7d5b12224b1f81106d24650c5b7328c0601bff92d7242a378783a5
Instruction ID: 05e78cd1568f14788fbbe09d30b4e391dea899aa562c3f9198f8c26ae00602dc
Opcode Fuzzy Hash: 546a182a6e7d5b12224b1f81106d24650c5b7328c0601bff92d7242a378783a5
Instruction Fuzzy Hash: E9E04F71110204CFC720AB65C047B297395FB4D318F2620ABEA8DC7322C77CF850954B

Uniqueness

Uniqueness Score: -1.00%

Function 0055140A Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00551414
GetProcAddress.KERNEL32(00000000), ref: 0055141B

Strings

GetCursorInfo, xrefs: 0055140A
User32.dll, xrefs: 0055140F
`#v, xrefs: 00551414

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll$`#v
API String ID: 1646373207-1032071883
Opcode ID: baf76192c9bb759ac01362edc647f33f4bdfb054bdab9bacc145317017d73603
Instruction ID: e90bcedeef89d52fe8bc9f2ec7930fd227ec85d381db6dd45e5ef3b1a360cdbb
Opcode Fuzzy Hash: baf76192c9bb759ac01362edc647f33f4bdfb054bdab9bacc145317017d73603
Instruction Fuzzy Hash: 00B092B8582A20ABCB005BF4AC0EE853EA4FAB57023000059B40291160DBB02048EA28

Uniqueness

Uniqueness Score: -1.00%

Function 0059139A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c75021fd5035f935ea661cd5ea1e057e24b24be03cfadd74577296c2c080cc
Instruction ID: aea2287324febd86e342084a61e4f505d859bd9c4e152427947f0b33a53ac204
Opcode Fuzzy Hash: 98c75021fd5035f935ea661cd5ea1e057e24b24be03cfadd74577296c2c080cc
Instruction Fuzzy Hash: 8571B235901A379BCF218F95C884ABEBFB9FF95360F160629E41267281DB708D41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00594CFB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00596137: RtlAllocateHeap.NTDLL(00000000,0058529C,?,?,00588847,?,?,00000000,?,?,0055DE62,0058529C,?,?,?,?), ref: 00596169

_free.LIBCMT ref: 00594E06
_free.LIBCMT ref: 00594E1D
_free.LIBCMT ref: 00594E3C
_free.LIBCMT ref: 00594E57
_free.LIBCMT ref: 00594E6E

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 1daf295fcfd0403364a099682d484f6cc4d0f87ba8337f556071e90f38940cf5
Instruction ID: 87f704412bad8e863b139f4e1779a51d50c59ad01605619fe8ab37ffa4906cb6
Opcode Fuzzy Hash: 1daf295fcfd0403364a099682d484f6cc4d0f87ba8337f556071e90f38940cf5
Instruction Fuzzy Hash: CB51BE72A00705AFDF21DF69C881E6A7BF8FF49724B144669E819D7250E735AE02CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00599365 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005AF234), ref: 005993CF
WideCharToMultiByte.KERNEL32(00000000,00000000,005C2764,000000FF,00000000,0000003F,00000000,?,?), ref: 00599447
WideCharToMultiByte.KERNEL32(00000000,00000000,005C27B8,000000FF,?,0000003F,00000000,?), ref: 00599474
_free.LIBCMT ref: 005993BD

Part of subcall function 00596782: RtlFreeHeap.NTDLL(00000000,00000000,?,005A0C6F,?,00000000,?,00000000,?,005A0F13,?,00000007,?,?,005A145E,?), ref: 00596798
Part of subcall function 00596782: GetLastError.KERNEL32(?,?,005A0C6F,?,00000000,?,00000000,?,005A0F13,?,00000007,?,?,005A145E,?,?), ref: 005967AA

_free.LIBCMT ref: 00599589

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 12352806e19cea900e6de51d0b50fdf3aa03bd0db44f28ed5448d492579886b1
Instruction ID: 219bef0ce3c03885086aca1110f7874c2d885f33b7aab27a87fd07464ed6876f
Opcode Fuzzy Hash: 12352806e19cea900e6de51d0b50fdf3aa03bd0db44f28ed5448d492579886b1
Instruction Fuzzy Hash: 6E51E57190021AAFCF11EFA99C85DAEBFBCFF95310B10066EE41497191EB308E459B50

Uniqueness

Uniqueness Score: -1.00%

Function 0055F8FD Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0056BFB7: GetCurrentProcess.KERNEL32(?,?,?,0055DAAA,WinDir,00000000,00000000), ref: 0056BFC8

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0055F91B
Process32FirstW.KERNEL32(00000000,?), ref: 0055F93F
Process32NextW.KERNEL32(00000000,0000022C), ref: 0055F94E
CloseHandle.KERNEL32(00000000), ref: 0055FB05

Part of subcall function 0056BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0055F5F9,00000000,?,?,005C5338), ref: 0056BFFA

Part of subcall function 0056C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0056C1F5
Part of subcall function 0056C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0056C208

Process32NextW.KERNEL32(00000000,0000022C), ref: 0055FAF6

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 4269425633-0
Opcode ID: a92bed001775c7457ad66e46f831beb08ef9bd9cc30857e2f05f83585a3d698c
Instruction ID: e2a2e57cc93d7ed7c6309b400eef6c5db7ef3ec20994f96b8f656ba121b4ea1a
Opcode Fuzzy Hash: a92bed001775c7457ad66e46f831beb08ef9bd9cc30857e2f05f83585a3d698c
Instruction Fuzzy Hash: E14112311086465BC324E721DC6ABEFBBA9BFD4341F50492EF88A83191EF30594DC766

Uniqueness

Uniqueness Score: -1.00%

Function 004087E0 Relevance: 7.6, APIs: 5, Instructions: 113timeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,00408EFA,?,?,00000001,?,004036B0), ref: 004087F1

Part of subcall function 00432DB5: __getptd_noexit.LIBCMT ref: 00432DB5

SetLastError.KERNEL32(00000000), ref: 0040880F
_wcsrchr.LIBCMT ref: 00408880
_vswprintf_s.LIBCMT ref: 004088DD
GetSystemTime.KERNEL32(00000288), ref: 00408916

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: ErrorLast$SystemTime__getptd_noexit_vswprintf_s_wcsrchr
String ID:
API String ID: 3942181620-0
Opcode ID: 3be596fcb2dc188245080ee248d0068dd7f63012560903d31e54436db08ccaf5
Instruction ID: a12dfbe8bcb0b0c09f6ff4f14e91d9b616d30136fea910be67afa850a14d1e9c
Opcode Fuzzy Hash: 3be596fcb2dc188245080ee248d0068dd7f63012560903d31e54436db08ccaf5
Instruction Fuzzy Hash: 1A414C719147018FC720AF75C845667B3E4EF58310F04892EE59AD73A1EB78A804CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 005A112C Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0057DD01,?,?,?,00000001,00000000,?,00000001,0057DD01,0057DD01), ref: 005A1179
__alloca_probe_16.LIBCMT ref: 005A11B1
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0057DD01,?,?,?,00000001,00000000,?,00000001,0057DD01,0057DD01,?), ref: 005A1202
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0057DD01,0057DD01,?,00000002,00000000), ref: 005A1214
__freea.LIBCMT ref: 005A121D

Part of subcall function 00596137: RtlAllocateHeap.NTDLL(00000000,0058529C,?,?,00588847,?,?,00000000,?,?,0055DE62,0058529C,?,?,?,?), ref: 00596169

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: b2ab026d7c4794194375f40632af7ed5a3f14aa1d089a135a348e27d244bc233
Instruction ID: 18e2d84c631cc4eae661f73d8bc46ff88af6da52389372134cf790b54718a7d0
Opcode Fuzzy Hash: b2ab026d7c4794194375f40632af7ed5a3f14aa1d089a135a348e27d244bc233
Instruction Fuzzy Hash: 8C31DA76A0061AABDF249FA5CC45EAE7FA5FF82310F040168FC04DA291E735CD91CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0059F35A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0059F363
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0059F386

Part of subcall function 00596137: RtlAllocateHeap.NTDLL(00000000,0058529C,?,?,00588847,?,?,00000000,?,?,0055DE62,0058529C,?,?,?,?), ref: 00596169

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0059F3AC
_free.LIBCMT ref: 0059F3BF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0059F3CE

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 3ddf21385187281f66a9b0b4b5f7cca11722972da94c51e505eba8ac7d1294b0
Instruction ID: ef24125c5720e5b648b2b5efbb76110ba433770c5a01fd3b7fd890e6d8edb32d
Opcode Fuzzy Hash: 3ddf21385187281f66a9b0b4b5f7cca11722972da94c51e505eba8ac7d1294b0
Instruction Fuzzy Hash: 190144736016257F2B211ABA5C8CCBF7E6DEAC7BA5325093AFD14C6241DA688D0592B0

Uniqueness

Uniqueness Score: -1.00%

Function 0042D650 Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042D680
GetModuleFileNameW.KERNEL32(00000000,?,00000102), ref: 0042D696
PathRemoveFileSpecW.SHLWAPI(?), ref: 0042D6A3
_memset.LIBCMT ref: 0042D6FE
SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,?,00000000,?), ref: 0042D713

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: FilePath_memset$FolderModuleNameRemoveSpecSpecial
String ID:
API String ID: 359805494-0
Opcode ID: 7ffac12201360a27492ef9a8c6e46d6ba8d65e8f74295bea7cd19c9cd888329f
Instruction ID: d0c4d087bca0709b8c827d22c595415c302136f733cf5c869673d8418bc65854
Opcode Fuzzy Hash: 7ffac12201360a27492ef9a8c6e46d6ba8d65e8f74295bea7cd19c9cd888329f
Instruction Fuzzy Hash: 0821927190121C9FD754EBA4DC42FE97375AF88708F4000EDA609A7182EE759A988F69

Uniqueness

Uniqueness Score: -1.00%

Function 00436CEA Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00436C41

Part of subcall function 0043385A: __mtinitlocknum.LIBCMT ref: 00433870
Part of subcall function 0043385A: __amsg_exit.LIBCMT ref: 0043387C
Part of subcall function 0043385A: EnterCriticalSection.KERNEL32(?,?,?,004479C3,00000004,00464E28,0000000C,004356E9,?,?,00000000,00000000,00000000,?,004352B5,00000001), ref: 00433884

InterlockedDecrement.KERNEL32(00000000), ref: 00436C53

Part of subcall function 0042F2AE: __lock.LIBCMT ref: 0042F2CC
Part of subcall function 0042F2AE: ___sbh_find_block.LIBCMT ref: 0042F2D7
Part of subcall function 0042F2AE: ___sbh_free_block.LIBCMT ref: 0042F2E6
Part of subcall function 0042F2AE: HeapFree.KERNEL32(00000000,?,00464668,0000000C,0043383B,00000000,004648F0,0000000C,00433875,?,?,?,004479C3,00000004,00464E28,0000000C), ref: 0042F316
Part of subcall function 0042F2AE: GetLastError.KERNEL32(?,004479C3,00000004,00464E28,0000000C,004356E9,?,?,00000000,00000000,00000000,?,004352B5,00000001,00000214), ref: 0042F327

