Windows Analysis Report
615.exe

Overview

General Information

Sample name: 615.exe
(renamed file extension from none to exe)
Original sample name: 615
Analysis ID: 1428502
MD5: 9874f93464760f8b7962945950ec67ae
SHA1: 033f9854890961f9b962d088de8e3e84b0fd4018
SHA256: 615ee113e8a5df5c2ec5367dc89837881783a0f53303e16bc2a6228d9ffa9a15

Detection

NetWire
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: NetWire
Yara detected NetWire RAT
Yara detected Netwire RAT
Contains functionality to log keystrokes
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara signature match

Classification

  • System is w10x64
  • 615.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\615.exe" MD5: 9874F93464760F8B7962945950EC67AE)
  • cleanup
Name: NetWire RC, NetWire
Description: Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well. Keylog files are stored on the infected machine in an obfuscated form. The algorithm is: for i in range(0,num_read): buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF
Attribution: APT33
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire
No configs have been found
Source | Rule | Description | Author | Strings
615.exe | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security
615.exe | JoeSecurity_Netwire | Yara detected Netwire RAT | Joe Security
615.exe | Windows_Trojan_Netwire_1b43df38 | unknown | unknown
  • 0x171d8:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x17203:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x17d60:$a2: \Login Data
  • 0x17d91:$a2: \Login Data
  • 0x1702a:$a3: SOFTWARE\NetWire
615.exe | MAL_unspecified_Jan18_1 | Detects unspecified malware sample | Florian Roth
  • 0x170c0:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  • 0x1688b:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1
  • 0x171c8:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x168ee:$s4: start /b "" cmd /c del "%%~f0"&exit /b
  • 0x171fc:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x16f87:$s6: %s\%s.bat
  • 0x168b0:$s7: DEL /s "%s" >nul 2>&1
615.exe | netwire | detect netwire in memory | JPCERT/CC Incident Response Group
  • 0x1688b:$ping: ping 192.0.2.2
  • 0x171c8:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
Source | Rule | Description | Author | Strings
00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Netwire | Yara detected Netwire RAT | Joe Security
00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp | Windows_Trojan_Netwire_1b43df38 | unknown | unknown
  • 0xfd8:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0xe2a:$a3: SOFTWARE\NetWire
00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp | MAL_unspecified_Jan18_1 | Detects unspecified malware sample | Florian Roth
  • 0xec0:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  • 0x68b:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1
  • 0xfc8:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x6ee:$s4: start /b "" cmd /c del "%%~f0"&exit /b
  • 0xd87:$s6: %s\%s.bat
  • 0x6b0:$s7: DEL /s "%s" >nul 2>&1
00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp | netwire | detect netwire in memory | JPCERT/CC Incident Response Group
  • 0x68b:$ping: ping 192.0.2.2
  • 0xfc8:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp | Windows_Trojan_Netwire_1b43df38 | unknown | unknown
  • 0x3:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0xb60:$a2: \Login Data
  • 0xb91:$a2: \Login Data
Source | Rule | Description | Author | Strings
0.2.615.exe.400000.0.unpack | JoeSecurity_NetWire_1 | Yara detected NetWire RAT | Joe Security
0.2.615.exe.400000.0.unpack | JoeSecurity_Netwire | Yara detected Netwire RAT | Joe Security
0.2.615.exe.400000.0.unpack | Windows_Trojan_Netwire_1b43df38 | unknown | unknown
  • 0x171d8:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x17203:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x17d60:$a2: \Login Data
  • 0x17d91:$a2: \Login Data
  • 0x1702a:$a3: SOFTWARE\NetWire
0.2.615.exe.400000.0.unpack | MAL_unspecified_Jan18_1 | Detects unspecified malware sample | Florian Roth
  • 0x170c0:$s1: User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  • 0x1688b:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1
  • 0x171c8:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x168ee:$s4: start /b "" cmd /c del "%%~f0"&exit /b
  • 0x171fc:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
  • 0x16f87:$s6: %s\%s.bat
  • 0x168b0:$s7: DEL /s "%s" >nul 2>&1
0.2.615.exe.400000.0.unpack | netwire | detect netwire in memory | JPCERT/CC Incident Response Group
  • 0x1688b:$ping: ping 192.0.2.2
  • 0x171c8:$log: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]

            AV Detection

Source: Registry Key set | Author: Joe Security | Data: Details: MACRO, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\615.exe, ProcessId: 7428, TargetObject: HKEY_CURRENT_USER\SOFTWARE\NetWire\HostId

E-Banking Fraud

Source: Registry Key set | Author: Joe Security | Data: Details: MACRO, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\615.exe, ProcessId: 7428, TargetObject: HKEY_CURRENT_USER\SOFTWARE\NetWire\HostId

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: MACRO, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\615.exe, ProcessId: 7428, TargetObject: HKEY_CURRENT_USER\SOFTWARE\NetWire\HostId

Remote Access Functionality

Source: Registry Key set | Author: Joe Security | Data: Details: MACRO, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\615.exe, ProcessId: 7428, TargetObject: HKEY_CURRENT_USER\SOFTWARE\NetWire\HostId
            No Snort rule has matched


            AV Detection

Source: 615.exe | Avira: detected
Source: winsec.warii.club | Virustotal: Detection: 11%
Source: boa.eimaragon.org | Virustotal: Detection: 5%
Source: 615.exe | ReversingLabs: Detection: 91%
Source: 615.exe | Virustotal: Detection: 75%
Source: 615.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_0040F090 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_004101F0 CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_0040DEC0 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,LocalFree,RegQueryValueExA,RegQueryValueExA,RegQueryValueExA
Source: 615.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_004074C0 SetErrorMode,FindFirstFileA,FindNextFileA,FileTimeToSystemTime,FindClose
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_004080E0 GetFileAttributesA,SetErrorMode,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_004078A0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_004159E0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_0040FA80 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,strlen
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00407410 GetLogicalDriveStringsA,GetDriveTypeA
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 103.224.212.210:3303
Source: Joe Sandbox View | IP Address: 103.224.212.210
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 6 times)
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00407050 recv,WSAGetLastError
Source: unknown | DNS traffic detected: queries for: winsec.warii.club

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_0040AE80 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,GetKeyState (listed under 3 signatures)
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00413440 GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteDC,DeleteObject,free,GetDIBits,calloc,GetDIBits
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_0040B199 DefWindowProcA,RegisterRawInputDevices,GetRawInputData,malloc,GetRawInputData,PostQuitMessage

            System Summary

Source: 615.exe, type: SAMPLE | Matched rule: Windows_Trojan_Netwire_1b43df38 | Author: unknown
Source: 615.exe, type: SAMPLE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 615.exe, type: SAMPLE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 615.exe, type: SAMPLE | Matched rule: Detects NetWire RAT | Author: ditekSHen
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Netwire_1b43df38 | Author: unknown
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NetWire RAT | Author: ditekSHen
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Netwire_1b43df38 | Author: unknown
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NetWire RAT | Author: ditekSHen
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Netwire_1b43df38 | Author: unknown
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Netwire_1b43df38 | Author: unknown
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Netwire_1b43df38 | Author: unknown
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR | Matched rule: Windows_Trojan_Netwire_1b43df38 | Author: unknown
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00403861
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00405420
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00403497
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00403D10
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00403190
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00402D90
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_0040BE80
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00402FCC
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_004033D0
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_004113F0
Source: 615.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 615.exe, type: SAMPLE | Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 615.exe, type: SAMPLE | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 615.exe, type: SAMPLE | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 615.exe, type: SAMPLE | Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NetWire author = ditekSHen, description = Detects NetWire RAT
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR | Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/1
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00407130 SetErrorMode,GetLogicalDriveStringsA,GetDiskFreeSpaceExA,GetDriveTypeA,GetVolumeInformationA
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00402720 CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next
Source: C:\Users\user\Desktop\615.exe | Mutant created: \Sessions\1\BaseNamedObjects\-
Source: 615.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\615.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 615.exe | ReversingLabs: Detection: 91%
Source: 615.exe | Virustotal: Detection: 75%
Source: C:\Users\user\Desktop\615.exe | Sections loaded: apphelp.dll, netapi32.dll, netutils.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, uxtheme.dll, fwpuclnt.dll, rasadhlp.dll
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00409270 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc,malloc,malloc,malloc
Source: 615.exe | Static PE information: real checksum: 0x24fd8 should be: 0x23ab4

            Malware Analysis System Evasion

Source: C:\Users\user\Desktop\615.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_0-8531)
Source: C:\Users\user\Desktop\615.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_0-8531)
Source: C:\Users\user\Desktop\615.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_0-8740)
Source: C:\Users\user\Desktop\615.exe | Evasive API call chain: GetLocalTime,DecisionNodes (graph_0-8877)
Source: C:\Users\user\Desktop\615.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_0-8648)
Source: C:\Users\user\Desktop\615.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_0-8525)
Source: C:\Users\user\Desktop\615.exe | API coverage: 4.0 %
Source: C:\Users\user\Desktop\615.exe TID: 7432 | Thread sleep time: -750000s >= -30000s
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_004074C0 SetErrorMode,FindFirstFileA,FindNextFileA,FileTimeToSystemTime,FindClose
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_004080E0 GetFileAttributesA,SetErrorMode,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_004078A0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_004159E0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_0040FA80 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,strlen
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00407410 GetLogicalDriveStringsA,GetDriveTypeA
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00415150 GetVersionExA,GetSystemMetrics,GetVersionExA,GetSystemInfo
Source: C:\Users\user\Desktop\615.exe | Thread delayed: delay time: 75000
Source: 615.exe, 00000000.00000002.2908644268.000000000069E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll::.
Source: C:\Users\user\Desktop\615.exe | API call chain: ExitProcess graph end node (graph_0-8495)
Source: C:\Users\user\Desktop\615.exe | API call chain: ExitProcess graph end node (graph_0-8454)
Source: C:\Users\user\Desktop\615.exe | API call chain: ExitProcess graph end node (graph_0-8426)
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00409270 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,malloc,malloc,malloc,malloc,malloc,malloc,malloc
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_004138D0 keybd_event
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00413900 SetCursorPos,mouse_event,mouse_event,mouse_event
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_004090E9 GetSystemTime
Source: C:\Users\user\Desktop\615.exe | Code function: 0_2_00415150 GetVersionExA,GetSystemMetrics,GetVersionExA,GetSystemInfo

            Remote Access Functionality

Source: Yara match | File source: 615.exe, type: SAMPLE
Source: Yara match | File source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR
Source: Yara match | File source: 615.exe, type: SAMPLE
Source: Yara match | File source: 0.2.615.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.615.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 615.exe PID: 7428, type: MEMORYSTR
            MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the report's hit count for that technique)

            Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
            Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
            Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
            Execution: 13 Native API, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
            Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
            Privilege Escalation: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
            Defense Evasion: 11 Virtualization/Sandbox Evasion, 1 DLL Side-Loading, Obfuscated Files or Information, Binary Padding, Software Packing, Steganography
            Credential Access: 131 Input Capture, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
            Discovery: 1 System Time Discovery, 1 Security Software Discovery, 11 Virtualization/Sandbox Evasion, 1 Process Discovery, 2 File and Directory Discovery, 5 System Information Discovery
            Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
            Collection: 1 Screen Capture, 131 Input Capture, 1 Archive Collected Data, Input Capture, Keylogging, GUI Input Capture
            Command and Control: 2 Encrypted Channel, 1 Non-Standard Port, 1 Ingress Tool Transfer, 1 Non-Application Layer Protocol, 1 Application Layer Protocol, Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
            Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
            Source | Detection | Scanner | Label
            615.exe | 91% | ReversingLabs | Win32.Backdoor.NetWired
            615.exe | 75% | Virustotal |
            615.exe | 100% | Avira | TR/Spy.Gen
            615.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            winsec.warii.club | 11% | Virustotal |
            boa.eimaragon.org | 5% | Virustotal |
            No Antivirus matches
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            winsec.warii.club | 103.224.212.210 | true | false | | unknown
            boa.eimaragon.org | unknown | unknown | true | | unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            103.224.212.210 | winsec.warii.club | Australia | 133618 | TRELLIAN-AS-AP Trellian Pty Limited AU | false
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1428502
            Start date and time:2024-04-19 03:32:15 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 4m 5s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed:5
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:615.exe
            (renamed file extension from none to exe)
            Original Sample Name:615
            Detection:MAL
            Classification:mal100.troj.spyw.evad.winEXE@1/0@6/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 13
            • Number of non-executed functions: 87
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes were analyzed; the report is missing behavior information
            Time | Type | Description
            03:33:26 | API Interceptor | 10x Sleep call for process: 615.exe modified
            Match: 103.224.212.210
            Associated Sample Name / URL | Detection | Threat Name | Context
            SecuriteInfo.com.FileRepMalware.26858.3313.exe | malicious | Unknown | www.aiweier.co/
            spug64.exe | malicious | Simda Stealer | lyxynyx.com/login.php
            20231218_010.doc | malicious | FormBook | www.amandaastburyillustration.com/4hc5/?2dol=yvahf&2dtL=gSDqYev5uB8qm0R0Aouvifh3Cjr1gIeW+4bMYqB5qKJQNZeIGRdjZcI6mS3zTVuhq3kEXQ==
            mZoYf6Nezj.exe | malicious | FormBook | www.bitxhesgiels.com/o07d/?txo8=6Tn9hzt6MXKUShX9vOOe9EkX4ZtpRzFJEKa4IfNm1uu2kZutT2Vad7d+2GiObgZelT3B&qPF=XvDXfbThHJLxaDup
            GCeHcfCef8.exe | malicious | FormBook | www.nightoracle.com/rs10/?s0=SxqHGPQdBS+BYer8hqwa4D8rXi7vUXAn+pZ+h1ux2Xs7o9rzQOK5UHTSqPoHiKM2C6Px&CB_=7nEpdJs
            3Fip115gvy.exe | malicious | FormBook | www.amandaastburyillustration.com/4hc5/?5j=tFNxItah5B1Ppp8&1bYL=gSDqYeuNyx9e7kEHeYuvifh3Cjr1gIeW+4DcEpd4uqJRNoyOBBMvPYw4l031L02pmBQlOudiow==
            jU0hAXFL0k.exe | malicious | FormBook, GuLoader | www.nightoracle.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=SxqHGPQaAl7yFZn58Kwa4D8rXi7vUXAn+pZ+h1ux2Xs7o9rzQOK5UHTSqMwI3eALG/2g
            DHL-081023.exe | malicious | FormBook | www.joeysdoor.com/hesf/?APG0=swh0B3mpDGfIoIkFkBMBaZWoEXPEWkdnCE+a2KvQ5fM7xuJWfY5mF8tuq1PLwLxVobF5&MPkP=tV98bPH
            No context
            Match: TRELLIAN-AS-AP Trellian Pty Limited AU
            Associated Sample Name / URL | Detection | Threat Name | Context
            http://www.outdooradventuresinc.com | malicious | Unknown | 103.224.182.238
            https://rxplusmart.su/ | malicious | Unknown | 103.224.212.214
            http://www.outdooradventuresinc.com | malicious | Unknown | 103.224.182.238
            HTTP://PEPJOB.COM/JOBSEEKERS/TOOLS/VALUESTEST.HTM | malicious | Unknown | 103.224.182.240
            Dokument-99373.exe | malicious | FormBook, PureLog Stealer | 103.224.212.217
            http://pepjob.com/jobseekers/tools/valuestest.htm | malicious | Unknown | 103.224.182.240
            http://engcabs.com | malicious | Unknown | 103.224.182.242
            http://rfq.engcabs.com | malicious | Unknown | 103.224.182.242
            http://dinnza.com | malicious | Unknown | 103.224.182.206
            No context
            No context
            No created / dropped files found
            File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
            Entropy (8bit):6.207843568325573
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.94%
            • Win16/32 Executable Delphi generic (2074/23) 0.02%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:615.exe
            File size:109'056 bytes
            MD5:9874f93464760f8b7962945950ec67ae
            SHA1:033f9854890961f9b962d088de8e3e84b0fd4018
            SHA256:615ee113e8a5df5c2ec5367dc89837881783a0f53303e16bc2a6228d9ffa9a15
            SHA512:bb58b8ac0bf956b04aea2d2a54c7e8149d7b0958c69574dfff44c4cdda671c62db78fd6c1a6a66544edd92a1eb6049f0a44b3d9fa953ee595a74bb318db517f3
            SSDEEP:3072:ROzIy5XGViztldWl88Yed2DQuIAQvQ+d0aYiRX:Ro2ViztvWlvd2UuIAQvQ+yFiR
            TLSH:11B3F905E98BA0F6FE0F1C7092DBFBFF46399904C234CE62CF54AD82EA63D1A1149655
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......].................^...H...h..p%.......p....@..........................P.......O........ .........................;..
            Icon Hash:90cececece8e8eb0
            Entrypoint:0x402570
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
            DLL Characteristics:NX_COMPAT
            Time Stamp:0x5D1D1514 [Wed Jul 3 20:50:28 2019 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:844b1e992f862088369589b7cf91ba21
            Instruction
            push ebp
            push edi
            mov eax, 0003003Ch
            push esi
            push ebx
            call 00007FD598E4DBC7h
            sub esp, eax
            lea esi, dword ptr [esp+28h]
            lea ebx, dword ptr [esp+2Ch]
            lea edi, dword ptr [esp+30h]
            call 00007FD598E3DB74h
            call 00007FD598E486AFh
            call 00007FD598E3AFCAh
            call 00007FD598E4CBC5h
            call 00007FD598E41140h
            call 00007FD598E4152Bh
            mov dword ptr [esp+2Ch], FFFFFFFFh
            mov eax, FFFFFFFFh
            mov esi, esi
            lea edi, dword ptr [edi+00000000h]
            mov dword ptr [esp+08h], 00000004h
            mov dword ptr [esp+04h], esi
            mov dword ptr [esp], eax
            mov dword ptr [esp+28h], 00000000h
            call 00007FD598E3E339h
            test al, al
            je 00007FD598E398F2h
            mov edx, dword ptr [esp+28h]
            test edx, edx
            je 00007FD598E398DBh
            mov eax, dword ptr [esp+2Ch]
            cmp eax, dword ptr [00417738h]
            je 00007FD598E39948h
            cmp edx, 3Fh
            jne 00007FD598E3980Dh
            mov dword ptr [esp+08h], edx
            mov dword ptr [esp+04h], edi
            mov dword ptr [esp], eax
            call 00007FD598E3E300h
            test al, al
            je 00007FD598E39916h
            mov eax, dword ptr [esp+28h]
            cmp eax, 0002FFFFh
            jnbe 00007FD598E39857h
            mov byte ptr [esp+eax+30h], 00000000h
            movzx edx, byte ptr [esp+30h]
            mov ecx, dword ptr [esp+2Ch]
            mov dword ptr [eax+eax+00h], ecx
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x21000 | 0x3b | .edata
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x22000 | 0x11b0 | .idata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24000 | 0xdec | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2233c | 0x274 | .idata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x15dcc | 0x15e00 | c6b6d9411a8bc82f53e522b0cd6da0fb | False | 0.48238839285714286 | data | 5.921692220951306 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .data | 0x17000 | 0x24d4 | 0x2600 | 7508407bf5be1a285da6f8f56ce4fc06 | False | 0.5080180921052632 | data | 6.314040202718458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .bss | 0x1a000 | 0x6684 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .edata | 0x21000 | 0x3b | 0x200 | 9a4517026c115594c09ef8e00da685c9 | False | 0.1015625 | data | 0.6479056982136152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
            .idata | 0x22000 | 0x11b0 | 0x1200 | 8157ae3b9db0eca635677e13ddd59aef | False | 0.4075520833333333 | data | 5.321807895962128 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .reloc | 0x24000 | 0xdec | 0xe00 | b1b91cf5c39d821e79f2411effcbd8c1 | False | 0.8512834821428571 | data | 6.6542093802199584 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            DLL | Import
            ADVAPI32.DLL | CryptAcquireContextA, CryptCreateHash, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptReleaseContext, RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyExA, RegEnumValueA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA
            CRYPT32.DLL | CryptUnprotectData
            GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDIBits, SelectObject
            KERNEL32.dll | CloseHandle, CreateDirectoryA, CreateFileA, CreateMutexA, CreatePipe, CreateProcessA, CreateToolhelp32Snapshot, DeleteFileA, EnterCriticalSection, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetComputerNameA, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetFileAttributesA, GetFileAttributesExA, GetLastError, GetLocalTime, GetLogicalDriveStringsA, GetModuleFileNameA, GetProcAddress, GetProcessTimes, GetStartupInfoA, GetSystemInfo, GetSystemTime, GetTickCount, GetVersionExA, GetVolumeInformationA, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LocalFree, MoveFileA, OpenProcess, PeekNamedPipe, Process32First, Process32Next, ReadFile, ReleaseMutex, ResumeThread, SetErrorMode, SetFileAttributesA, SetFilePointer, Sleep, TerminateProcess, WideCharToMultiByte, WriteFile
            msvcrt.dll | _beginthreadex, _filelengthi64, _vscprintf, _vsnprintf, calloc, fclose, fflush, fgetpos, fgets, fopen, fread, free, fsetpos, fwrite, getenv, malloc, memcpy, realloc, sprintf, strchr, strlen
            NETAPI32.DLL | NetApiBufferFree, NetWkstaGetInfo
            SHELL32.DLL | SHFileOperationA, ShellExecuteA
            USER32.dll | CreateWindowExA, DefWindowProcA, DispatchMessageA, EnumWindows, GetDC, GetDesktopWindow, GetForegroundWindow, GetKeyNameTextA, GetKeyState, GetKeyboardState, GetLastInputInfo, GetMessageA, GetSystemMetrics, GetWindowTextA, IsWindowVisible, MapVirtualKeyA, PostQuitMessage, RegisterClassExA, ReleaseDC, SendMessageA, SetCursorPos, SetWindowTextA, ShowWindow, ToAscii, TranslateMessage, keybd_event, mouse_event
            WS2_32.dll | WSACleanup, WSAGetLastError, WSAIoctl, WSAStartup, __WSAFDIsSet, closesocket, connect, gethostbyname, gethostname, htons, inet_ntoa, ioctlsocket, ntohs, recv, select, send, setsockopt, shutdown, socket
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Apr 19, 2024 03:33:06.861501932 CEST | 49730 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:33:07.863689899 CEST | 49730 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:33:09.863578081 CEST | 49730 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:33:13.863715887 CEST | 49730 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:33:21.863662958 CEST | 49730 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:33:28.208256006 CEST | 49736 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:33:29.223145008 CEST | 49736 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:33:31.224575043 CEST | 49736 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:33:35.238893986 CEST | 49736 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:33:43.238728046 CEST | 49736 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:33:49.742217064 CEST | 49737 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:33:50.754254103 CEST | 49737 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:33:52.754312038 CEST | 49737 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:33:56.754331112 CEST | 49737 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:34:04.754296064 CEST | 49737 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:34:11.114381075 CEST | 49739 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:34:12.120085955 CEST | 49739 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:34:14.129290104 CEST | 49739 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:34:18.145104885 CEST | 49739 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:34:26.160553932 CEST | 49739 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:34:32.505042076 CEST | 49740 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:34:33.519956112 CEST | 49740 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:34:35.535702944 CEST | 49740 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:34:39.535572052 CEST | 49740 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:34:47.535610914 CEST | 49740 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:34:53.880271912 CEST | 49741 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:34:54.895122051 CEST | 49741 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:34:56.910878897 CEST | 49741 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:35:00.910621881 CEST | 49741 | 3303 | 192.168.2.4 | 103.224.212.210
            Apr 19, 2024 03:35:08.910850048 CEST | 49741 | 3303 | 192.168.2.4 | 103.224.212.210
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Apr 19, 2024 03:33:06.629522085 CEST | 63733 | 53 | 192.168.2.4 | 1.1.1.1
            Apr 19, 2024 03:33:06.857866049 CEST | 53 | 63733 | 1.1.1.1 | 192.168.2.4
            Apr 19, 2024 03:33:27.973505974 CEST | 55364 | 53 | 192.168.2.4 | 1.1.1.1
            Apr 19, 2024 03:33:28.091346979 CEST | 53 | 55364 | 1.1.1.1 | 192.168.2.4
            Apr 19, 2024 03:33:49.364428997 CEST | 64540 | 53 | 192.168.2.4 | 1.1.1.1
            Apr 19, 2024 03:33:49.624085903 CEST | 53 | 64540 | 1.1.1.1 | 192.168.2.4
            Apr 19, 2024 03:34:10.879933119 CEST | 57990 | 53 | 192.168.2.4 | 1.1.1.1
            Apr 19, 2024 03:34:10.999699116 CEST | 53 | 57990 | 1.1.1.1 | 192.168.2.4
            Apr 19, 2024 03:34:32.270709991 CEST | 60097 | 53 | 192.168.2.4 | 1.1.1.1
            Apr 19, 2024 03:34:32.389497042 CEST | 53 | 60097 | 1.1.1.1 | 192.168.2.4
            Apr 19, 2024 03:34:53.645585060 CEST | 62262 | 53 | 192.168.2.4 | 1.1.1.1
            Apr 19, 2024 03:34:53.763577938 CEST | 53 | 62262 | 1.1.1.1 | 192.168.2.4
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Apr 19, 2024 03:33:06.629522085 CEST | 192.168.2.4 | 1.1.1.1 | 0xe5b | Standard query (0) | winsec.warii.club | A (IP address) | IN (0x0001) | false
            Apr 19, 2024 03:33:27.973505974 CEST | 192.168.2.4 | 1.1.1.1 | 0xafc | Standard query (0) | boa.eimaragon.org | A (IP address) | IN (0x0001) | false
            Apr 19, 2024 03:33:49.364428997 CEST | 192.168.2.4 | 1.1.1.1 | 0x32e0 | Standard query (0) | boa.eimaragon.org | A (IP address) | IN (0x0001) | false
            Apr 19, 2024 03:34:10.879933119 CEST | 192.168.2.4 | 1.1.1.1 | 0xfc94 | Standard query (0) | boa.eimaragon.org | A (IP address) | IN (0x0001) | false
            Apr 19, 2024 03:34:32.270709991 CEST | 192.168.2.4 | 1.1.1.1 | 0x7df2 | Standard query (0) | boa.eimaragon.org | A (IP address) | IN (0x0001) | false
            Apr 19, 2024 03:34:53.645585060 CEST | 192.168.2.4 | 1.1.1.1 | 0x86b7 | Standard query (0) | boa.eimaragon.org | A (IP address) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Apr 19, 2024 03:33:06.857866049 CEST | 1.1.1.1 | 192.168.2.4 | 0xe5b | No error (0) | winsec.warii.club | | 103.224.212.210 | A (IP address) | IN (0x0001) | false
            Apr 19, 2024 03:33:28.091346979 CEST | 1.1.1.1 | 192.168.2.4 | 0xafc | Name error (3) | boa.eimaragon.org | none | none | A (IP address) | IN (0x0001) | false
            Apr 19, 2024 03:33:49.624085903 CEST | 1.1.1.1 | 192.168.2.4 | 0x32e0 | Name error (3) | boa.eimaragon.org | none | none | A (IP address) | IN (0x0001) | false
            Apr 19, 2024 03:34:10.999699116 CEST | 1.1.1.1 | 192.168.2.4 | 0xfc94 | Name error (3) | boa.eimaragon.org | none | none | A (IP address) | IN (0x0001) | false
            Apr 19, 2024 03:34:32.389497042 CEST | 1.1.1.1 | 192.168.2.4 | 0x7df2 | Name error (3) | boa.eimaragon.org | none | none | A (IP address) | IN (0x0001) | false
            Apr 19, 2024 03:34:53.763577938 CEST | 1.1.1.1 | 192.168.2.4 | 0x86b7 | Name error (3) | boa.eimaragon.org | none | none | A (IP address) | IN (0x0001) | false

            Target ID:0
            Start time:03:33:05
            Start date:19/04/2024
            Path:C:\Users\user\Desktop\615.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\615.exe"
            Imagebase:0x400000
            File size:109'056 bytes
            MD5 hash:9874F93464760F8B7962945950EC67AE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Netwire, Description: Yara detected Netwire RAT, Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Netwire_1b43df38, Description: unknown, Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, Author: unknown
            • Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, Author: Florian Roth
            • Rule: netwire, Description: detect netwire in memory, Source: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: Windows_Trojan_Netwire_1b43df38, Description: unknown, Source: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp, Author: unknown
            • Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Netwire, Description: Yara detected Netwire RAT, Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Netwire_1b43df38, Description: unknown, Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, Author: unknown
            • Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, Author: Florian Roth
            • Rule: netwire, Description: detect netwire in memory, Source: 00000000.00000000.1656153629.0000000000417000.00000008.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low
            Has exited:false

              Execution Graph

              Execution Coverage:2.1%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:23.1%
              Total number of Nodes:615
              Total number of Limit Nodes:18
9971 408df0 _vsnprintf 9970->9971 9972 41546d 9971->9972 9973 411a90 6 API calls 9972->9973 9974 41548d 9973->9974 9975 415150 9974->9975 9976 414810 9975->9976 9977 415184 GetVersionExA 9976->9977 9978 415251 GetVersionExA 9977->9978 9979 4151a1 9977->9979 9978->9979 9995 41526c 9978->9995 9980 408df0 _vsnprintf 9979->9980 9981 4151ad 9980->9981 9982 408df0 _vsnprintf 9981->9982 9983 4151bb 9982->9983 10027 408bd0 LoadLibraryA 9983->10027 9985 4151c3 10028 408bf0 GetProcAddress 9985->10028 9987 4151cf 9988 4152d1 GetSystemInfo 9987->9988 9989 4151d7 9987->9989 9988->9989 9990 415280 9989->9990 9992 415210 9989->9992 9989->9995 10029 4150f0 NetWkstaGetInfo 9990->10029 9994 415238 GetSystemMetrics 9992->9994 9992->9995 9993 4150f0 2 API calls 9993->9995 9994->9995 9995->9928 9998 408df0 _vsnprintf 9997->9998 9999 4153dc 9998->9999 10032 408bd0 LoadLibraryA 9999->10032 10001 4153ea 10033 408bf0 GetProcAddress 10001->10033 10003 4153f6 10003->9932 10005 408df0 _vsnprintf 10004->10005 10006 4154d0 10005->10006 10034 408bd0 LoadLibraryA 10006->10034 10008 4154de 10035 408bf0 GetProcAddress 10008->10035 10010 4154ea 10011 408df0 _vsnprintf 10010->10011 10012 4154f8 10011->10012 10036 408bd0 LoadLibraryA 10012->10036 10014 415506 10037 408bf0 GetProcAddress 10014->10037 10016 415512 10017 408df0 _vsnprintf 10016->10017 10018 415520 10017->10018 10038 408bd0 LoadLibraryA 10018->10038 10020 41552e 10039 408bf0 GetProcAddress 10020->10039 10022 41553a 10022->9940 10023->9954 10024->9958 10026 414825 10025->10026 10026->9966 10026->10026 10027->9985 10028->9987 10030 415120 NetApiBufferFree 10029->10030 10031 415146 10029->10031 10030->10031 10031->9993 10031->9995 10032->10001 10033->10003 10034->10008 10035->10010 10036->10014 10037->10016 10038->10020 10039->10022 8408 402570 8409 40257e 8408->8409 8424 4068b0 WSAStartup 8409->8424 8411 402591 8427 4113f0 GetTickCount GetCurrentProcessId GetCurrentThreadId 8411->8427 8413 402596 8428 409e90 8413->8428 8417 406900 shutdown 
closesocket 8418 4025aa 8417->8418 8418->8417 8420 4070c0 18 API calls 8418->8420 8423 408b20 Sleep 8418->8423 8497 401000 8418->8497 8503 406c10 8418->8503 8510 40b840 8418->8510 8420->8418 8423->8418 8425 4068d1 InitializeCriticalSection 8424->8425 8426 4068e7 ExitProcess 8424->8426 8425->8411 8427->8413 8520 409d40 8428->8520 8430 409ea1 malloc 8432 409ed1 8430->8432 8431 409f35 strlen 8431->8432 8432->8431 8433 409f4f malloc 8432->8433 8433->8432 8434 409f6f 8433->8434 8522 408ba0 8434->8522 8436 4025a5 8439 40a280 8436->8439 8437 409fb0 malloc 8438 409f7c 8437->8438 8438->8436 8438->8437 8525 408880 GetModuleFileNameA 8439->8525 8441 40a29d 8442 40a2a1 8441->8442 8527 414a90 8441->8527 8442->8418 8444 40a2e3 8445 40a4a0 8444->8445 8446 40a2fb 8444->8446 8576 409af0 8445->8576 8531 409cb0 CreateMutexA 8446->8531 8451 40a300 8454 40a3b8 ExitProcess 8451->8454 8477 40a308 8451->8477 8452 40a2cf 8452->8444 8455 40a410 8452->8455 8548 407e30 GetFileAttributesA 8452->8548 8552 407eb0 GetFileAttributesA 8452->8552 8554 408b20 Sleep 8452->8554 8555 4086e0 strlen 8455->8555 8459 40a5e5 8459->8418 8460 40a59e 8462 408df0 _vsnprintf 8460->8462 8461 40a418 8461->8444 8561 407f10 fopen 8461->8561 8463 40a5af 8462->8463 8466 4119d0 4 API calls 8463->8466 8465 40a520 8594 408df0 8465->8594 8467 40a5d3 8466->8467 8602 409270 8467->8602 8470 40a42c 8470->8444 8473 40a5ea 8470->8473 8474 40a44c 8470->8474 8471 40a500 fopen 8471->8465 8478 4142b0 _vsnprintf 8473->8478 8485 407eb0 GetFileAttributesA 8474->8485 8476 4142b0 _vsnprintf 8479 40a572 8476->8479 8477->8460 8477->8465 8477->8467 8477->8471 8480 40a4b0 8477->8480 8481 40a384 8477->8481 8482 40a60d 8478->8482 8483 408df0 _vsnprintf 8479->8483 8484 414a90 getenv 8480->8484 8534 40a0f0 8481->8534 8482->8482 8487 40a57e 8483->8487 8488 40a4cf 8484->8488 8489 40a473 8485->8489 8599 4119d0 RegCreateKeyExA 8487->8599 8591 408b40 _beginthreadex 8488->8591 8489->8444 8492 40a47b 8489->8492 8490 40a390 8490->8418 8575 407d00 
ShellExecuteA 8492->8575 8495 40a48f ExitProcess 8495->8445 8498 40101d 8497->8498 8500 401063 8498->8500 8684 4159b0 8498->8684 8501 401073 8500->8501 8688 408b20 Sleep 8500->8688 8501->8418 8505 406c14 8503->8505 8506 406c2d 8505->8506 8689 406940 8505->8689 8719 408b20 Sleep 8505->8719 8711 4060e0 8506->8711 8508 406c3f 8508->8418 8511 40b869 8510->8511 8720 40b7a0 strlen 8511->8720 8513 40b950 8515 406900 2 API calls 8513->8515 8514 40b891 8514->8513 8517 40b8f2 8514->8517 8516 40b95a 8515->8516 8516->8418 8722 406d60 8517->8722 8521 409d63 8520->8521 8521->8430 8523 408bb6 8522->8523 8524 408bae free 8522->8524 8523->8438 8524->8523 8526 4088a8 8525->8526 8526->8441 8528 414b0c 8527->8528 8529 414aae 8527->8529 8528->8452 8529->8528 8530 414cde getenv 8529->8530 8530->8529 8532 409ce2 GetLastError 8531->8532 8533 409cef 8531->8533 8532->8533 8533->8451 8535 40a115 8534->8535 8647 411a90 RegOpenKeyExA 8535->8647 8538 40a145 8541 40a233 8538->8541 8655 408fc0 8538->8655 8539 411a90 6 API calls 8539->8538 8541->8490 8542 40a164 8543 4119d0 4 API calls 8542->8543 8544 40a1ed 8543->8544 8545 40a1f1 8544->8545 8546 4119d0 4 API calls 8544->8546 8545->8490 8547 40a268 8546->8547 8547->8490 8549 407e48 8548->8549 8550 407e4c DeleteFileA 8548->8550 8549->8550 8551 407e61 SetFileAttributesA 8549->8551 8550->8452 8551->8550 8553 407ecb 8552->8553 8553->8452 8554->8452 8556 4086ff 8555->8556 8557 408710 8555->8557 8556->8461 8558 4087a0 8557->8558 8559 40874a GetFileAttributesA 8557->8559 8560 408770 CreateDirectoryA 8557->8560 8558->8461 8559->8557 8559->8560 8560->8556 8560->8557 8562 407f33 fopen 8561->8562 8563 407f9d 8561->8563 8564 407f89 fclose 8562->8564 8565 407f4f 8562->8565 8563->8470 8567 407f91 8564->8567 8566 407f60 calloc 8565->8566 8570 407f7d fclose 8565->8570 8566->8565 8568 407fd0 fread 8566->8568 8569 407e30 3 API calls 8567->8569 8571 407fb0 fwrite 8568->8571 8572 407fee free fclose fclose 8568->8572 8569->8563 8570->8564 8571->8568 8573 408030 free 
8571->8573 8572->8567 8574 408019 8572->8574 8573->8570 8574->8470 8574->8573 8575->8495 8578 409afe 8576->8578 8579 409b1e 8578->8579 8580 409b4c 8578->8580 8662 408950 8578->8662 8579->8418 8581 408950 GetCommandLineA 8580->8581 8582 409b6a 8581->8582 8582->8579 8583 407eb0 GetFileAttributesA 8582->8583 8584 409b76 8583->8584 8585 409b84 8584->8585 8586 409b7d 8584->8586 8666 407ee0 GetFileAttributesA 8585->8666 8587 407e30 3 API calls 8586->8587 8587->8579 8592 408b8d 8591->8592 8593 408b7d CloseHandle 8591->8593 8592->8471 8593->8592 8595 4142b0 _vsnprintf 8594->8595 8596 408f58 8595->8596 8597 4142b0 _vsnprintf 8596->8597 8598 40a556 8597->8598 8598->8476 8600 411a29 strlen RegSetValueExA RegCloseKey 8599->8600 8601 411a7c 8599->8601 8600->8601 8601->8460 8603 40927e 8602->8603 8604 408df0 _vsnprintf 8603->8604 8605 40928c LoadLibraryA GetProcAddress 8604->8605 8606 408df0 _vsnprintf 8605->8606 8607 4092ba LoadLibraryA GetProcAddress 8606->8607 8608 4092e8 8607->8608 8613 4092de 8607->8613 8609 408df0 _vsnprintf 8608->8609 8610 4092f4 LoadLibraryA GetProcAddress 8609->8610 8611 409334 8610->8611 8612 40931a malloc 8610->8612 8611->8459 8614 40932d 8612->8614 8613->8608 8618 40971c 8613->8618 8614->8611 8615 409340 8614->8615 8616 4142b0 _vsnprintf 8615->8616 8617 409371 8616->8617 8671 413db0 8617->8671 8620 4142b0 _vsnprintf 8618->8620 8622 40974e 8620->8622 8621 409389 8675 409150 8621->8675 8624 413db0 strlen 8622->8624 8626 409766 8624->8626 8625 4093bf 8627 4098a0 malloc 8625->8627 8628 4093c7 8625->8628 8629 409150 3 API calls 8626->8629 8637 4098c5 8627->8637 8630 409150 3 API calls 8628->8630 8631 40979c 8629->8631 8632 40941a 8630->8632 8633 409910 malloc 8631->8633 8634 4097a4 8631->8634 8632->8611 8635 409422 malloc 8632->8635 8642 409935 8633->8642 8636 409150 3 API calls 8634->8636 8638 409447 8635->8638 8639 4097df 8636->8639 8637->8459 8641 409455 malloc 8638->8641 8639->8608 8640 4097e7 malloc 8639->8640 8643 40980c 8640->8643 8645 40948e 
8641->8645 8642->8459 8644 40981a malloc 8643->8644 8646 409853 8644->8646 8645->8611 8646->8608 8646->8627 8648 411b30 RegOpenKeyExA 8647->8648 8649 411ac9 RegQueryValueExA 8647->8649 8652 40a13d 8648->8652 8653 411b59 RegQueryValueExA 8648->8653 8650 411b14 RegCloseKey 8649->8650 8651 411b06 8649->8651 8650->8652 8651->8650 8654 411ba2 RegQueryValueExA 8651->8654 8652->8538 8652->8539 8653->8650 8653->8651 8654->8650 8656 408fe6 8655->8656 8657 4090f0 GetSystemTime 8656->8657 8658 408ff7 GetLocalTime 8656->8658 8659 408fff 8657->8659 8658->8659 8660 4142b0 _vsnprintf 8659->8660 8661 4090df 8660->8661 8661->8542 8663 40897d 8662->8663 8664 408998 GetCommandLineA 8663->8664 8665 4089b1 8664->8665 8665->8578 8667 407efb 8666->8667 8667->8579 8668 4087b0 strlen calloc memcpy SHFileOperationA free 8667->8668 8669 408850 GetFileAttributesA 8668->8669 8670 408847 8668->8670 8669->8670 8670->8579 8672 413dc6 8671->8672 8673 413e1c strlen 8672->8673 8674 413dec 8672->8674 8673->8621 8674->8621 8676 40917a 8675->8676 8677 409182 strlen 8676->8677 8683 4091db 8676->8683 8678 4091a2 8677->8678 8680 4091b1 8678->8680 8682 4091c0 calloc 8678->8682 8679 408ba0 free 8681 409226 8679->8681 8680->8625 8681->8625 8682->8680 8682->8683 8683->8679 8683->8680 8685 4158e0 8684->8685 8687 4158fd 8684->8687 8686 4158f5 fclose 8685->8686 8685->8687 8686->8687 8687->8498 8688->8501 8690 40695c 8689->8690 8691 406aa0 8690->8691 8692 406965 8690->8692 8693 406070 2 API calls 8691->8693 8697 406af2 socket connect 8691->8697 8701 4069d6 8691->8701 8694 40696f 8692->8694 8696 4069e2 8692->8696 8693->8691 8695 406070 2 API calls 8694->8695 8698 406983 8695->8698 8699 406070 2 API calls 8696->8699 8696->8701 8705 406a2e socket connect 8696->8705 8706 406b30 8697->8706 8700 40698b socket 8698->8700 8698->8701 8699->8696 8700->8701 8703 4069b7 connect 8700->8703 8701->8505 8702 406900 2 API calls 8702->8706 8703->8701 8704 406bf7 8703->8704 8707 406900 2 API calls 8704->8707 8708 406a6c 8705->8708 
8706->8691 8706->8702 8710 406b70 8706->8710 8707->8701 8708->8696 8708->8701 8709 406900 2 API calls 8708->8709 8709->8708 8710->8701 8710->8704 8712 4061e0 ioctlsocket 8711->8712 8713 4060f7 8711->8713 8712->8508 8714 406140 setsockopt 8713->8714 8715 4060fc 8713->8715 8714->8715 8718 406174 WSAIoctl 8714->8718 8716 406131 8715->8716 8717 406101 setsockopt 8715->8717 8716->8508 8717->8716 8718->8715 8719->8505 8721 40b7c1 8720->8721 8721->8514 8721->8721 8723 406d77 8722->8723 8734 406dbf 8722->8734 8724 406ed0 strlen 8723->8724 8725 406d80 EnterCriticalSection 8723->8725 8724->8734 8738 406c70 8725->8738 8727 406e59 LeaveCriticalSection 8737 406e68 8727->8737 8728 406e8a malloc 8732 406ea5 8728->8732 8728->8734 8730 406e21 send 8733 406e49 WSAGetLastError 8730->8733 8730->8734 8731 408ba0 free 8731->8728 8732->8727 8733->8727 8733->8734 8734->8727 8734->8730 8735 406eb0 LeaveCriticalSection 8734->8735 8745 408b20 Sleep 8734->8745 8735->8737 8737->8418 8739 406ca3 select 8738->8739 8743 406ce1 select 8738->8743 8740 406d37 8739->8740 8741 406cd5 8739->8741 8740->8741 8744 406d44 __WSAFDIsSet 8740->8744 8741->8727 8741->8728 8741->8731 8741->8734 8743->8740 8744->8741 8745->8734 10049 402179 10050 406900 2 API calls 10049->10050 10051 40218f 10050->10051 10052 401000 2 API calls 10051->10052 10053 402194 10052->10053 10056 408b20 Sleep 10053->10056 10055 4021a0 10055->10055 10056->10055 11816 411b2c 11817 411b30 RegOpenKeyExA 11816->11817 11818 411b23 11817->11818 11819 411b59 RegQueryValueExA 11817->11819 11820 411b14 RegCloseKey 11819->11820 11821 411b94 11819->11821 11820->11818 11821->11820 11822 411ba2 RegQueryValueExA 11821->11822 11822->11820 8819 4119d0 RegCreateKeyExA 8820 411a29 strlen RegSetValueExA RegCloseKey 8819->8820 8821 411a7c 8819->8821 8820->8821 8830 40b199 8831 40b2f0 PostQuitMessage 8830->8831 8832 40b1b1 8830->8832 8833 40b2e5 8831->8833 8834 40b250 GetRawInputData 8832->8834 8835 40b1bc 8832->8835 8834->8833 8836 40b285 malloc 8834->8836 
8837 40b1f0 RegisterRawInputDevices 8835->8837 8838 40b1c1 DefWindowProcA 8835->8838 8836->8833 8839 40b299 GetRawInputData 8836->8839 8840 40b23c 8837->8840 8838->8837 8841 40b2c5 8839->8841 8844 40b2d9 8839->8844 8841->8844 8845 40ae80 GetKeyState GetKeyState GetKeyState GetKeyState GetKeyboardState 8841->8845 8842 408ba0 free 8842->8833 8844->8842 8846 40b060 MapVirtualKeyA ToAscii 8845->8846 8847 40aeeb 8845->8847 8849 40b130 GetKeyState 8846->8849 8850 40b0a5 MapVirtualKeyA GetKeyNameTextA 8846->8850 8847->8846 8848 40aef2 8847->8848 8866 40af33 8847->8866 8852 408df0 _vsnprintf 8848->8852 8853 40b143 8849->8853 8854 40b0ff 8849->8854 8851 40b0de GetKeyState 8850->8851 8850->8866 8851->8854 8855 40b0f1 8851->8855 8857 40af09 8852->8857 8853->8854 8858 408df0 _vsnprintf 8853->8858 8856 4142b0 _vsnprintf 8854->8856 8855->8854 8862 408df0 _vsnprintf 8855->8862 8859 40b11f 8856->8859 8860 4142b0 _vsnprintf 8857->8860 8858->8854 8859->8844 8861 40af1d 8860->8861 8861->8866 8867 40adc0 GetForegroundWindow 8861->8867 8862->8854 8864 40af28 8875 40ab20 8864->8875 8866->8844 8868 40add4 GetLocalTime GetWindowTextA 8867->8868 8869 40ae0c 8867->8869 8868->8869 8870 40ae14 8868->8870 8869->8864 8871 4142b0 _vsnprintf 8870->8871 8872 40ae6d 8871->8872 8873 40ab20 14 API calls 8872->8873 8874 40ae78 8873->8874 8874->8864 8876 40acdd 8875->8876 8877 40ab38 GetLocalTime 8875->8877 8876->8866 8878 40ab5e 8877->8878 8879 40ab68 8877->8879 8878->8879 8881 40acf0 8878->8881 8880 40ab89 8879->8880 8883 40ab72 CloseHandle 8879->8883 8884 40ab7d 8879->8884 8882 40ac7e 8880->8882 8887 407ee0 GetFileAttributesA 8880->8887 8885 4142b0 _vsnprintf 8881->8885 8882->8876 8891 40acb3 WriteFile 8882->8891 8883->8884 8886 407e30 3 API calls 8884->8886 8888 40ad2f 8885->8888 8886->8880 8889 40aba9 8887->8889 8888->8880 8890 40ad3d CloseHandle 8888->8890 8892 40ad57 8889->8892 8893 40abb1 CreateFileA 8889->8893 8890->8880 8891->8876 8892->8876 8895 4086e0 3 API calls 8892->8895 8893->8892 8894 
40abfe SetFilePointer 8893->8894 8896 4142b0 _vsnprintf 8894->8896 8897 40ad7c 8895->8897 8898 40ac73 8896->8898 8897->8866 8899 40ab20 8 API calls 8898->8899 8899->8882

              Control-flow Graph

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: AddressLibraryLoadProc$malloc
              • String ID: =$=$=$=$@$V}A$Y}A$c$c$h$h$k$k$o$o$p$p$s$s$s$s$t$t$t$t
              • API String ID: 1625907898-1438704041
              • Opcode ID: 58c077a38c14cdde4ede4da81629d506b64efd4e48f32cb2f6f33b901e503a40
              • Instruction ID: 2ac49b8970c5daad5fc49e71d5e977d3ec383ea7045882ca230d8ed27c462124
              • Opcode Fuzzy Hash: 58c077a38c14cdde4ede4da81629d506b64efd4e48f32cb2f6f33b901e503a40
              • Instruction Fuzzy Hash: 8E02D7B050C3808AE710EF65D18439ABBF0BF95744F45886EE5C88B392D7BD9984CB5B
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              Yara matches
              Similarity
              • API ID: Input$Data$DevicesMessagePostProcQuitRegisterWindowmalloc
              • String ID:
              • API String ID: 313297285-0
              • Opcode ID: d68579ef48237cda221fcba407d4eaf41d8e6fe86f7519aac5b67c624f48df76
              • Instruction ID: 8ee57d0ab7e3f326a738b884e474d88929747b3e31dd1a6bd31e87e3409e1f6f
              • Opcode Fuzzy Hash: d68579ef48237cda221fcba407d4eaf41d8e6fe86f7519aac5b67c624f48df76
              • Instruction Fuzzy Hash: F741E5B15083048BD704EF65C58875BBBF0FB84304F11896EE89997391E379D994DB8A
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
                • Part of subcall function 00408BD0: LoadLibraryA.KERNEL32(?,?,?,?,?,?,00414F93), ref: 00408BDA
                • Part of subcall function 00408BF0: GetProcAddress.KERNEL32 ref: 00408C02
              • RegisterClassExA.USER32 ref: 0040B422
              • CreateWindowExA.USER32 ref: 0040B49D
              • GetMessageA.USER32 ref: 0040B4E1
              Strings
              Yara matches
              Similarity
              • API ID: AddressClassCreateLibraryLoadMessageProcRegisterWindow
              • String ID: 0$0$C$a$c$l$n$s$s$w$w
              • API String ID: 3801194884-2878183507
              • Opcode ID: 38ce1144a9385e4cfb7991bf0fb8f32a2c2949a87b0cfb77899f7bb9e85924e2
              • Instruction ID: 7fc620641debdb792a3e75362ef4ede4bac0a246e8e0b4dd7c7016e86a2aa0bd
              • Opcode Fuzzy Hash: 38ce1144a9385e4cfb7991bf0fb8f32a2c2949a87b0cfb77899f7bb9e85924e2
              • Instruction Fuzzy Hash: 1641FBB040D3808AE310AF25D59935FBFE0AF40748F45892EE5D45B282D7BE8549CBDB
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              Yara matches
              Similarity
              • API ID: connectsocket$gethostbynamehtons
              • String ID:
              • API String ID: 2456471525-0
              • Opcode ID: 7de3402356a995d5942c79d6e21b3a8985624a7da4b64819a3cc3706cc4ac8c9
              • Instruction ID: 69b2738c5b0be7736de85009dc69143f11d4db7b58bbe4703e13044abf05d088
              • Opcode Fuzzy Hash: 7de3402356a995d5942c79d6e21b3a8985624a7da4b64819a3cc3706cc4ac8c9
              • Instruction Fuzzy Hash: 8D71F9B05083158FD700EF29D58165ABBF0BF84348F12C93EE89AA7391E779D4558B4B
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0040A13D), ref: 00411ABD
              • RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411AFA
              • RegCloseKey.ADVAPI32 ref: 00411B1B
              • RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A13D), ref: 00411B4D
              • RegQueryValueExA.ADVAPI32 ref: 00411B88
              • RegQueryValueExA.ADVAPI32 ref: 00411BCD
              Yara matches
              Similarity
              • API ID: QueryValue$Open$Close
              • String ID:
              • API String ID: 2855150075-0
              • Opcode ID: b05598d3df2425bf0636f3bd7add778bd61e61b6b2b4a5a27892c7a6c82e2144
              • Instruction ID: af9b9b99392209678625a8db789becc23485f98deaeae4877963dba0c31c0487
              • Opcode Fuzzy Hash: b05598d3df2425bf0636f3bd7add778bd61e61b6b2b4a5a27892c7a6c82e2144
              • Instruction Fuzzy Hash: 133193B15193419FD700EF29C58475BFBF0BB88758F41892EF98897215E379E9888F82
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              Strings
              Yara matches
              Similarity
              • API ID: CloseCreateValuestrlen
              • String ID: ?
              • API String ID: 3793363457-1684325040
              • Opcode ID: 21fb25c37040cd0006073005a8721473989d21205661387b85737b4bf9d1b82a
              • Instruction ID: 8951ad88e5c34148974c8ba90219a2a838d7160c78e8b2e003249cd8c1ad4586
              • Opcode Fuzzy Hash: 21fb25c37040cd0006073005a8721473989d21205661387b85737b4bf9d1b82a
              • Instruction Fuzzy Hash: 9E114CB59093419FD740EF69C58571BFBE0BB88344F41892EF89887311E7B9D6888B86
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • RegCloseKey.ADVAPI32 ref: 00411B1B
              • RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A13D), ref: 00411B4D
              • RegQueryValueExA.ADVAPI32 ref: 00411B88
              • RegQueryValueExA.ADVAPI32 ref: 00411BCD
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: QueryValue$CloseOpen
              • String ID:
              • API String ID: 1586453840-0
              • Opcode ID: 72607df8c8630feea03b6c060a1ee1b11ccac9cc98e29531e075c07e563986ef
              • Instruction ID: e1bca15ac22a89ac0cb18e219a3f96de63aac9b67a8ff417bd019fceda2b5000
              • Opcode Fuzzy Hash: 72607df8c8630feea03b6c060a1ee1b11ccac9cc98e29531e075c07e563986ef
              • Instruction Fuzzy Hash: 6E1177B15093019FD700EF29D54525BFBF0BB88758F41892EF99897214E379E5888F86
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              Blocks:
              • 195: 409cb0-409ce0 CreateMutexA
              • 196: 409ce2-409cec GetLastError
              • 197: 409cef-409cf2
              Edges (source->target): 195->196, 195->197, 196->197
              APIs
              • CreateMutexA.KERNEL32(?,?,?,?,?,?,?,0040A300), ref: 00409CCA
              • GetLastError.KERNEL32 ref: 00409CE2
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Yara matches
              Similarity
              • API ID: CreateErrorLastMutex
              • String ID: sA
              • API String ID: 1925916568-3791179695
              • Opcode ID: 6a3d7cc1492c56c154ed2a54211ad8d4287e56285b1a15cfec7309320b3a7a7c
              • Instruction ID: 5f04186f209d0110d83c86f514e9f69d60e879daa328788e74aeef7b5fa905d8
              • Opcode Fuzzy Hash: 6a3d7cc1492c56c154ed2a54211ad8d4287e56285b1a15cfec7309320b3a7a7c
              • Instruction Fuzzy Hash: 82D0127090C20146D7007F29C04538979F17B80304F45C57EF84887355D77DC4D4975B
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              Blocks:
              • 198: 4068b0-4068cf WSAStartup
              • 199: 4068d1-4068e6 InitializeCriticalSection
              • 200: 4068e7-4068f9 ExitProcess
              Edges (source->target): 198->199, 198->200
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Yara matches
              Similarity
              • API ID: CriticalExitInitializeProcessSectionStartup
              • String ID:
              • API String ID: 3456047655-0
              • Opcode ID: 081fa53c60724d29ad1dbc9ae13d3a0889034f7c5aa589846efcf8dced9f3315
              • Instruction ID: e74cc806e078bac1fe4d4f83749af9321de69f1f1d2933ae92666123b887df6f
              • Opcode Fuzzy Hash: 081fa53c60724d29ad1dbc9ae13d3a0889034f7c5aa589846efcf8dced9f3315
              • Instruction Fuzzy Hash: E7E04FB19053058AE700BF71D5063A9BBE0BF01304F42492ED8D557145E37CB15CC6D7
              Uniqueness

              Uniqueness Score: -1.00%
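
The control-flow graphs in these function records are exported as one flattened string: a block is "<id> <start>[-<end>]" followed by the API names it calls (a "call <addr>" token marks a call into a helper inside the sample), and an edge is "<src>-><dst>". The Python below is an added example, not code from the Joe Sandbox report or its IDA plugin. It parses that format and answers the questions an analyst asks of such graphs: which blocks call a given API, which blocks are function exits, whether a process-terminating API lies on a path from the entry block (the WSAStartup branch into ExitProcess in the record directly above), and whether the dump leaves a block unconnected (block 194 of the registry-reading function above has no incoming edge in the text). The three graph strings are copied from this page; the list of process-terminating APIs is this example's own assumption.

```python
"""Parse the flattened control-flow-graph text of a Joe Sandbox function record."""
import re
from collections import deque
from dataclasses import dataclass, field

# Graph strings copied verbatim from the function records on this page.
REG_CFG = ("control_flow_graph 188 411b2c 189 411b30-411b57 RegOpenKeyExA 188->189 190 411b23-411b2b "
           "189->190 191 411b59-411b92 RegQueryValueExA 189->191 192 411b14-411b20 RegCloseKey 191->192 "
           "193 411b94-411b9c 191->193 192->190 193->192 194 411ba2-411bda RegQueryValueExA 194->192")
MUTEX_CFG = ("control_flow_graph 195 409cb0-409ce0 CreateMutexA 196 409ce2-409cec GetLastError "
             "195->196 197 409cef-409cf2 195->197 196->197")
WSA_CFG = ("control_flow_graph 198 4068b0-4068cf WSAStartup 199 4068d1-4068e6 InitializeCriticalSection "
           "198->199 200 4068e7-4068f9 ExitProcess 198->200")

ADDR_RE = re.compile(r"[0-9a-f]{5,8}(?:-[0-9a-f]{5,8})?")
# Assumption of this example: the APIs treated as ending the process.
TERMINATING_APIS = ("ExitProcess", "TerminateProcess", "ExitThread")


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # API names and "call <addr>" helper calls, in order


@dataclass
class Cfg:
    blocks: dict   # node id -> Block
    succ: dict     # node id -> successor ids (every defined block has an entry, possibly empty)
    entry: int     # the first block the dump defines; the report lists the function entry first


def parse_cfg(text):
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, succ, entry, current = {}, {}, None, None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "call":                        # "call 4142b0": call into a helper, not an API
            blocks[current].calls.append(f"call {tokens[i + 1]}")
            i += 2
            continue
        if "->" in tok:
            src, dst = (int(x) for x in tok.split("->"))
            succ.setdefault(src, []).append(dst)
            succ.setdefault(dst, [])
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.fullmatch(tokens[i + 1]):
            node_id = int(tok)
            lo, _, hi = tokens[i + 1].partition("-")
            blocks[node_id] = Block(node_id, int(lo, 16), int(hi or lo, 16))
            succ.setdefault(node_id, [])
            current = node_id
            entry = node_id if entry is None else entry
            i += 1                               # the address token is consumed as well
        else:
            blocks[current].calls.append(tok)    # an API name belongs to the current block
        i += 1
    return Cfg(blocks, succ, entry)


def blocks_calling(cfg, api):
    return sorted(b.node_id for b in cfg.blocks.values() if api in b.calls)


def shortest_path(cfg, target):
    """Breadth-first search from the entry block; None if no edge chain reaches target."""
    prev = {cfg.entry: None}
    queue = deque([cfg.entry])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in cfg.succ.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def apis_on_path(cfg, path):
    return [c for n in path for c in cfg.blocks[n].calls if not c.startswith("call ")]


def exit_blocks(cfg):
    return sorted(n for n, s in cfg.succ.items() if not s)


def unreachable_blocks(cfg):
    """Blocks the dump defines but never connects to the entry (a gap in the exported graph)."""
    return sorted(n for n in cfg.blocks if shortest_path(cfg, n) is None)


def terminating_paths(cfg):
    """For each reachable process-terminating API: the APIs on the shortest path to it."""
    return {api: apis_on_path(cfg, shortest_path(cfg, n))
            for api in TERMINATING_APIS for n in blocks_calling(cfg, api)
            if shortest_path(cfg, n) is not None}


if __name__ == "__main__":
    for name, text in (("registry", REG_CFG), ("mutex", MUTEX_CFG), ("wsastartup", WSA_CFG)):
        cfg = parse_cfg(text)
        print(name, "exits:", exit_blocks(cfg), "unreachable:", unreachable_blocks(cfg),
              "terminating:", terminating_paths(cfg))
```

Run as a script it prints, for the WSAStartup function, that ExitProcess is reached over the path WSAStartup -> ExitProcess, and for the registry function that block 194 is unreachable in the dump, so any conclusion about the second RegQueryValueExA call needs the rendered graph or the disassembly rather than the text export. The mutex helper itself has no terminating API; the "may stop execution after checking mutex" behaviour lives in its caller, which the per-function graph does not show.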

              Control-flow Graph

              Blocks:
              • 201: 406070-40608e gethostbyname
              • 202: 406090-4060ce call 414810, htons
              • 203: 4060d3-4060d8
              Edges (source->target): 201->202, 201->203, 202->203
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Yara matches
              Similarity
              • API ID: gethostbynamehtons
              • String ID:
              • API String ID: 2664724638-0
              • Opcode ID: b482fa5d77b5f6c3a99fef7ea1856f0077d455fcffcf54d1e724f4e87a0624d0
              • Instruction ID: ce80b052699ea2a75d7f84dff87a82949fa2b05c4fdf1cace5667dd736b218ad
              • Opcode Fuzzy Hash: b482fa5d77b5f6c3a99fef7ea1856f0077d455fcffcf54d1e724f4e87a0624d0
              • Instruction Fuzzy Hash: 28F049B49057508FCB10FF38D08564BBBF0EF08318F02896EE8858B355E238D884CB92
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              Blocks:
              • 206: 408b40-408b7b _beginthreadex
              • 207: 408b8d-408b92
              • 208: 408b7d-408b8a CloseHandle
              Edges (source->target): 206->207, 206->208, 208->207
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Yara matches
              Similarity
              • API ID: CloseHandle_beginthreadex
              • String ID:
              • API String ID: 788476133-0
              • Opcode ID: 9cfe4a110e9c3b0481e7d61d1115cbd41d60fec85a8a7f2f8a01873316ab31f7
              • Instruction ID: 6548f6923625ce3b4d0df659370cb11a78da6aaa68d4dd203d117f9babfdb6d5
              • Opcode Fuzzy Hash: 9cfe4a110e9c3b0481e7d61d1115cbd41d60fec85a8a7f2f8a01873316ab31f7
              • Instruction Fuzzy Hash: 14E052B4A083418FD740EF29C55535BBBF1AB84304F45892EE8D887794E77EDA498B83
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              Blocks:
              • 209: 406900-40690a
              • 210: 406938-40693c
              • 211: 40690c-406910
              • 212: 406932
              • 213: 406912-40692f shutdown, closesocket
              Edges (source->target): 209->210, 209->211, 211->212, 211->213, 212->210, 213->212
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Yara matches
              Similarity
              • API ID: closesocketshutdown
              • String ID:
              • API String ID: 572888783-0
              • Opcode ID: 7ea51384508546e98059d5ea3927f76879e8169b2b1a9b6cdc919d491c6f9012
              • Instruction ID: 141393b97e9cf99b52998b07e3b2fb87fa5db297e3677c8b2c7e7cf7164b04c8
              • Opcode Fuzzy Hash: 7ea51384508546e98059d5ea3927f76879e8169b2b1a9b6cdc919d491c6f9012
              • Instruction Fuzzy Hash: 8DE04FF06003104BDB00BF78D5C96093BF4AB01314F81066DE8C05F285E738D4648B43
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              Blocks:
              • 214: 408b20-408b35 Sleep
              Edges (source->target): none
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Yara matches
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: 8bd6e9a1890a76a08547d97539bd5a18ad4ae0f53fff64cc7ba5d22e5db24b1d
              • Instruction ID: edb8f17d1ed5b35af60f70507896de7f3616c9094573bcb5cc092cbd14c9aff2
              • Opcode Fuzzy Hash: 8bd6e9a1890a76a08547d97539bd5a18ad4ae0f53fff64cc7ba5d22e5db24b1d
              • Instruction Fuzzy Hash: 5EB092F5D0464047C600BF3C814712ABAE07A44204FC60AADE88443206F938D3684A97
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              Blocks ("call <addr>" is a call into a helper inside the sample; 4142b0 is the _vsnprintf wrapper listed under API ID):
              • 226: 40dec0-40df16 RegOpenKeyExA
              • 227: 40e360-40e390 RegOpenKeyExA
              • 228: 40df1c-40df38
              • 229: 40e060-40e06e
              • 230: 40e396-40e3ab
              • 231: 40df48-40df88 RegEnumKeyExA
              • 232: 40e3b8-40e3f8 RegEnumKeyExA
              • 233: 40e051-40e05d RegCloseKey
              • 234: 40df8e-40dfe5 call 4142b0, RegOpenKeyExA
              • 235: 40e3fe-40e463 call 4142b0, RegOpenKeyExA
              • 239: 40df40
              • 240: 40dfeb-40e03b call 408df0, RegQueryValueExA
              • 243: 40e3b0
              • 244: 40e469-40e4b9 call 408df0, RegQueryValueExA
              • 247: 40e070-40e0bd call 408df0, RegQueryValueExA
              • 248: 40e03d-40e04c RegCloseKey
              • 251: 40e580-40e5c9 call 408df0, RegQueryValueExA
              • 252: 40e4bf-40e4ce RegCloseKey
              • 256: 40e210-40e259 call 408df0, RegQueryValueExA
              • 257: 40e0c3-40e16b call 408df0, RegQueryValueExA, call 408df0, RegQueryValueExA
              • 258: 40e855-40e89a call 408df0, RegQueryValueExA
              • 259: 40e5cf-40e66b call 408df0, RegQueryValueExA, call 408df0, RegQueryValueExA
              • 267: 40e4d3-40e576 call 408df0, RegQueryValueExA, call 408df0, RegQueryValueExA
              • 268: 40e25f-40e2a8 call 408df0, RegQueryValueExA
              • 271: 40e8a0-40e8e5 call 408df0, RegQueryValueExA
              • 272: 40ea14-40eaab call 408df0, RegQueryValueExA, call 408df0, RegQueryValueExA
              • 282: 40e17b-40e1bd
              • 283: 40e16d-40e175
              • 284: 40ebde-40ec3e CryptUnprotectData
              • 286: 40e1c1 call 414240
              • 288: 40e67b-40e6b9
              • 289: 40e66d-40e675
              • 290: 40e70c-40e755 call 408df0, RegQueryValueExA
              • 291: 40e2ae-40e354 call 408df0, RegQueryValueExA, call 408df0, RegQueryValueExA
              • 294: 40ec44-40ec74 call 414830, LocalFree
              • 296: 40e1c6-40e1cd
              • 298: 40ec79-40ecbe call 408df0, RegQueryValueExA
              • 299: 40e8eb-40e982 call 408df0, RegQueryValueExA, call 408df0, RegQueryValueExA
              • 300: 40ed63-40edc3 CryptUnprotectData
              • 301: 40e6bd call 414240
              • 305: 40e1d3-40e207 call 414310
              • 306: 40e98a-40e9c5
              • 310: 40e6c2-40e6c9
              • 311: 40edc9-40edf5 call 414830, LocalFree
              • 317: 40eab3-40eb56 call 408df0, RegQueryValueExA, call 408df0, RegQueryValueExA
              • 318: 40e75b-40e7a4 call 408df0, RegQueryValueExA
              • 321: 40e9c9 call 414240
              • 322: 40eb5e-40eb95
              • 323: 40e6cf-40e707 call 414310
              • 330: 40ecc4-40ed5b call 408df0, RegQueryValueExA, call 408df0, RegQueryValueExA
              • 331: 40edfa-40ee3f call 408df0, RegQueryValueExA
              • 332: 40e9ce-40e9d1
              • 333: 40eb99 call 414240
              • 341: 40e9d7-40ea0f call 414310
              • 342: 40eb9e-40eba3
              • 344: 40e7aa-40e84d call 408df0, RegQueryValueExA, call 408df0, RegQueryValueExA
              • 348: 40eba9-40ebd9 call 414310
              • 349: 40ee45-40eedc call 408df0, RegQueryValueExA, call 408df0, RegQueryValueExA
              Edges (source->target): 226->227, 226->228, 227->229, 227->230, 228->231, 230->232, 231->233, 231->234, 232->233, 232->235, 233->229, 234->239, 234->240, 235->243, 235->244, 239->231, 240->247, 240->248, 243->232, 244->251, 244->252, 247->256, 247->257, 248->239, 251->258, 251->259, 252->243, 256->267, 256->268, 257->282, 257->283, 258->271, 258->272, 259->288, 259->289, 267->251, 268->290, 268->291, 271->298, 271->299, 272->317, 282->286, 283->282, 283->284, 284->282, 284->294, 286->296, 288->301, 289->288, 289->300, 290->317, 290->318, 294->282, 296->305, 296->306, 298->330, 298->331, 299->306, 300->288, 300->311, 301->310, 305->248, 305->256, 306->321, 310->322, 310->323, 311->288, 317->322, 318->248, 318->344, 321->332, 322->333, 323->252, 330->300, 331->252, 331->349, 332->248, 332->341, 333->342, 341->248, 342->252, 342->348, 344->258, 348->252
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Yara matches
              Similarity
              • API ID: OpenQueryValue$Close$Enum$_vsnprintf
              • String ID: ?
              • API String ID: 1489640361-1684325040
              • Opcode ID: 3ca1fa97115e751909c291799f78db4065032210dab97709320b23b24a74d0de
              • Instruction ID: 83962a6cc2245fd34b9083c4c6fc66d9d4e810ff86ebfe61599f3b83e1930880
              • Opcode Fuzzy Hash: 3ca1fa97115e751909c291799f78db4065032210dab97709320b23b24a74d0de
              • Instruction Fuzzy Hash: 47926AB44193419FD300EF69C58475BFBE0AF88748F508D2EE8D897391D7B995888F86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32 ref: 004074D1
              • FindFirstFileA.KERNEL32 ref: 004074EE
                • Part of subcall function 00413AE0: malloc.MSVCRT ref: 00413AF0
              • FileTimeToSystemTime.KERNEL32 ref: 004075ED
                • Part of subcall function 00408BA0: free.MSVCRT ref: 00408BB1
                • Part of subcall function 004142B0: _vsnprintf.MSVCRT ref: 004142D4
              • FindNextFileA.KERNEL32 ref: 004075CB
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Yara matches
              Similarity
              • API ID: File$FindTime$ErrorFirstModeNextSystem_vsnprintffreemalloc
              • String ID: $ $%$%$%$%$%$%$%$%$%$%$.$.$.$.$.$/$/$2$2$2$2$2$4$6$:$:$I$d$d$d$d$d$d$d$s$s$u
              • API String ID: 732996934-1832224625
              • Opcode ID: 8596371b65ec5d996e31fdf1bb4ad4d6035f1bf18e26367da18c114c64642150
              • Instruction ID: 315cf900878f9423c0ca532d5b5cb35969cea518b5f58902741365eab2ece38d
              • Opcode Fuzzy Hash: 8596371b65ec5d996e31fdf1bb4ad4d6035f1bf18e26367da18c114c64642150
              • Instruction Fuzzy Hash: 3EB1A0B040C7C09AD321DF29C14879BBFE4AF95748F04886EE5D887392D7B99588CB67
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetFileAttributesA.KERNEL32 ref: 00408140
                • Part of subcall function 00407BF0: fopen.MSVCRT ref: 00407C2E
                • Part of subcall function 00407BF0: fread.MSVCRT ref: 00407C83
                • Part of subcall function 00407BF0: fclose.MSVCRT ref: 00407CE7
                • Part of subcall function 004080A0: GetFileAttributesExA.KERNEL32 ref: 004080BA
                • Part of subcall function 004142B0: _vsnprintf.MSVCRT ref: 004142D4
                • Part of subcall function 00406D60: EnterCriticalSection.KERNEL32 ref: 00406D8A
                • Part of subcall function 00406D60: send.WS2_32 ref: 00406E3A
                • Part of subcall function 00406D60: WSAGetLastError.WS2_32 ref: 00406E49
                • Part of subcall function 00406D60: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000003,?,00406FE7), ref: 00406E60
              • SetErrorMode.KERNEL32 ref: 004082CA
              • FindFirstFileA.KERNEL32 ref: 0040830F
              • FindNextFileA.KERNEL32 ref: 00408339
              • FindClose.KERNEL32 ref: 004084A3
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Yara matches
              Similarity
              • API ID: File$Find$AttributesCriticalErrorSection$CloseEnterFirstLastLeaveModeNext_vsnprintffclosefopenfreadsend
              • String ID: !$%$%$%$%$%$%$%$%$%$%$%$%$%$4$4$6$6$I$I$d$d$d$s$s$s$s$s$s$s$s$u$u
              • API String ID: 3945138924-1376929949
              • Opcode ID: e8247a97ad3f711a7f793698c08f02a209cf979d8590932182e92e129a6380f1
              • Instruction ID: b4799ddaa91a4508e6089e2a4415ef3763b117d831867de5693055ad3b46d2b7
              • Opcode Fuzzy Hash: e8247a97ad3f711a7f793698c08f02a209cf979d8590932182e92e129a6380f1
              • Instruction Fuzzy Hash: 2EE1D4B050D7819EE321DF29D58879BBBE0AF85348F04886EE4C887392D7B99448CB57
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetSystemTime.KERNEL32 ref: 004090F0
                • Part of subcall function 004142B0: _vsnprintf.MSVCRT ref: 004142D4
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Yara matches
              Similarity
              • API ID: SystemTime_vsnprintf
              • String ID: $%$%$%$%$%$%$-$-$.$.$.$.$.$.$2$2$2$2$2$4$:$:$d$d$d$d$d$d
              • API String ID: 1798290392-2341610465
              • Opcode ID: a0e7db28a41d5fb361ccc98f9ac71180497fa7ea913442710f08612e35c1cbd4
              • Instruction ID: 6f8e69cd4fbe5ec700c930ee095c089469ce28359f850add503cd70ddfc46767
              • Opcode Fuzzy Hash: a0e7db28a41d5fb361ccc98f9ac71180497fa7ea913442710f08612e35c1cbd4
              • Instruction Fuzzy Hash: 7A316D6404D3C0C9E362CB69D00831BFFE16BA6748F48589EB6C04A282D7FE8589C767
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Yara matches
              Similarity
              • API ID: BitsCompatibleCreateDeleteMetricsObjectSystem$BitmapDesktopReleaseSelectWindowcallocfree
              • String ID: $($($6
              • API String ID: 3075093512-402759177
              • Opcode ID: 90bdf3cbd92690b404faaf805642dcc63cb68282d66821871edbacb2245434eb
              • Instruction ID: db8eff0a1238e6d03ae7f00aa867a14d09d2b1d4b8e6a6dadf2d3f31bb0a3fb3
              • Opcode Fuzzy Hash: 90bdf3cbd92690b404faaf805642dcc63cb68282d66821871edbacb2245434eb
              • Instruction Fuzzy Hash: E491ACB06093409FD350EF69D18575BBBF0AF84744F41992EE8888B351E7B9D9888B86
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Yara matches
              Similarity
              • API ID: State$Virtual$AsciiKeyboardNameText
              • String ID: $
              • API String ID: 2992186895-227171996
              • Opcode ID: 3b9dcf6bfdcf865dc433ad9602df26d7bfff6af647bf41d982f77f9190967750
              • Instruction ID: 558a5d88e4f3a1dba9351138159287804638510cf8bd672643fff5ea4b7416fd
              • Opcode Fuzzy Hash: 3b9dcf6bfdcf865dc433ad9602df26d7bfff6af647bf41d982f77f9190967750
              • Instruction Fuzzy Hash: 0F51E7B04087158AD300BF25C5452AFBEE0EB44344F12892FE5C56A286DBBC85D99BCF
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00413AE0: malloc.MSVCRT ref: 00413AF0
              • SetErrorMode.KERNEL32 ref: 00407155
              • GetLogicalDriveStringsA.KERNEL32 ref: 0040716F
              • GetDiskFreeSpaceExA.KERNEL32 ref: 004071BB
              • GetDriveTypeA.KERNEL32 ref: 00407218
              • GetVolumeInformationA.KERNEL32 ref: 00407311
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Yara matches
              Similarity
              • API ID: Drive$DiskErrorFreeInformationLogicalModeSpaceStringsTypeVolumemalloc
              • String ID: @
              • API String ID: 4103324456-2766056989
              • Opcode ID: 32283d354fccaf0a1ecf41031ab690158f65c18ef284fc86d2b6b5f49d8b6286
              • Instruction ID: 692a8d01a58b4b3205cc426c73f44a13f502de8cc8758fc8126941a140152011
              • Opcode Fuzzy Hash: 32283d354fccaf0a1ecf41031ab690158f65c18ef284fc86d2b6b5f49d8b6286
              • Instruction Fuzzy Hash: 15717FB48093449BE310AF25C18579BBBE4BF84744F018D2EE8C997391E7B9D5889B87
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: Crypt$Hash$AcquireContextCreateDataParam
              • String ID:
              • API String ID: 389087340-0
              • Opcode ID: a1ccf01c51958771cf5bf1198cd77dce9d8e859d4e403291823425e0cd0ebe5c
              • Instruction ID: adae99ae79f91870270ef32c5b65ca5d7874e28c35830493ffd3c8b6ed5432e8
              • Opcode Fuzzy Hash: a1ccf01c51958771cf5bf1198cd77dce9d8e859d4e403291823425e0cd0ebe5c
              • Instruction Fuzzy Hash: 4F41F5F15083009FD700EF26D58875BBBE4AB84758F01C92EF88897341D779D9888F96
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
              • String ID: yA
              • API String ID: 420147892-454502181
              • Opcode ID: 259fd280d10b6cbf1cec652b2d72dd1e5f7ad8d54e79c5ba12c88a8766fac142
              • Instruction ID: ee43cff23996acb4d33ce8104e2c22d7a6cdcd402f8b8cfac064e73a99f72d78
              • Opcode Fuzzy Hash: 259fd280d10b6cbf1cec652b2d72dd1e5f7ad8d54e79c5ba12c88a8766fac142
              • Instruction Fuzzy Hash: 3D1126B49093009BC720AF25DA4539FBBF4AF85755F01882EE8C893281E7789588CB97
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32 ref: 0040FA91
                • Part of subcall function 004142B0: _vsnprintf.MSVCRT ref: 004142D4
              • FindFirstFileA.KERNEL32 ref: 0040FAD7
              • FindNextFileA.KERNEL32 ref: 0040FB07
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: FileFind$ErrorFirstModeNext_vsnprintf
              • String ID:
              • API String ID: 3715251812-0
              • Opcode ID: 29fb8a3ce45bf9e1b640ddcfa0eaae2f0dbf724cea7d3eae7b99d966bedd16e1
              • Instruction ID: 9b6a4bb82898ccd2e248898662b406030a8ef59cade6693f1530015cb4681316
              • Opcode Fuzzy Hash: 29fb8a3ce45bf9e1b640ddcfa0eaae2f0dbf724cea7d3eae7b99d966bedd16e1
              • Instruction Fuzzy Hash: C441D9B090C7459BC720AF25D18529FBBE0AF84354F01893EE4D887281E778A589DF4B
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetVersionExA.KERNEL32 ref: 0041518F
              • GetVersionExA.KERNEL32 ref: 0041525C
                • Part of subcall function 00408BD0: LoadLibraryA.KERNEL32(?,?,?,?,?,?,00414F93), ref: 00408BDA
                • Part of subcall function 00408BF0: GetProcAddress.KERNEL32 ref: 00408C02
              • GetSystemMetrics.USER32 ref: 0041523F
              • GetSystemInfo.KERNEL32 ref: 004152D8
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: SystemVersion$AddressInfoLibraryLoadMetricsProc
              • String ID:
              • API String ID: 3976804913-0
              • Opcode ID: 02d4889bf21d59b638505668df4199c6b2af5ad0b8bd37e9501e9d9fb6455266
              • Instruction ID: ac7aaa4ad25b9cc5d3d37e28d546d3b0f870e8f7046e034bcf1dad2251c9457e
              • Opcode Fuzzy Hash: 02d4889bf21d59b638505668df4199c6b2af5ad0b8bd37e9501e9d9fb6455266
              • Instruction Fuzzy Hash: 47413A72908B41CAD720AF74C5453EFBAE0AB85344F09496FE88197252D3BDC9C9CA4B
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32 ref: 004159FC
                • Part of subcall function 004142B0: _vsnprintf.MSVCRT ref: 004142D4
              • FindFirstFileA.KERNEL32 ref: 00415A42
              • FindNextFileA.KERNEL32 ref: 00415A6A
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: FileFind$ErrorFirstModeNext_vsnprintf
              • String ID:
              • API String ID: 3715251812-0
              • Opcode ID: a1c77e02a249aadf8242d30eedbc220607d6c84f2893349293137fb25c0ed5a2
              • Instruction ID: f13f226f91b60d42abe92a62fb634ed75d6de956ed53335b1847762c6485aa87
              • Opcode Fuzzy Hash: a1c77e02a249aadf8242d30eedbc220607d6c84f2893349293137fb25c0ed5a2
              • Instruction Fuzzy Hash: 1151C3B090D7419AC720EF25D18429FBBE0AFC4754F408E2EE4D887341D778A989CB97
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNEL32 ref: 004078B7
                • Part of subcall function 004142B0: _vsnprintf.MSVCRT ref: 004142D4
              • FindFirstFileA.KERNEL32 ref: 004078FC
              • FindNextFileA.KERNEL32 ref: 0040791C
              • FindClose.KERNEL32 ref: 00407B23
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: Find$File$CloseErrorFirstModeNext_vsnprintf
              • String ID:
              • API String ID: 3730131509-0
              • Opcode ID: 9d8d53727b84cbaf57168f9f9ee1b05b2a87196113d2441b5bbc4720001b0f6c
              • Instruction ID: 56f04567fc9cb04996585f3bf0517f4e804b2eeb1285018d8178ddcab02ef305
              • Opcode Fuzzy Hash: 9d8d53727b84cbaf57168f9f9ee1b05b2a87196113d2441b5bbc4720001b0f6c
              • Instruction Fuzzy Hash: 5B4126B090D3449FD720AF25D58569BBBE0BF80398F45892EE8C897381E739A584CB47
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: mouse_event$Cursor
              • String ID:
              • API String ID: 930491299-0
              • Opcode ID: 95f85990f3760cc972b3db4cf916fcd06496eef67075d3aa73dba86d9e6c9b32
              • Instruction ID: 7c4e8ed3e2753513eba66ee058e865f5b0c708bad5d9a988d7cfc6fbf1a8f8af
              • Opcode Fuzzy Hash: 95f85990f3760cc972b3db4cf916fcd06496eef67075d3aa73dba86d9e6c9b32
              • Instruction Fuzzy Hash: 8611C9F54093009AD344EF29C15936FBEE1AB80304FC5890DE4C806385E7BE86989B97
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: malloc
              • String ID:
              • API String ID: 2803490479-0
              • Opcode ID: 9009041b7f5df44da1cf1fa08308358f7dcde39d387c9efe467c21ed79a9a93f
              • Instruction ID: f7abbca32be5be796c11d4431a3b092742e54ea1c619fa15a34730c023b0506a
              • Opcode Fuzzy Hash: 9009041b7f5df44da1cf1fa08308358f7dcde39d387c9efe467c21ed79a9a93f
              • Instruction Fuzzy Hash: 9E72537050A3818FC311CF28D984A92BFE1BB9934CF09C56ED5884B363D73A9959CB5E
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $D{A$D{A$D{A
              • API String ID: 0-1513198533
              • Opcode ID: cdbcab517d1df1adcc420b01107ab5ecbed3e5dd0fe2e3a8b07cbb842717cb7d
              • Instruction ID: 474bfc2852f59469a034800a28ab5cb30e0450e971770128ced20e38f28fe790
              • Opcode Fuzzy Hash: cdbcab517d1df1adcc420b01107ab5ecbed3e5dd0fe2e3a8b07cbb842717cb7d
              • Instruction Fuzzy Hash: F6C1A6756146615FD350CF3EC880266BBE0EF89305B58CA7EE498CB342D739E912DB94
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: Current$CountProcessThreadTick
              • String ID:
              • API String ID: 416392089-0
              • Opcode ID: 6a08132f00469b5a9b8c2fc97c5ff3410099a82e4619d23927c6f53f081ef5af
              • Instruction ID: e6716bf3537c3d700bbc37ec31a9c7105d109be00ecd9ef1a9f8d24c3d3874ea
              • Opcode Fuzzy Hash: 6a08132f00469b5a9b8c2fc97c5ff3410099a82e4619d23927c6f53f081ef5af
              • Instruction Fuzzy Hash: 78112531B487044B9718FFBBAC89187B7F7A7C8250355C23EC90A87365DEB45416C648
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d12ac023e1c6465c1b008624645d731268cb319b5edada928b0a9e5898b5c4d2
              • Instruction ID: 609a7137c323b4780522a9f7df0c9f68a0d610301ce3cecb3b87524c1b81430b
              • Opcode Fuzzy Hash: d12ac023e1c6465c1b008624645d731268cb319b5edada928b0a9e5898b5c4d2
              • Instruction Fuzzy Hash: DD8116B15083448FD310DF28C48479BBBE0BB89358F158D2EF8D987350D7B9D9888B8A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetLogicalDriveStringsA.KERNEL32 ref: 0040742E
              • GetDriveTypeA.KERNEL32 ref: 0040744E
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: Drive$LogicalStringsType
              • String ID:
              • API String ID: 1630765265-0
              • Opcode ID: 766f53f209f0bedd860bbe2abfa9c45f6e00727fa1c7e75e00f0ed1673c1bc08
              • Instruction ID: ec7d3aced5cca68eafedd55e2b0f4d2685d75ffe17e4e88921a52428ffeb24a7
              • Opcode Fuzzy Hash: 766f53f209f0bedd860bbe2abfa9c45f6e00727fa1c7e75e00f0ed1673c1bc08
              • Instruction Fuzzy Hash: 211151B190C3809AE721AF28D48539ABFE0AF84358F05892EF8C557245D2BD94889B97
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • recv.WS2_32 ref: 00407072
              • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,004070F8), ref: 00407095
                • Part of subcall function 00406900: shutdown.WS2_32 ref: 0040691D
                • Part of subcall function 00406900: closesocket.WS2_32 ref: 0040692A
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: ErrorLastclosesocketrecvshutdown
              • String ID:
              • API String ID: 1486353823-0
              • Opcode ID: 0d7f8df3f72c61056f4e43e24d108096f18c338989ce50fcc83e34dcc212278b
              • Instruction ID: 7e666f86b749f409cf823d99ab4fd5a07cac91e9d381686b68589a0d01e354ed
              • Opcode Fuzzy Hash: 0d7f8df3f72c61056f4e43e24d108096f18c338989ce50fcc83e34dcc212278b
              • Instruction Fuzzy Hash: 6EF0E774A087444BD700EF39C54521A76E0AB88328F854A6EE898D7391E23CD6948A47
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 1953f6b418fd24431a0c75016562caf048ad0b1c0051c3561efc605ddad96590
              • Instruction ID: 253b73397eb4d009a70c3da27fbc1d5c5bfb649881e26866289a7d5a0e173934
              • Opcode Fuzzy Hash: 1953f6b418fd24431a0c75016562caf048ad0b1c0051c3561efc605ddad96590
              • Instruction Fuzzy Hash: 9722A677B447194BCB1CDEA5DC911D5B3E2FB88210B0AC13C9E16D7705EBB8BA1A86C4
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: |
              • API String ID: 0-2343686810
              • Opcode ID: 3656e70d12ee28340c9747b36516bcd92df743ee1b5561340b752923ac661184
              • Instruction ID: 3f506982c68fb25ff58ac028284780d931a23e12a90ffcb2c28cbf894bfbc3a0
              • Opcode Fuzzy Hash: 3656e70d12ee28340c9747b36516bcd92df743ee1b5561340b752923ac661184
              • Instruction Fuzzy Hash: 920224B2B043250BE71C5869C8A83E7B6C19BD4350F49463ECF89A73C2E6BD9C45D2C8
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: keybd_event
              • String ID:
              • API String ID: 2665452162-0
              • Opcode ID: 257c66ec35e9e79c7ec7175fcd49a90c84f2b35b6fb02ec41739fb578036b44f
              • Instruction ID: 8843d17267e8bdbd0270007df3b3aee6676eec7fb323226eb1270624aa876780
              • Opcode Fuzzy Hash: 257c66ec35e9e79c7ec7175fcd49a90c84f2b35b6fb02ec41739fb578036b44f
              • Instruction Fuzzy Hash: C1D0E9B58087545AD700BF29C15A32ABEE0BB84308F85899DE8D846256E27E82589F97
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8d2b0347f6652eaca22ee7bdf749a20fc61dd75c92ab03947f0f8320c6e4b07a
              • Instruction ID: 97c4e50c214c2aeb39b38864cfea2f294096cbbc012730bc9b2746aabf7f3d19
              • Opcode Fuzzy Hash: 8d2b0347f6652eaca22ee7bdf749a20fc61dd75c92ab03947f0f8320c6e4b07a
              • Instruction Fuzzy Hash: 44D1CB31A043B04BD340DF2EDC844A6F7E1AB99211B8ACA7EED9457362C634E916D7D4
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: faa6d00f6e85c410fe2fedced35d2820964f3f75eb94c0022f40c1f204396d52
              • Instruction ID: 51d69794d514508a11510dc74c23027117c47c9d4f2a99d5bfd4b052b851042c
              • Opcode Fuzzy Hash: faa6d00f6e85c410fe2fedced35d2820964f3f75eb94c0022f40c1f204396d52
              • Instruction Fuzzy Hash: F1C10635A042A14BC354DF3EDCD00AAF7E1EF89301B49CA7EE9D557392C638A911DBA4
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6f0d64a9b1011d3816496290e49afb394830c5d134eda43cba0151ca2583f4ae
              • Instruction ID: c6c461564a8ae81f195d434b3384b981ffbc3931d03d38e94f2f51a48921c664
              • Opcode Fuzzy Hash: 6f0d64a9b1011d3816496290e49afb394830c5d134eda43cba0151ca2583f4ae
              • Instruction Fuzzy Hash: 7EB18436A142654BC340DF2EDCC44A5F7E1AB59310B8ACA7AED8497362C634EC26D7D8
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 655d45bfb7b6b520a600711c61d9adf80c9e29777fbe4e0cfe4840d812926966
              • Instruction ID: 335fa1c164169b4f65fc3ed2b5b92c2ff5dee02a54a7d1ca15b5bde8516d082c
              • Opcode Fuzzy Hash: 655d45bfb7b6b520a600711c61d9adf80c9e29777fbe4e0cfe4840d812926966
              • Instruction Fuzzy Hash: BF6132789043A58FC750DF2ED4844A6BBE0FB59311B888D7AFD94873A1D334E814DB69
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f5a6a275c557d9957b75f48062fc4cfbfb775fc302826763d0ef7b287585ebb6
              • Instruction ID: 9f821669947cf8e208bb7cb98172f8d9ee1d9c6eea4dc5cdb2727e6acfb4b1be
              • Opcode Fuzzy Hash: f5a6a275c557d9957b75f48062fc4cfbfb775fc302826763d0ef7b287585ebb6
              • Instruction Fuzzy Hash: F5114CBA6106108FC740CF2CD980666B7E0EF58305B65C87EE988CB312D736E812CB84
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00413AE0: malloc.MSVCRT ref: 00413AF0
              • LoadLibraryA.KERNEL32 ref: 0040BAA5
              • GetProcAddress.KERNEL32 ref: 0040BACA
              • GetProcAddress.KERNEL32 ref: 0040BAE7
              • GetProcAddress.KERNEL32 ref: 0040BB04
              • FileTimeToSystemTime.KERNEL32 ref: 0040BBA9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: AddressProc$Time$FileLibraryLoadSystemmalloc
              • String ID: $%$%$%$%$%$%$%$%$%$%$%$.$.$.$.$.$/$/$2$2$2$2$2$:$:$S$S$S$S$d$d$d$d$d$d$l$u
              • API String ID: 3728084834-1159048168
              • Opcode ID: 118e115fbf2ec2a55ef625a633fc9acb04d8e0562b005ce07bac96bab9aae22f
              • Instruction ID: 96a0a8135d8f82c2cbbf00e45f45fb6c15b008b8f887b70a6ded2dbdbf53838e
              • Opcode Fuzzy Hash: 118e115fbf2ec2a55ef625a633fc9acb04d8e0562b005ce07bac96bab9aae22f
              • Instruction Fuzzy Hash: 70B1B27050C7C48AD321AF29C54879BBFE1AF96348F04896EE4C84B382D7B99548CB97
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: Time$LocalSystem
              • String ID: $%$%$%$%$%$%$-$-$.$.$.$.$.$.$2$2$2$2$2$4$:$:$d$d$d$d$d$d
              • API String ID: 1098363292-2341610465
              • Opcode ID: 9fb94c94049f67cb5a3be1079521267e0245445335c423bfb8c9f4ecf7568587
              • Instruction ID: 3a34a91b62ec68920af99d9cdcffc8139af314eb331fb78c97806db6b7c0f7f7
              • Opcode Fuzzy Hash: 9fb94c94049f67cb5a3be1079521267e0245445335c423bfb8c9f4ecf7568587
              • Instruction Fuzzy Hash: 3931827440D3C0C9E322DB69D04871BFFE46BA6748F48589EF5C04A286D6FAC589CB67
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00413AE0: malloc.MSVCRT ref: 00413AF0
                • Part of subcall function 00408BD0: LoadLibraryA.KERNEL32(?,?,?,?,?,?,00414F93), ref: 00408BDA
                • Part of subcall function 00408BF0: GetProcAddress.KERNEL32 ref: 00408C02
              • malloc.MSVCRT ref: 00402A27
              • htons.WS2_32 ref: 00402AB7
              • inet_ntoa.WS2_32 ref: 00402AC7
              • htons.WS2_32 ref: 00402B08
              • inet_ntoa.WS2_32 ref: 00402B18
              • malloc.MSVCRT ref: 00402BF7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: malloc$htonsinet_ntoa$AddressLibraryLoadProc
              • String ID: %s:%u$@$Ed590WYd66XlCnd_4idLCldD$Ed5jf5dRSdSqYsqCVid$Ed5jf5dRSdSuSsqCVid$gzA$iphlpapi.dll$kernel32.dll$psapi.dll
              • API String ID: 1706494821-220619896
              • Opcode ID: b1c5582a7b073aa12d2c794fd34c4e918e737b4eb705cfbfb52a9fc955697af4
              • Instruction ID: 824e91504babdf6e31eb75b5e184fd1fa3b78a72f6b44bbdb3a78911f2bfe4d9
              • Opcode Fuzzy Hash: b1c5582a7b073aa12d2c794fd34c4e918e737b4eb705cfbfb52a9fc955697af4
              • Instruction Fuzzy Hash: 10E193B45087409BD710EF29C18965FBBF0BF84754F01892EE9C897392E779D984CB8A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • malloc.MSVCRT ref: 00401ABB
                • Part of subcall function 004149E0: strlen.MSVCRT ref: 00414A13
              • getenv.MSVCRT ref: 00401C17
                • Part of subcall function 004142B0: _vsnprintf.MSVCRT ref: 004142D4
                • Part of subcall function 00408B40: _beginthreadex.MSVCRT ref: 00408B72
                • Part of subcall function 00408B40: CloseHandle.KERNEL32 ref: 00408B80
              • getenv.MSVCRT ref: 004024D7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: getenv$CloseHandle_beginthreadex_vsnprintfmallocstrlen
              • String ID: %$%$%$%$%$.$TEMP$\$\$s$s$s$s$s
              • API String ID: 158340558-726152300
              • Opcode ID: d6f8dde2864a40153136ce778c6358c8e53e337316036045dc0aa7cfcb00769b
              • Instruction ID: 780f69211fa895d5fa94552aa46486404d3ac62203b46dc2202c40ffc15864bc
              • Opcode Fuzzy Hash: d6f8dde2864a40153136ce778c6358c8e53e337316036045dc0aa7cfcb00769b
              • Instruction Fuzzy Hash: C65174B040D7819AE311AF25C54879AFFE0BF84748F04895EE5D887282D7BD91889B9B
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: Value$Close$Open$DeleteQuery$Createcalloc
              • String ID: ?
              • API String ID: 314794983-1684325040
              • Opcode ID: dcfc1d9412ae884dab0a25bac9c2d63284d8ce174f0a421f87b575d1d9292794
              • Instruction ID: e3f2abe2c274c3059b3f30d5762ee56c2c8371fd3807c3f0b4660d36b9969644
              • Opcode Fuzzy Hash: dcfc1d9412ae884dab0a25bac9c2d63284d8ce174f0a421f87b575d1d9292794
              • Instruction Fuzzy Hash: 83C192B0509341AFD750EF69C28465BFBE4BF84744F418D2EF89887341E7B9D9888B86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • getenv.MSVCRT ref: 0041294F
                • Part of subcall function 004142B0: _vsnprintf.MSVCRT ref: 004142D4
                • Part of subcall function 00407EB0: GetFileAttributesA.KERNEL32 ref: 00407EBA
              • CreatePipe.KERNEL32 ref: 004129FB
              • CreatePipe.KERNEL32 ref: 00412A2A
              • GetStartupInfoA.KERNEL32 ref: 00412A3D
              • CreateProcessA.KERNEL32 ref: 00412ABA
              • CloseHandle.KERNEL32 ref: 00412AD3
              • PeekNamedPipe.KERNEL32 ref: 00412B47
              • CloseHandle.KERNEL32 ref: 00412B78
              • CloseHandle.KERNEL32 ref: 00412B88
              • TerminateProcess.KERNEL32 ref: 00412B9F
              • CloseHandle.KERNEL32 ref: 00412AE2
                • Part of subcall function 00406D60: EnterCriticalSection.KERNEL32 ref: 00406D8A
                • Part of subcall function 00406D60: send.WS2_32 ref: 00406E3A
                • Part of subcall function 00406D60: WSAGetLastError.WS2_32 ref: 00406E49
                • Part of subcall function 00406D60: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000003,?,00406FE7), ref: 00406E60
              • getenv.MSVCRT ref: 00412C17
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: CloseHandle$CreatePipe$CriticalProcessSectiongetenv$AttributesEnterErrorFileInfoLastLeaveNamedPeekStartupTerminate_vsnprintfsend
              • String ID: D
              • API String ID: 3631463726-2746444292
              • Opcode ID: 5cc898af186a12920982b6ff967f006247b6d4564aaadffe2d42b8c9f46b6a74
              • Instruction ID: 11c6307d225b3adac28f801ad80820a9cb30ddcf42f45134e71721bd706a1115
              • Opcode Fuzzy Hash: 5cc898af186a12920982b6ff967f006247b6d4564aaadffe2d42b8c9f46b6a74
              • Instruction Fuzzy Hash: 399190B05083409BD710EF69C18579FBBE0AF84358F01892EE5D887391E7B9D498CB8B
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: fclose$fopen$callocfreadfree
              • String ID: }A
              • API String ID: 2353572724-1825783036
              • Opcode ID: 44fc3c08fa3ae9dfb6a69d571c344d566449d95e76faa51bfa8980a16bd3e108
              • Instruction ID: 0408b534fde7f460ff78fd18612ccd19e43f49938c9279c70b0037427efe1f8b
              • Opcode Fuzzy Hash: 44fc3c08fa3ae9dfb6a69d571c344d566449d95e76faa51bfa8980a16bd3e108
              • Instruction Fuzzy Hash: 1D31EB7590D7158FC700AF26D58525EFBE4EF84358F02882FE8C887342E63DE8858B86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 00410FD9
              • Process32First.KERNEL32 ref: 0041100B
              • CloseHandle.KERNEL32 ref: 004112C7
                • Part of subcall function 00413AE0: malloc.MSVCRT ref: 00413AF0
                • Part of subcall function 00408BD0: LoadLibraryA.KERNEL32(?,?,?,?,?,?,00414F93), ref: 00408BDA
                • Part of subcall function 00408BF0: GetProcAddress.KERNEL32 ref: 00408C02
              • OpenProcess.KERNEL32(?), ref: 00411198
              • GetProcessTimes.KERNEL32 ref: 004111E6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: Process$AddressCloseCreateFirstHandleLibraryLoadOpenProcProcess32SnapshotTimesToolhelp32malloc
              • String ID: $
              • API String ID: 3088964457-227171996
              • Opcode ID: fca2c387ab6f97d2a0a357e2bb25faff9dac99cbcbf7f0d7dea9569a45bff624
              • Instruction ID: 3683d1d7321218b32d5661fda82e066eb0b39a85db28d98ad0f7e55a5853282e
              • Opcode Fuzzy Hash: fca2c387ab6f97d2a0a357e2bb25faff9dac99cbcbf7f0d7dea9569a45bff624
              • Instruction Fuzzy Hash: D291B2B49093419AD710AF66C1852AFBBE4AF84744F418D2EF9C887352E77CD988CB47
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: recv$connecthtonsselectsendsocket
              • String ID:
              • API String ID: 4009471611-0
              • Opcode ID: d987eee3dc560ca767a335011884104430ac101fb8c585d02330f2a72d444780
              • Instruction ID: 1738cfc3be5efdd37c792d5924aaa3cfdd44fce956832a1c0709617aff05bc42
              • Opcode Fuzzy Hash: d987eee3dc560ca767a335011884104430ac101fb8c585d02330f2a72d444780
              • Instruction Fuzzy Hash: 9281A1B45093409FD710EF29C18979ABBE4AF84708F418D1EF8D88B295E7B9D588CB47
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: CloseOpenfclosefopenfread
              • String ID: $/$K$L$R
              • API String ID: 975277256-2977038367
              • Opcode ID: 120c4980ab583d1e5569d92c140d7340685ecaf804a68a538ff83bb213821709
              • Instruction ID: 37e758aef5509e0e304816d139887ed2a029794013afa7a11117c5657b9a5718
              • Opcode Fuzzy Hash: 120c4980ab583d1e5569d92c140d7340685ecaf804a68a538ff83bb213821709
              • Instruction Fuzzy Hash: 33C1F2B08083909ED720DF29C48466BFBE1AFC5344F04893EE9D897392E779D549CB86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: socket
              • String ID:
              • API String ID: 98920635-0
              • Opcode ID: cc2e10a41993b8713f2ba603fec02fea51fe5b0a57bab0e4f2e43146e4a02017
              • Instruction ID: 5ec384563f30eb6e4e9bae99310346f5ec85169a32784c1d778e538543e57d51
              • Opcode Fuzzy Hash: cc2e10a41993b8713f2ba603fec02fea51fe5b0a57bab0e4f2e43146e4a02017
              • Instruction Fuzzy Hash: 6E71E5B19083409FD710AF29C5857ABBBF0AF84388F11892EF4D897391D7B9D8958B47
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: mallocrecvselectsend
              • String ID:
              • API String ID: 3540711034-0
              • Opcode ID: 88e38ea4e1258f5f3bfbc705facb9b6e3eef6a217f89d5b6c7f1f3094296ff50
              • Instruction ID: 3afeaded34d95688b370d9fdc54bec7ebe14d3cd787fc03d0ff3a8fc6cf24bc6
              • Opcode Fuzzy Hash: 88e38ea4e1258f5f3bfbc705facb9b6e3eef6a217f89d5b6c7f1f3094296ff50
              • Instruction Fuzzy Hash: 6561F6B15087459FD720EF79D68939ABBF0AF84308F11892EE89CC3340E7B9D4959B46
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • EnterCriticalSection.KERNEL32 ref: 00406D8A
                • Part of subcall function 00406C70: select.WS2_32 ref: 00406CC9
              • send.WS2_32 ref: 00406E3A
              • WSAGetLastError.WS2_32 ref: 00406E49
              • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000003,?,00406FE7), ref: 00406E60
              • malloc.MSVCRT ref: 00406E8D
              • strlen.MSVCRT ref: 00406ED3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: CriticalSection$EnterErrorLastLeavemallocselectsendstrlen
              • String ID: <
              • API String ID: 342982654-4251816714
              • Opcode ID: 6b604a12cf123e9b456ad6bbc55d084c5bac939ae44457bb9b6248daa5ffe686
              • Instruction ID: 9d5447a2f3ede1b8b0597d616ebb0371f25c1f8337b619142e55ef3f3280511d
              • Opcode Fuzzy Hash: 6b604a12cf123e9b456ad6bbc55d084c5bac939ae44457bb9b6248daa5ffe686
              • Instruction Fuzzy Hash: C64160B5A08305CFC710AF69D48425ABBE0AF44314F06853FE9A997382D77D98548B9B
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: strlen$htonsrecvselectsend
              • String ID: Z
              • API String ID: 2614828971-1505515367
              • Opcode ID: d544cf2bae33b119ec993427ae15135ab6af507724c84694186baf3e55a40cca
              • Instruction ID: 778d83cc24f0e46e33c5c377c48470763d98fec0822e0760ce4cca3bec5a5eb3
              • Opcode Fuzzy Hash: d544cf2bae33b119ec993427ae15135ab6af507724c84694186baf3e55a40cca
              • Instruction Fuzzy Hash: DD41D5B450C7809BD721AF25D58939FBBE4BF84708F418C2EE8C887251D7B9D5888B97
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: CloseEnumOpenValue
              • String ID:
              • API String ID: 4012628704-0
              • Opcode ID: e9ca8d73938a5350f41ed4ca9b885910452ce2dce0bcfa023a4d83bbfab6390f
              • Instruction ID: 6cc8a9d151994a97811e403deca94e82df6ef4fcbd7d225d2f31f25bea636be2
              • Opcode Fuzzy Hash: e9ca8d73938a5350f41ed4ca9b885910452ce2dce0bcfa023a4d83bbfab6390f
              • Instruction Fuzzy Hash: E0C19EB09093419FD710EF69C64429BBBE4BF88744F508D2EF99487250E7B9D988CB86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: File$CloseHandle$CreateLocalPointerTimeWrite
              • String ID: C:\Users\user\AppData\Roaming\Logs\
              • API String ID: 135652592-2342584341
              • Opcode ID: 009d9970165136dfe75479b87bdfd6be78fdfc5e649b028408434286e91ab2e2
              • Instruction ID: bd2560e18e5c473abd3edcc5763fef0ceca2773bbe9c66f4e0f9c13d182b8030
              • Opcode Fuzzy Hash: 009d9970165136dfe75479b87bdfd6be78fdfc5e649b028408434286e91ab2e2
              • Instruction Fuzzy Hash: A25116B04083008BC710AF69D44526BBBF1AB84358F118A2EF5E5873D1E77D9889DB9B
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: StateVirtual$AsciiNameText
              • String ID: $
              • API String ID: 549327720-227171996
              • Opcode ID: 86fa092a612055f41d1f231e575a5147586cb42e177b5421198e0b1261581704
              • Instruction ID: 7a112b08f381bfbd57b6ec573e2e0d53fe677a17af50379cc0b98e53db52cf57
              • Opcode Fuzzy Hash: 86fa092a612055f41d1f231e575a5147586cb42e177b5421198e0b1261581704
              • Instruction Fuzzy Hash: 1A1106B18087119AD700BF25C58939FBAE0FF84744F42C92EE8D897241E779D5899BCB
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: fclosefsetpos$fgetposfopenfreadmallocrealloc
              • String ID:
              • API String ID: 2851980312-0
              • Opcode ID: d6a355e1e6903570ea38de7c4a4f9f08a20507acf691c3c3a15f729755aa9c00
              • Instruction ID: 4c9a12a5964198182a0a671c20afb577896782fbf52e5144d1b24d29e0d92f4d
              • Opcode Fuzzy Hash: d6a355e1e6903570ea38de7c4a4f9f08a20507acf691c3c3a15f729755aa9c00
              • Instruction Fuzzy Hash: D531F9B050D3119BD710AF26C68435BBBF4AF94748F01892EE4C8D7381EB79D884CB86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: AddressProc$Library$FreeLoad
              • String ID:
              • API String ID: 2449869053-0
              • Opcode ID: 9df97b9a848fc11ec61dad588ccb58813a1c5e8ddfb69370ff21a94d42869808
              • Instruction ID: c98fd12d71d8aae6e04fac90b4cc3339e326e0fda5e9eef2d83bec07ca442463
              • Opcode Fuzzy Hash: 9df97b9a848fc11ec61dad588ccb58813a1c5e8ddfb69370ff21a94d42869808
              • Instruction Fuzzy Hash: C32128F1E15601CEC700FF79A98669A3FE1AB40344F45C93ED8849B350EB79E4849B4E
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: FileModuleName
              • String ID: sA$C:\Users\user\AppData\Roaming\Logs\$O~A
              • API String ID: 514040917-666522140
              • Opcode ID: 967b6d89ed0207373a4729bfdca4463ef26f800dcd0228e4883af6337781d473
              • Instruction ID: fbdd4c152aeb4cec933760ba89a10c24b1b86b5e31d2cd7ecd5a59d5e9584e19
              • Opcode Fuzzy Hash: 967b6d89ed0207373a4729bfdca4463ef26f800dcd0228e4883af6337781d473
              • Instruction Fuzzy Hash: 5E71D6B180C7009AD710BF55D4852AEBBE0AF84748F01886FE9C56B282C7BD94C5DB9B
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegEnumValueA.ADVAPI32 ref: 00411FA4
                • Part of subcall function 004142B0: _vsnprintf.MSVCRT ref: 004142D4
              • RegQueryValueExA.ADVAPI32 ref: 0041212F
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: Value$EnumQuery_vsnprintf
              • String ID:
              • API String ID: 1581506651-0
              • Opcode ID: 032804fb7d15152fe87d2dd5475635c93938c98ffe96da8c71eb41a089048330
              • Instruction ID: e2db9a587d88d986e76e3dfe867541584b57ee5379580fecd31c08f193c13435
              • Opcode Fuzzy Hash: 032804fb7d15152fe87d2dd5475635c93938c98ffe96da8c71eb41a089048330
              • Instruction Fuzzy Hash: 1E7149B09093419BD710EF29C65439BFBF4BF88744F508D1EF99487250E7B9D9888B86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: Value$EnumQuery
              • String ID:
              • API String ID: 1576479698-0
              • Opcode ID: ff09d234048877d13f5b64edcc690e51faaed52ec74d4c1a29648752e1b8cecd
              • Instruction ID: f5ce57b162db5aa0f9bd5864aba91a746dabc0761ae6b92578e37f6c0b75741e
              • Opcode Fuzzy Hash: ff09d234048877d13f5b64edcc690e51faaed52ec74d4c1a29648752e1b8cecd
              • Instruction Fuzzy Hash: BE7149B09093419BD710EF29C65439BFBF4AF88744F508D1EF99487250E7B9D9888B86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegDeleteKeyA.ADVAPI32 ref: 00411C9F
                • Part of subcall function 004142B0: _vsnprintf.MSVCRT ref: 004142D4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: Delete_vsnprintf
              • String ID: @
              • API String ID: 2236851195-2766056989
              • Opcode ID: 9d2e135685c12aa74ae09c5e9899e7d05da0139c0b2af1b9c7119cd29eba3b66
              • Instruction ID: 7eb8f24725227facece891ce6deeb04e663456007d48e891ae69a2a66444f10e
              • Opcode Fuzzy Hash: 9d2e135685c12aa74ae09c5e9899e7d05da0139c0b2af1b9c7119cd29eba3b66
              • Instruction Fuzzy Hash: 3A4107B15083048FD710EF2AD58839BFBE0ABC8358F10892EE59887350D379D688CB97
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: getenv$AttributesFile_vsnprintffclosefopenfreadmalloc
              • String ID:
              • API String ID: 3413689201-0
              • Opcode ID: 18fda11c7da042cc550c479e34ecf5c0d78a636cb2852b14567da7b55b707b29
              • Instruction ID: 82e0c317d399a7eaf1732ea2fa073a8ec4ad34c9a14c4c565afaeeed754366c7
              • Opcode Fuzzy Hash: 18fda11c7da042cc550c479e34ecf5c0d78a636cb2852b14567da7b55b707b29
              • Instruction Fuzzy Hash: 4A31D9B050C7019FD700AF65D58526EFBE4AF94348F02886EE4C49B392EB7CD485DB9A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: Sleeprecvselectsend
              • String ID:
              • API String ID: 518705664-0
              • Opcode ID: cc91afba2d59bb12db6d833627a208658a36802fcca9ecc7cf4f8748d13bac40
              • Instruction ID: 6c983014703ea0194a52a75756f26fbf26c375f7f8407a6dca76a25fa37f9c20
              • Opcode Fuzzy Hash: cc91afba2d59bb12db6d833627a208658a36802fcca9ecc7cf4f8748d13bac40
              • Instruction Fuzzy Hash: C74185B15087409BD720EF39D68939ABAF0AF88304F51892EE898C7341E7B9D4959B46
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: fclose$fopenfread
              • String ID: }A$MZ
              • API String ID: 3873288765-3734752965
              • Opcode ID: 2e03ab8fbb6e0daaa4a731aff21a77a8954a7388c79a68bfd6d7f794dfeb350c
              • Instruction ID: 85fa830b7530112738aa4bdc7e01cf51e275effbb73953bf96fafdd9e6f4a6b2
              • Opcode Fuzzy Hash: 2e03ab8fbb6e0daaa4a731aff21a77a8954a7388c79a68bfd6d7f794dfeb350c
              • Instruction Fuzzy Hash: B7F012B560D3509BDB10EF65A58519BFAE0AB44354F02882FF5C4C7341E639D8C4CB86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: malloc$strlen
              • String ID: :$@
              • API String ID: 832207080-1367939426
              • Opcode ID: 48bf4e5f90d5a5dc35be2c169d6a4eb915b8ceeb5cb984f5020c6838b4af8fa4
              • Instruction ID: 320e8a23b6d60a8e3530f9061976e5f73403f8a8a144ea0217e99b5035913f73
              • Opcode Fuzzy Hash: 48bf4e5f90d5a5dc35be2c169d6a4eb915b8ceeb5cb984f5020c6838b4af8fa4
              • Instruction Fuzzy Hash: 9A51D7B09093049FD310EF66D48529ABBE4FF84748F41882EE9D887352D77DA589CF4A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: recvsend$htonsstrlen
              • String ID:
              • API String ID: 3106893768-0
              • Opcode ID: 080534a14c34ed3c688949e457934d3bd201a7ba418427617ac8e292f485c63f
              • Instruction ID: fd5e114baa45020d495021e0d219a6262c1dea596646f43758e90ea51f543c93
              • Opcode Fuzzy Hash: 080534a14c34ed3c688949e457934d3bd201a7ba418427617ac8e292f485c63f
              • Instruction Fuzzy Hash: 74413DB140C3919AD710AF29D54539FBFE0AF84308F058C1EE4C957282D779D698CB97
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • recv.WS2_32 ref: 0041312D
              • recv.WS2_32 ref: 00413164
              • htons.WS2_32 ref: 004131B4
                • Part of subcall function 00406070: gethostbyname.WS2_32 ref: 00406080
                • Part of subcall function 00406070: htons.WS2_32 ref: 004060C2
              • socket.WS2_32 ref: 004131F6
              • connect.WS2_32 ref: 0041321E
              • send.WS2_32 ref: 00413251
                • Part of subcall function 00412D40: malloc.MSVCRT ref: 00412D51
                • Part of subcall function 00412D40: select.WS2_32 ref: 00412DF8
                • Part of subcall function 00412D40: __WSAFDIsSet.WS2_32 ref: 00412E1C
                • Part of subcall function 00412D40: __WSAFDIsSet.WS2_32 ref: 00412E3A
                • Part of subcall function 00412D40: __WSAFDIsSet.WS2_32 ref: 00412E58
                • Part of subcall function 00412D40: recv.WS2_32 ref: 00412E8A
                • Part of subcall function 00412D40: send.WS2_32 ref: 00412EC8
                • Part of subcall function 00412D40: __WSAFDIsSet.WS2_32 ref: 00412EFB
              • recv.WS2_32 ref: 00413288
              • send.WS2_32 ref: 00413320
              • send.WS2_32 ref: 00413362
              • send.WS2_32 ref: 00413392
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: send$recv$htons$connectgethostbynamemallocselectsocket
              • String ID:
              • API String ID: 1005117442-0
              • Opcode ID: 2fffc88721347fbf2a807189023ff825c872598b151b1ffd945d297bc6591ffb
              • Instruction ID: 474d7ff942a44d711838af954ac6c7d2f539dc384a1ddbca144a82a1b8c0c05b
              • Opcode Fuzzy Hash: 2fffc88721347fbf2a807189023ff825c872598b151b1ffd945d297bc6591ffb
              • Instruction Fuzzy Hash: 1031B2B44093009ED700EF29D1857AABBE0AF84308F418A1EF8D88B255D7B9D588DB87
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: File$AttributesOperationcallocfreememcpystrlen
              • String ID:
              • API String ID: 2466659502-0
              • Opcode ID: 2b00e2a8b0a37e26bf85164fc3307e07a4b7d3516d94b75d375a40cc7a3f27ee
              • Instruction ID: fdf34fd399e660fa2ba6c95ce5da6d1637b22bf6741781889e55062f5465c31d
              • Opcode Fuzzy Hash: 2b00e2a8b0a37e26bf85164fc3307e07a4b7d3516d94b75d375a40cc7a3f27ee
              • Instruction Fuzzy Hash: 5D110DB251C3104AD700BF69D58539FBAE0EF84328F15492EE4C897381E77D95898B8B
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00414F70: getenv.MSVCRT ref: 00414FBE
                • Part of subcall function 00414EF0: gethostname.WS2_32 ref: 00414F1B
                • Part of subcall function 00415150: GetVersionExA.KERNEL32 ref: 0041518F
                • Part of subcall function 00415150: GetSystemMetrics.USER32 ref: 0041523F
                • Part of subcall function 004142B0: _vsnprintf.MSVCRT ref: 004142D4
                • Part of subcall function 00415390: GetTickCount.KERNEL32 ref: 004153C2
                • Part of subcall function 00408880: GetModuleFileNameA.KERNEL32 ref: 0040889C
                • Part of subcall function 00408FC0: GetLocalTime.KERNEL32 ref: 00408FF7
              • getenv.MSVCRT ref: 0041573C
              • getenv.MSVCRT ref: 0041574F
                • Part of subcall function 00414240: _vscprintf.MSVCRT ref: 00414255
                • Part of subcall function 00414240: calloc.MSVCRT ref: 0041426C
                • Part of subcall function 00414240: _vsnprintf.MSVCRT ref: 0041428A
                • Part of subcall function 00406D60: EnterCriticalSection.KERNEL32 ref: 00406D8A
                • Part of subcall function 00406D60: send.WS2_32 ref: 00406E3A
                • Part of subcall function 00406D60: WSAGetLastError.WS2_32 ref: 00406E49
                • Part of subcall function 00406D60: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000003,?,00406FE7), ref: 00406E60
                • Part of subcall function 00408BA0: free.MSVCRT ref: 00408BB1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: getenv$CriticalSection_vsnprintf$CountEnterErrorFileLastLeaveLocalMetricsModuleNameSystemTickTimeVersion_vscprintfcallocfreegethostnamesend
              • String ID: $@tA$C:\Users\user\AppData\Roaming\Logs\
              • API String ID: 654636669-43763068
              • Opcode ID: 0e4f074f8ff66c6dfc511ce142009815966d483aa904d061e59a395ae96ffb03
              • Instruction ID: 30800e052284e2a412ce5f38aad38b891c09875b22338b23afc4dee832911476
              • Opcode Fuzzy Hash: 0e4f074f8ff66c6dfc511ce142009815966d483aa904d061e59a395ae96ffb03
              • Instruction Fuzzy Hash: 6D718BB49087849FD320EF65C18469EFBE0AFC8348F50892EE5D887351D77895898F97
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00406070: gethostbyname.WS2_32 ref: 00406080
                • Part of subcall function 00406070: htons.WS2_32 ref: 004060C2
              • send.WS2_32 ref: 004062D1
              • select.WS2_32 ref: 00406337
              • __WSAFDIsSet.WS2_32 ref: 00406355
              • recv.WS2_32 ref: 00406383
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: gethostbynamehtonsrecvselectsend
              • String ID: Z
              • API String ID: 3406712544-1505515367
              • Opcode ID: 4cad56574baa9241a7ee56c842dd62932cfe7c1286437da1b4dcfb1829834a3d
              • Instruction ID: 4feca3826c962e3c47ddb72112c3bbea4fce81701a968678238cfd5e3bc0a671
              • Opcode Fuzzy Hash: 4cad56574baa9241a7ee56c842dd62932cfe7c1286437da1b4dcfb1829834a3d
              • Instruction Fuzzy Hash: C94192B4509340AEE710EF25D58979BBBE0AF85308F418C6EE8C897341E37AD5988B57
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: recvselectsend
              • String ID: Z
              • API String ID: 3514348486-1505515367
              • Opcode ID: 96dc7f00861427ff32b04b7be45782f791bc05bd5e67dc6ef3a20d7e184f0971
              • Instruction ID: bab3b30927078cb1ddc7c5397370e633a14f928b1f74b9e2799d8ec6a1c8f425
              • Opcode Fuzzy Hash: 96dc7f00861427ff32b04b7be45782f791bc05bd5e67dc6ef3a20d7e184f0971
              • Instruction Fuzzy Hash: FE31A2B44093809EE710EF25D58939BBBE0BF85708F418C6EE8C897341D3BAD5988B47
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RegOpenKeyExA.ADVAPI32 ref: 00411E27
              • RegEnumKeyExA.ADVAPI32 ref: 00411E8C
              • RegCloseKey.ADVAPI32 ref: 00411EE7
                • Part of subcall function 004142B0: _vsnprintf.MSVCRT ref: 004142D4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: CloseEnumOpen_vsnprintf
              • String ID: @$@
              • API String ID: 2247870055-149943524
              • Opcode ID: 8203e84d2d432e7cf134987673214164e9df676925325f7b0c156df5a5c2cc61
              • Instruction ID: 7defacda34d79bf4f383f2e6c7c8ab184948a2e7a70ffee2219e14ba76117f65
              • Opcode Fuzzy Hash: 8203e84d2d432e7cf134987673214164e9df676925325f7b0c156df5a5c2cc61
              • Instruction Fuzzy Hash: E521F4B15083419FD710EF6AC48439BBBE4AB84358F00892EE99897250D379D5898F87
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: CloseHandle$CreateProcess
              • String ID: D$D
              • API String ID: 2922976086-143366177
              • Opcode ID: ce21638969cdfdb60707b5a8a367188f0c1bc5859266e7dc0dd1022471604759
              • Instruction ID: 8d68f1bf846eb382954540d2dfcda2d908fca08fe2a98eb40890928ec37ba40c
              • Opcode Fuzzy Hash: ce21638969cdfdb60707b5a8a367188f0c1bc5859266e7dc0dd1022471604759
              • Instruction Fuzzy Hash: 7521CEB49093409EE310EF25D58875BBBF0AF84708F11892EE99887281D7B9D5888F87
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • fopen.MSVCRT ref: 00415E19
              • fgetpos.MSVCRT ref: 00415E5A
                • Part of subcall function 004158E0: fclose.MSVCRT ref: 004158F8
              • fopen.MSVCRT ref: 00416272
                • Part of subcall function 00408C30: fsetpos.MSVCRT ref: 00408C68
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: fopen$fclosefgetposfsetpos
              • String ID:
              • API String ID: 2935428632-0
              • Opcode ID: 00778b8561ba04344850e081f9d4848a1f2073158400be9097ff5a9086b7b947
              • Instruction ID: eccbfaf677e8e2e1745f5c3fc6820c765b362ab31e420c38e9a6f93a425d6049
              • Opcode Fuzzy Hash: 00778b8561ba04344850e081f9d4848a1f2073158400be9097ff5a9086b7b947
              • Instruction Fuzzy Hash: 71E12C745097419FC324DF65C1987AABBE1BF88304F15897EE49987352D738D8818F46
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: fclosefwriterecv$fopen
              • String ID:
              • API String ID: 3111182090-0
              • Opcode ID: d50af286c53e4d4bb03e9e96882110676917c4242fce55724d65f3b8b9b69078
              • Instruction ID: 4175ecfa2b5a00874e7fa84cf7a34cf9ddd81c274cfd000223d1f469d2f61392
              • Opcode Fuzzy Hash: d50af286c53e4d4bb03e9e96882110676917c4242fce55724d65f3b8b9b69078
              • Instruction Fuzzy Hash: A43107B15083409ED710AF29C5843ABBBE0AF84348F05892EF8D997381D7B9D8858B47
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: getenv$_vsnprintffclosefopenfwrite
              • String ID:
              • API String ID: 3159630692-0
              • Opcode ID: e2cbfad8009a2c04514242a6336467951f8a299174ef6bc9dcaf7c22b231f246
              • Instruction ID: ebd2894e2c69a570ed5eac3a54861c4e854d949df915eaaf9bb0b6637666f45c
              • Opcode Fuzzy Hash: e2cbfad8009a2c04514242a6336467951f8a299174ef6bc9dcaf7c22b231f246
              • Instruction Fuzzy Hash: 5231D4B550D7409FD310AF65D48529EBBE4AF84358F01CC2EE4D887342D77C85888F9A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: QueryValue$CloseOpen$Enum_vsnprintf
              • String ID:
              • API String ID: 3738255988-0
              • Opcode ID: 77732c1f24c3d66d83b35fb9e17d6b772ba5429fba8b04f3d43b2d7b26737e76
              • Instruction ID: 7e8c3162260614c09e7e5ea78c75e252becb97866253bc9afc36bafd1f9a71ea
              • Opcode Fuzzy Hash: 77732c1f24c3d66d83b35fb9e17d6b772ba5429fba8b04f3d43b2d7b26737e76
              • Instruction Fuzzy Hash: 50319EB0418345CFD310EF66C54839BFBE0BB84308F118D2EE89897281E7B9D5898F86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: QueryValue$CloseOpencalloc
              • String ID:
              • API String ID: 2181437829-0
              • Opcode ID: a7acfad0c3ffde6c2763764348cbd10c2458e5a3df18f499c74a602f8c924cff
              • Instruction ID: 5c834e190d77697839394bb20ed56bc58be89c9513be7994af6b1f406887c0fc
              • Opcode Fuzzy Hash: a7acfad0c3ffde6c2763764348cbd10c2458e5a3df18f499c74a602f8c924cff
              • Instruction Fuzzy Hash: 3021B4B09093018BD700EF29D58575BBBE0BF88748F01892EE8D897311E379DA84CF86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: fclose$free$freadfwrite
              • String ID:
              • API String ID: 4290617892-0
              • Opcode ID: 23296cebd285c30a05ef662138f99a0bd866c38d903c224b4ad39b20873e3976
              • Instruction ID: 419ec76e99f40306215be8eb5320d1f54d14990e60ca9c3cbbd985319fa96b20
              • Opcode Fuzzy Hash: 23296cebd285c30a05ef662138f99a0bd866c38d903c224b4ad39b20873e3976
              • Instruction Fuzzy Hash: 3101C2B59097159FD710AF19D08125EF7E4EF84358F02882FE8D897341D779A8858B86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00407EB0: GetFileAttributesA.KERNEL32 ref: 00407EBA
                • Part of subcall function 00408AA0: fopen.MSVCRT ref: 00408AB6
                • Part of subcall function 00408AA0: fread.MSVCRT ref: 00408ADC
                • Part of subcall function 00408AA0: fclose.MSVCRT ref: 00408AE9
              • CreateProcessA.KERNEL32 ref: 0041653B
              • ResumeThread.KERNEL32 ref: 00416566
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: AttributesCreateFileProcessResumeThreadfclosefopenfread
              • String ID: D
              • API String ID: 1412337596-2746444292
              • Opcode ID: 4df731e5dc4cf443cd32dc67811e079416e19c549d8e0066188e1f9b03ae0836
              • Instruction ID: 2e3769b39a33d987c7143b16364ba9ba7c51eff55e3b6e138262cb77c0651449
              • Opcode Fuzzy Hash: 4df731e5dc4cf443cd32dc67811e079416e19c549d8e0066188e1f9b03ae0836
              • Instruction Fuzzy Hash: 3541C1B45087449FD710EF25D18939EBBE0BF84308F42886EE4C85B242D7BDD5898B9B
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetDiskFreeSpaceExA.KERNEL32 ref: 004071BB
              • GetDriveTypeA.KERNEL32 ref: 00407218
              • GetVolumeInformationA.KERNEL32 ref: 00407311
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: DiskDriveFreeInformationSpaceTypeVolume
              • String ID: @
              • API String ID: 544750276-2766056989
              • Opcode ID: 07cfe75f9768497a6f570cfaac068c4bb9f923468f9f7b1d116d5016f25e4148
              • Instruction ID: 4b3892258b0338859cb09cbc6b34571504413dd0e7148579214fda4bf1caef49
              • Opcode Fuzzy Hash: 07cfe75f9768497a6f570cfaac068c4bb9f923468f9f7b1d116d5016f25e4148
              • Instruction Fuzzy Hash: 444169B48083459FE310EF25C18438BFBE4BF84748F508D2EE89897250E7B9D5898F86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: fclosefopenfread
              • String ID: }A
              • API String ID: 2679521937-1825783036
              • Opcode ID: 173eaedf90ece9ae82a0f34dc2e154b0f2dc6cbc14e5c5dae78df562b9e09c89
              • Instruction ID: 6c1a2844476e823e9ff81666f4a50ae43ec5bc2d849c620cb53807d9b677e4b5
              • Opcode Fuzzy Hash: 173eaedf90ece9ae82a0f34dc2e154b0f2dc6cbc14e5c5dae78df562b9e09c89
              • Instruction Fuzzy Hash: D3214D7550D7449ED320AF25D8817AEBBE0AF84714F01C92EE8C897392DB3DD4888B97
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • malloc.MSVCRT ref: 004015B7
              • getenv.MSVCRT ref: 00401678
                • Part of subcall function 004142B0: _vsnprintf.MSVCRT ref: 004142D4
                • Part of subcall function 00408B40: _beginthreadex.MSVCRT ref: 00408B72
                • Part of subcall function 00408B40: CloseHandle.KERNEL32 ref: 00408B80
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: CloseHandle_beginthreadex_vsnprintfgetenvmalloc
              • String ID: %6\%6.dfd$TEMP
              • API String ID: 32720251-3655689890
              • Opcode ID: cc2855e945a5bedd8b18cbd10d3c7b1b6718a0d33e0daf4f48cd4ba6c1b1c981
              • Instruction ID: 4cdecaa56be3e56f56472a33f0ea66846a33d664b414c9530934c7ee66b388b4
              • Opcode Fuzzy Hash: cc2855e945a5bedd8b18cbd10d3c7b1b6718a0d33e0daf4f48cd4ba6c1b1c981
              • Instruction Fuzzy Hash: 353180F04087419ED310AF66C04539AFBE1BF88748F01882EE5E887251D7B995888F8A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: AttributesFilestrlen
              • String ID: \
              • API String ID: 4289135656-2967466578
              • Opcode ID: 3dd533c084a02abdeaccfbff1a11ed4754c06c0ce0f0477c876c94cb325f7af4
              • Instruction ID: d81fbafdfb93d6b389e2dfdb10c05abffd24249c88044b5e7282e879a19bfa65
              • Opcode Fuzzy Hash: 3dd533c084a02abdeaccfbff1a11ed4754c06c0ce0f0477c876c94cb325f7af4
              • Instruction Fuzzy Hash: 8911C4B18087108AE7206F28EDC43ABBBD0AF80354F15493FD8D4AB38AD73D98458797
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00411C50: RegDeleteKeyA.ADVAPI32 ref: 00411C9F
              • RegEnumKeyExA.ADVAPI32 ref: 00411DB3
              • RegCloseKey.ADVAPI32 ref: 00411DC6
              • RegDeleteKeyA.ADVAPI32 ref: 00411DD5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: Delete$CloseEnum
              • String ID: @
              • API String ID: 3704205641-2766056989
              • Opcode ID: 99b5923fbdd2c06918289c2766b1e0378890943072768d739ede5e9531a807ae
              • Instruction ID: b2eac96957cee4f4e2c1cbbef79a485e8df46f82a2b06d9b6f5d83ae7b99357a
              • Opcode Fuzzy Hash: 99b5923fbdd2c06918289c2766b1e0378890943072768d739ede5e9531a807ae
              • Instruction Fuzzy Hash: 3301D6B15087018BD700AF2AD28535BFBE0BF88748F01892EE98897350D77AD5888F87
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: memcpystrlen$calloc
              • String ID:
              • API String ID: 1064886663-0
              • Opcode ID: 7f28dc8018228759931ba0ba983b2e3e9a065167cf9cba96952d11d1fd83c9ee
              • Instruction ID: 927845e78818d88442d1470dceed03f556548ed66b83bbbcd38a196681229adf
              • Opcode Fuzzy Hash: 7f28dc8018228759931ba0ba983b2e3e9a065167cf9cba96952d11d1fd83c9ee
              • Instruction Fuzzy Hash: EFF01DB15097159BC700AF69C48459AFBE4EF84754F42892EF48CC7301E739E4808B4A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WideCharToMultiByte.KERNEL32 ref: 0040FDE3
              • WideCharToMultiByte.KERNEL32 ref: 0040FE28
              • WideCharToMultiByte.KERNEL32 ref: 0040FE74
              • WideCharToMultiByte.KERNEL32 ref: 0040FF25
                • Part of subcall function 00414240: _vscprintf.MSVCRT ref: 00414255
                • Part of subcall function 00414240: calloc.MSVCRT ref: 0041426C
                • Part of subcall function 00414240: _vsnprintf.MSVCRT ref: 0041428A
                • Part of subcall function 00414310: realloc.MSVCRT ref: 0041437F
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: ByteCharMultiWide$_vscprintf_vsnprintfcallocrealloc
              • String ID:
              • API String ID: 594968963-0
              • Opcode ID: db9aec1ff42db3d5cd918db2bc3584f5bcc96604ab684354938d29dbda5345f3
              • Instruction ID: 6fbcdf29dccf147259426ff8634fff422f5723212564bbd137f6d769f33115ec
              • Opcode Fuzzy Hash: db9aec1ff42db3d5cd918db2bc3584f5bcc96604ab684354938d29dbda5345f3
              • Instruction Fuzzy Hash: 19A1AFB09093459FD710EF29D58879BBBF4BF84354F10892EE89887390E779D5888F86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WideCharToMultiByte.KERNEL32 ref: 0040FDE3
              • WideCharToMultiByte.KERNEL32 ref: 0040FE28
              • WideCharToMultiByte.KERNEL32 ref: 0040FE74
              • WideCharToMultiByte.KERNEL32 ref: 0040FF25
                • Part of subcall function 00414240: _vscprintf.MSVCRT ref: 00414255
                • Part of subcall function 00414240: calloc.MSVCRT ref: 0041426C
                • Part of subcall function 00414240: _vsnprintf.MSVCRT ref: 0041428A
                • Part of subcall function 00414310: realloc.MSVCRT ref: 0041437F
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: ByteCharMultiWide$_vscprintf_vsnprintfcallocrealloc
              • String ID:
              • API String ID: 594968963-0
              • Opcode ID: ba46f447ace3102972dd0a878e7fcc3a52cd228bf17d9e87dae9d16a2765dde2
              • Instruction ID: a65bebd2deabd5a47e345c3ee72c51c58a824a6a7f334516f6af188ebbd23c7f
              • Opcode Fuzzy Hash: ba46f447ace3102972dd0a878e7fcc3a52cd228bf17d9e87dae9d16a2765dde2
              • Instruction Fuzzy Hash: B5817EB49093459FD710EF69D58875BBBF0BF84354F00892EE8A487390E779D5888F86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: _vsnprintffclosefgetsfopengetenv
              • String ID:
              • API String ID: 3106633423-0
              • Opcode ID: fea7a0b38c08f73aaf707cd97b884f86bf34d8f3a7c2bd6e748588769ad17fcf
              • Instruction ID: c37ed729d1a15838e2c4c7d5dd86520eb8ba06292caecd9e6bee63a3161225a7
              • Opcode Fuzzy Hash: fea7a0b38c08f73aaf707cd97b884f86bf34d8f3a7c2bd6e748588769ad17fcf
              • Instruction Fuzzy Hash: B8411BB050C7019BC710AF69D58425EBBE0AF84368F118A2FE4E8973D2D77CC5849B4B
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: Window$Show$MessageSendText
              • String ID:
              • API String ID: 4231609552-0
              • Opcode ID: c8133903086b0f8d97c21994b478eb35b0abb7cb6450226703264030b01fcd31
              • Instruction ID: b6b02ee0af26a2f9f9dba88fbf6b0e06ee2a26dddaec93c5a1e994377a4bdba1
              • Opcode Fuzzy Hash: c8133903086b0f8d97c21994b478eb35b0abb7cb6450226703264030b01fcd31
              • Instruction Fuzzy Hash: 7E210EB180D3509AD710BF29E59939EFBE0EB84318F418D2EE4C447245D37E85C9CB86
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: fcf201779a74541abf806198c853a07d8c5a0d1f7c0b46e7079c3e68f6ddd7c5
              • Instruction ID: 14d3c6ec26efa9fafca0196781f059ef3b11f363a73f6a1c3999940cf0825f8b
              • Opcode Fuzzy Hash: fcf201779a74541abf806198c853a07d8c5a0d1f7c0b46e7079c3e68f6ddd7c5
              • Instruction Fuzzy Hash: 08315BB44093419FD304EF69C58435BFFE0AF88354F108D2EE8D897296DBB895889B87
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: setsockopt$Ioctlioctlsocket
              • String ID:
              • API String ID: 1196899187-0
              • Opcode ID: 640701d73306819af72254381fb4124ed1a188ec663c1c3c1e31cacc3902aa8f
              • Instruction ID: b412f58492587fe6ecb07491a57e6c9f78388da9e3f115cca4eee68852c48cfe
              • Opcode Fuzzy Hash: 640701d73306819af72254381fb4124ed1a188ec663c1c3c1e31cacc3902aa8f
              • Instruction Fuzzy Hash: 7221D8B04093419EE340EF19D14935BBFF4AF84748F41992EF8C557292D3BAD5988B87
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: _filelengthi64fflushfgetposfsetpos
              • String ID:
              • API String ID: 3378604764-0
              • Opcode ID: 14839a85110a914350cc1dec25f0045532a84fc180fb4232bd02a1507b236825
              • Instruction ID: 934898ac1802d66d330880ed045a3456258a9a57fb44c9d79101dedbee866b58
              • Opcode Fuzzy Hash: 14839a85110a914350cc1dec25f0045532a84fc180fb4232bd02a1507b236825
              • Instruction Fuzzy Hash: F71157B190D3118BC310EF2A858005FBBF4EEE4354F15482FE8D443362E639D9888BA6
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: fclosegetenv$AttributesFilefopenfreadfreemalloc
              • String ID:
              • API String ID: 2618293754-0
              • Opcode ID: 89caa9c1aa1c7ad5103870d52c3a0411a9e3189d0d1c8a53e5fa79417ba437d2
              • Instruction ID: b26dcdace313f5b6bfc971a396727ff32f6819fcbb1c39d9ee64a5d322394e99
              • Opcode Fuzzy Hash: 89caa9c1aa1c7ad5103870d52c3a0411a9e3189d0d1c8a53e5fa79417ba437d2
              • Instruction Fuzzy Hash: 4D1106B1909B559FC310AF2AC58166EBBE4AF84748F014C2EE4C897351DB38E885CB4A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • fopen.MSVCRT ref: 00409A5D
              • fwrite.MSVCRT ref: 00409A7B
              • fclose.MSVCRT ref: 00409A83
              • getenv.MSVCRT ref: 00409A8F
                • Part of subcall function 004142B0: _vsnprintf.MSVCRT ref: 004142D4
                • Part of subcall function 00407D00: ShellExecuteA.SHELL32 ref: 00407D32
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: ExecuteShell_vsnprintffclosefopenfwritegetenv
              • String ID:
              • API String ID: 1296341528-0
              • Opcode ID: f0362a143352ec6dd908a5d171e32590b8d104205dea57a615edbe5854ff04d3
              • Instruction ID: 0e04abdb2be02fd5504e06b262e008ffeb5553eb1a4a9b0b2e52fa7e393c9fe0
              • Opcode Fuzzy Hash: f0362a143352ec6dd908a5d171e32590b8d104205dea57a615edbe5854ff04d3
              • Instruction Fuzzy Hash: E901C4B140D7049FD300AF65D0843AEFBE0AF84348F01C82EE4D887342D7BD95848B5A
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateProcessA.KERNEL32 ref: 0041653B
                • Part of subcall function 00406900: shutdown.WS2_32 ref: 0040691D
                • Part of subcall function 00406900: closesocket.WS2_32 ref: 0040692A
              • ResumeThread.KERNEL32 ref: 00416566
              • ExitProcess.KERNEL32 ref: 00416584
                • Part of subcall function 00409CB0: CreateMutexA.KERNEL32(?,?,?,?,?,?,?,0040A300), ref: 00409CCA
                • Part of subcall function 00409CB0: GetLastError.KERNEL32 ref: 00409CE2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: CreateProcess$ErrorExitLastMutexResumeThreadclosesocketshutdown
              • String ID: D
              • API String ID: 1560394624-2746444292
              • Opcode ID: 824fb35c9ad8760d1e8b46525beb5089171056d3c9e801b84947da63205810c8
              • Instruction ID: ebe3bacf1e706cf391e3642c02fab7f804021de0d285e9a14fbccc64ea8d86d9
              • Opcode Fuzzy Hash: 824fb35c9ad8760d1e8b46525beb5089171056d3c9e801b84947da63205810c8
              • Instruction Fuzzy Hash: 611192B15093419EE710AF65D15939FBBE0BF80748F018C1EE5C85B281C7BA9589CB8B
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2908457790.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.2908438461.0000000000400000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908476730.0000000000417000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908494293.0000000000418000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908511896.000000000041D000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908534010.0000000000422000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908553471.0000000000423000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908570467.0000000000424000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_615.jbxd
              Yara matches
              Similarity
              • API ID: BufferFreeInfoWksta
              • String ID: f
              • API String ID: 773480902-1993550816
              • Opcode ID: 73e3e37e755aea28be91af37c2b62f354c5b620a29fb6e9f68d6754e59a1955d
              • Instruction ID: 274cdba6c64390607e09a43deab3c3569326e151a25569745e02422739504029
              • Opcode Fuzzy Hash: 73e3e37e755aea28be91af37c2b62f354c5b620a29fb6e9f68d6754e59a1955d
              • Instruction Fuzzy Hash: 64F0D4B46083018FD704EF25C18575BBBF2AB88304F41896DE8848B344E379D989CB82
              Uniqueness

              Uniqueness Score: -1.00%
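The function records above are machine-generated, but the API combinations they list are what an analyst actually triages: the function containing the CreateProcessA call at 0041653B also reaches CreateMutexA and GetLastError through a subcall (the classic pattern for a single-instance check) before ResumeThread and ExitProcess; the function at 00409A5D writes a file with fopen/fwrite, resolves an environment variable with getenv and reaches ShellExecuteA through a subcall; and the function at 00411DB3 enumerates and deletes registry keys. The Python below is an added example written for this page, not Joe Sandbox code or code from the sample: it parses records in the page's own line format (a three-record sample constructed from the lines above is embedded) and flags any function whose API set contains one of several co-occurrence patterns. The rule names are this editor's labels, not Joe Sandbox signature names, and the parser only understands the `• Name.MODULE ref: ADDR` and `• Part of subcall function ADDR: Name.MODULE ref: ADDR` line shapes shown on this page.

```python
"""Parse Joe Sandbox per-function API records and flag suspicious API co-occurrence."""
import re
from dataclasses import dataclass, field

# Constructed sample (added example): three records copied in the page's line format.
SAMPLE_RECORDS = """\
APIs
  • Part of subcall function 00411C50: RegDeleteKeyA.ADVAPI32 ref: 00411C9F
• RegEnumKeyExA.ADVAPI32 ref: 00411DB3
• RegCloseKey.ADVAPI32 ref: 00411DC6
• RegDeleteKeyA.ADVAPI32 ref: 00411DD5
Similarity
• API ID: Delete$CloseEnum
• Opcode ID: 99b5923fbdd2c06918289c2766b1e0378890943072768d739ede5e9531a807ae
Uniqueness Score: -1.00%
APIs
• fopen.MSVCRT ref: 00409A5D
• fwrite.MSVCRT ref: 00409A7B
• fclose.MSVCRT ref: 00409A83
• getenv.MSVCRT ref: 00409A8F
  • Part of subcall function 004142B0: _vsnprintf.MSVCRT ref: 004142D4
  • Part of subcall function 00407D00: ShellExecuteA.SHELL32 ref: 00407D32
• API ID: ExecuteShell_vsnprintffclosefopenfwritegetenv
APIs
• CreateProcessA.KERNEL32 ref: 0041653B
• ResumeThread.KERNEL32 ref: 00416566
• ExitProcess.KERNEL32 ref: 00416584
  • Part of subcall function 00409CB0: CreateMutexA.KERNEL32(?,?,?,?,?,?,?,0040A300), ref: 00409CCA
  • Part of subcall function 00409CB0: GetLastError.KERNEL32 ref: 00409CE2
• API ID: CreateProcess$ErrorExitLastMutexResumeThreadclosesocketshutdown
"""

# "• Name.MODULE ref: ADDR", optionally prefixed by "Part of subcall function ADDR:"
# and optionally carrying an "(args)" list, as the CreateMutexA line does.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)(?:\([^)]*\))?,?"
    r"\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|Opcode ID):\s*(?P<val>.*)$")


@dataclass
class FunctionRecord:
    direct_apis: list = field(default_factory=list)   # (name, module, ref)
    subcall_apis: list = field(default_factory=list)  # (name, module, ref, callee)
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""

    @property
    def first_ref(self) -> str:
        # Lowest direct call-site address: the record key and an IDA jump target.
        return min((a[2] for a in self.direct_apis), default="")

    @property
    def api_names(self) -> set:
        return {a[0] for a in self.direct_apis} | {a[0] for a in self.subcall_apis}


def parse_records(text: str) -> list:
    """Start a new record at each 'APIs' heading; lines matching nothing are skipped."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        if m := API_RE.match(line):
            entry = (m["name"], m["module"], m["ref"].upper())
            if m["sub"]:
                current.subcall_apis.append(entry + (m["sub"].upper(),))
            else:
                current.direct_apis.append(entry)
        elif m := FIELD_RE.match(line):
            setattr(current, m["key"].lower().replace(" ", "_"), m["val"].strip())
    return records


# Every API in a rule must appear in one function, directly or via a subcall.
# Rule names are this editor's labels, not Joe Sandbox signature names.
RULES = {
    "mutex-based single-instance check": {"CreateMutexA", "GetLastError"},
    "spawn process then exit": {"CreateProcessA", "ResumeThread", "ExitProcess"},
    "write file under TEMP and execute it": {"fopen", "fwrite", "getenv", "ShellExecuteA"},
    "registry key tree removal": {"RegEnumKeyExA", "RegDeleteKeyA"},
}


def flag_records(records: list) -> dict:
    """Map first_ref -> matched rule names, for every function that matches a rule."""
    hits = {}
    for rec in records:
        matched = [name for name, apis in RULES.items() if apis <= rec.api_names]
        if matched:
            hits[rec.first_ref] = matched
    return hits
```

To run it over a full report, save the function-records section as text and pass it to `parse_records`; `flag_records` then returns one entry per function keyed by the address of its lowest direct API call site, which is the address to jump to in IDA. Subcall APIs are kept separate from direct ones so a rule can be tightened to direct calls only if subcall noise (the `_vsnprintf` helper at 004142B0 appears under several functions) produces too many hits.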