__lock.LIBCMT ref: 00436C81
___removelocaleref.LIBCMT ref: 00436C90
___freetlocinfo.LIBCMT ref: 00436CA9

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: __lock$CriticalDecrementEnterErrorFreeHeapInterlockedLastSection___freetlocinfo___removelocaleref___sbh_find_block___sbh_free_block__amsg_exit__mtinitlocknum
String ID:
API String ID: 1907232653-0
Opcode ID: dddfa3f3178d8383d32f9b27f59e0bf06b1583cf40736a92abf47a8fd31915da
Instruction ID: ec597f54dc5de8ed20ed2a1f663af052850153511863fb80e7f62ebd8217dee4
Opcode Fuzzy Hash: dddfa3f3178d8383d32f9b27f59e0bf06b1583cf40736a92abf47a8fd31915da
Instruction Fuzzy Hash: B1119131501306BADB246FA6D64575E77A4EF08725F26B46FF4D4972C1DE3CC880861D

Uniqueness

Uniqueness Score: -1.00%

Function 0043F18D Relevance: 7.6, APIs: 5, Instructions: 53timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0043F1C4
GetCurrentProcessId.KERNEL32 ref: 0043F1D0
GetCurrentThreadId.KERNEL32 ref: 0043F1D8
GetTickCount.KERNEL32 ref: 0043F1E0
QueryPerformanceCounter.KERNEL32(?), ref: 0043F1EC

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: d0d8306bcb5e26c02142090d8190e6228b7ca3820eab039a88585cbb8b5a3025
Instruction ID: 7a47d9cedc6821939cea3c025b9ead3d05f34fa2e758b9e5b5024ba19f434d7b
Opcode Fuzzy Hash: d0d8306bcb5e26c02142090d8190e6228b7ca3820eab039a88585cbb8b5a3025
Instruction Fuzzy Hash: DA11A076D00324DFCB109BF4E88865BB7E8AB0C755F5209B2E811E7111EA749E008B99

Uniqueness

Uniqueness Score: -1.00%

Function 00598299 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,0058BC87,00000000,00000000,?,0058BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0059829E
_free.LIBCMT ref: 005982D3
_free.LIBCMT ref: 005982FA
SetLastError.KERNEL32(00000000,?,00555103), ref: 00598307
SetLastError.KERNEL32(00000000,?,00555103), ref: 00598310

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 4f06469ca68e04c12506171678416b98e851dcb7d71711df0d8949c542ebbe49
Instruction ID: 3d3170a43b1013da1590e6082bbac7410bce6f71b270b2c9a77784f54fae8c75
Opcode Fuzzy Hash: 4f06469ca68e04c12506171678416b98e851dcb7d71711df0d8949c542ebbe49
Instruction Fuzzy Hash: C001D13E100F012A8E1267646C8DE7B2D1EFBD37B57240928F81596192EF688C09A164

Uniqueness

Uniqueness Score: -1.00%

Function 00436319 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00436325

Part of subcall function 00435303: __getptd_noexit.LIBCMT ref: 00435306
Part of subcall function 00435303: __amsg_exit.LIBCMT ref: 00435313

__amsg_exit.LIBCMT ref: 00436345
__lock.LIBCMT ref: 00436355
InterlockedDecrement.KERNEL32(?), ref: 00436372
InterlockedIncrement.KERNEL32(00467FD8), ref: 0043639D

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 1c3ee6bdb297f0c583020a54c75024eb37d5180de5e8673e1c7c4d2d8cd9b9a2
Instruction ID: 2120e401ec039c9d3c469062b26075b44e78161f10bd3444f52201ecc5acd4ca
Opcode Fuzzy Hash: 1c3ee6bdb297f0c583020a54c75024eb37d5180de5e8673e1c7c4d2d8cd9b9a2
Instruction Fuzzy Hash: 7401A131900713EBDB11AF66944574E7760BB08714F16912FEC14A3282DB7CA9428BDE

Uniqueness

Uniqueness Score: -1.00%

Function 0042F2AE Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0042F2CC

Part of subcall function 0043385A: __mtinitlocknum.LIBCMT ref: 00433870
Part of subcall function 0043385A: __amsg_exit.LIBCMT ref: 0043387C
Part of subcall function 0043385A: EnterCriticalSection.KERNEL32(?,?,?,004479C3,00000004,00464E28,0000000C,004356E9,?,?,00000000,00000000,00000000,?,004352B5,00000001), ref: 00433884

___sbh_find_block.LIBCMT ref: 0042F2D7
___sbh_free_block.LIBCMT ref: 0042F2E6
HeapFree.KERNEL32(00000000,?,00464668,0000000C,0043383B,00000000,004648F0,0000000C,00433875,?,?,?,004479C3,00000004,00464E28,0000000C), ref: 0042F316
GetLastError.KERNEL32(?,004479C3,00000004,00464E28,0000000C,004356E9,?,?,00000000,00000000,00000000,?,004352B5,00000001,00000214), ref: 0042F327

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: be5a6cb1eb5df8936d36834704c5a715c9b684255bafcbe413cb2a9fed154717
Instruction ID: b01b193fb1bad3170891ec4c80f6ca9d339300dd53edf7a7ab97a6ea33272983
Opcode Fuzzy Hash: be5a6cb1eb5df8936d36834704c5a715c9b684255bafcbe413cb2a9fed154717
Instruction Fuzzy Hash: B601AC31A01315EADB20AFB1AD05B5E7AB49F05765FD0007FF804951D1DB7C85458E9D

Uniqueness

Uniqueness Score: -1.00%

Function 005A09BC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005A09D4

Part of subcall function 00596782: RtlFreeHeap.NTDLL(00000000,00000000,?,005A0C6F,?,00000000,?,00000000,?,005A0F13,?,00000007,?,?,005A145E,?), ref: 00596798
Part of subcall function 00596782: GetLastError.KERNEL32(?,?,005A0C6F,?,00000000,?,00000000,?,005A0F13,?,00000007,?,?,005A145E,?,?), ref: 005967AA

_free.LIBCMT ref: 005A09E6
_free.LIBCMT ref: 005A09F8
_free.LIBCMT ref: 005A0A0A
_free.LIBCMT ref: 005A0A1C

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a5a6b067f3043cce0f4fa8d4186cdcd73bda14aa7a63387858db4c630bdf31a7
Instruction ID: 930b962f9c6ebe7fd1ea7dcfc4de3d846e133f7acf6fbbe9637305d09d354677
Opcode Fuzzy Hash: a5a6b067f3043cce0f4fa8d4186cdcd73bda14aa7a63387858db4c630bdf31a7
Instruction Fuzzy Hash: A6F0F632010A00BFCA20EB9CF8C6C1E3BDDFA423157589905F029D3543CB38FC8496A4

Uniqueness

Uniqueness Score: -1.00%

Function 00594048 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00594066

Part of subcall function 00596782: RtlFreeHeap.NTDLL(00000000,00000000,?,005A0C6F,?,00000000,?,00000000,?,005A0F13,?,00000007,?,?,005A145E,?), ref: 00596798
Part of subcall function 00596782: GetLastError.KERNEL32(?,?,005A0C6F,?,00000000,?,00000000,?,005A0F13,?,00000007,?,?,005A145E,?,?), ref: 005967AA

_free.LIBCMT ref: 00594078
_free.LIBCMT ref: 0059408B
_free.LIBCMT ref: 0059409C
_free.LIBCMT ref: 005940AD

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c9311afa16c645f6a826b797c93ba964811bdccbc96401403d78083cee2b73a7
Instruction ID: a44a6ab28766ad34ec427b6fbd4381cc9211fdc2de71de2ba0489ff490fb45b0
Opcode Fuzzy Hash: c9311afa16c645f6a826b797c93ba964811bdccbc96401403d78083cee2b73a7
Instruction Fuzzy Hash: C9F0BE72801E209FCA21AF68BC89C053F61F725725784420AF02466671C7B89E4EFFC6

Uniqueness

Uniqueness Score: -1.00%

Function 00403C10 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 228COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000CCC,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 00403D80

Part of subcall function 00403660: ReadFile.KERNEL32(?,?,?,O>@,00000000,?,00403E4F,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 0040366B

Strings

SetFilePointerEx(), xrefs: 00403D8A
.\QHImageHlp.c, xrefs: 00403C76, 00403D94

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: File$PointerRead
String ID: .\QHImageHlp.c$SetFilePointerEx()
API String ID: 3154509469-3914906174
Opcode ID: 5d98508b3de8acd582bae8ac88a94eb38bcbdce3d783b9f31bc7296ee13450e1
Instruction ID: a623d500c4186b7208de29a6288d575388abf472c41b592f863d29a671c00f12
Opcode Fuzzy Hash: 5d98508b3de8acd582bae8ac88a94eb38bcbdce3d783b9f31bc7296ee13450e1
Instruction Fuzzy Hash: 04717D71A04701AFD314DF29D881A5AB7E9FB88315F444A3EF848E3780E738E9548BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0059E6E9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0059E738
_free.LIBCMT ref: 0059E855

Part of subcall function 0058BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0058BCEB,00555103,?,00000000,00000000,005520A6,00000000,00000000,?,0058BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0058BD1B
Part of subcall function 0058BD19: GetCurrentProcess.KERNEL32(C0000417,?,00555103), ref: 0058BD3D
Part of subcall function 0058BD19: TerminateProcess.KERNEL32(00000000,?,00555103), ref: 0058BD44

Strings

*?, xrefs: 0059E72C
., xrefs: 0059EA0C

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction ID: 2475401379c27503c05eed2aa92d9d8a2396e30609e7d9c8e463aeaff84ca9d8
Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction Fuzzy Hash: 26519175E0020AAFDF14DFA8C886AADBFB5FF98314F244169E854E7341EB319E018B50

Uniqueness

Uniqueness Score: -1.00%

Function 00592385 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005924DE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005924F3

Strings

`#Y, xrefs: 00592400
`#Y, xrefs: 005924ED

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: `#Y$`#Y
API String ID: 885266447-1769481409
Opcode ID: c45c2ccb37e70a9e09080734f4a7968359ee650ff68b623af33ced09871762d0
Instruction ID: d10f614519fdac59f3cafe7286de8f8e5c3b21e78938e1c8d120cea002f36324
Opcode Fuzzy Hash: c45c2ccb37e70a9e09080734f4a7968359ee650ff68b623af33ced09871762d0
Instruction Fuzzy Hash: 25516971A00209AFCF18DF58C884AADBFB2FB98324F19C199E8189B361D7719D51CB80

Uniqueness

Uniqueness Score: -1.00%

Function 004050D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004050DC

Part of subcall function 0042FB25: __FF_MSGBANNER.LIBCMT ref: 0042FB48
Part of subcall function 0042FB25: __NMSG_WRITE.LIBCMT ref: 0042FB4F
Part of subcall function 0042FB25: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,?,00402AFA), ref: 0042FB9C

SetLastError.KERNEL32(00000008,?,00402A5E,?,00002000), ref: 004050EE

Strings

Certificate Table, xrefs: 0040526F
.\QHImageHlp.c, xrefs: 004050FE, 00405239, 00405279

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: AllocErrorHeapLast_malloc
String ID: .\QHImageHlp.c$Certificate Table
API String ID: 485325758-1472710443
Opcode ID: 349a017d88896a46223a65075aa5d5ea743bd96e5839130b69b8610103239546
Instruction ID: a446fb7a9fde2d7275c523b3a5589ebdd4a490cd7bb37a51f9c1ccee7326068c
Opcode Fuzzy Hash: 349a017d88896a46223a65075aa5d5ea743bd96e5839130b69b8610103239546
Instruction Fuzzy Hash: D4410575741B005BE320EB25EC41B97B3E0FF80711F04497FE989923C1E6B9A5088B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00404EF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00404EFC

Part of subcall function 0042FB25: __FF_MSGBANNER.LIBCMT ref: 0042FB48
Part of subcall function 0042FB25: __NMSG_WRITE.LIBCMT ref: 0042FB4F
Part of subcall function 0042FB25: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,?,00402AFA), ref: 0042FB9C

SetLastError.KERNEL32(00000008,00000003,004023AF,00000000), ref: 00404F0E

Strings

Certificate Table, xrefs: 0040508F
.\QHImageHlp.c, xrefs: 00404F1E, 00405059, 00405099

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: AllocErrorHeapLast_malloc
String ID: .\QHImageHlp.c$Certificate Table
API String ID: 485325758-1472710443
Opcode ID: 62d59e5dec82c27ee1c675ce2e38e0508c742f546705f42b660697afc313c552
Instruction ID: 56f707983adcd4c1712f8bbe2d9e1cbd60e6c7eff53ffe87e7f68e14888cd6f6
Opcode Fuzzy Hash: 62d59e5dec82c27ee1c675ce2e38e0508c742f546705f42b660697afc313c552
Instruction Fuzzy Hash: 4041D5B1741B015BE320DF25EC41F97B3E0EF80715F14893FE989923C1E6B9A5498B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00593435 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\tu.exe,00000104), ref: 00593475
_free.LIBCMT ref: 00593540
_free.LIBCMT ref: 0059354A

Strings

C:\Users\user\Desktop\tu.exe, xrefs: 0059346C, 00593473, 005934A2, 005934DA

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\tu.exe
API String ID: 2506810119-1793143716
Opcode ID: 084b2eaec1d15fc67494d4c39baaabfb6bbdad8a02972c5781d9a3f6a13edcec
Instruction ID: 9df2f9c03eb0356270eb258e33efbce7d84da3e7c91f381beba4b63280310620
Opcode Fuzzy Hash: 084b2eaec1d15fc67494d4c39baaabfb6bbdad8a02972c5781d9a3f6a13edcec
Instruction Fuzzy Hash: A4317C71A00258EFDF22DB99DC89D9EBFACFB89710F114066F80497211D6B09F45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00401520 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040155C
SetLastError.KERNEL32(00000008,?,?,?,00401C5E,?,?), ref: 0040156C

Strings

.\QHCheckCertificate.c, xrefs: 0040157C, 004015A4, 004015D1
:ghVI, xrefs: 0040159A

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: ErrorLast_malloc
String ID: .\QHCheckCertificate.c$:ghVI
API String ID: 1018170914-279542517
Opcode ID: e398552c40245c4c81058395fa59cc72440da4dc1ea5e3436f6df70d9f0a9f0b
Instruction ID: f102504e1e88be22b862c4b36d41646d64cb99423fcae649bfb1a7f27528034d
Opcode Fuzzy Hash: e398552c40245c4c81058395fa59cc72440da4dc1ea5e3436f6df70d9f0a9f0b
Instruction Fuzzy Hash: E021A5F5701A117FD704EB59FD82A467390EB84319B10803BF909A7391F7F998258B9B

Uniqueness

Uniqueness Score: -1.00%

Function 0055404C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00554066

Part of subcall function 0056B978: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,005B6468,0055D20D,.vbs,?,?,?,?,?,005C52F0), ref: 0056B99F

Part of subcall function 00568568: CloseHandle.KERNEL32(005540F5,?,?,005540F5,005B5E74), ref: 0056857E
Part of subcall function 00568568: CloseHandle.KERNEL32(t^[,?,?,005540F5,005B5E74), ref: 00568587

Part of subcall function 0056C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0055A843), ref: 0056C49E

Sleep.KERNEL32(000000FA,005B5E74), ref: 00554138

Strings

/sort "Visit Time" /stext ", xrefs: 005540B2
0N\, xrefs: 00554097

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$0N\
API String ID: 368326130-898489816
Opcode ID: cc93dbb78251c965438b3ebfbeb8415c15537333fc0482795fd30641fb8c6fb6
Instruction ID: 1dbf4ddbe00e1e3813f97e1ce259f529f40d7ab2440626264f55f7e71e886b65
Opcode Fuzzy Hash: cc93dbb78251c965438b3ebfbeb8415c15537333fc0482795fd30641fb8c6fb6
Instruction Fuzzy Hash: D131223191051A5BCB18F6B4D8AAAED7F79BFD1302F40006AF90697191EF205D8DCAA5

Uniqueness

Uniqueness Score: -1.00%

Function 005662E4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005662F5

Part of subcall function 00563877: RegCreateKeyA.ADVAPI32(80000001,00000000,005B60A4), ref: 00563885
Part of subcall function 00563877: RegSetValueExA.KERNEL32(005B60A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0055C152,005B6C48,00000001,000000AF,005B60A4), ref: 005638A0
Part of subcall function 00563877: RegCloseKey.ADVAPI32(005B60A4,?,?,?,0055C152,005B6C48,00000001,000000AF,005B60A4), ref: 005638AB

Part of subcall function 00559DE4: _wcslen.LIBCMT ref: 00559DFD

Strings

P\, xrefs: 00566322
!DU, xrefs: 00567089
okmode, xrefs: 0056630F

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: _wcslen$CloseCreateValue
String ID: !DU$okmode$P\
API String ID: 3411444782-2694033837
Opcode ID: 7ee0cb8003c66fa5ac8bf06562c261c13ab6f3abe5bbfd9536a9385ae6d11eae
Instruction ID: 31cd3fb922e4973f51b6fa1788c3ea9acb8c4e92a395d7542b789897d0c9db56
Opcode Fuzzy Hash: 7ee0cb8003c66fa5ac8bf06562c261c13ab6f3abe5bbfd9536a9385ae6d11eae
Instruction Fuzzy Hash: 5111C3317449021EDA1877B0A87FB7D2E9ABFD0311F44082FBD428B6D2EF6458499325

Uniqueness

Uniqueness Score: -1.00%

Function 0055C5EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0055C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0055C4F6

PathFileExistsW.SHLWAPI(00000000), ref: 0055C61D
PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0055C688

Strings

User Data\Profile ?\Network\Cookies, xrefs: 0055C635
User Data\Default\Network\Cookies, xrefs: 0055C603

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: db180ea14324cc3b224616fdd8f152eff650c3adaf50409e832cfd336e2f9d4a
Instruction ID: 87c69604b3d5a1dc1783538f9f3978af7a12b5fbd0c36137063076caa0a7df35
Opcode Fuzzy Hash: db180ea14324cc3b224616fdd8f152eff650c3adaf50409e832cfd336e2f9d4a
Instruction Fuzzy Hash: E321E57190061A9ACB04F7B5DC7ADEEBF78FE90712F400417F90693195EF206A4EC6A4

Uniqueness

Uniqueness Score: -1.00%

Function 0055C6BB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0055C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0055C559

PathFileExistsW.SHLWAPI(00000000), ref: 0055C6EC
PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0055C757

Strings

User Data\Profile ?\Network\Cookies, xrefs: 0055C704
User Data\Default\Network\Cookies, xrefs: 0055C6D2

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: 6b5de0c16035eb5fee2f7137ced6678b063151531d01d3a2e7e8d8372bb3ccb7
Instruction ID: d5b6fc6eee726224c0a33a674d57bf84e050768251331a8c0e599268a4430e0e
Opcode Fuzzy Hash: 6b5de0c16035eb5fee2f7137ced6678b063151531d01d3a2e7e8d8372bb3ccb7
Instruction Fuzzy Hash: F221D67191011A5ACB04F7B1DC6ADEEBF78FE94712B40041BF90293191EF20694ECA94

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(000013CC,CreateObject), ref: 0040C3F2
FreeLibrary.KERNEL32(000013CC,?,0040C18C), ref: 0040C408

Strings

CreateObject, xrefs: 0040C3E6

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: CreateObject
API String ID: 3013587201-166191583
Opcode ID: d6bd99be3fb84f35f21d06f6efc7538b6342fd60ee3495d6ffe4e42ac6a0d53d
Instruction ID: 5dfa618b8ef0119369d955ab7243a8de27af72229873d7ba0b9cf45c338c119e
Opcode Fuzzy Hash: d6bd99be3fb84f35f21d06f6efc7538b6342fd60ee3495d6ffe4e42ac6a0d53d
Instruction Fuzzy Hash: FA21EA74A00308EFCB00DF94D5D4A6DBBB5BF49315F2082A9E905AB392C735EA81DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00556A63 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00556A82
GetProcAddress.KERNEL32(00000000), ref: 00556A89

Strings

crypt32, xrefs: 00556A7D
CryptUnprotectData, xrefs: 00556A78

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: ef34a67cc75fc31d68559deddc6c8f686a8b090f1380b4874a8991af3c623d7e
Instruction ID: 951abdba5ef7ec09ab61e443a7de95c4d8e5efc2da1821a0fdd379cbf9eb949c
Opcode Fuzzy Hash: ef34a67cc75fc31d68559deddc6c8f686a8b090f1380b4874a8991af3c623d7e
Instruction Fuzzy Hash: 2401B535A04256AFCB18DFADDC549AEBFB8FF55301F04416EED55E3240D67099088790

Uniqueness

Uniqueness Score: -1.00%

Function 00408B20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00408B28

Part of subcall function 00432DB5: __getptd_noexit.LIBCMT ref: 00432DB5

SetLastError.KERNEL32(00000000), ref: 00408B46
__snwprintf.LIBCMT ref: 00408B95

Strings

%s(%s:%d), xrefs: 00408B84

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: ErrorLast$__getptd_noexit__snwprintf
String ID: %s(%s:%d)
API String ID: 2604959178-4223833681
Opcode ID: 4c5ff8d7da7caec13398d7179f177572afe30be613d32b51b72e43316ceb08cc
Instruction ID: c67e5680cbfc749e9507c7cc80fc2d4b5564d9924784b961a3afd699cde5ee08
Opcode Fuzzy Hash: 4c5ff8d7da7caec13398d7179f177572afe30be613d32b51b72e43316ceb08cc
Instruction Fuzzy Hash: 6801B972600704AFC720AFA5ED44AA773E8EF45751F00443FF94997351DBB8AC018799

Uniqueness

Uniqueness Score: -1.00%

Function 004035C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51timeCOMMON

Download Yara Rule

APIs

_swscanf.LIBCMT ref: 004035FD

Part of subcall function 004324AF: _vscan_fn.LIBCMT ref: 004324C6

SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,004018B8,00000000,00000000), ref: 0040361F
LocalFileTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,004018B8,00000000,00000000), ref: 00403632

Strings

%hu-%hu-%hu %hu:%hu:%hu, xrefs: 004035F7

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: Time$File$LocalSystem_swscanf_vscan_fn
String ID: %hu-%hu-%hu %hu:%hu:%hu
API String ID: 3712118799-1004895946
Opcode ID: 4751721bb5c0777da57fecde43eb29ccf8ba50de587755977e36d3932f733de8
Instruction ID: 4c245d33534f4f5b71e5f77063661e55d37b6d60919a2df9bc087bf9af5aa4ff
Opcode Fuzzy Hash: 4751721bb5c0777da57fecde43eb29ccf8ba50de587755977e36d3932f733de8
Instruction Fuzzy Hash: 171100B2504301AFC365DFA5C980D9BB7E8ABDC701F044E2EF199D2250F675D648CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0055515C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00555159), ref: 00555173
CloseHandle.KERNEL32(?), ref: 005551CA
SetEvent.KERNEL32(?), ref: 005551D9

Strings

Connection Timeout, xrefs: 00555198

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 774833371271baf623cb53f7cf3013424089c3179c476bfd002ceb6560da2e55
Instruction ID: 359004c61d1b797c0d48f2e06aafe3e7cab900d43bde6afdac91c5a067cc6fa3
Opcode Fuzzy Hash: 774833371271baf623cb53f7cf3013424089c3179c476bfd002ceb6560da2e55
Instruction Fuzzy Hash: 8F012835501F01AFE7257F358CB952ABFD0BF51703704091EE9C342AB1EA20A408DB41

Uniqueness

Uniqueness Score: -1.00%

Function 0055E7C5 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0055E833

Strings

ios_base::badbit set, xrefs: 0055E7EF
ios_base::failbit set, xrefs: 0055E815
ios_base::eofbit set, xrefs: 0055E822

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 64251097121c642b18977544799c08406e4f5e552c74fc56ee805ab01eac976c
Instruction ID: 8b91086addd5f5d6e57d9de3e4ed642792b65eed21704d6b11fc9104b9604656
Opcode Fuzzy Hash: 64251097121c642b18977544799c08406e4f5e552c74fc56ee805ab01eac976c
Instruction Fuzzy Hash: 8701DF305443496AE71CEA94C82BFFD7F98BB58703F00484AFD15A5082FA606B09C662

Uniqueness

Uniqueness Score: -1.00%

Function 00563814 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,005C52D8), ref: 0056381F
RegSetValueExW.ADVAPI32(005C52D8,?,00000000,00000001,00000000,00000000,005C52F0,?,0055F823,pth_unenc,005C52D8), ref: 0056384D
RegCloseKey.ADVAPI32(005C52D8,?,0055F823,pth_unenc,005C52D8), ref: 00563858

Strings

pth_unenc, xrefs: 00563818

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 9bed5c13b0d670f2b9dc02ad0cad934a1c71b3da021c043a6cc21275aa10f6a6
Instruction ID: 4915845894c0dfab8da8c0396fbb1429bb0f0f77b933f977d78db0df5f399e22
Opcode Fuzzy Hash: 9bed5c13b0d670f2b9dc02ad0cad934a1c71b3da021c043a6cc21275aa10f6a6
Instruction Fuzzy Hash: 41F04972540128BBDF109FA1EC5ABEA3B6CFF46791F104525BD0697150EB319B08EAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0043CA74 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0043143A), ref: 0043CA79
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0043CA89

Strings

IsProcessorFeaturePresent, xrefs: 0043CA83
KERNEL32, xrefs: 0043CA74

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: f5942bad6fb0379af524b8fc5daf5af3d6fb922da830d66f21d94f1b5bcb83af
Instruction ID: 8c0865540f6c5b330ea810b8011c9f56007bea3fab0405eb604f0991b59ca9d9
Opcode Fuzzy Hash: f5942bad6fb0379af524b8fc5daf5af3d6fb922da830d66f21d94f1b5bcb83af
Instruction Fuzzy Hash: A1F01D21A40B0DE2DB00ABA5AC4B36F7A75BB84743F9104A1D592F1096DF74C179D74A

Uniqueness

Uniqueness Score: -1.00%

Function 00403660 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 33fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,O>@,00000000,?,00403E4F,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 0040366B

Strings

ReadFile(), xrefs: 00403675
O>@, xrefs: 00403663, 00403667
.\QHImageHlp.c, xrefs: 0040367F, 004036A1

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: FileRead
String ID: .\QHImageHlp.c$O>@$ReadFile()
API String ID: 2738559852-3347983201
Opcode ID: ad8c54c6b13db8c91e8405195e36127eca5c805619a3687134a11327e549964d
Instruction ID: e18dff2bf5f9ec833f0eb136256613232d54e553c4a64e595da327690e970206
Opcode Fuzzy Hash: ad8c54c6b13db8c91e8405195e36127eca5c805619a3687134a11327e549964d
Instruction Fuzzy Hash: 99E022B179030039F630A630AE47F2726488B84B03F20483FB449A06C1FDFD9840216A

Uniqueness

Uniqueness Score: -1.00%

Function 00566C2D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00566C47
ShowWindow.USER32(00000009), ref: 00566C61
SetForegroundWindow.USER32 ref: 00566C6D

Part of subcall function 0056CD9B: AllocConsole.KERNEL32(005C5338), ref: 0056CDA4
Part of subcall function 0056CD9B: ShowWindow.USER32(00000000,00000000), ref: 0056CDBD
Part of subcall function 0056CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0056CDE2

Strings

!DU, xrefs: 00567089

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
String ID: !DU
API String ID: 3446828153-1239079615
Opcode ID: f0c3d93d192d06b54c39b0744b3a1dbb768c325196a1b814d1305e60c0d51c94
Instruction ID: 4c6f77a9bdfa93f94ffee4a52814d2dc872656ac4b7dd7b46ab25e697564dd65
Opcode Fuzzy Hash: f0c3d93d192d06b54c39b0744b3a1dbb768c325196a1b814d1305e60c0d51c94
Instruction Fuzzy Hash: CFF05E74118541AEDB20AB61EC1EF7A7F68FFB5351F00082AF846C60A1DF214C4DAA61

Uniqueness

Uniqueness Score: -1.00%

Function 00409120 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00409124
GetLocalTime.KERNEL32(?), ref: 00409131
__swprintf.LIBCMT ref: 00409150

Strings

<%08X> %02hu:%02hu:%02hu: , xrefs: 0040914A

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: CurrentLocalThreadTime__swprintf
String ID: <%08X> %02hu:%02hu:%02hu:
API String ID: 4156772881-2163415560
Opcode ID: a489dfab2371dc3eae81d2dfc5bda05dd664b81eb9ee3823ab1e5aa6a003ac84
Instruction ID: be5f41c029d6ecaa3ec51ae336b2f33e16603824fff27754019517003b9c3123
Opcode Fuzzy Hash: a489dfab2371dc3eae81d2dfc5bda05dd664b81eb9ee3823ab1e5aa6a003ac84
Instruction Fuzzy Hash: 35F08276400711BBC3106B198D458BB76E8EEC4711B448956FC85C6292F678DD24C2A5

Uniqueness

Uniqueness Score: -1.00%

Function 005660EE Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00566130

Strings

open, xrefs: 0056612A
cmd.exe, xrefs: 00566125
/C , xrefs: 0056610E

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 5bc6f014b336afa499155f0af01907a697af151416fcbbe02ebbdb3ba8275f4f
Instruction ID: 0e36376cb4af2ff8dec404c4c89d89ebc13c8422e98a4a9f05f0342f5bfb0b27
Opcode Fuzzy Hash: 5bc6f014b336afa499155f0af01907a697af151416fcbbe02ebbdb3ba8275f4f
Instruction Fuzzy Hash: D2E0C0701087456ACB08E674DCAADAB7FADBE90706F400C1E754392092EF64AD4DCA69

Uniqueness

Uniqueness Score: -1.00%

Function 0055B8AC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(Function_0000A27D,00000000,005C52F0,pth_unenc,0055D0B8,005C52D8,005C52F0,?,pth_unenc), ref: 0055B8BB
UnhookWindowsHookEx.USER32(005C50F0), ref: 0055B8C7
TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0055B8D5

Strings

pth_unenc, xrefs: 0055B8AC

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: TerminateThread$HookUnhookWindows
String ID: pth_unenc
API String ID: 3123878439-4028850238
Opcode ID: 341e8fbd40bcc19157a1645a9fb2738107a0eae574db79ef12b82c7ac01c5b84
Instruction ID: c3b314117fe9b5cdbb7907cdc202c2171bbaf33eca63c5232ea02c18224cbb9f
Opcode Fuzzy Hash: 341e8fbd40bcc19157a1645a9fb2738107a0eae574db79ef12b82c7ac01c5b84
Instruction Fuzzy Hash: F8E01276205366EFEB241F949CA98657EEEFE25787314083FF6C242560C6710C0CDB50

Uniqueness

Uniqueness Score: -1.00%

Function 005514AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 005514B9
GetProcAddress.KERNEL32(00000000), ref: 005514C0

Strings

GetLastInputInfo, xrefs: 005514AF
User32.dll, xrefs: 005514B4

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 4a3e5315ab444f2939789aedd1051f9f42ba8c918f1b62c5bad1a477da80341f
Instruction ID: 177fff20dce3425ebf079fe700103036dfc2a2df82d3d2222ebed0c35b66db0f
Opcode Fuzzy Hash: 4a3e5315ab444f2939789aedd1051f9f42ba8c918f1b62c5bad1a477da80341f
Instruction Fuzzy Hash: F1B092B95C1610ABCB005BA8AC0ED993EA8BA75702300404AB801D1160DBB02008AFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0059A004 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0059A08F
__alldvrm.LIBCMT ref: 0059A290
__alldvrm.LIBCMT ref: 0059A2B2

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
Instruction ID: f6c9b81d3467e7e042596a59d3b520ff873ddcaa80e3e4493a6393081d0b0b9d
Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
Instruction Fuzzy Hash: 46A13635A043869FEF21CF58C8817AEBFE5FF55314F144169E8959B282D3398941C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00592801 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b40ed74c97168db56e5e5f893fcc63f2281cb0c0192d1aa31597210dbde1510
Instruction ID: fb5ca3981a6db0d135ff955cf773892fcf9d27e3ec8726e30d67e2e9fc8ed4eb
Opcode Fuzzy Hash: 2b40ed74c97168db56e5e5f893fcc63f2281cb0c0192d1aa31597210dbde1510
Instruction Fuzzy Hash: 2241F971A00305BFDB24AF78CC45B5A7FE9FBC8710F10452AF155DB691D67199418790

Uniqueness

Uniqueness Score: -1.00%

Function 0044E800 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0044E834
__isleadbyte_l.LIBCMT ref: 0044E868
MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000298,00000002,00000000), ref: 0044E899
MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000298,00000002,00000000), ref: 0044E907

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 29de12d916317f776575526a2aae219ef267f97f715b5e650989a8b0b88a1db2
Instruction ID: 69bd48404784bb6eef6378d994ded7f0c02fa3b1a2743158cb33e4a36fb9aac3
Opcode Fuzzy Hash: 29de12d916317f776575526a2aae219ef267f97f715b5e650989a8b0b88a1db2
Instruction Fuzzy Hash: AF31B331A00255EFEF20EF66C8809BF7BA5FF01311F1445AAE4518B292E734DD40DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0055C00C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0055C021
Sleep.KERNEL32(00001388), ref: 0055C0A9

Strings

Cleared browsers logins and cookies., xrefs: 0055C0F5
[Cleared browsers logins and cookies.], xrefs: 0055C0E4

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: 1479fc3cc2f00da66388640359fcc79c4735f041765218a0ba0f4209d3e36abe
Instruction ID: effa7d51191008b037a552c1146449f2c84067b0b40461a720d75ddd3508097e
Opcode Fuzzy Hash: 1479fc3cc2f00da66388640359fcc79c4735f041765218a0ba0f4209d3e36abe
Instruction Fuzzy Hash: 2131D405249381AEEA15ABB4587E7EE7F826FE3746F08445EBCC40B3E3C952480D9363

Uniqueness

Uniqueness Score: -1.00%

Function 0042CF40 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

allocator.LIBCPMTD ref: 0042CF77
allocator.LIBCONCRTD ref: 0042CFAB
allocator.LIBCONCRTD ref: 0042CFD7
allocator.LIBCONCRTD ref: 0042D003

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: 55a0b2266a5cad73a88afd20eacca5d9b6afaa86621e6d19beb791bcb8099d20
Instruction ID: 098981022932cbdec035ca30eccc90540c584fe7df76098104e9694cbdb6509b
Opcode Fuzzy Hash: 55a0b2266a5cad73a88afd20eacca5d9b6afaa86621e6d19beb791bcb8099d20
Instruction Fuzzy Hash: 1D315EB1E001089FDB04DF99D841BEFBBB9EF48318F54452AE505A7382D73969148BB6

Uniqueness

Uniqueness Score: -1.00%

Function 0055A529 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0056C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0056C561
Part of subcall function 0056C551: GetWindowTextLengthW.USER32(00000000), ref: 0056C56A
Part of subcall function 0056C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0056C594

Sleep.KERNEL32(000001F4), ref: 0055A573
Sleep.KERNEL32(00000064), ref: 0055A5FD

Strings

[ , xrefs: 0055A58F
], xrefs: 0055A57B

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: de7a0ba232dffb4c41b5ff6b284417d79f8644215d6d1e7d72b8f36d72ea5dcb
Instruction ID: 2bf5de2bc08c851ebf88c6373725d46eaf0eb3187e3beb615dbcf91139561c75
Opcode Fuzzy Hash: de7a0ba232dffb4c41b5ff6b284417d79f8644215d6d1e7d72b8f36d72ea5dcb
Instruction Fuzzy Hash: 261162315046015BC614BB74CC6B9AF7FA87F91302F40051EF957560E2FF21AA5CC696

Uniqueness

Uniqueness Score: -1.00%

Function 00593A33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b42576b6a2345273cdcf84020880551165e338762428740c07b50ac7c8a6ff
Instruction ID: f5e6a14a2355f3643d8ab79ae5e4eb3b2bdb5ac8019528eadbf7e70c57aa2e78
Opcode Fuzzy Hash: 96b42576b6a2345273cdcf84020880551165e338762428740c07b50ac7c8a6ff
Instruction Fuzzy Hash: DF01F2B3609616BEEF201A786CC4F676A1DFB917B9B340726F470A11D1EAA08E005160

Uniqueness

Uniqueness Score: -1.00%

Function 00593AB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86ee573496b0ea6077d5559f931faa23a5f061d92d941d5a9f409692e9d2b61
Instruction ID: dc865f86023eb6c9ebd50630ff00a2ba6b73f9783ea0634140ff815164d0b68c
Opcode Fuzzy Hash: d86ee573496b0ea6077d5559f931faa23a5f061d92d941d5a9f409692e9d2b61
Instruction Fuzzy Hash: 8701F9B2609612BEEF111ABCACC4D277A5DFF913B93340726F531511E1DB708E045160

Uniqueness

Uniqueness Score: -1.00%

Function 00598566 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0059850D,00000000,00000000,00000000,00000000,?,00598839,00000006,FlsSetValue), ref: 00598598
GetLastError.KERNEL32(?,0059850D,00000000,00000000,00000000,00000000,?,00598839,00000006,FlsSetValue,005AF160,005AF168,00000000,00000364,?,005982E7), ref: 005985A4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0059850D,00000000,00000000,00000000,00000000,?,00598839,00000006,FlsSetValue,005AF160,005AF168,00000000), ref: 005985B2

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 80904f2f75869883cf1108f92ce7ab0da073ccf3ee265ab307479ca98a535008
Instruction ID: d0b444c1c0de04b554d6196a6b071e0c4c27cc0c18904eb966a3bcf942bff2d0
Opcode Fuzzy Hash: 80904f2f75869883cf1108f92ce7ab0da073ccf3ee265ab307479ca98a535008
Instruction Fuzzy Hash: 5E01D836606232BBCF214B689C44A677F58BF577A1B164520ED06D7240DF30DD08DAE0

Uniqueness

Uniqueness Score: -1.00%

Function 0056C485 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0055A843), ref: 0056C49E
GetFileSize.KERNEL32(00000000,00000000), ref: 0056C4B2
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0056C4D7
CloseHandle.KERNEL32(00000000), ref: 0056C4E5

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: f64233f3f56235af16402c12acce09afd3083912695df8144564e1f4c45244b2
Instruction ID: 614e08c7dfb375a2c5572273be5d141deaaf38ca079fa00a06b03e46ef368643
Opcode Fuzzy Hash: f64233f3f56235af16402c12acce09afd3083912695df8144564e1f4c45244b2
Instruction Fuzzy Hash: 83F0FC712012187FEA105B24AC94FBB3F5CFBC77A6F00051AF941E31C0CA154C099231

Uniqueness

Uniqueness Score: -1.00%

Function 0043C93F Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0043C965

Part of subcall function 0043C74D: __fltout2.LIBCMT ref: 0043C779

__cftog_l.LIBCMT ref: 0043C98B
__cftoe_l.LIBCMT ref: 0043C9BD

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: afc8384d7de5dc81d749eb2ef2e502e72940c946d5071aaa17129bf9d5fb4602
Instruction ID: 8ded30c4d0808139d0a8f7a3334d2637decb54840f1bc3447c4a2fd338d10340
Opcode Fuzzy Hash: afc8384d7de5dc81d749eb2ef2e502e72940c946d5071aaa17129bf9d5fb4602
Instruction Fuzzy Hash: AE117BB600014ABBCF125E85CC85DEE3F62BF1C354F5A9416FE1868131C73AD9B2AB85

Uniqueness

Uniqueness Score: -1.00%

Function 0056C1DD Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0056C1F5
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0056C208
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0056C233
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0056C23B

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcess
String ID:
API String ID: 39102293-0
Opcode ID: 31c26421f554f15c0939451b800a281a23889b1b0ddeb7fdf58f0de6d1e0b633
Instruction ID: 36ceab62d03375c1ff1696ec48ba60e47cc744a04d2f5b48f5018b5427c49778
Opcode Fuzzy Hash: 31c26421f554f15c0939451b800a281a23889b1b0ddeb7fdf58f0de6d1e0b633
Instruction Fuzzy Hash: F20126B52402256BDA1053D49C5DF7BBF7CFB95795F000052FEC9C3291EE609D458671

Uniqueness

Uniqueness Score: -1.00%

Function 00589863 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0058987A

Part of subcall function 00589EB2: ___AdjustPointer.LIBCMT ref: 00589EFC

_UnwindNestedFrames.LIBCMT ref: 00589891
___FrameUnwindToState.LIBVCRUNTIME ref: 005898A3
CallCatchBlock.LIBVCRUNTIME ref: 005898C7

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: db6ad42773e523be555dbbeaff42508d93f9dc4f479c496ebb7000329e50d61e
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 6C01053200010AABDF12AF55CC05EEA3FBAFF89750F084514FD1876120C736E8619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0042FAAB Relevance: 6.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 0042FAB9

Part of subcall function 00435C3E: __set_error_mode.LIBCMT ref: 00435C40
Part of subcall function 00435C3E: __set_error_mode.LIBCMT ref: 00435C4D
Part of subcall function 00435C3E: __NMSG_WRITE.LIBCMT ref: 00435C65
Part of subcall function 00435C3E: __NMSG_WRITE.LIBCMT ref: 00435C6F

__NMSG_WRITE.LIBCMT ref: 0042FAC0

Part of subcall function 00435A6D: __set_error_mode.LIBCMT ref: 00435A9E
Part of subcall function 00435A6D: __set_error_mode.LIBCMT ref: 00435AAF
Part of subcall function 00435A6D: _strcpy_s.LIBCMT ref: 00435AE3
Part of subcall function 00435A6D: __invoke_watson.LIBCMT ref: 00435AF4
Part of subcall function 00435A6D: GetModuleFileNameA.KERNEL32(00000000,0046A8A9,00000104,?,?,00002000), ref: 00435B10
Part of subcall function 00435A6D: _strcpy_s.LIBCMT ref: 00435B25
Part of subcall function 00435A6D: __invoke_watson.LIBCMT ref: 00435B38
Part of subcall function 00435A6D: _strlen.LIBCMT ref: 00435B41
Part of subcall function 00435A6D: _strlen.LIBCMT ref: 00435B4E
Part of subcall function 00435A6D: __invoke_watson.LIBCMT ref: 00435B7B

Part of subcall function 0043157F: ___crtCorExitProcess.LIBCMT ref: 00431587
Part of subcall function 0043157F: ExitProcess.KERNEL32 ref: 00431590

HeapAlloc.KERNEL32(00000000,?), ref: 0042FAEC
HeapAlloc.KERNEL32(00000000,?), ref: 0042FB1C

Part of subcall function 0042FA5C: __lock.LIBCMT ref: 0042FA79
Part of subcall function 0042FA5C: ___sbh_alloc_block.LIBCMT ref: 0042FA84

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: __set_error_mode$__invoke_watson$AllocExitHeapProcess_strcpy_s_strlen$FileModuleName___crt___sbh_alloc_block__lock
String ID:
API String ID: 913549098-0
Opcode ID: 20a47c1bc0b3e505c4640fd5fbb8dac699cbe65c5832f50e0c64fbac4b9dec48
Instruction ID: c97f2a1aac4336ca4233bb19fb3288db2da53e8740355d76d5640405a136ac55
Opcode Fuzzy Hash: 20a47c1bc0b3e505c4640fd5fbb8dac699cbe65c5832f50e0c64fbac4b9dec48
Instruction Fuzzy Hash: 19F0CD31A406256AEA205B15FC41F673764EF14368F901036FC1DE62E1D7A9AC908A9D

Uniqueness

Uniqueness Score: -1.00%

Function 005693E3 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 005693F0
GetSystemMetrics.USER32(0000004D), ref: 005693F6
GetSystemMetrics.USER32(0000004E), ref: 005693FC
GetSystemMetrics.USER32(0000004F), ref: 00569402

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 6e39856485ed1501e7168f812fdd8b57f09975f632fc2d0b43b3c0f139507f3e
Instruction ID: db50abb709919332961a41ffcb23271754bd0292fb35d51fa04b3eee9c7b592c
Opcode Fuzzy Hash: 6e39856485ed1501e7168f812fdd8b57f09975f632fc2d0b43b3c0f139507f3e
Instruction Fuzzy Hash: 06F08CB1B043165BDB50EA658845A2AAED9FBD4260F10093EE2198B281EEB4DC068B81

Uniqueness

Uniqueness Score: -1.00%

Function 00436AF5 Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00436B01

Part of subcall function 00435303: __getptd_noexit.LIBCMT ref: 00435306
Part of subcall function 00435303: __amsg_exit.LIBCMT ref: 00435313

__getptd.LIBCMT ref: 00436B18
__amsg_exit.LIBCMT ref: 00436B26
__lock.LIBCMT ref: 00436B36

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 6797a9c7ad89f79179c35410063c93c7be1a48fe7305491068951a5592eb683d
Instruction ID: 69a392eba205855c063e8f8e15178e0c3a3eead262de5f737cc13f3cb72de6a7
Opcode Fuzzy Hash: 6797a9c7ad89f79179c35410063c93c7be1a48fe7305491068951a5592eb683d
Instruction Fuzzy Hash: 24F06231900711AAD610BB76840674DB7A06B08719F11A15FE441972D2DBACA901CF5E

Uniqueness

Uniqueness Score: -1.00%

Function 0042FC4D Relevance: 6.0, APIs: 4, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__IsNonwritableInCurrentImage.LIBCMT ref: 0042FC60

Part of subcall function 004359B0: __FindPESection.LIBCMT ref: 00435A0B

__getptd_noexit.LIBCMT ref: 0042FC70
__freeptd.LIBCMT ref: 0042FC7A
ExitThread.KERNEL32 ref: 0042FC83

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
String ID:
API String ID: 3182216644-0
Opcode ID: eb11f72c5c0a27ea54c39caa1cddff4bcdd230f116779656fea8b8d54851e959
Instruction ID: 7fb2935e2eb5082df97cbdfaa4370d91d3abcb1d53863283408d7954f040c305
Opcode Fuzzy Hash: eb11f72c5c0a27ea54c39caa1cddff4bcdd230f116779656fea8b8d54851e959
Instruction Fuzzy Hash: B5D01270140B055AD6142773ED1E71B36686B24766FD81077BC00901B2DF7CE88DC91E

Uniqueness

Uniqueness Score: -1.00%

Function 00405B10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405BEF
SetLastError.KERNEL32(00000008,?), ref: 00405C01

Strings

.\QHImageHlp.c, xrefs: 00405C11

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: ErrorLast_malloc
String ID: .\QHImageHlp.c
API String ID: 1018170914-3639949391
Opcode ID: 15c5622575b640bfbf16fac63390eca48eb95dedee77b54ee0b13ad915d23e3b
Instruction ID: cd3631b3a4313c074cd8665c0dc88d8e640489f143659dcbe8033afe21fc79ee
Opcode Fuzzy Hash: 15c5622575b640bfbf16fac63390eca48eb95dedee77b54ee0b13ad915d23e3b
Instruction Fuzzy Hash: 99419DB2A01705AFC724DF1DD880A96BBE4FF44314F84863ED84997311E77AE6298BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00405540 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00002000), ref: 004055FC

Strings

SetFilePointerEx(), xrefs: 00405606
.\QHImageHlp.c, xrefs: 0040557D, 00405610

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: FilePointer
String ID: .\QHImageHlp.c$SetFilePointerEx()
API String ID: 973152223-3914906174
Opcode ID: 2c843a153be4ab8f41abaeefdffeacd9e125d3a162f82d77d6fe0992c1cd8e6f
Instruction ID: af7915da689cad80124b57681fae3e82e07b953628dcdcdd22db9ddc04efbc6b
Opcode Fuzzy Hash: 2c843a153be4ab8f41abaeefdffeacd9e125d3a162f82d77d6fe0992c1cd8e6f
Instruction Fuzzy Hash: B731D5767003156BD720DE25EC80EAB7395EBC8B56F44443AFD08E7380EA79AD058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0055B748 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00584770: __onexit.LIBCMT ref: 00584776

__Init_thread_footer.LIBCMT ref: 0055B797

Strings

[End of clipboard], xrefs: 0055B7D9
[Text copied to clipboard], xrefs: 0055B7E6

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: 9cc285ef5fd6b6422a9091b1608de2aa8357c959f783a599e748e22fbf7e9791
Instruction ID: d5f4c4e0bd10c8eb6fb690d8d7a09b70fba56b90998bc89d0645c40950775c2d
Opcode Fuzzy Hash: 9cc285ef5fd6b6422a9091b1608de2aa8357c959f783a599e748e22fbf7e9791
Instruction Fuzzy Hash: E2217131A1050A5ADB14F774E8AA9EDBF79BF94312F40052AE90653192EF306E4ECB94

Uniqueness

Uniqueness Score: -1.00%

Function 005A1B37 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,005A1D92,?,00000050,?,?,?,?,?), ref: 005A1C12

Strings

ACP, xrefs: 005A1B55
OCP, xrefs: 005A1B8B

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 8811fd5b43106b835546d43f6f4e8332e5cb032c875dc247512665c51b7748f1
Instruction ID: f39b4d00daa2f49edc6ec51c0b2113ec263265e9edcf2293b5676385e1f805ac
Opcode Fuzzy Hash: 8811fd5b43106b835546d43f6f4e8332e5cb032c875dc247512665c51b7748f1
Instruction Fuzzy Hash: 8F212D22A44904A6D734DF64CA0179F7AAAFF52B71F558560E90AD7100F731DD40C378

Uniqueness

Uniqueness Score: -1.00%

Function 00405A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405A79

Part of subcall function 0042FB25: __FF_MSGBANNER.LIBCMT ref: 0042FB48
Part of subcall function 0042FB25: __NMSG_WRITE.LIBCMT ref: 0042FB4F
Part of subcall function 0042FB25: HeapAlloc.KERNEL32(00000000,?,00000000,?,?,?,00402AFA), ref: 0042FB9C

SetLastError.KERNEL32(00000008,?), ref: 00405A89

Strings

.\QHImageHlp.c, xrefs: 00405A99

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: AllocErrorHeapLast_malloc
String ID: .\QHImageHlp.c
API String ID: 485325758-3639949391
Opcode ID: 0f050a3acdf6a18f2331fc905689a8070437466b217d773e7a30d2c2608276d3
Instruction ID: 4491f1e142483b7a0147f93706028f95dcf45ea172aec906f31b60bdc4f22acb
Opcode Fuzzy Hash: 0f050a3acdf6a18f2331fc905689a8070437466b217d773e7a30d2c2608276d3
Instruction Fuzzy Hash: 8421C7B1B40B046BD360DF6AEC81B53F7E4FB44714F80453EE94A92741EB7AB1188B99

Uniqueness

Uniqueness Score: -1.00%

Function 0056663B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62sleepfilenetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00566640
URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 005666A2

Strings

!DU, xrefs: 00567089

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: DownloadFileSleep
String ID: !DU
API String ID: 1931167962-1239079615
Opcode ID: 200e7ac98cba2b81500d2df9f3ac766dad22654517fad868f35d5ded72eda8bc
Instruction ID: fd9f0548a96bdfca1711c3776bb7e2527ebdba8f69412328a0d614982c0b6bab
Opcode Fuzzy Hash: 200e7ac98cba2b81500d2df9f3ac766dad22654517fad868f35d5ded72eda8bc
Instruction Fuzzy Hash: F71151716086429ACB14FB70D8BAA7E7FA8BF94301F400C6EF84243092EF34990DC726

Uniqueness

Uniqueness Score: -1.00%

Function 0056B4EF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0056B509

Strings

%02i:%02i:%02i:%03i , xrefs: 0056B51E
| , xrefs: 0056B53C

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 458c4c6565c4d3050b7312f902efda8f703bab1afff49354336bc8cc5ce3f454
Instruction ID: 54ee092183cc8cfb45b0d0907a5300a9f4687ee7e6ed7fa035b83ce2f21689fa
Opcode Fuzzy Hash: 458c4c6565c4d3050b7312f902efda8f703bab1afff49354336bc8cc5ce3f454
Instruction Fuzzy Hash: 5B1151714082455AC304EB65E8699FEBFE8BF94341F50091FF896831D1EF24EA4DC766

Uniqueness

Uniqueness Score: -1.00%

Function 00408A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000008,BB40E64E,?,?,0046AFB0,0040BC07), ref: 00408A9D

Part of subcall function 00408A00: __CxxThrowException@8.LIBCMT ref: 00408A2C
Part of subcall function 00408A00: __CxxThrowException@8.LIBCMT ref: 00408A64
Part of subcall function 00408A00: __CxxThrowException@8.LIBCMT ref: 00408AD0

Strings

F:\WorkCode\Pub\360GPUBNew\dev\include\Interface\QHTL.h, xrefs: 00408AAD

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: Exception@8Throw$ErrorLast
String ID: F:\WorkCode\Pub\360GPUBNew\dev\include\Interface\QHTL.h
API String ID: 3499917866-3244885242
Opcode ID: 02cc4916ce66fc9f49ac957b759d5bf510f036ab9fdb672491d1735664b6ec29
Instruction ID: 8a3096ca1bbf558694c1877c0cbee3ffcdde9a91d7c3d9ee8e518dbb288f5ca6
Opcode Fuzzy Hash: 02cc4916ce66fc9f49ac957b759d5bf510f036ab9fdb672491d1735664b6ec29
Instruction Fuzzy Hash: 7901A2B1944708BFC700EB95CD41F6BB7BCFB48B14F60452EB514A2281E7B895048B66

Uniqueness

Uniqueness Score: -1.00%

Function 00408C29 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00408C3E
__snwprintf.LIBCMT ref: 00408CAD

Strings

%1d|%04hu-%02hu-%02hu|%02hu:%02hu:%02hu|%s|%d|%s|%s|%d|%s, xrefs: 00408C9C

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: __snwprintf_wcschr
String ID: %1d|%04hu-%02hu-%02hu|%02hu:%02hu:%02hu|%s|%d|%s|%s|%d|%s
API String ID: 1333472643-1296420124
Opcode ID: 352b012345a64a84e7e5e2f65a586d5f98df0d664cd4b9c6f40050a57f8bcf49
Instruction ID: 482bac71ccbccd4038da37c31077ade87015c13c61ee081a78d39986d3540162
Opcode Fuzzy Hash: 352b012345a64a84e7e5e2f65a586d5f98df0d664cd4b9c6f40050a57f8bcf49
Instruction Fuzzy Hash: 34110CB2210B10AAD720DB69DC45FB7B3F8EF8C701F00891EF69E86250E678A841C775

Uniqueness

Uniqueness Score: -1.00%

Function 0055B051 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0055B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0055B172
Part of subcall function 0055B164: wsprintfW.USER32 ref: 0055B1F3

Part of subcall function 0056B4EF: GetLocalTime.KERNEL32(00000000), ref: 0056B509

CloseHandle.KERNEL32(?), ref: 0055B0B4
UnhookWindowsHookEx.USER32 ref: 0055B0C7

Strings

Online Keylogger Stopped, xrefs: 0055B061, 0055B069, 0055B090

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 1be8d56b3abc9844feef70421900c59ccbbec8bb816eecb782390e9fbe0123bd
Instruction ID: 034ca8d3407fb7fd2ca4d8a6c7bf2a40b86e5d1cf923ef82b2e87746300ac254
Opcode Fuzzy Hash: 1be8d56b3abc9844feef70421900c59ccbbec8bb816eecb782390e9fbe0123bd
Instruction Fuzzy Hash: B701F535A002055BEB257B34C82F7BE7FB5BB82302F40045EE842035E2EB61285DD7D2

Uniqueness

Uniqueness Score: -1.00%

Function 005517EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(?,00000020,?,?,005C6B50,005C4EE0,?,00000000,00551A15), ref: 00551849
waveInAddBuffer.WINMM(?,00000020,?,00000000,00551A15), ref: 0055185F

Strings

XM\, xrefs: 005517F8

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: XM\
API String ID: 2315374483-3135539853
Opcode ID: ad51a3edfaf059b3dc4b546e00c92bb32bb98db263a30e667c68e1b81c332264
Instruction ID: 07e8570c631d764872c4403e773505761f016d1c563e5c5e6f03af8272d905d3
Opcode Fuzzy Hash: ad51a3edfaf059b3dc4b546e00c92bb32bb98db263a30e667c68e1b81c332264
Instruction Fuzzy Hash: F601AD71700A11AFD710AF25EC58E297FA9FFA9301B00012AF80AC3721EB715C19DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0043B2C5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00430A3C: __getptd.LIBCMT ref: 00430A42
Part of subcall function 00430A3C: __getptd.LIBCMT ref: 00430A52

__getptd.LIBCMT ref: 0043B2D4

Part of subcall function 00435303: __getptd_noexit.LIBCMT ref: 00435306
Part of subcall function 00435303: __amsg_exit.LIBCMT ref: 00435313

__getptd.LIBCMT ref: 0043B2E2

Strings

csm, xrefs: 0043B2F0

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 7355461b1db248cca9ced8da74d115863494b1204ec6fd7d3153c7297fa21868
Instruction ID: bd3a09f85d3860faa45ff0aba6a44e215a3c079e7dabb4cc9a01332ad76f74b8
Opcode Fuzzy Hash: 7355461b1db248cca9ced8da74d115863494b1204ec6fd7d3153c7297fa21868
Instruction Fuzzy Hash: 9D018630801315CACF38AF61D4507AFB3B4FF28319F24642FE885963A1CB788981CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00598AE6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,JY,00000000,00000001,?,?,00594AEA,?,?,005944CA,?,00000004), ref: 00598B32

Strings

IsValidLocaleName, xrefs: 00598AF7, 00598B01
JY, xrefs: 00598B29, 00598B16

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$JY
API String ID: 1901932003-3861476880
Opcode ID: be70a9d418664d2fac4710360ff295ac5f4d04aee4e0dc2a59fbbf1ef43ccebe
Instruction ID: 7929fbb8b1eaecb5f1b39f998425a35b055600882f6fc12515fb82a8cdf14540
Opcode Fuzzy Hash: be70a9d418664d2fac4710360ff295ac5f4d04aee4e0dc2a59fbbf1ef43ccebe
Instruction Fuzzy Hash: 87F0E270A81619F7CF106BA0DC0AFBDBF59FF66B51F000169FD056A290DE715E019798

Uniqueness

Uniqueness Score: -1.00%

Function 0055C4C3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0055C4F6

Strings

UserProfile, xrefs: 0055C4CA
\AppData\Local\Google\Chrome\, xrefs: 0055C4E0

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: 91fb42755a056660ad88b6e0f53aba617b9f7bfb5dad5c2e82b6aac551267e1b
Instruction ID: e4f8ffd3b5b2d66ac49955c87c81ed0d6869c1d7e7e44ab09de62c0c3ca5caa0
Opcode Fuzzy Hash: 91fb42755a056660ad88b6e0f53aba617b9f7bfb5dad5c2e82b6aac551267e1b
Instruction Fuzzy Hash: A9F05E3190021A9A8B04B7F49C6F8FF7F68BE90742B400427BD02A21C2EE64AD49C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 0055C526 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0055C559

Strings

UserProfile, xrefs: 0055C52D
\AppData\Local\Microsoft\Edge\, xrefs: 0055C543

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: 3054657c66870970dd8b6a404d144ac5ae13ddd68d5c9780029169559907187d
Instruction ID: b34e6182f3551401127fc263e4a3eb3ce2381ae3f124dd9acc62cc9dc6c67171
Opcode Fuzzy Hash: 3054657c66870970dd8b6a404d144ac5ae13ddd68d5c9780029169559907187d
Instruction Fuzzy Hash: ECF0543190021A9A8B14B7F4986B8EF7F6CBD90742B000427BD02521C2EE646989C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 0055C589 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0055C5BC

Strings

\Opera Software\Opera Stable\, xrefs: 0055C5A6
AppData, xrefs: 0055C590

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: cb833ec47f8ff1bffaea39d91243179c9dbed830e8a2b198e41d9d39022e669c
Instruction ID: 50028488f338f0a7585b1e48b9aeaf038dd65396f1336b9fa8e586cc1e0de776
Opcode Fuzzy Hash: cb833ec47f8ff1bffaea39d91243179c9dbed830e8a2b198e41d9d39022e669c
Instruction Fuzzy Hash: 34F05E31A0031A9A8B04F6F49C6F8EF7F68BD90702B400427BD06621D2EE64A989C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 004036C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004036CB

Strings

.\QHImageHlp.c, xrefs: 004036DF, 00403701
WriteFile(), xrefs: 004036D5

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: FileWrite
String ID: .\QHImageHlp.c$WriteFile()
API String ID: 3934441357-642506210
Opcode ID: 235889d1a65ddb66482a612ad4d7e918c2c37313952fb2fc37993eef172bfc64
Instruction ID: 202be2d2f577f9c48df27ca0d14b2a50dfdd427c70a255348a94a199852964d9
Opcode Fuzzy Hash: 235889d1a65ddb66482a612ad4d7e918c2c37313952fb2fc37993eef172bfc64
Instruction Fuzzy Hash: 61E092B67507003EF628A670AD97FA72648C784B47F20883FB145E55C2F9EC9900256A

Uniqueness

Uniqueness Score: -1.00%

Function 0055B646 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0055B64B

Part of subcall function 0055A3E0: GetForegroundWindow.USER32(?,?,005C50F0), ref: 0055A416
Part of subcall function 0055A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0055A422
Part of subcall function 0055A3E0: GetKeyboardLayout.USER32(00000000), ref: 0055A429
Part of subcall function 0055A3E0: GetKeyState.USER32(00000010), ref: 0055A433
Part of subcall function 0055A3E0: GetKeyboardState.USER32(?,?,005C50F0), ref: 0055A43E
Part of subcall function 0055A3E0: ToUnicodeEx.USER32(005C5144,?,?,?,00000010,00000000,00000000), ref: 0055A461
Part of subcall function 0055A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0055A4C1

Part of subcall function 0055A636: SetEvent.KERNEL32(?,?,00000000,0055B20A,00000000), ref: 0055A662

Strings

[AltL], xrefs: 0055B68D
[AltR], xrefs: 0055B681

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: 105421cb534a60379f181e9de87ccefa84a2ddeef5dc55516d56db40dac7afc9
Instruction ID: 0a8b3f7631ed10cd952b46ead10a8f4c3405dd70e88c57e223cb3975a42ac44a
Opcode Fuzzy Hash: 105421cb534a60379f181e9de87ccefa84a2ddeef5dc55516d56db40dac7afc9
Instruction Fuzzy Hash: 25E06D22700121139828323D693F6BD2E51AB82B52B82064FFC424B686DA9A4D0D43C3

Uniqueness

Uniqueness Score: -1.00%

Function 0059ECEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,0059EF75,?), ref: 0059ED17
GetACP.KERNEL32(00000000,?,?,0059EF75,?), ref: 0059ED2E

Strings

uY, xrefs: 0059ED05

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID:
String ID: uY
API String ID: 0-4107422020
Opcode ID: 338136177684fa6d622e4afc92cf8e20452fcd7ded20532c5c94d49a6b275141
Instruction ID: c3517d0a44e41f53b3355352759fcda2e6c56c6eb773fef61fa1f53823d7b8cb
Opcode Fuzzy Hash: 338136177684fa6d622e4afc92cf8e20452fcd7ded20532c5c94d49a6b275141
Instruction Fuzzy Hash: 92F0AF31400704DFDB20DB68DC89B687B71BB21335F244748E4358E9E1D7B19849DF81

Uniqueness

Uniqueness Score: -1.00%

Function 0056618A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 005661A8

Strings

open, xrefs: 005661A2
!DU, xrefs: 00567089

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: !DU$open
API String ID: 587946157-227320051
Opcode ID: 24c52c4c19e4530779d445c41990526949ece33a31e459d08bb298bf3366a06e
Instruction ID: 95122317e3fa0a09cb3a39b1dfb4b7d70eaeccbd2ebc92350d787ea0195b9264
Opcode Fuzzy Hash: 24c52c4c19e4530779d445c41990526949ece33a31e459d08bb298bf3366a06e
Instruction Fuzzy Hash: EFE06D712482065AC614EA70ECAAABA7F5CBF90352F400C2AB90642482EF30580C8625

Uniqueness

Uniqueness Score: -1.00%

Function 0055B6A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0055B6A5

Strings

[CtrlL], xrefs: 0055B6D3
[CtrlR], xrefs: 0055B6C2

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: ce2539aed282489aeaf38f27872e714e0b977109b8687ee7a329987e42b9470e
Instruction ID: d0f227f5452c5733cd706982b93f407db04d5663492f4270bbe10eb063b068e3
Opcode Fuzzy Hash: ce2539aed282489aeaf38f27872e714e0b977109b8687ee7a329987e42b9470e
Instruction Fuzzy Hash: 2FE0862170122117D924367D5A3F67D2E50BB52B52F41050FFC42875C5DE564D1853C2

Uniqueness

Uniqueness Score: -1.00%

Function 0055E79F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00584770: __onexit.LIBCMT ref: 00584776

__Init_thread_footer.LIBCMT ref: 00560F29

Strings

0k\, xrefs: 00560F31
,k\, xrefs: 00560F04

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: ,k\$0k\
API String ID: 1881088180-3847103375
Opcode ID: 4d6bbc8a9f410ed5c97c39151f97967dfab315e604d4c479aae594f9874038f3
Instruction ID: 40a3ffa0435c92f99a50e91438cded28740d4ca0ec46caf924ba0c240742976c
Opcode Fuzzy Hash: 4d6bbc8a9f410ed5c97c39151f97967dfab315e604d4c479aae594f9874038f3
Instruction Fuzzy Hash: 15E0DF31114D128EC228F328948AE5A3FD4BB59325B60152AF810E72C1CF62BD819B58

Uniqueness

Uniqueness Score: -1.00%

Function 00563A23 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0055D144,00000000,005C52D8,005C52F0,?,pth_unenc), ref: 00563A31
RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00563A45

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00563A2F

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: c3948b436a8e4fe105f9984aab6eb13edff2d9d8285fd66ef7e666115c4caeb3
Instruction ID: c0454e87042e52df65553d22cc64929d52d1a8f16e0ff79b1eadd5ee04f86428
Opcode Fuzzy Hash: c3948b436a8e4fe105f9984aab6eb13edff2d9d8285fd66ef7e666115c4caeb3
Instruction Fuzzy Hash: A1E0C23124421CBBEF104FB1DC0AFBA3B6CFB02B40F100298BA0692090C6628F08B660

Uniqueness

Uniqueness Score: -1.00%

Function 0055B869 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0055B876
RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0055B8A1

Strings

pth_unenc, xrefs: 0055B869

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: DeleteDirectoryFileRemove
String ID: pth_unenc
API String ID: 3325800564-4028850238
Opcode ID: 22ca88435987a3af62f9fc817c5c986ab2fec8829d5259b641b622fc50ef9bc3
Instruction ID: 3c331b27a23edb6f10be47f074e0514a7e97adbaf77f76f2b16ba38dc5ead96d
Opcode Fuzzy Hash: 22ca88435987a3af62f9fc817c5c986ab2fec8829d5259b641b622fc50ef9bc3
Instruction Fuzzy Hash: F5E08C7A110A225BCB10AB389C6CBD63B9CBF55312B00045BE89393511DF24AC0DD660

Uniqueness

Uniqueness Score: -1.00%

Function 00403750 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 0040375F

Strings

SetFilePointerEx(), xrefs: 00403769
.\QHImageHlp.c, xrefs: 00403773

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: FilePointer
String ID: .\QHImageHlp.c$SetFilePointerEx()
API String ID: 973152223-3914906174
Opcode ID: 71aa2a270ad45ce6d700e5ebd6e43204d34a3929848bd06162dfb3f87a5cca2d
Instruction ID: 8f8977cb2d0b4ccc0947b00c7427ef8ecbdd6a3768c7b386d57dae8b174c95d6
Opcode Fuzzy Hash: 71aa2a270ad45ce6d700e5ebd6e43204d34a3929848bd06162dfb3f87a5cca2d
Instruction Fuzzy Hash: CCD05EB87803003AE61097309D86F2B329897C8F07F14886D7544F15D0F9FCE8006619

Uniqueness

Uniqueness Score: -1.00%

Function 00403720 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32 ref: 00403722

Strings

GetFileSizeEx(), xrefs: 0040372C
.\QHImageHlp.c, xrefs: 00403736

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: FileSize
String ID: .\QHImageHlp.c$GetFileSizeEx()
API String ID: 3433856609-1331291865
Opcode ID: 0e9640600f9e4dc9bf96171d40720cf617bf7f8c4e8108b68e31724e6f487238
Instruction ID: 7fe57b970132a0c306ad1d3e9a418fe7e91df63075c9b023bc58e2ed1317afab
Opcode Fuzzy Hash: 0e9640600f9e4dc9bf96171d40720cf617bf7f8c4e8108b68e31724e6f487238
Instruction Fuzzy Hash: 92C08CE4B9070436EA2827311F8BF6721896790F0BF4488BA7900E15C2FEFEC400602B

Uniqueness

Uniqueness Score: -1.00%

Function 00403790 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32 ref: 00403791

Strings

SetEndOfFile(), xrefs: 0040379B
.\QHImageHlp.c, xrefs: 004037A5

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: File
String ID: .\QHImageHlp.c$SetEndOfFile()
API String ID: 749574446-4247281097
Opcode ID: 55f561706e4913504b1659c232cbceeeed4d33d718c83365b8535eeb1c4e46c9
Instruction ID: 7b9951fb71824a071ea30372aa77385de4241c8a4e0098c10b8b1c0498ba7ca4
Opcode Fuzzy Hash: 55f561706e4913504b1659c232cbceeeed4d33d718c83365b8535eeb1c4e46c9
Instruction Fuzzy Hash: 60C08CB4B8070126EA2076312E4BF2B20899BE4F47F8488BAB404F25C2F9FCC5005019

Uniqueness

Uniqueness Score: -1.00%

Function 00562850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,pth_unenc,0055F8C8), ref: 00562860
WaitForSingleObject.KERNEL32(000000FF), ref: 00562873

Strings

pth_unenc, xrefs: 00562850

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ObjectProcessSingleTerminateWait
String ID: pth_unenc
API String ID: 1872346434-4028850238
Opcode ID: 528699d59d53b29c1586698837dfa111184bde0f6fca63f1a977325572296d4e
Instruction ID: b7bcd0ec600fb6f9cab2cde5e0631598386c3291876c9d54ead2a182a9becddb
Opcode Fuzzy Hash: 528699d59d53b29c1586698837dfa111184bde0f6fca63f1a977325572296d4e
Instruction Fuzzy Hash: F7D01238189722BFD7350B64ED48F443B98AB36322F148205F422552F0C7A5442DFA20

Uniqueness

Uniqueness Score: -1.00%

Function 00590C91 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00551D55), ref: 00590D27
GetLastError.KERNEL32 ref: 00590D35
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00590D90

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: efa3e573b8d22aa6730b537cec99352a2ba145af2323927fbf0e5fe67080fe85
Instruction ID: a850119d4ae21dc4409c83e8ebbe061ba72125f3189a5d32e986579efb6da3b6
Opcode Fuzzy Hash: efa3e573b8d22aa6730b537cec99352a2ba145af2323927fbf0e5fe67080fe85
Instruction Fuzzy Hash: D141E435600316AFDF219FA5C8447AABFB8FF41310F249969F955AB2E1DB30AD41C790

Uniqueness

Uniqueness Score: -1.00%

Function 00561B5F Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00561EF0), ref: 00561B8C
IsBadReadPtr.KERNEL32(?,00000014,00561EF0), ref: 00561C58
SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00561C7A
SetLastError.KERNEL32(0000007E,00561EF0), ref: 00561C91

Memory Dump Source

Source File: 00000005.00000002.4576038274.0000000000550000.00000040.00000400.00020000.00000000.sdmp, Offset: 00550000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_550000_tu.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: c5eba0a3f530e5de7dd466025d9735105982b775cf3618d6f27b400017f85ce4
Instruction ID: 1ecff133f8826c01c52668ef3aa4f67f2776ed43b1c0df61279bc9ac487b96fd
Opcode Fuzzy Hash: c5eba0a3f530e5de7dd466025d9735105982b775cf3618d6f27b400017f85ce4
Instruction Fuzzy Hash: BB419B752447059FE7248F18DD84B3ABBE8FF48710F08482DE98A8B651EB31ED04DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00408950 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00408AFA,?,?,00000000,?,00403DA0,00403DA0,.\QHImageHlp.c,000000F9,SetFilePointerEx(),?,00403F3C,00000000), ref: 00408953
SetLastError.KERNEL32(00000000,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 00408960

Part of subcall function 00408380: GetLastError.KERNEL32(00000005,?,00065844,?,00408984,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040), ref: 00408395
Part of subcall function 00408380: SetLastError.KERNEL32(00000000,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 004083B9
Part of subcall function 00408380: GetLastError.KERNEL32(?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 004083DA
Part of subcall function 00408380: _wcsrchr.LIBCMT ref: 00408443
Part of subcall function 00408380: _wcsncpy.LIBCMT ref: 00408472

SetLastError.KERNEL32(?,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 00408999

Part of subcall function 00432DB5: __getptd_noexit.LIBCMT ref: 00432DB5

SetLastError.KERNEL32(?,?,?,?,?,?,00403F3C,00000000,00000000,00000CCC,00000040,?,00004000), ref: 004089DA

Memory Dump Source

Source File: 00000005.00000002.4570950134.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.4570408781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4572028478.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4573951122.0000000000467000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.4574149945.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tu.jbxd

Similarity

API ID: ErrorLast$__getptd_noexit_wcsncpy_wcsrchr
String ID:
API String ID: 2296084122-0
Opcode ID: 0d298b0919d4d87294302c951d50e0ecb365de6b4711658db1946db0a2c4a62c
Instruction ID: 0ce4ff69a4c326d3965e6ec2f1d0d00c710584094203b3b5be746183993221b1
Opcode Fuzzy Hash: 0d298b0919d4d87294302c951d50e0ecb365de6b4711658db1946db0a2c4a62c
Instruction Fuzzy Hash: 8B114FB56006009FC614EB99D9C09ABB3E9EBC8311F10482EF695D7351CB38EC45CBAA

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tu.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remcos\logs.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\json[1].json

C:\Users\user\Documents\ChromeUpdate\SentinelOne.exe

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
tu.exe

Function 00411F13 Relevance: 47.6, APIs: 1, Strings: 26, Instructions: 321
COMMON

Function 004124AF Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 293
memoryCOMMON

Function 0041236C Relevance: 23.1, APIs: 1, Strings: 12, Instructions: 314
memoryCOMMON

Function 00429B6A Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 292
memoryCOMMON

Function 00429A53 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 254
COMMON

Function 0042991A Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 222
memoryCOMMON

Function 00412583 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 371
memoryCOMMON

Function 0042B525 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 259
COMMON

Function 0041209C Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 231
COMMON

Function 0041213B Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 217
COMMON

Function 004120DD Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 216
COMMON

Function 00412151 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 207
COMMON

Function 00412341 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 205
COMMON

Function 00429A69 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 172
COMMON

Function 004298D2 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 164
memoryCOMMON

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre