Edit tour

Windows Analysis Report
125.exe

Overview

General Information

Sample name:	125.exe
Analysis ID:	1428867
MD5:	44b14057ff868e25ad444fac098d89f0
SHA1:	2dceab58c101c2f5e922e5a40adcc685b557ac53
SHA256:	5a54cda9e42baea3defa9f1024858f7c44f79242b8765c9e886a8f54db6e1934
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Detected potential crypto function

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Potential time zone aware malware

Program does not show much activity (idle)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

125.exe (PID: 6812 cmdline: "C:\Users\user\Desktop\125.exe" MD5: 44B14057FF868E25AD444FAC098D89F0)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 125.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 125.exe

ReversingLabs: Detection: 25%

Source: 125.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: 125.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Source: C:\Users\user\Desktop\125.exe

Code function: 0_2_00408950

0_2_00408950

Source: C:\Users\user\Desktop\125.exe

Code function: String function: 0040B6B0 appears 40 times

Source: 125.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal56.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\125.exe

Code function: 0_2_00401F36 GetLastError,fprintf,FormatMessageA,fprintf,strcat,strcat,LocalFree,fprintf,ShellExecuteA,

0_2_00401F36

Source: C:\Users\user\Desktop\125.exe

Code function: 0_2_0040206E fprintf,FindResourceExA,LoadResource,LockResource,fprintf,SetLastError,fputs,

0_2_0040206E

Source: 125.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\125.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 125.exe

ReversingLabs: Detection: 25%

Source: 125.exe	String found in binary or memory: JPHP-INF/launcher.confSV
Source: 125.exe	String found in binary or memory: php/runtime/launcher/PK
Source: 125.exe	String found in binary or memory: php/runtime/launcher/Launcher$1.class
Source: 125.exe	String found in binary or memory: %php/runtime/launcher/Launcher$1.class
Source: 125.exe	String found in binary or memory: php/runtime/launcher/Launcher.class
Source: 125.exe	String found in binary or memory: 3:#php/runtime/launcher/Launcher.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/PK
Source: 125.exe	String found in binary or memory: php/runtime/loader/compile/PK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/PK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/io/PK
Source: 125.exe	String found in binary or memory: php/runtime/loader/sourcemap/PK
Source: 125.exe	String found in binary or memory: php/runtime/launcher/LaunchException.class
Source: 125.exe	String found in binary or memory: *php/runtime/launcher/LaunchException.class
Source: 125.exe	String found in binary or memory: php/runtime/launcher/StandaloneLauncher.class
Source: 125.exe	String found in binary or memory: -php/runtime/launcher/StandaloneLauncher.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/RuntimeClassLoader.class
Source: 125.exe	String found in binary or memory: +php/runtime/loader/RuntimeClassLoader.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/StandaloneLoader$1.class
Source: 125.exe	String found in binary or memory: +php/runtime/loader/StandaloneLoader$1.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/StandaloneLoader$2.class
Source: 125.exe	String found in binary or memory: +php/runtime/loader/StandaloneLoader$2.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/StandaloneLoader$3.class
Source: 125.exe	String found in binary or memory: +php/runtime/loader/StandaloneLoader$3.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/StandaloneLoader$4.class
Source: 125.exe	String found in binary or memory: +php/runtime/loader/StandaloneLoader$4.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/StandaloneLoader.class
Source: 125.exe	String found in binary or memory: 1)php/runtime/loader/StandaloneLoader.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/compile/StandaloneCompiler$1.class
Source: 125.exe	String found in binary or memory: 5php/runtime/loader/compile/StandaloneCompiler$1.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/compile/StandaloneCompiler$2.class
Source: 125.exe	String found in binary or memory: 5php/runtime/loader/compile/StandaloneCompiler$2.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/compile/StandaloneCompiler.class
Source: 125.exe	String found in binary or memory: 83php/runtime/loader/compile/StandaloneCompiler.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/ClassDumper.class
Source: 125.exe	String found in binary or memory: /)php/runtime/loader/dump/ClassDumper.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/ClosureDumper.class
Source: 125.exe	String found in binary or memory: +php/runtime/loader/dump/ClosureDumper.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/ConstantDumper.class
Source: 125.exe	String found in binary or memory: ,php/runtime/loader/dump/ConstantDumper.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/Dumper.class
Source: 125.exe	String found in binary or memory: $php/runtime/loader/dump/Dumper.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/FunctionDumper.class
Source: 125.exe	String found in binary or memory: ,php/runtime/loader/dump/FunctionDumper.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/GeneratorDumper.class
Source: 125.exe	String found in binary or memory: -php/runtime/loader/dump/GeneratorDumper.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/MethodDumper.class
Source: 125.exe	String found in binary or memory: *php/runtime/loader/dump/MethodDumper.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/ModuleDumper.class
Source: 125.exe	String found in binary or memory: *php/runtime/loader/dump/ModuleDumper.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/ParameterDumper.class
Source: 125.exe	String found in binary or memory: -php/runtime/loader/dump/ParameterDumper.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/PropertyDumper.class
Source: 125.exe	String found in binary or memory: ,php/runtime/loader/dump/PropertyDumper.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/StandaloneLibrary$Module.class
Source: 125.exe	String found in binary or memory: 6php/runtime/loader/dump/StandaloneLibrary$Module.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/StandaloneLibrary.class
Source: 125.exe	String found in binary or memory: /php/runtime/loader/dump/StandaloneLibrary.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/StandaloneLibraryDumper.class
Source: 125.exe	String found in binary or memory: 5php/runtime/loader/dump/StandaloneLibraryDumper.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/Types.classM
Source: 125.exe	String found in binary or memory: #php/runtime/loader/dump/Types.classM
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/io/DumpException.class
Source: 125.exe	String found in binary or memory: .php/runtime/loader/dump/io/DumpException.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/io/DumpInputStream$1.class
Source: 125.exe	String found in binary or memory: 2php/runtime/loader/dump/io/DumpInputStream$1.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/io/DumpInputStream.class
Source: 125.exe	String found in binary or memory: 0php/runtime/loader/dump/io/DumpInputStream.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/io/DumpOutputStream$1.class
Source: 125.exe	String found in binary or memory: 3php/runtime/loader/dump/io/DumpOutputStream$1.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/io/DumpOutputStream.class
Source: 125.exe	String found in binary or memory: 1php/runtime/loader/dump/io/DumpOutputStream.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/sourcemap/SourceMap$Item.class
Source: 125.exe	String found in binary or memory: 1php/runtime/loader/sourcemap/SourceMap$Item.class
Source: 125.exe	String found in binary or memory: php/runtime/loader/sourcemap/SourceMap.class
Source: 125.exe	String found in binary or memory: ,php/runtime/loader/sourcemap/SourceMap.class
Source: 125.exe	String found in binary or memory: javax/mail/Address.classeP
Source: 125.exe	String found in binary or memory: javax/mail/internet/AddressException.class
Source: 125.exe	String found in binary or memory: *javax/mail/internet/AddressException.class
Source: 125.exe	String found in binary or memory: javax/mail/search/AddressStringTerm.class
Source: 125.exe	String found in binary or memory: )javax/mail/search/AddressStringTerm.class
Source: 125.exe	String found in binary or memory: javax/mail/search/AddressTerm.class}
Source: 125.exe	String found in binary or memory: #javax/mail/search/AddressTerm.class}
Source: 125.exe	String found in binary or memory: javassist/Loader.class
Source: 125.exe	String found in binary or memory: javassist/LoaderClassPath.class
Source: 125.exe	String found in binary or memory: javassist/tools/reflect/Loader.class
Source: 125.exe	String found in binary or memory: $javassist/tools/reflect/Loader.class
Source: 125.exe	String found in binary or memory: com/mysql/jdbc/LoadBalanceExceptionChecker.class}
Source: 125.exe	String found in binary or memory: 0com/mysql/jdbc/LoadBalanceExceptionChecker.class}
Source: 125.exe	String found in binary or memory: com/mysql/jdbc/LoadBalancedAutoCommitInterceptor.class
Source: 125.exe	String found in binary or memory: 6com/mysql/jdbc/LoadBalancedAutoCommitInterceptor.class
Source: 125.exe	String found in binary or memory: com/mysql/jdbc/LoadBalancedConnection.class}P
Source: 125.exe	String found in binary or memory: +com/mysql/jdbc/LoadBalancedConnection.class}P
Source: 125.exe	String found in binary or memory: com/mysql/jdbc/LoadBalancedConnectionProxy$NullLoadBalancedConnectionProxy.class
Source: 125.exe	String found in binary or memory: Pcom/mysql/jdbc/LoadBalancedConnectionProxy$NullLoadBalancedConnectionProxy.class
Source: 125.exe	String found in binary or memory: com/mysql/jdbc/LoadBalancedConnectionProxy.class
Source: 125.exe	String found in binary or memory: O0com/mysql/jdbc/LoadBalancedConnectionProxy.class
Source: 125.exe	String found in binary or memory: com/mysql/jdbc/LoadBalancedMySQLConnection.class
Source: 125.exe	String found in binary or memory: 0com/mysql/jdbc/LoadBalancedMySQLConnection.class
Source: 125.exe	String found in binary or memory: com/mysql/jdbc/jmx/LoadBalanceConnectionGroupManager.class
Source: 125.exe	String found in binary or memory: :com/mysql/jdbc/jmx/LoadBalanceConnectionGroupManager.class
Source: 125.exe	String found in binary or memory: com/mysql/jdbc/jmx/LoadBalanceConnectionGroupManagerMBean.class
Source: 125.exe	String found in binary or memory: ?com/mysql/jdbc/jmx/LoadBalanceConnectionGroupManagerMBean.class
Source: 125.exe	String found in binary or memory: JPHP-INF/launcher.confPK
Source: 125.exe	String found in binary or memory: php/runtime/launcher/Launcher$1.classPK
Source: 125.exe	String found in binary or memory: php/runtime/launcher/Launcher.classPK
Source: 125.exe	String found in binary or memory: php/runtime/launcher/LaunchException.classPK
Source: 125.exe	String found in binary or memory: !php/runtime/launcher/LaunchException.classPK
Source: 125.exe	String found in binary or memory: php/runtime/launcher/StandaloneLauncher.classPK
Source: 125.exe	String found in binary or memory: !php/runtime/launcher/StandaloneLauncher.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/RuntimeClassLoader.classPK
Source: 125.exe	String found in binary or memory: !php/runtime/loader/RuntimeClassLoader.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/StandaloneLoader$1.classPK
Source: 125.exe	String found in binary or memory: !php/runtime/loader/StandaloneLoader$1.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/StandaloneLoader$2.classPK
Source: 125.exe	String found in binary or memory: !php/runtime/loader/StandaloneLoader$2.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/StandaloneLoader$3.classPK
Source: 125.exe	String found in binary or memory: !php/runtime/loader/StandaloneLoader$3.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/StandaloneLoader$4.classPK
Source: 125.exe	String found in binary or memory: !php/runtime/loader/StandaloneLoader$4.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/StandaloneLoader.classPK
Source: 125.exe	String found in binary or memory: !php/runtime/loader/StandaloneLoader.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/compile/StandaloneCompiler$1.classPK
Source: 125.exe	String found in binary or memory: !php/runtime/loader/compile/StandaloneCompiler$1.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/compile/StandaloneCompiler$2.classPK
Source: 125.exe	String found in binary or memory: !php/runtime/loader/compile/StandaloneCompiler$2.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/compile/StandaloneCompiler.classPK
Source: 125.exe	String found in binary or memory: !php/runtime/loader/compile/StandaloneCompiler.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/ClassDumper.classPK
Source: 125.exe	String found in binary or memory: !php/runtime/loader/dump/ClassDumper.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/ClosureDumper.classPK
Source: 125.exe	String found in binary or memory: !php/runtime/loader/dump/ClosureDumper.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/ConstantDumper.classPK
Source: 125.exe	String found in binary or memory: "php/runtime/loader/dump/ConstantDumper.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/Dumper.classPK
Source: 125.exe	String found in binary or memory: "php/runtime/loader/dump/Dumper.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/FunctionDumper.classPK
Source: 125.exe	String found in binary or memory: "php/runtime/loader/dump/FunctionDumper.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/GeneratorDumper.classPK
Source: 125.exe	String found in binary or memory: "php/runtime/loader/dump/GeneratorDumper.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/MethodDumper.classPK
Source: 125.exe	String found in binary or memory: 9 "php/runtime/loader/dump/MethodDumper.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/ModuleDumper.classPK
Source: 125.exe	String found in binary or memory: R*"php/runtime/loader/dump/ModuleDumper.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/ParameterDumper.classPK
Source: 125.exe	String found in binary or memory: D7"php/runtime/loader/dump/ParameterDumper.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/PropertyDumper.classPK
Source: 125.exe	String found in binary or memory: >"php/runtime/loader/dump/PropertyDumper.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/StandaloneLibrary$Module.classPK
Source: 125.exe	String found in binary or memory: C"php/runtime/loader/dump/StandaloneLibrary$Module.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/StandaloneLibrary.classPK
Source: 125.exe	String found in binary or memory: H"php/runtime/loader/dump/StandaloneLibrary.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/StandaloneLibraryDumper.classPK
Source: 125.exe	String found in binary or memory: M"php/runtime/loader/dump/StandaloneLibraryDumper.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/Types.classPK
Source: 125.exe	String found in binary or memory: V"php/runtime/loader/dump/Types.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/io/DumpException.classPK
Source: 125.exe	String found in binary or memory: W"php/runtime/loader/dump/io/DumpException.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/io/DumpInputStream$1.classPK
Source: 125.exe	String found in binary or memory: TY"php/runtime/loader/dump/io/DumpInputStream$1.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/io/DumpInputStream.classPK
Source: 125.exe	String found in binary or memory: ["php/runtime/loader/dump/io/DumpInputStream.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/io/DumpOutputStream$1.classPK
Source: 125.exe	String found in binary or memory: e"php/runtime/loader/dump/io/DumpOutputStream$1.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/dump/io/DumpOutputStream.classPK
Source: 125.exe	String found in binary or memory: Nh"php/runtime/loader/dump/io/DumpOutputStream.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/sourcemap/SourceMap$Item.classPK
Source: 125.exe	String found in binary or memory: p"php/runtime/loader/sourcemap/SourceMap$Item.classPK
Source: 125.exe	String found in binary or memory: php/runtime/loader/sourcemap/SourceMap.classPK
Source: 125.exe	String found in binary or memory: Sr"php/runtime/loader/sourcemap/SourceMap.classPK
Source: 125.exe	String found in binary or memory: javax/mail/Address.classPK
Source: 125.exe	String found in binary or memory: }javax/mail/Address.classPK
Source: 125.exe	String found in binary or memory: javax/mail/internet/AddressException.classPK
Source: 125.exe	String found in binary or memory: ~javax/mail/internet/AddressException.classPK
Source: 125.exe	String found in binary or memory: javax/mail/search/AddressStringTerm.classPK
Source: 125.exe	String found in binary or memory: javax/mail/search/AddressTerm.classPK
Source: 125.exe	String found in binary or memory: javassist/Loader.classPK
Source: 125.exe	String found in binary or memory: javassist/LoaderClassPath.classPK
Source: 125.exe	String found in binary or memory: javassist/tools/reflect/Loader.classPK
Source: 125.exe	String found in binary or memory: com/mysql/jdbc/LoadBalanceExceptionChecker.classPK
Source: 125.exe	String found in binary or memory: com/mysql/jdbc/LoadBalancedAutoCommitInterceptor.classPK
Source: 125.exe	String found in binary or memory: com/mysql/jdbc/LoadBalancedConnection.classPK
Source: 125.exe	String found in binary or memory: com/mysql/jdbc/LoadBalancedConnectionProxy$NullLoadBalancedConnectionProxy.classPK
Source: 125.exe	String found in binary or memory: com/mysql/jdbc/LoadBalancedConnectionProxy.classPK
Source: 125.exe	String found in binary or memory: com/mysql/jdbc/LoadBalancedMySQLConnection.classPK
Source: 125.exe	String found in binary or memory: com/mysql/jdbc/jmx/LoadBalanceConnectionGroupManager.classPK
Source: 125.exe	String found in binary or memory: com/mysql/jdbc/jmx/LoadBalanceConnectionGroupManagerMBean.classPK

Source: C:\Users\user\Desktop\125.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\125.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\125.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\125.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\125.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\125.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\125.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\125.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\125.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\125.exe	Section loaded: wintypes.dll	Jump to behavior

Source: 125.exe

Static file information: File size 19177181 > 1048576

Source: 125.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Source: 125.exe

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\125.exe	Code function: 0_2_00401803 push edi; mov dword ptr [esp], ebx	0_2_00401842
Source: C:\Users\user\Desktop\125.exe	Code function: 0_2_00401803 push eax; mov dword ptr [esp], 00000000h	0_2_00401A6A
Source: C:\Users\user\Desktop\125.exe	Code function: 0_2_00401803 push ebx; mov dword ptr [esp], eax	0_2_00401AEB
Source: C:\Users\user\Desktop\125.exe	Code function: 0_2_00401803 push esi; mov dword ptr [esp], ebx	0_2_00401BC8
Source: C:\Users\user\Desktop\125.exe	Code function: 0_2_00401F36 push ecx; mov dword ptr [esp], 00419168h	0_2_00401FF7
Source: C:\Users\user\Desktop\125.exe	Code function: 0_2_0040E827 push esi; ret	0_2_0040E83A
Source: C:\Users\user\Desktop\125.exe	Code function: 0_2_004015D0 push eax; mov dword ptr [esp], 00000000h	0_2_004016BB
Source: C:\Users\user\Desktop\125.exe	Code function: 0_2_0040DB23 push es; iretd	0_2_0040DC34

Source: C:\Users\user\Desktop\125.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\125.exe

Code function: 0_2_00401180 SetUnhandledExceptionFilter,GetCommandLineA,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,__getmainargs,

0_2_00401180

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
125.exe	25%	ReversingLabs
125.exe	100%	Avira	HEUR/AGEN.1340808

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428867
Start date and time:	2024-04-19 18:40:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	125.exe
Detection:	MAL
Classification:	mal56.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 20 Number of non-executed functions: 46
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Reached maximum number of file to list during submission archive extraction
VT rate limit hit for: 125.exe

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.977616594150491
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	125.exe
File size:	19'177'181 bytes
MD5:	44b14057ff868e25ad444fac098d89f0
SHA1:	2dceab58c101c2f5e922e5a40adcc685b557ac53
SHA256:	5a54cda9e42baea3defa9f1024858f7c44f79242b8765c9e886a8f54db6e1934
SHA512:	6b2476a8b884c2eff0b9495e91f18a824e2c03e8ee9e96fe9346aea438b7984c7cb79a98c8a8730a058613d5fd916fff2e0482fd8981fdcd6d5e98277dcd2e68
SSDEEP:	393216:/00cmfacJqb6ZElIlTFGw0CKM8FZPG6IOyS/Uv/PhH1:/1cmBQ+8ITFGCkFOe0V
TLSH:	8B171223E0DA2031FD731633A8A26463393E59DCE48B286628F45BE3F972C495F97751
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..f.....................N....................@...................................$...@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x401590
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH
Time Stamp:	0x6617DF32 [Thu Apr 11 13:01:38 2024 UTC]
TLS Callbacks:	0x404b30, 0x404ae0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1f2702872592229d2f4cb1162cfbc55b

Entrypoint Preview

Instruction
sub esp, 1Ch
mov dword ptr [esp], 00000002h
call dword ptr [0041A36Ch]
call 00007FAB6D8BFED0h
lea esi, dword ptr [esi+00h]
lea edi, dword ptr [edi+00000000h]
mov eax, dword ptr [0041A3B4h]
jmp eax
mov esi, esi
lea edi, dword ptr [edi+00000000h]
mov eax, dword ptr [0041A398h]
jmp eax
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
sub esp, 18h
cmp dword ptr [0041000Ch], 00000000h
je 00007FAB6D8C0382h
mov eax, dword ptr [0040C000h]
test eax, eax
jne 00007FAB6D8C034Eh
mov eax, dword ptr [00410A24h]
mov dword ptr [esp+04h], 00000000h
mov dword ptr [0041000Ch], 00000000h
mov dword ptr [esp], eax
call 00007FAB6D8CA642h
cmp dword ptr [00410A20h], 00000000h
push eax
push eax
je 00007FAB6D8C034Bh
cmp dword ptr [00410A28h], 00000000h
je 00007FAB6D8C0342h
mov eax, dword ptr [ebp+08h]
mov dword ptr [esp+04h], 00000001h
mov dword ptr [esp], eax
call 00007FAB6D8CA623h
push eax
push eax
call 00007FAB6D8C0BF2h
mov dword ptr [esp], 00000000h
call 00007FAB6D8CA618h
push eax
jmp 00007FAB6D8C0319h
sub eax, 64h
cmp dword ptr [00410A20h], 00000000h
mov dword ptr [0040C000h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a000	0xe28	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d000	0x8e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1c000	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1a29c	0x210	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xab20	0xac00	33e576d4351c548351b72f32b07bda11	False	0.5520303415697675	data	6.253550416172067	IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xc000	0x28	0x200	88a2b3221ee6ae6c9e54a9a6f1b5ca29	False	0.0859375	data	0.3124291846600516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xd000	0xf18	0x1000	618daefd50bfb717d536c65b2b2a401c	False	0.42626953125	data	5.55669250689837	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram	0xe000	0x1d10	0x1e00	f9747eb26dfb3c00b741544776b88f4c	False	0.33450520833333336	data	4.883685988354517	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x10000	0x9678	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1a000	0xe28	0x1000	f3f34beb12ab4e6fa44d8ec2bd39e3b3	False	0.369873046875	PGP symmetric key encrypted data - Plaintext or unencrypted data	4.922852717723951	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x1b000	0x18	0x200	37ec714908b8947c8236ff693ffd0138	False	0.046875	data	0.11836963125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1c000	0x20	0x200	686c4cfe6945a031ac65029366ab5de3	False	0.05078125	data	0.20448815743984491	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1d000	0x8e0	0xa00	718231d4c0a1e48d8a5673ba7bdc09b5	False	0.371875	data	4.767686030127875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x1d1f0	0x7	ASCII text, with no line terminators	2.142857142857143
RT_RCDATA	0x1d1f8	0x2	data	5.0
RT_RCDATA	0x1d1fc	0x5	ASCII text, with no line terminators	2.6
RT_RCDATA	0x1d204	0x3	ASCII text, with no line terminators	3.6666666666666665
RT_RCDATA	0x1d208	0x32	data	1.16
RT_RCDATA	0x1d23c	0x36	data	1.1296296296296295
RT_RCDATA	0x1d274	0x35	ASCII text, with no line terminators	1.1320754716981132
RT_RCDATA	0x1d2ac	0x68	data	0.875
RT_MANIFEST	0x1d314	0x5c3	XML 1.0 document, ASCII text, with CRLF line terminators	0.41491525423728814

Imports

DLL	Import
advapi32.dll	RegCloseKey, RegEnumKeyExA, RegOpenKeyExA, RegQueryValueExA
kernel32.dll	CloseHandle, CreateMutexA, CreatePipe, CreateProcessA, DeleteCriticalSection, EnterCriticalSection, ExitProcess, FindResourceExA, FormatMessageA, GetCommandLineA, GetCurrentDirectoryA, GetCurrentProcess, GetEnvironmentVariableA, GetExitCodeProcess, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GlobalMemoryStatusEx, InitializeCriticalSection, InterlockedExchange, IsDBCSLeadByteEx, LeaveCriticalSection, LoadResource, LocalFree, LockResource, MultiByteToWideChar, ReadFile, SetEnvironmentVariableA, SetHandleInformation, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte
msvcrt.dll	_strdup, _stricoll
msvcrt.dll	__getmainargs, __mb_cur_max, __p__environ, __p__fmode, __set_app_type, _cexit, _chdir, _close, _errno, _findclose, _findfirst, _findnext, _fullpath, _iob, _itoa, _onexit, _open, _read, _setmode, _stat64, _stricmp, abort, atexit, atoi, calloc, fclose, fopen, fprintf, fputc, fputs, free, fwrite, getenv, isspace, localeconv, malloc, mbstowcs, memcpy, printf, puts, realloc, setlocale, signal, strcat, strchr, strcmp, strcoll, strcpy, strlen, strncat, strncpy, strpbrk, strrchr, strstr, strtok, tolower, vfprintf, wcslen, wcstombs
shell32.dll	ShellExecuteA
user32.dll	CreateWindowExA, DispatchMessageA, EnumWindows, FindWindowExA, GetMessageA, GetSystemMetrics, GetWindowLongA, GetWindowRect, GetWindowTextA, GetWindowThreadProcessId, KillTimer, LoadImageA, MessageBoxA, PostQuitMessage, SendMessageA, SetForegroundWindow, SetTimer, SetWindowPos, ShowWindow, TranslateMessage, UpdateWindow

Target ID:	0
Start time:	18:41:01
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\125.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\125.exe"
Imagebase:	0x400000
File size:	19'177'181 bytes
MD5 hash:	44B14057FF868E25AD444FAC098D89F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.4%
Total number of Nodes:	1364
Total number of Limit Nodes:	34

Executed Functions

Function 00401F36 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 66
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00401F3D
fprintf.MSVCRT ref: 00401F60
FormatMessageA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401F9F
fprintf.MSVCRT ref: 00401FC2
strcat.MSVCRT ref: 00401FD6
strcat.MSVCRT ref: 00401FE9
LocalFree.KERNEL32 ref: 00401FF1
fprintf.MSVCRT ref: 00402028
ShellExecuteA.SHELL32 ref: 0040205C

Strings

open, xrefs: 0040204D
Error:%s, xrefs: 00401FB3
Open URL:%s, xrefs: 0040201D
Error msg:%s, xrefs: 00401F55

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: fprintf$strcat$ErrorExecuteFormatFreeLastLocalMessageShell
String ID: Error msg:%s$Error:%s$Open URL:%s$open
API String ID: 623906192-1000128352
Opcode ID: 5f4cdfb2db64f69c1b8899a40e8c2b2d66c7cc82bdab6081b02c6d9a4eebe329
Instruction ID: 4e77a20fe357836db4f87170e554fce1a7aefb146fdc10bea6d1eb2dceec5710
Opcode Fuzzy Hash: 5f4cdfb2db64f69c1b8899a40e8c2b2d66c7cc82bdab6081b02c6d9a4eebe329
Instruction Fuzzy Hash: CA31C7B0908305AAD700EF65C58975FBBE4EF44748F00C82EE5846B291D7BD9888CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00401180 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 004011B5
GetCommandLineA.KERNEL32 ref: 004011D4

Strings

0K@, xrefs: 00401189
", xrefs: 004014E0

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: CommandExceptionFilterLineUnhandled
String ID: "$0K@
API String ID: 3189701131-323584478
Opcode ID: a5a68305bb49f081b96f97709e2557b44da817316e5f71f7a6d4df3e54b6700e
Instruction ID: 61333d1ad20d280aa045cae7d5b4021662dfe7b6fff250ac9cbde6683caa0fff
Opcode Fuzzy Hash: a5a68305bb49f081b96f97709e2557b44da817316e5f71f7a6d4df3e54b6700e
Instruction Fuzzy Hash: EF91AF71A04304CFDB20DFB9D88479E7BE1AB58344F19857EE844EB3A1E37C98458B4A

Uniqueness

Uniqueness Score: -1.00%

Function 00401803 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 258
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32 ref: 0040183B
SetForegroundWindow.USER32(00000000), ref: 00401845

Part of subcall function 00401D21: fclose.MSVCRT ref: 00401D33

strstr.MSVCRT ref: 0040187E
strstr.MSVCRT ref: 004018C7
CreateWindowExA.USER32 ref: 00401945
atoi.MSVCRT ref: 00401985
strstr.MSVCRT ref: 004019CD
LoadImageA.USER32 ref: 00401A1B

Strings

Exit code:%d, xrefs: 00401C2D
--l4j-no-splash, xrefs: 00401873
Exit code:%d, restarting the application!, xrefs: 00401BF3
STATIC, xrefs: 00401936
--l4j-dont-wait, xrefs: 004018BC
--l4j-no-splash-err, xrefs: 004019C2
Exit code:0, xrefs: 00401B7B
@, xrefs: 004019EB
d, xrefs: 00401B16

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: Windowstrstr$CreateForegroundImageLoadShowatoifclose
String ID: --l4j-dont-wait$--l4j-no-splash$--l4j-no-splash-err$@$Exit code:%d$Exit code:%d, restarting the application!$Exit code:0$STATIC$d
API String ID: 326098631-3010709316
Opcode ID: 71006dd15c9589b11793186ed7002b1537a19481e705ea02c5fe79c148959134
Instruction ID: 72a7c9eecd2e3a16443941ac5411f74ee8e4eaa653dba962b344c2f5b50a4983
Opcode Fuzzy Hash: 71006dd15c9589b11793186ed7002b1537a19481e705ea02c5fe79c148959134
Instruction Fuzzy Hash: B8B10AB05093059AE710AF66D58575BBBF4EF84348F00C83EE484A72A1D7BDD984CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040449F Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 160
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 004044CE
fputs.MSVCRT ref: 00404512
fprintf.MSVCRT ref: 0040457B
strtok.MSVCRT ref: 00404591
strrchr.MSVCRT ref: 004045B6
strrchr.MSVCRT ref: 004045C8
_stricmp.MSVCRT(00000001,00000000,000000B7,?,00404874,?,?,00000000,?,00401822), ref: 004045E2
_stricmp.MSVCRT(00000001,00000000,000000B7,?,00404874,?,?,00000000,?,00401822), ref: 00404608
strncpy.MSVCRT ref: 00404624
strcpy.MSVCRT(00000001,00000000,000000B7,?,00404874,?,?,00000000,?,00401822), ref: 00404632
strcpy.MSVCRT(00000001,00000000,000000B7,?,00404874,?,?,00000000,?,00401822), ref: 00404669
strncpy.MSVCRT ref: 00404685
strcpy.MSVCRT ref: 004046F2
strtok.MSVCRT ref: 0040470D

Strings

JRE:Cannot use 64-bit runtime on 32-bit OS., xrefs: 0040450B
JRE paths:%s, xrefs: 00404570
pathJreSearch(), xrefs: 004044C7
/bin, xrefs: 004045FD
:, xrefs: 00404655
", xrefs: 00404637
\bin, xrefs: 004045D7

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: strcpy$_stricmpfputsstrncpystrrchrstrtok$fprintf
String ID: "$/bin$:$JRE paths:%s$JRE:Cannot use 64-bit runtime on 32-bit OS.$\bin$pathJreSearch()
API String ID: 851780383-2650538546
Opcode ID: 3de3fb3bba5b853eafdd9d637f89fe3f8979661adada45f13b6b3113cbb4ed2f
Instruction ID: 6f46c27e20929ee5c7d3c1125aed8da9d786691eb957c796904ee7d45a0181c0
Opcode Fuzzy Hash: 3de3fb3bba5b853eafdd9d637f89fe3f8979661adada45f13b6b3113cbb4ed2f
Instruction Fuzzy Hash: EE615BB05097049ACB10AF65D54469ABBE0AF84748F00C87FE6C8A7390DBBD9985CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00405880 Relevance: 31.9, APIs: 17, Strings: 1, Instructions: 448
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00405894
memcpy.MSVCRT ref: 004058B8

Part of subcall function 00405F80: setlocale.MSVCRT ref: 00405F9B
Part of subcall function 00405F80: _strdup.MSVCRT ref: 00405FA9
Part of subcall function 00405F80: setlocale.MSVCRT ref: 00405FBF
Part of subcall function 00405F80: wcstombs.MSVCRT ref: 00405FE4
Part of subcall function 00405F80: realloc.MSVCRT ref: 00405FF8
Part of subcall function 00405F80: wcstombs.MSVCRT ref: 00406011
Part of subcall function 00405F80: setlocale.MSVCRT ref: 00406021
Part of subcall function 00405F80: free.MSVCRT ref: 00406029

Part of subcall function 004054D0: malloc.MSVCRT ref: 004054ED

strlen.MSVCRT ref: 00405944
_strdup.MSVCRT ref: 0040598C

Strings

\, xrefs: 00405E43

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: setlocale$_strdupstrlenwcstombs$freemallocmemcpyrealloc
String ID: \
API String ID: 1024038994-2967466578
Opcode ID: 39444ab6decfba6020a935124d071cd8fefbe59c871d0c9cd141de2c4125da59
Instruction ID: 4287339195e3f7e94b6462b235a1bab2e6cc6bb2b88dd4a0ec02ebb05ac0f211
Opcode Fuzzy Hash: 39444ab6decfba6020a935124d071cd8fefbe59c871d0c9cd141de2c4125da59
Instruction Fuzzy Hash: 8E025971A04A588FDB14DFA9D4846AFBBF1EF45304F58853ED885BB381E73898418F89

Uniqueness

Uniqueness Score: -1.00%

Function 00405F80 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setlocale.MSVCRT ref: 00405F9B
_strdup.MSVCRT ref: 00405FA9
setlocale.MSVCRT ref: 00405FBF
wcstombs.MSVCRT ref: 00405FE4
realloc.MSVCRT ref: 00405FF8
wcstombs.MSVCRT ref: 00406011
setlocale.MSVCRT ref: 00406021
free.MSVCRT ref: 00406029

Strings

/, xrefs: 0040633C

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: setlocale$wcstombs$_strdupfreerealloc
String ID: /
API String ID: 2293806352-2043925204
Opcode ID: 29e91a94cf8195a66427f98936d0d7a7a54ffaebb185864eb6c49eaef6982715
Instruction ID: ef4eae34b22c620e36e37fd6ba4cd3e3be8c918c437f2af2aaa4e50c12e44e23
Opcode Fuzzy Hash: 29e91a94cf8195a66427f98936d0d7a7a54ffaebb185864eb6c49eaef6982715
Instruction Fuzzy Hash: D9B16E70904215CACB20EFA9C4456AEB7F1FF54344F46847FE486BB391E3789891CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00401D3A Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 75
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableA.KERNEL32(?,00000000,?,?,004048EF,?,?,00000000,?,00401822), ref: 00401D7A
strstr.MSVCRT ref: 00401D8D
strstr.MSVCRT ref: 00401DA1
strstr.MSVCRT ref: 00401DCD
strstr.MSVCRT ref: 00401DE6
fprintf.MSVCRT ref: 00401E14
fprintf.MSVCRT ref: 00401E35

Strings

Launch4j, xrefs: 00401D73
3.50, xrefs: 00401E01
--l4j-debug, xrefs: 00401D82
debug-all, xrefs: 00401DDB
CmdLine:%s %s, xrefs: 00401E2A
Version:%s, xrefs: 00401E09
debug, xrefs: 00401D96
--l4j-debug-all, xrefs: 00401DC2

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: strstr$fprintf$EnvironmentVariable
String ID: Version:%s$--l4j-debug$--l4j-debug-all$3.50$CmdLine:%s %s$Launch4j$debug$debug-all
API String ID: 1078084263-4240183270
Opcode ID: 1a11980bc902c4222af1090661621f2c8b4f1336e07e54acdfb659ed28657474
Instruction ID: 240118571c359228ea942c7fd67ea7bcf76378698847c1fa79b3b71b01140d31
Opcode Fuzzy Hash: 1a11980bc902c4222af1090661621f2c8b4f1336e07e54acdfb659ed28657474
Instruction Fuzzy Hash: 12214BB09093059BD710AF76C54455EBBE4EF84348F00C83FE888A7391D7BDD8499B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00402657 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 165
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcpy.MSVCRT ref: 0040269E
_stat64.MSVCRT ref: 004026B8
fprintf.MSVCRT ref: 004027C0
SetLastError.KERNEL32 ref: 004027D0
strcpy.MSVCRT ref: 004027FA
_stat64.MSVCRT ref: 0040281C
fprintf.MSVCRT ref: 00402924

Strings

Check launcher:%s %s, xrefs: 004027B5
(OK), xrefs: 0040279E, 00402902
Check javac:%s %s, xrefs: 00402919
bin\javac.exe, xrefs: 004027FF
(not found), xrefs: 004027A5, 00402909

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: _stat64fprintfstrcpy$ErrorLast
String ID: (OK)$(not found)$Check javac:%s %s$Check launcher:%s %s$bin\javac.exe
API String ID: 2531230949-2473518738
Opcode ID: 6b6e4e039725007883f195c48bb8c95687a85f23a6bde72dc0c748ae1f542035
Instruction ID: 24c5410039ecfdee54c700dd89ae99862b86a9d0cd2a4f3f9ec375766abd04bf
Opcode Fuzzy Hash: 6b6e4e039725007883f195c48bb8c95687a85f23a6bde72dc0c748ae1f542035
Instruction Fuzzy Hash: A9811774D056288BCB60DF25C98869AB7F1BF98310F1086EAD84CA3390D7749EC5CF49

Uniqueness

Uniqueness Score: -1.00%

Function 00404890 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401C58: GetModuleHandleA.KERNEL32 ref: 00401C6D
Part of subcall function 00401C58: strcpy.MSVCRT ref: 00401C8B

fprintf.MSVCRT ref: 00404920
fprintf.MSVCRT ref: 0040498C

Strings

Args length:%d/32768 chars, xrefs: 00404AB2
Launcher:%s, xrefs: 00404A6B
Startup error message not defined., xrefs: 00404979
JNI:%s, xrefs: 0040490E
Launcher args:%s, xrefs: 00404A8C
Error:%s, xrefs: 00404981
Yes, xrefs: 00404904

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: fprintf$HandleModulestrcpy
String ID: Args length:%d/32768 chars$Error:%s$JNI:%s$Launcher args:%s$Launcher:%s$Startup error message not defined.$Yes
API String ID: 3713479259-1718269414
Opcode ID: 8ac4680c3350026231faa1d904766670af036b00e5e1b23834d43dad823cb963
Instruction ID: f520fc6a28f52f7e025b69a1e60a886e88e346874c2c6fec5a8b2c45fb7fc856
Opcode Fuzzy Hash: 8ac4680c3350026231faa1d904766670af036b00e5e1b23834d43dad823cb963
Instruction Fuzzy Hash: 32513FB1A087049AD710BF76C54515EBAE4AF80744F11CC3EA588AB3C1DBBCC985CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00404726 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 0040474A
fprintf.MSVCRT ref: 00404788
fprintf.MSVCRT ref: 004047C6
fprintf.MSVCRT ref: 0040480F
fprintf.MSVCRT ref: 00404858

Strings

Requires 64-Bit: %s, xrefs: 004047BB
Java min ver:%s, xrefs: 00404804
Java max ver:%s, xrefs: 0040484D
Requires JDK:%s, xrefs: 0040477D
Yes, xrefs: 0040476C, 004047AA
jreSearch(), xrefs: 00404743

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: fprintf$fputs
String ID: Java max ver:%s$Java min ver:%s$Requires 64-Bit: %s$Requires JDK:%s$Yes$jreSearch()
API String ID: 1801251168-2968954267
Opcode ID: cf3487a34a4ca02be2a690f590e53343f7e3c1de17e3423f8611410f7b1d396e
Instruction ID: 0c6fb1b8f60470863c9a64685e8f5e014fedd77521014e1acee72daa591faa3e
Opcode Fuzzy Hash: cf3487a34a4ca02be2a690f590e53343f7e3c1de17e3423f8611410f7b1d396e
Instruction Fuzzy Hash: 0131EDB06053049AD704BF75D54565EBAE4AF84748F01C83EE588AB3D1DBBCC8849B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00406380 Relevance: 16.6, APIs: 11, Instructions: 149
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fullpath.MSVCRT ref: 004063B7
malloc.MSVCRT ref: 00406409
memcpy.MSVCRT ref: 0040642C
_findfirst.MSVCRT ref: 0040643F
strncpy.MSVCRT ref: 004064AC
_errno.MSVCRT ref: 00406581
_errno.MSVCRT ref: 004065B2

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: _errno$_findfirst_fullpathmallocmemcpystrncpy
String ID:
API String ID: 114964343-0
Opcode ID: ac5dd1818a9ecdf6e06c42feb85a9514df4bdb9c2b0a224e921110a678da1f4c
Instruction ID: d87042495fe416e8182163f5e03ef9be9330b6b8c10a74b619a4bde9b2285889
Opcode Fuzzy Hash: ac5dd1818a9ecdf6e06c42feb85a9514df4bdb9c2b0a224e921110a678da1f4c
Instruction Fuzzy Hash: 83517D701147008BD360DF29C88539AB7E1EF89304F458A3ED89AD7295D77CA459CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004065D0 Relevance: 10.6, APIs: 7, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.MSVCRT ref: 004065FF
_findnext.MSVCRT ref: 00406617
strncpy.MSVCRT ref: 00406672
strlen.MSVCRT ref: 0040667E
GetLastError.KERNEL32 ref: 004066EF
_errno.MSVCRT ref: 004066FB
_errno.MSVCRT ref: 0040671D

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: _errno$ErrorLast_findnextstrlenstrncpy
String ID:
API String ID: 2306919634-0
Opcode ID: 52ebd991032f233f5bd36e8415cb99fdac9675b4ae3ad357f5c6709db5c6e44e
Instruction ID: c191b308396b233c4953d4c892610c2755b5371d9e2fa7c251b53b0bd6301074
Opcode Fuzzy Hash: 52ebd991032f233f5bd36e8415cb99fdac9675b4ae3ad357f5c6709db5c6e44e
Instruction Fuzzy Hash: 3F416E715042018FCB10DF68C4C129AB7E5EF85314F168A7EEC49AF386D339D955CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004012B9 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_setmode.MSVCRT ref: 004013AB
_setmode.MSVCRT ref: 004013BF
_setmode.MSVCRT ref: 004013D3
__p__fmode.MSVCRT ref: 004013D8
__p__environ.MSVCRT ref: 004013F2
_cexit.MSVCRT ref: 00401415
ExitProcess.KERNEL32 ref: 0040141D
__getmainargs.MSVCRT ref: 0040153C

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: _setmode$ExitProcess__getmainargs__p__environ__p__fmode_cexit
String ID:
API String ID: 2438820944-0
Opcode ID: f6ba04b6fc30baa5b6245b36c1b88902cb96308c7c9d07e3cdfd209005c5df17
Instruction ID: 058210b3582aba625fc543f68b2c5d40d01c40b01c4658391f06578e9241cf30
Opcode Fuzzy Hash: f6ba04b6fc30baa5b6245b36c1b88902cb96308c7c9d07e3cdfd209005c5df17
Instruction Fuzzy Hash: B6412970A05304CFDB10DF79D980B5E7BE1AB58354F49897EE848E73A1E7399880CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004030D5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryA.KERNEL32 ref: 0040310E

Part of subcall function 0040206E: fprintf.MSVCRT ref: 0040209D
Part of subcall function 0040206E: FindResourceExA.KERNEL32 ref: 004020C1
Part of subcall function 0040206E: LoadResource.KERNEL32 ref: 004020D9
Part of subcall function 0040206E: LockResource.KERNEL32 ref: 004020E7
Part of subcall function 0040206E: fprintf.MSVCRT ref: 00402124

strncpy.MSVCRT ref: 00403140

Part of subcall function 004025E6: strcat.MSVCRT(?,?,?,?,00403151,?,?), ref: 00402612

_chdir.MSVCRT ref: 00403154
fprintf.MSVCRT ref: 00403171

Strings

Working dir:%s, xrefs: 00403166

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: Resourcefprintf$CurrentDirectoryFindLoadLock_chdirstrcatstrncpy
String ID: Working dir:%s
API String ID: 3319590416-1807235602
Opcode ID: e1ebbde09c7e8ab75b28734c72d5f03353e95ae769957cef5839753ce583c119
Instruction ID: 026808b7f3a3021f0a290c55733d0e83f8868061d30f2bb03267eebfdc7edaac
Opcode Fuzzy Hash: e1ebbde09c7e8ab75b28734c72d5f03353e95ae769957cef5839753ce583c119
Instruction Fuzzy Hash: D41130B1508308ABD710AF69C98459EFBF8FF84344F41CC7EE488A7350D7B899848B56

Uniqueness

Uniqueness Score: -1.00%

Function 00405E70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004054D0: malloc.MSVCRT ref: 004054ED

strlen.MSVCRT ref: 00405EC1
_strdup.MSVCRT ref: 00405F0B

Strings

glob-1.0-mingw32, xrefs: 00405E7F, 00405E8E

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: _strdupmallocstrlen
String ID: glob-1.0-mingw32
API String ID: 3776109042-3253302226
Opcode ID: c7ef10c8fc13bf167dd354e22faae44c63f79e58ca2daf120f64f145e82a65e3
Instruction ID: d86937e87039ef58bea2ee39f29534f121709ac59445a58f53545eef5f8ad5e5
Opcode Fuzzy Hash: c7ef10c8fc13bf167dd354e22faae44c63f79e58ca2daf120f64f145e82a65e3
Instruction Fuzzy Hash: 68112CB2A046044BCB10AF65D8412AFBB65EE50314F54857FECD0673C2E3399A05CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 00401ED3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25windowCOMMON

Download Yara Rule

APIs

printf.MSVCRT ref: 00401F01
MessageBoxA.USER32 ref: 00401F2C

Strings

%s: %s, xrefs: 00401EFA

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: Messageprintf
String ID: %s: %s
API String ID: 351756659-482213395
Opcode ID: 086f5f872b72dbeab95df6729747531053729a0a7f1dba4ad9aba4c4c80d5050
Instruction ID: b0629b8bc2cc43963ad4c0c639e18c244297bc65686ed069ee9f23447f2e332f
Opcode Fuzzy Hash: 086f5f872b72dbeab95df6729747531053729a0a7f1dba4ad9aba4c4c80d5050
Instruction Fuzzy Hash: F6F0FE70409306EAD700AF24C45539E7FE0AB45348F50C93FE49966291D7B98588CB9F

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA30 Relevance: 4.6, APIs: 3, Instructions: 80COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 0040BA48
GetStartupInfoA.KERNEL32 ref: 0040BA55
GetModuleHandleA.KERNEL32 ref: 0040BABB

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: CommandHandleInfoLineModuleStartup
String ID:
API String ID: 1628297973-0
Opcode ID: 782236e8eab9c404dd8503ebedad9de7f052c1e6ef67b9c544d33eb725333c1b
Instruction ID: 683c93da681822c8bdd4e68fe4fc45ae700913e2caeef5859a1f0bbddea9d15c
Opcode Fuzzy Hash: 782236e8eab9c404dd8503ebedad9de7f052c1e6ef67b9c544d33eb725333c1b
Instruction Fuzzy Hash: 8921D8B2A4431849DF3066A984853BA7BA1DB16304F84007BDCD0662D5E37D59469EDF

Uniqueness

Uniqueness Score: -1.00%

Function 00406730 Relevance: 4.5, APIs: 3, Instructions: 23COMMON

Download Yara Rule

APIs

_findclose.MSVCRT ref: 00406746
free.MSVCRT(?,?,00000000,?,00405C08), ref: 00406754
_errno.MSVCRT ref: 00406761

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: _errno_findclosefree
String ID:
API String ID: 531968878-0
Opcode ID: 59e2543e3a3937255b6a4c2bb656510cb1fb118bf1359fa9f59c552fbdc37ce2
Instruction ID: 6de2fcfc115aca7985e5ca6cb23da726c403cdd58cecdb5da52348a5a23120c8
Opcode Fuzzy Hash: 59e2543e3a3937255b6a4c2bb656510cb1fb118bf1359fa9f59c552fbdc37ce2
Instruction Fuzzy Hash: E7E0DFB16043404BCB007E3998C021636D4AF00368F0206BEEC81AB3C2E7388800839A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAE9 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0040BABB

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9a6efc2665252e5eb1cd645efb8eab484d636dad40cbae3b16522a6a17c96558
Instruction ID: a41649d6ece103326572959801aa9f277788500120c795674a13f6bd8a530fc3
Opcode Fuzzy Hash: 9a6efc2665252e5eb1cd645efb8eab484d636dad40cbae3b16522a6a17c96558
Instruction Fuzzy Hash: A301F2B390436849DF205BA994853EABBE0EB05304F48446BDCD1622C5D37D19859B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00401590 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 0040159A

Part of subcall function 00401180: SetUnhandledExceptionFilter.KERNEL32 ref: 004011B5
Part of subcall function 00401180: GetCommandLineA.KERNEL32 ref: 004011D4

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: CommandExceptionFilterLineUnhandled__set_app_type
String ID:
API String ID: 3309298700-0
Opcode ID: d269e840212fe75b084e826f1cc98449c70ccffee4adaabc4c65867a7fe14721
Instruction ID: b22718cabd537c8ca27e3a27ecb8edd54fc76a2934aa30c17b0dddcd1df9cfe8
Opcode Fuzzy Hash: d269e840212fe75b084e826f1cc98449c70ccffee4adaabc4c65867a7fe14721
Instruction Fuzzy Hash: 29C09B314005159BC7047F24D405394F7B4FF04344F45852CD9A937051C77435198BE6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040206E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 0040209D
FindResourceExA.KERNEL32 ref: 004020C1
LoadResource.KERNEL32 ref: 004020D9
LockResource.KERNEL32 ref: 004020E7
fprintf.MSVCRT ref: 00402124
SetLastError.KERNEL32 ref: 00402132
fputs.MSVCRT ref: 0040215A

Strings

%s, xrefs: 00402119
<NULL>, xrefs: 00402153
Resource %d:, xrefs: 00402092

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: Resource$fprintf$ErrorFindLastLoadLockfputs
String ID: %s$<NULL>$Resource %d:
API String ID: 2361679423-125972688
Opcode ID: 6e32c59fbe76ed510b56d79a5f7784b44f2d46ab26867308757d5ae487f133e5
Instruction ID: b2b282bdc40890864b5b2746fa73940b38df57dd9ecf847a3767f3fc8689b533
Opcode Fuzzy Hash: 6e32c59fbe76ed510b56d79a5f7784b44f2d46ab26867308757d5ae487f133e5
Instruction Fuzzy Hash: 91217171A083119BD700BF66CA487577BE4EB04744F04C87EEA84AB3D1D7B88841CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408950 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 1317COMMON

Download Yara Rule

Strings

9, xrefs: 00409CCF
Infinity, xrefs: 00408AD0
, xrefs: 00409CEC
NaN, xrefs: 00408A9C

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID:
String ID: $9$Infinity$NaN
API String ID: 0-197352145
Opcode ID: 2956a404b131339b250372750b6c8a1ac7e7600f652435563cff51a4aeb64e12
Instruction ID: dbb76cab8b1b16f7cf5d09354f639944b109cbe710cde7c6d68a2bfea417b997
Opcode Fuzzy Hash: 2956a404b131339b250372750b6c8a1ac7e7600f652435563cff51a4aeb64e12
Instruction Fuzzy Hash: D4C237B1A083419FD714DF29C58421BBBE0BB84354F148D2EE8D9A7392E779D8458F8B

Uniqueness

Uniqueness Score: -1.00%

Function 004034B3 Relevance: 52.7, APIs: 20, Strings: 10, Instructions: 243stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00402168: strcmp.MSVCRT ref: 00402198

Part of subcall function 0040206E: fprintf.MSVCRT ref: 0040209D
Part of subcall function 0040206E: FindResourceExA.KERNEL32 ref: 004020C1
Part of subcall function 0040206E: LoadResource.KERNEL32 ref: 004020D9
Part of subcall function 0040206E: LockResource.KERNEL32 ref: 004020E7
Part of subcall function 0040206E: fprintf.MSVCRT ref: 00402124

Part of subcall function 0040206E: SetLastError.KERNEL32 ref: 00402132
Part of subcall function 0040206E: fputs.MSVCRT ref: 0040215A

fprintf.MSVCRT ref: 00403566
fputs.MSVCRT ref: 00403593
strcat.MSVCRT(?,00000000,?,?,00404A4F,?,?,00000000,?,00401822), ref: 004035C7
strtok.MSVCRT ref: 0040360B
fprintf.MSVCRT ref: 00403632
strpbrk.MSVCRT ref: 00403642
strrchr.MSVCRT ref: 0040365A
strncpy.MSVCRT ref: 00403684
_findfirst.MSVCRT ref: 004036A7
strncpy.MSVCRT ref: 00403735
strcpy.MSVCRT(?,00000000,?,?,00404A4F,?,?,00000000,?,00401822), ref: 00403747
fprintf.MSVCRT ref: 00403774
_findnext.MSVCRT ref: 00403786
_findclose.MSVCRT ref: 004037A4
strncpy.MSVCRT ref: 0040381A
strcat.MSVCRT(?,00000000,?,?,00404A4F,?,?,00000000,?,00401822), ref: 0040387A
strcat.MSVCRT(?,00000000,?,?,00404A4F,?,?,00000000,?,00401822), ref: 004038A0
strcat.MSVCRT(?,00000000,?,?,00404A4F,?,?,00000000,?,00401822), ref: 004038B0
strcat.MSVCRT(?,00000000,?,?,00404A4F,?,?,00000000,?,00401822), ref: 004038B7
strncat.MSVCRT ref: 004038D1

Part of subcall function 004025E6: strcat.MSVCRT(?,?,?,?,00403151,?,?), ref: 00402612

Strings

\, xrefs: 0040364F
0A, xrefs: 0040387F
-classpath ", xrefs: 004035B8
0A, xrefs: 0040352E
0A, xrefs: 00403553
-jar ", xrefs: 0040388F
" :%s, xrefs: 00403769
Main class:%s, xrefs: 0040355B
Info:Classpath not defined., xrefs: 0040358C
Add classpath:%s, xrefs: 00403627

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: strcat$fprintf$Resourcestrncpy$fputs$ErrorFindLastLoadLock_findclose_findfirst_findnextstrcmpstrcpystrncatstrpbrkstrrchrstrtok
String ID: " :%s$-classpath "$-jar "$0A$0A$0A$Add classpath:%s$Info:Classpath not defined.$Main class:%s$\
API String ID: 613304418-2540393707
Opcode ID: 6564128a6cc528ec5cb1b9d027dc0a7a37f9b8b73ccbb25743e7080770cadeb0
Instruction ID: bf63dada7832985e1febaaf2b1d8cbe36adb275f95a9fc3bdd2783700abf1d5b
Opcode Fuzzy Hash: 6564128a6cc528ec5cb1b9d027dc0a7a37f9b8b73ccbb25743e7080770cadeb0
Instruction Fuzzy Hash: 84B1EEB09153189BCB209F65C9849DEBBF4BF44704F0089AEE5C8A7391D7B896C4CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 00402A7B Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 152stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00402ACE
strchr.MSVCRT ref: 00402AFD
strncat.MSVCRT ref: 00402B25
strncat.MSVCRT ref: 00402B4D
strcmp.MSVCRT ref: 00402B6A
strncat.MSVCRT ref: 00402B84
strcmp.MSVCRT ref: 00402B99
strcmp.MSVCRT ref: 00402BB5
GetCurrentDirectoryA.KERNEL32 ref: 00402BC9
strcmp.MSVCRT ref: 00402BE0
strcat.MSVCRT ref: 00402C7F
fprintf.MSVCRT ref: 00402CA0
strcat.MSVCRT(?,00000000,?,?,00404563,00000001,00000000,000000B7,?,00404874,?,?,00000000,?,00401822), ref: 00402CB8

Strings

%, xrefs: 00402AE6
OLDPWD, xrefs: 00402BD5
EXEFILE, xrefs: 00402B8E
PWD, xrefs: 00402BAA
HKEY, xrefs: 00402C14
EXEDIR, xrefs: 00402B59
JREHOMEDIR, xrefs: 00402BF6
Substitute:%s = %s, xrefs: 00402C95

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: strcmp$strncat$strcatstrchr$CurrentDirectoryfprintf
String ID: %$EXEDIR$EXEFILE$HKEY$JREHOMEDIR$OLDPWD$PWD$Substitute:%s = %s
API String ID: 54753763-2002562290
Opcode ID: 94fd70767d738fff143135af240ead0c608938e38743d25e844e5498d7beb604
Instruction ID: a8c3753f6e64bff7cb0e6b833eb0b3127f56a9d06cf8f1ab9b577b30a68fd9b8
Opcode Fuzzy Hash: 94fd70767d738fff143135af240ead0c608938e38743d25e844e5498d7beb604
Instruction Fuzzy Hash: 39511DB09087059BD754AF25C94815EBBE4FF84344F00C87FE488A73C1DBB8D9899B9A

Uniqueness

Uniqueness Score: -1.00%

Function 004021DE Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 105stringregistryCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 004021F5
strstr.MSVCRT ref: 00402209
strstr.MSVCRT ref: 0040221D
strstr.MSVCRT ref: 00402231
strstr.MSVCRT ref: 00402247
strchr.MSVCRT ref: 00402280
strrchr.MSVCRT ref: 00402293
RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004022C6
RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,00000000,?,?,00404563,00000001,00000000,000000B7,?), ref: 004022F2
RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00404563), ref: 0040232B
RegCloseKey.ADVAPI32 ref: 00402343

Strings

HKEY_CURRENT_USER, xrefs: 004021FE
HKEY_CURRENT_CONFIG, xrefs: 0040223A
HKEY_USERS, xrefs: 00402226
HKEY_CLASSES_ROOT, xrefs: 004021EA
HKEY_LOCAL_MACHINE, xrefs: 00402212
\, xrefs: 00402288

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: strstr$Open$CloseQueryValuestrchrstrrchr
String ID: HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$\
API String ID: 356245303-3439841907
Opcode ID: b68e94b4651e59875c23cbe767a162237a3e38a7b6a04e1972fb8d4ce0db7f60
Instruction ID: 099114257f5834d4dfd9dfbf971b1345a1aa800c6043e63931d92b8a70d085bf
Opcode Fuzzy Hash: b68e94b4651e59875c23cbe767a162237a3e38a7b6a04e1972fb8d4ce0db7f60
Instruction Fuzzy Hash: 68414F71909705DFC700AFA5C58475EBBE4AB44344F01897FE885AB381D7BD88448F9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040425D Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 135stringpipeCOMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 004042BA
CreatePipe.KERNEL32 ref: 00404302
fputs.MSVCRT ref: 00404322
SetHandleInformation.KERNEL32(?,?,?,?,00404874,?,?,00000000,?,00401822), ref: 00404347
fputs.MSVCRT ref: 00404367
CloseHandle.KERNEL32 ref: 00404375
strcpy.MSVCRT ref: 004043AC
fputs.MSVCRT ref: 00404405
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00404874,?,?,00000000,?,00401822), ref: 00404413
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00404874,?,?,00000000,?,00401822), ref: 00404464

Strings

Cannot set handle information, xrefs: 00404360
Check Java Version: %s min=%s max=%s, xrefs: 004042AF
Cannot run java(w) -version, xrefs: 004043FE
Cannot create pipe, xrefs: 0040431B
"%s" -version, xrefs: 004043C3

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: Handle$Closefputs$CreateInformationPipefprintfstrcpy
String ID: "%s" -version$Cannot create pipe$Cannot run java(w) -version$Cannot set handle information$Check Java Version: %s min=%s max=%s
API String ID: 571126077-3734277957
Opcode ID: 6ff35bc699c4434bbcb055b598f65245645bea7e341e1a5a77471e3fc549a602
Instruction ID: 01e741dbff6da5ac0ed7ecf63647694fc58ce104bdfefedce5b9c8226379a9fd
Opcode Fuzzy Hash: 6ff35bc699c4434bbcb055b598f65245645bea7e341e1a5a77471e3fc549a602
Instruction Fuzzy Hash: EF512EB1915B149BCB10AF65C44469EBBF4FF84344F00C87EE988A7380D7789A84CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 004023B8 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 141stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004047F3,?,?,00000000,?,00401822), ref: 004023CF

Part of subcall function 00402356: strchr.MSVCRT ref: 00402377
Part of subcall function 00402356: strchr.MSVCRT ref: 00402389

strncpy.MSVCRT ref: 0040243B
strcpy.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004047F3,?,?,00000000,?,00401822), ref: 00402462
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004047F3,?,?,00000000,?,00401822), ref: 00402481
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004047F3,?,?,00000000,?,00401822), ref: 004024A7
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004047F3,?,?,00000000,?,00401822), ref: 004024C3
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004047F3,?,?,00000000,?,00401822), ref: 004024E9
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004047F3,?,?,00000000,?,00401822), ref: 004024FE
fputs.MSVCRT ref: 00402545
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004047F3,?,?,00000000,?,00401822), ref: 0040255E
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004047F3,?,?,00000000,?,00401822), ref: 0040256E
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004047F3,?,?,00000000,?,00401822), ref: 0040257E
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004047F3,?,?,00000000,?,00401822), ref: 0040258E

Strings

1.0_, xrefs: 00402457

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: strcat$strchrstrcpy$fputsstrncpy
String ID: 1.0_
API String ID: 2030749601-2140295588
Opcode ID: 34745bde1229345fe57035e0c9f1bdb61a38b0e33f141d83ce7dc8e3bef02a45
Instruction ID: c8cc6dbe12c22dde379ee278e671de4d24285e3bd24e64302c9b55a0a8e8a779
Opcode Fuzzy Hash: 34745bde1229345fe57035e0c9f1bdb61a38b0e33f141d83ce7dc8e3bef02a45
Instruction Fuzzy Hash: 6D5167708042089ECB10EFA5C9845AEBBF1FF44318F10C93EE895BB2C1D77898468F4A

Uniqueness

Uniqueness Score: -1.00%

Function 00403B64 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 99stringfileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00403BAA
fprintf.MSVCRT ref: 00403BED
strchr.MSVCRT ref: 00403C03
strchr.MSVCRT ref: 00403C34
fputs.MSVCRT ref: 00403C6E
strstr.MSVCRT ref: 00403C8E
strstr.MSVCRT ref: 00403CA7

Strings

", xrefs: 00403C29
Cannot get version string: cannot find quote, xrefs: 00403C1D
64-bit, xrefs: 00403C9C
Java version output: %s, xrefs: 00403BE2
Cannot get version string: missing end quote, xrefs: 00403C4A
64-Bit, xrefs: 00403C83
Cannot get version string: data too large, xrefs: 00403C67

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: strchrstrstr$FileReadfprintffputs
String ID: "$64-Bit$64-bit$Cannot get version string: cannot find quote$Cannot get version string: data too large$Cannot get version string: missing end quote$Java version output: %s
API String ID: 654744459-1675060857
Opcode ID: 156e2843adf327391821868efd350f7fbfbdc8521a23d9965e68f5c8307a01cc
Instruction ID: e8aa2acd962ab2fd5c8c0fc22ee4c0e01d98c506ce6ea6c951ee3204a80167ad
Opcode Fuzzy Hash: 156e2843adf327391821868efd350f7fbfbdc8521a23d9965e68f5c8307a01cc
Instruction Fuzzy Hash: C1413071A083059BD710AF39C94479ABBE8EF44745F01C87EE884F7381D778D9849B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00403E88 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 128registrystringCOMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00403ECC
RegOpenKeyExA.ADVAPI32 ref: 00403EFC
RegEnumKeyExA.ADVAPI32 ref: 00403F83
strcpy.MSVCRT ref: 00403FA3
fprintf.MSVCRT ref: 00403FCC
strcpy.MSVCRT ref: 0040401D
fprintf.MSVCRT ref: 00404042
fprintf.MSVCRT ref: 00404067
RegCloseKey.ADVAPI32 ref: 0040408A

Strings

Match:%s, xrefs: 00404037
%s-bit search:%s..., xrefs: 00403EC1
Ignore:%s, xrefs: 0040405C
Check:%s, xrefs: 00403FC1

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: fprintf$strcpy$CloseEnumOpen
String ID: %s-bit search:%s...$Check:%s$Ignore:%s$Match:%s
API String ID: 3338988320-103288940
Opcode ID: 2de5386d3749ffbcccdce159ddb5600dcbeeb1ab2c6bc441cb082d33776583ec
Instruction ID: b939c929f63a7de0fdb388904b3839f18005a212951f29d3dd11f867c2209be8
Opcode Fuzzy Hash: 2de5386d3749ffbcccdce159ddb5600dcbeeb1ab2c6bc441cb082d33776583ec
Instruction Fuzzy Hash: FB51EAB09043199BCB10DF65C98469ABBF8FF84744F40C87EE988A7351D7789A85CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00405C6C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 227stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00405944
_strdup.MSVCRT ref: 0040598C
strlen.MSVCRT ref: 00405A47

Strings

\, xrefs: 004059E0

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: strlen$_strdup
String ID: \
API String ID: 2848476203-2967466578
Opcode ID: 40266cb6b7e606f28f1ce6d171f8b793c7301e699fe6d1beae70279d47884b78
Instruction ID: 338fe63d1142efbbd1dd2a8cbea8508b5e0bced79ebd2ed05883e858327e80fd
Opcode Fuzzy Hash: 40266cb6b7e606f28f1ce6d171f8b793c7301e699fe6d1beae70279d47884b78
Instruction Fuzzy Hash: 8E9149B1A046088FDB14EF65D4847AEB7F1EF44314F55852EE845BB381E738A841CF89

Uniqueness

Uniqueness Score: -1.00%

Function 004040F7 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 61stringCOMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 0040411A
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,0040487D,?,?,00000000,?), ref: 004041CE
fprintf.MSVCRT ref: 00404208

Strings

SOFTWARE\IBM\Java Development Kit, xrefs: 0040417F, 004041A9
SOFTWARE\IBM\Java Runtime Environment, xrefs: 00404173
SOFTWARE\JavaSoft\JDK, xrefs: 00404155
Runtime used:%s (%s-bit), xrefs: 004041FD
SOFTWARE\JavaSoft\JRE, xrefs: 00404149
SOFTWARE\IBM\Java2 Runtime Environment, xrefs: 0040419D
SOFTWARE\JavaSoft\Java Development Kit, xrefs: 00404134
findRegistryJavaHome(), xrefs: 00404113
SOFTWARE\JavaSoft\Java Runtime Environment, xrefs: 00404128

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: fprintffputsstrcpy
String ID: Runtime used:%s (%s-bit)$SOFTWARE\IBM\Java Development Kit$SOFTWARE\IBM\Java Runtime Environment$SOFTWARE\IBM\Java2 Runtime Environment$SOFTWARE\JavaSoft\JDK$SOFTWARE\JavaSoft\JRE$SOFTWARE\JavaSoft\Java Development Kit$SOFTWARE\JavaSoft\Java Runtime Environment$findRegistryJavaHome()
API String ID: 1909795467-63838366
Opcode ID: 1c50ead3fb921290a0689db3b6edd9f7bed6fd35e6df379523e7a12ee7c8669d
Instruction ID: d12f84050712283ef0caac45d72fbda2f43e63f73d6c3a0a72d72ebe76e6f0a8
Opcode Fuzzy Hash: 1c50ead3fb921290a0689db3b6edd9f7bed6fd35e6df379523e7a12ee7c8669d
Instruction Fuzzy Hash: 4F2187B09153049ADB107FA5D80535A7BE0AB91308F41C93FA6847A3D5DBBD48C8CF9E

Uniqueness

Uniqueness Score: -1.00%

Function 00402E9D Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 109stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040206E: fprintf.MSVCRT ref: 0040209D
Part of subcall function 0040206E: FindResourceExA.KERNEL32 ref: 004020C1
Part of subcall function 0040206E: LoadResource.KERNEL32 ref: 004020D9
Part of subcall function 0040206E: LockResource.KERNEL32 ref: 004020E7
Part of subcall function 0040206E: fprintf.MSVCRT ref: 00402124

strcat.MSVCRT ref: 00402ED1
strncpy.MSVCRT ref: 00402F02
strcat.MSVCRT ref: 00402F12
_open.MSVCRT ref: 00402F22
fprintf.MSVCRT ref: 00402F4C
_read.MSVCRT ref: 00402F82
strcat.MSVCRT ref: 00402FE3
_close.MSVCRT ref: 00402FF1

Strings

l4j.ini, xrefs: 00402F07
Loading:%s, xrefs: 00402F41

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: Resourcefprintfstrcat$FindLoadLock_close_open_readstrncpy
String ID: Loading:%s$l4j.ini
API String ID: 1951458220-28774081
Opcode ID: 6500996f953e90d402b07531e7880fd30e7e77e9bb9eaf60c5882c14693f788e
Instruction ID: e6a59ccfb4348ae7fdfb3dc021d56774ebb656fd3bd48e1e1ba4922efda9210c
Opcode Fuzzy Hash: 6500996f953e90d402b07531e7880fd30e7e77e9bb9eaf60c5882c14693f788e
Instruction Fuzzy Hash: 144194709043059BD7109F75C6483AEBBE0EF45394F54897EE988A73C1D7BCD8809B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00404CC0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 87memoryfileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00404CEC
vfprintf.MSVCRT ref: 00404D00
abort.MSVCRT(?,?,?,00400000,?,00404DF3), ref: 00404D05
VirtualQuery.KERNEL32 ref: 00404D31
memcpy.MSVCRT ref: 00404D54
VirtualProtect.KERNEL32 ref: 00404D85
memcpy.MSVCRT ref: 00404D9E
VirtualProtect.KERNEL32 ref: 00404DCB

Strings

@, xrefs: 00404D70
Mingw runtime failure:, xrefs: 00404CDE

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: Virtual$Protectmemcpy$Queryabortfwritevfprintf
String ID: @$Mingw runtime failure:
API String ID: 978211760-2549925133
Opcode ID: 202b3489fbe21ffe6074641cc2764324021f8920e8ce36e99d4c120ec63bf990
Instruction ID: 9884236dd0ff3e00766b16e33be4efd070c970773d2926e11ecf1e6f517b4ba2
Opcode Fuzzy Hash: 202b3489fbe21ffe6074641cc2764324021f8920e8ce36e99d4c120ec63bf990
Instruction Fuzzy Hash: D231F4B5905308EFDB00EF6AD48459EFBF4EF88354F00882EE998A3351D77898448F86

Uniqueness

Uniqueness Score: -1.00%

Function 00403CC0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 74processCOMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00403D21
CreateProcessA.KERNEL32 ref: 00403D6C
fprintf.MSVCRT ref: 00403D92
CloseHandle.KERNEL32 ref: 00403D9F
CloseHandle.KERNEL32(00000000), ref: 00403DAB
CloseHandle.KERNEL32(?,00000000), ref: 00403DB7

Strings

D, xrefs: 00403CF0
Create process: %s, xrefs: 00403D13
Cannot create process %s, xrefs: 00403D87

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: CloseHandle$fprintf$CreateProcess
String ID: Cannot create process %s$Create process: %s$D
API String ID: 991247836-3672066502
Opcode ID: 44a9ebc4f29dd275e19e668eb4d94abdf4c185c4c056473b7187bfc6ca55a02d
Instruction ID: 3006a752ac1b2f0d7f8f9d526bed630b8ad66a9ddf4ed0f0844996f609aba220
Opcode Fuzzy Hash: 44a9ebc4f29dd275e19e668eb4d94abdf4c185c4c056473b7187bfc6ca55a02d
Instruction Fuzzy Hash: 0431CBB1904304DBDB00EF69D45479EBBF8FF88348F00882EE958A7391D77995488F9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040603C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

mbstowcs.MSVCRT ref: 00406056
mbstowcs.MSVCRT ref: 0040608A
wcstombs.MSVCRT ref: 00406166
realloc.MSVCRT ref: 0040617A
wcstombs.MSVCRT ref: 00406194
wcstombs.MSVCRT ref: 00406279
setlocale.MSVCRT ref: 00406292
free.MSVCRT ref: 0040629A

Strings

/, xrefs: 0040613A

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: wcstombs$mbstowcs$freereallocsetlocale
String ID: /
API String ID: 2027400679-2043925204
Opcode ID: 06c86813c71c67ec2b1ef2b73ab138173f94e706e0f547e821152b96c49dd03f
Instruction ID: dbdb09d2e49c637d055f1a091daabc9124cb30004860345a232a416a3289bb7a
Opcode Fuzzy Hash: 06c86813c71c67ec2b1ef2b73ab138173f94e706e0f547e821152b96c49dd03f
Instruction Fuzzy Hash: C84129759042198BCB10EF69C0416AEF7F1FF88340F45856FE885B7391E77898518B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00403A11 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 77stringprocesssynchronizationCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00403A69
strcat.MSVCRT ref: 00403A79
strcat.MSVCRT ref: 00403A89
strcat.MSVCRT ref: 00403A99
CreateProcessA.KERNEL32 ref: 00403AE6
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,00000000,?,00401B58), ref: 00403B08
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00403B1B

Part of subcall function 004039ED: CloseHandle.KERNEL32 ref: 004039FB
Part of subcall function 004039ED: CloseHandle.KERNEL32(00000000), ref: 00403A09

Strings

D, xrefs: 00403A48

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: strcat$CloseHandleProcess$CodeCreateExitObjectSingleWaitstrcpy
String ID: D
API String ID: 3105771607-2746444292
Opcode ID: 8a3474058418f01a79e41f1e2f626a7043a5e5ccd7006143ff001d79813bd500
Instruction ID: 3df40940e8432ce9284b6fea613a2f7888b8acc634e22e3942a9b99661cca235
Opcode Fuzzy Hash: 8a3474058418f01a79e41f1e2f626a7043a5e5ccd7006143ff001d79813bd500
Instruction Fuzzy Hash: B6312DB14093049FD710AF15C54436FBBF4EB84318F40C92EE488AB391DB799989CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4D Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00401E5B
GetProcAddress.KERNEL32 ref: 00401E6C
GetCurrentProcess.KERNEL32 ref: 00401E79
fprintf.MSVCRT ref: 00401EBA

Strings

IsWow64Process, xrefs: 00401E61
WOW64:%s, xrefs: 00401EA8
kernel32, xrefs: 00401E54
Yes, xrefs: 00401E9E

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcessfprintf
String ID: IsWow64Process$WOW64:%s$Yes$kernel32
API String ID: 24026888-2598006572
Opcode ID: 4d68c35bc7673b327c6e9748294b050cf96d391d96f91c4c823ca62e5cf1f564
Instruction ID: 0dbb2e1e3f4b8ff3b0d60c87df776afcaeee342ada2e56ea3d16539466c2c780
Opcode Fuzzy Hash: 4d68c35bc7673b327c6e9748294b050cf96d391d96f91c4c823ca62e5cf1f564
Instruction Fuzzy Hash: E8F01DB05043489ED7047FB5D84551B7AE8EB84708F10C83EE548A7291D779D884575E

Uniqueness

Uniqueness Score: -1.00%

Function 00403903 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 63stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040206E: fprintf.MSVCRT ref: 0040209D
Part of subcall function 0040206E: FindResourceExA.KERNEL32 ref: 004020C1
Part of subcall function 0040206E: LoadResource.KERNEL32 ref: 004020D9
Part of subcall function 0040206E: LockResource.KERNEL32 ref: 004020E7
Part of subcall function 0040206E: fprintf.MSVCRT ref: 00402124

strcat.MSVCRT(?,00000000,?,?,00404A5A,?,?,00000000,?,00401822), ref: 00403950
strcat.MSVCRT(?,00000000,?,?,00404A5A,?,?,00000000,?,00401822), ref: 00403960
strcpy.MSVCRT(?,00000000,?,?,00404A5A,?,?,00000000,?,00401822), ref: 00403971
strstr.MSVCRT ref: 00403981
strchr.MSVCRT ref: 00403997
strcat.MSVCRT ref: 004039CD
strcat.MSVCRT ref: 004039DD

Strings

, xrefs: 0040398C
--l4j-, xrefs: 00403976

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: strcat$Resource$fprintf$FindLoadLockstrchrstrcpystrstr
String ID: $--l4j-
API String ID: 3962799999-2912585538
Opcode ID: 324bd260140970f8cb80dcf07fa8b1b48f5031bab3856de975eef6cf38d9d5e5
Instruction ID: d86d6bac42e11a723af3e38eb1e774dd3d214982ac7ad35cb17906f1e13af449
Opcode Fuzzy Hash: 324bd260140970f8cb80dcf07fa8b1b48f5031bab3856de975eef6cf38d9d5e5
Instruction Fuzzy Hash: 1A214FB04093049AD7206F66854436EBEE8AF81714F05C87FA4C8A72C1D7BD8988DB9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040319C Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 55stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040206E: fprintf.MSVCRT ref: 0040209D
Part of subcall function 0040206E: FindResourceExA.KERNEL32 ref: 004020C1
Part of subcall function 0040206E: LoadResource.KERNEL32 ref: 004020D9
Part of subcall function 0040206E: LockResource.KERNEL32 ref: 004020E7
Part of subcall function 0040206E: fprintf.MSVCRT ref: 00402124

strcat.MSVCRT ref: 004031D6
strcat.MSVCRT ref: 004031EA
strcat.MSVCRT ref: 00403207
strcat.MSVCRT ref: 0040321B
strcat.MSVCRT ref: 00403238
strcat.MSVCRT ref: 0040327E
strcat.MSVCRT ref: 0040328E

Strings

- , xrefs: 004031F8
(64-bit), xrefs: 00403229

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: strcat$Resource$fprintf$FindLoadLock
String ID: (64-bit)$ -
API String ID: 2267084178-2895498852
Opcode ID: 73a27253a1d9cce557c46d00cb91e28e8f48ed9c1a34b081921d08c64a598965
Instruction ID: 09907799204a2b68986263d62de9c25d620fdfe5dfd06028c6549d32c673b362
Opcode Fuzzy Hash: 73a27253a1d9cce557c46d00cb91e28e8f48ed9c1a34b081921d08c64a598965
Instruction Fuzzy Hash: 4621B6B0819341AAE7116F5595192AEBAE4AF80708F01C86FD5C4272D1CBFD49C8DBAF

Uniqueness

Uniqueness Score: -1.00%

Function 004033D0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 63stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040206E: fprintf.MSVCRT ref: 0040209D
Part of subcall function 0040206E: FindResourceExA.KERNEL32 ref: 004020C1
Part of subcall function 0040206E: LoadResource.KERNEL32 ref: 004020D9
Part of subcall function 0040206E: LockResource.KERNEL32 ref: 004020E7
Part of subcall function 0040206E: fprintf.MSVCRT ref: 00402124

strtok.MSVCRT ref: 00403424
strchr.MSVCRT ref: 0040343A

Part of subcall function 00402A7B: strchr.MSVCRT ref: 00402ACE
Part of subcall function 00402A7B: strchr.MSVCRT ref: 00402AFD
Part of subcall function 00402A7B: strncat.MSVCRT ref: 00402B25
Part of subcall function 00402A7B: strncat.MSVCRT ref: 00402B4D
Part of subcall function 00402A7B: strcmp.MSVCRT ref: 00402B6A
Part of subcall function 00402A7B: strncat.MSVCRT ref: 00402B84
Part of subcall function 00402A7B: strcmp.MSVCRT ref: 00402B99
Part of subcall function 00402A7B: strcat.MSVCRT ref: 00402C7F
Part of subcall function 00402A7B: fprintf.MSVCRT ref: 00402CA0
Part of subcall function 00402A7B: strcat.MSVCRT(?,00000000,?,?,00404563,00000001,00000000,000000B7,?,00404874,?,?,00000000,?,00401822), ref: 00402CB8

fprintf.MSVCRT ref: 00403480
SetEnvironmentVariableA.KERNEL32(?,?), ref: 0040348C
strtok.MSVCRT ref: 004034A2

Strings

Set var:%s = %s, xrefs: 00403475
=, xrefs: 0040342F

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: fprintf$Resourcestrchrstrncat$strcatstrcmpstrtok$EnvironmentFindLoadLockVariable
String ID: =$Set var:%s = %s
API String ID: 3861738652-24686798
Opcode ID: ef20f33879f290eaae31b3fd09d33172aef78c4e4380af2f2bfc46b0946ee58f
Instruction ID: 3ec13cc95b499d9f319ec9d1fe1beb8d0880a979b0ad09246d7046286d1adb68
Opcode Fuzzy Hash: ef20f33879f290eaae31b3fd09d33172aef78c4e4380af2f2bfc46b0946ee58f
Instruction Fuzzy Hash: 07212F718087189FC711AF25C48468EBBF4FF84754F01C87EE489A7381D7B88A459BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00403001 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0040206E: fprintf.MSVCRT ref: 0040209D
Part of subcall function 0040206E: FindResourceExA.KERNEL32 ref: 004020C1
Part of subcall function 0040206E: LoadResource.KERNEL32 ref: 004020D9
Part of subcall function 0040206E: LockResource.KERNEL32 ref: 004020E7
Part of subcall function 0040206E: fprintf.MSVCRT ref: 00402124

fprintf.MSVCRT ref: 0040305A
CreateMutexA.KERNEL32 ref: 00403092
GetLastError.KERNEL32 ref: 0040309A
fprintf.MSVCRT ref: 004030C7

Strings

Instance already exists., xrefs: 004030B4
Error:%s, xrefs: 004030BC
Create mutex:%s, xrefs: 0040304F

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: fprintf$Resource$CreateErrorFindLastLoadLockMutex
String ID: Create mutex:%s$Error:%s$Instance already exists.
API String ID: 891584312-2614424452
Opcode ID: 8038696ccd142a534505979f791e031c8a291c32fdb7ed26f7ee5de89c305d0e
Instruction ID: 1f4c1eaa82f4060830f2c0f32ca48a780e5aa8165ae46bea8d59ee0f5803b43f
Opcode Fuzzy Hash: 8038696ccd142a534505979f791e031c8a291c32fdb7ed26f7ee5de89c305d0e
Instruction Fuzzy Hash: 62114F719053088AE720AF75C84574EBBF5EF80704F00C87ED48CB7395D7B99A888B4A

Uniqueness

Uniqueness Score: -1.00%

Function 00402CCE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 103stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004021AB: atoi.MSVCRT ref: 004021D3

fprintf.MSVCRT ref: 00402D81
fprintf.MSVCRT ref: 00402DC3
strcat.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,00402E6A), ref: 00402DD5
_itoa.MSVCRT ref: 00402DFC

Strings

Heap %s:Requested %d MB / %d%%, Available: %d MB, Heap size: %d MB, xrefs: 00402DB4
Heap limit:Reduced %d MB heap size to 32-bit maximum %d MB, xrefs: 00402D76

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: fprintf$_itoaatoistrcat
String ID: Heap %s:Requested %d MB / %d%%, Available: %d MB, Heap size: %d MB$Heap limit:Reduced %d MB heap size to 32-bit maximum %d MB
API String ID: 2922754228-3040617333
Opcode ID: 918653d39c195f357f14f90cc5a83aee57f61a1c160bdbb060af1e2d2a3e4856
Instruction ID: b96a5499c86e2501b1b4687ab3327843e8a336129cde26e5737633cb2b7b499e
Opcode Fuzzy Hash: 918653d39c195f357f14f90cc5a83aee57f61a1c160bdbb060af1e2d2a3e4856
Instruction Fuzzy Hash: 5041F9B5A047099BCB04DF69C58469EBBF4EF88354F10C83EE944A7390D778D8458FA5

Uniqueness

Uniqueness Score: -1.00%

Function 004015D0 Relevance: 10.6, APIs: 7, Instructions: 62timewindowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00401606
KillTimer.USER32(00000000,00000000), ref: 0040162D

Part of subcall function 00401F36: GetLastError.KERNEL32 ref: 00401F3D
Part of subcall function 00401F36: fprintf.MSVCRT ref: 00401F60
Part of subcall function 00401F36: FormatMessageA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401F9F
Part of subcall function 00401F36: fprintf.MSVCRT ref: 00401FC2
Part of subcall function 00401F36: strcat.MSVCRT ref: 00401FD6
Part of subcall function 00401F36: strcat.MSVCRT ref: 00401FE9
Part of subcall function 00401F36: LocalFree.KERNEL32 ref: 00401FF1
Part of subcall function 00401F36: fprintf.MSVCRT ref: 00402028
Part of subcall function 00401F36: ShellExecuteA.SHELL32 ref: 0040205C

PostQuitMessage.USER32(00000000), ref: 00401640
EnumWindows.USER32 ref: 00401668
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 0040167F
KillTimer.USER32 ref: 004016B4
PostQuitMessage.USER32(00000000), ref: 004016C2

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: Messagefprintf$KillPostQuitTimerstrcat$CodeEnumErrorExecuteExitFormatFreeLastLocalProcessShellShowWindowWindows
String ID:
API String ID: 3625041480-0
Opcode ID: 58dfb5ebc8f86ec5701fb2e5a533e7cf4fe2df1a8f8ff1d809d73ff33d617007
Instruction ID: 50cd0177247bc64fdd0427adbd308ef8a0a0659d826e296ea7324a0b65c46f2b
Opcode Fuzzy Hash: 58dfb5ebc8f86ec5701fb2e5a533e7cf4fe2df1a8f8ff1d809d73ff33d617007
Instruction Fuzzy Hash: 0B21E8B0105305DBD710AF25ED49B6A7BE8EB14348F04893EE480A72E1D7BD9884CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403352 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 0040337C
strcat.MSVCRT ref: 0040338C

Part of subcall function 004032B9: GetEnvironmentVariableA.KERNEL32(?,00000000,?,?,00403399), ref: 004032F5
Part of subcall function 004032B9: strcat.MSVCRT(?,?,00403399), ref: 00403324
Part of subcall function 004032B9: strcat.MSVCRT(?,?,00403399), ref: 00403333
Part of subcall function 004032B9: SetEnvironmentVariableA.KERNEL32(?,?,00403399), ref: 00403343

fprintf.MSVCRT ref: 004033BE

Strings

Error:%s, xrefs: 004033B3
appendToPathVar failed., xrefs: 004033AB
\bin, xrefs: 00403381

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: strcat$EnvironmentVariable$fprintfstrcpy
String ID: Error:%s$\bin$appendToPathVar failed.
API String ID: 4002749114-3685084685
Opcode ID: 32c48cab8f2bb47bb4a523018c08e237e67254d927d0fffb13c59598ce9b388a
Instruction ID: a6e49bf5e468cc694fd20e402aa1819437a355fb40fcd76aae32b06a45a3a6aa
Opcode Fuzzy Hash: 32c48cab8f2bb47bb4a523018c08e237e67254d927d0fffb13c59598ce9b388a
Instruction Fuzzy Hash: E9F044715183044BD710AF65D5412AE7BE59FC1704F01C83ED9886B380DBBD95998B8B

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 9.1, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00401034
signal.MSVCRT ref: 00401091
signal.MSVCRT ref: 004010C9
signal.MSVCRT ref: 00401112

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: d1ee1be7c3420bf09eeede14ca8e6c34e224ea776cae3f46f88c592e957151fa
Instruction ID: 4cadb046b36af996b1d1f2cf527b2353056622184eb83a27ca2ebd8e6865ad1e
Opcode Fuzzy Hash: d1ee1be7c3420bf09eeede14ca8e6c34e224ea776cae3f46f88c592e957151fa
Instruction Fuzzy Hash: 3F21EC701082448AD7106F79858472B76D0AF46328F114A3BE5E9E77E1C7BEC8C59B5B

Uniqueness

Uniqueness Score: -1.00%

Function 0040293E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00402992
RegQueryValueExA.ADVAPI32 ref: 004029F2
RegCloseKey.ADVAPI32 ref: 00402A1C
strcpy.MSVCRT(00000000), ref: 00402A31

Strings

JavaHome, xrefs: 004029DD

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: CloseOpenQueryValuestrcpy
String ID: JavaHome
API String ID: 1410419071-2033683150
Opcode ID: a81f4f9dc3a1d61cc8afe0be9ae05c1be234e21f248e322f42947556999d8126
Instruction ID: bd454ce830a56a602a8766d1f7cd4e947d2f03486a263cfd597384e2f0d6c919
Opcode Fuzzy Hash: a81f4f9dc3a1d61cc8afe0be9ae05c1be234e21f248e322f42947556999d8126
Instruction Fuzzy Hash: A02175705053199FDB20DF69D98479AFBF4EB48304F00887EE988A3340D7B899898F96

Uniqueness

Uniqueness Score: -1.00%

Function 00403DC7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00403DEA
strcmp.MSVCRT ref: 00403E09
fprintf.MSVCRT ref: 00403E79

Strings

Ignore, xrefs: 00403E46
Version string: %s / %s-Bit (%s), xrefs: 00403E6E

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: strcmp$fprintf
String ID: Ignore$Version string: %s / %s-Bit (%s)
API String ID: 512415533-1929821993
Opcode ID: a083bb2088dd92846d9d0cc6c5db1bfa6cb82e22ea4d85e67aa72f732297f2c9
Instruction ID: a308aaa70cdc7c99e6cc35e3197b585a9af99593057eae588ba8e59894b27b33
Opcode Fuzzy Hash: a083bb2088dd92846d9d0cc6c5db1bfa6cb82e22ea4d85e67aa72f732297f2c9
Instruction Fuzzy Hash: 36115171605745ABD7105FAAD884357BEE8AB84309F04C53FE988573D0D7B8C9888BCE

Uniqueness

Uniqueness Score: -1.00%

Function 004032B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49stringCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(?,00000000,?,?,00403399), ref: 004032F5
strcat.MSVCRT(?,?,00403399), ref: 00403324
strcat.MSVCRT(?,?,00403399), ref: 00403333
SetEnvironmentVariableA.KERNEL32(?,?,00403399), ref: 00403343

Strings

Path, xrefs: 004032EE, 0040333C

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: EnvironmentVariablestrcat
String ID: Path
API String ID: 194762557-2875597873
Opcode ID: 4e501c9781179ad70e6ec4900027c91821c103ba319cf1e7f9fd3aefabda63be
Instruction ID: 9ee655bba7f4b95a13a94f6b6184e2646f9d4ed479972dc6f58929c70fabdcf9
Opcode Fuzzy Hash: 4e501c9781179ad70e6ec4900027c91821c103ba319cf1e7f9fd3aefabda63be
Instruction Fuzzy Hash: 5A018472D052149BC710BF69D84545EBBE8EF80750F00C93EF888B7281CB7999448BD6

Uniqueness

Uniqueness Score: -1.00%

Function 00405AFC Relevance: 7.6, APIs: 5, Instructions: 100COMMON

Download Yara Rule

APIs

_strdup.MSVCRT ref: 00405B2B
_stricoll.MSVCRT ref: 00405B91
malloc.MSVCRT ref: 00405BB1
free.MSVCRT ref: 00405C27
free.MSVCRT ref: 00405C3C

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: free$_strdup_stricollmalloc
String ID:
API String ID: 1482192206-0
Opcode ID: fa1a3a1c7293af21a5bdabd5d85a8924aee9ec680419855745ef2d36f71ba0b9
Instruction ID: 0c6198cb73fcb15dcbff579bc24d052ca6a8ea50e1a1f1f35e22a27e58772e65
Opcode Fuzzy Hash: fa1a3a1c7293af21a5bdabd5d85a8924aee9ec680419855745ef2d36f71ba0b9
Instruction Fuzzy Hash: F241F571E056188FDB14AF65D8807AEBBF1FF54704F15842EE895AB381E738A840CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A720 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32 ref: 0040A773
InitializeCriticalSection.KERNEL32 ref: 0040A786
InitializeCriticalSection.KERNEL32 ref: 0040A795
EnterCriticalSection.KERNEL32 ref: 0040A7C0

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterExchangeInterlocked
String ID:
API String ID: 33273390-0
Opcode ID: 9094809fcfd36ec149a913ec7d06249b0405fa4375e1a0609fcf41aa07456243
Instruction ID: 8978e4663f07e4eabd78e94cf7698e3e81c016ad33f91651ac53295973909b3b
Opcode Fuzzy Hash: 9094809fcfd36ec149a913ec7d06249b0405fa4375e1a0609fcf41aa07456243
Instruction Fuzzy Hash: D10170F09113008ADB10BB65968665F7AB1AB40308F10C03ED5816B796E3BCD9D8CB9F

Uniqueness

Uniqueness Score: -1.00%

Function 0040A261 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 119stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 0040A2A6
strchr.MSVCRT ref: 0040A2B6
atoi.MSVCRT ref: 0040A2CD

Strings

., xrefs: 0040A2AB

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 3270f91f7922ab3b5d7aa57701077556a37b0b53f039c661556303982f2fd5de
Instruction ID: 59b94eea45fc45cca61a0dd7a439114e1de0c739a0487efca54ac24f97a75736
Opcode Fuzzy Hash: 3270f91f7922ab3b5d7aa57701077556a37b0b53f039c661556303982f2fd5de
Instruction Fuzzy Hash: 1C41E4B5A083058FC710DFA9D88461BFBE0EB84754F04883EE89997340E7B9D9549B8B

Uniqueness

Uniqueness Score: -1.00%

Function 00409EF9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00409F1C
strchr.MSVCRT ref: 00409F2C
atoi.MSVCRT ref: 00409F3B

Strings

., xrefs: 00409F21

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: a8b9106fde2d983b4bf634a459b582d0d7432c50519f31b79c7f225c892b1153
Instruction ID: 3ec6e69c29ba00536f2ce63c0d32a49914501dcd30d8e5bff3086fc1ab73a18b
Opcode Fuzzy Hash: a8b9106fde2d983b4bf634a459b582d0d7432c50519f31b79c7f225c892b1153
Instruction Fuzzy Hash: CC414EB66083058BC3109FA9D48066BF7E4EB88354F19483FF988D7391E2B9DC459B96

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1D0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 0040A204
strchr.MSVCRT ref: 0040A214
atoi.MSVCRT ref: 0040A225

Strings

., xrefs: 0040A209

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: d3af92e3cc376c7eea1e32a94e1db5e082592ef3f1495720b547aee6e6023a19
Instruction ID: 3ca11e63642a12c279f462a5a6fb6f23286a3cfc4b697b85424e89a509c2f3a4
Opcode Fuzzy Hash: d3af92e3cc376c7eea1e32a94e1db5e082592ef3f1495720b547aee6e6023a19
Instruction Fuzzy Hash: 3B0113B5A083048FC700AF2AD48561BFBE4FFC9754F01882EE88897350D779D8408B86

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 0040A406
strchr.MSVCRT ref: 0040A416
atoi.MSVCRT ref: 0040A427

Strings

., xrefs: 0040A40B

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 3fd6088e8158c89e5a3430864840c513b01eb40df900bbc371d7f266f049c3b6
Instruction ID: a7ef87725b9dcf44717deb7ffc122926462050dec49db7d39ec114503dfababd
Opcode Fuzzy Hash: 3fd6088e8158c89e5a3430864840c513b01eb40df900bbc371d7f266f049c3b6
Instruction Fuzzy Hash: FC01C4B8A093048FC700AF29D48521BBBE4BF89304F01892EF889D7350E779D9448B87

Uniqueness

Uniqueness Score: -1.00%

Function 00409E80 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00409EAD
strchr.MSVCRT ref: 00409EBD
atoi.MSVCRT ref: 00409ECE

Strings

., xrefs: 00409EB2

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: ba61b7d8ee88fea6a6b806d43f20f11430b8b353efbf4e71f162ba6863726cdf
Instruction ID: 5ba0300438d0ac068fe45ac81f85b4fbc570726fa1613f38a85816e8b9f6d1c2
Opcode Fuzzy Hash: ba61b7d8ee88fea6a6b806d43f20f11430b8b353efbf4e71f162ba6863726cdf
Instruction Fuzzy Hash: 43F0A9B2A093049FD700AF6AD48521BBBE4FFC4314F04882EF48897381D778D840DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00402E1F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00402E36

Part of subcall function 00402CCE: fprintf.MSVCRT ref: 00402D81
Part of subcall function 00402CCE: fprintf.MSVCRT ref: 00402DC3
Part of subcall function 00402CCE: strcat.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,00402E6A), ref: 00402DD5
Part of subcall function 00402CCE: _itoa.MSVCRT ref: 00402DFC

Strings

-Xms, xrefs: 00402E4D
-Xmx, xrefs: 00402E73
@, xrefs: 00402E2F

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: fprintf$GlobalMemoryStatus_itoastrcat
String ID: -Xms$-Xmx$@
API String ID: 1064291243-2676391021
Opcode ID: 071b1f9e0216fa77da666e2e75bcce91bc5b84a573770bc5839819a6b47cd2c1
Instruction ID: bc242c044632792b171e6d0f9fa9c1d09a4762a676b1e6f1e2c00bedfff1742a
Opcode Fuzzy Hash: 071b1f9e0216fa77da666e2e75bcce91bc5b84a573770bc5839819a6b47cd2c1
Instruction Fuzzy Hash: D40184B0909309AFDB00EF95D18564EBBF4AF88308F10882DE588A7380D3B899499B56

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25stringfileCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 00401CF3
strcat.MSVCRT ref: 00401D03
fopen.MSVCRT ref: 00401D13

Strings

\launch4j.log, xrefs: 00401CFB

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: fopenstrcatstrncpy
String ID: \launch4j.log
API String ID: 1410583167-1044402884
Opcode ID: eb22b3b9a31237926c538f78d3858c95965968eae31f3f570c49f1244c93e501
Instruction ID: 6ef1316ed9d2cad65e71f5130712ffe27c73cf4c172c8ebb0c53ab12c04cd51b
Opcode Fuzzy Hash: eb22b3b9a31237926c538f78d3858c95965968eae31f3f570c49f1244c93e501
Instruction Fuzzy Hash: 9FF01CB59043089FC720AF69D4411ADFBE4EF94308F01CC2EA58CA7351D7B999998B8B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A050 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 0040A0A1
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A25A), ref: 0040A0E0
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A25A), ref: 0040A180

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: Byte$CharMultiWide$Lead
String ID:
API String ID: 2933009993-0
Opcode ID: 4cc1ac304da61fa0f05acc38741b36de605b1d562b0ba7cbf89b49dbb5342f41
Instruction ID: f878ae1d2f86e9673b3fc4fe241f4898e596f67a39ad2dcb2de0cfc4edaf13fb
Opcode Fuzzy Hash: 4cc1ac304da61fa0f05acc38741b36de605b1d562b0ba7cbf89b49dbb5342f41
Instruction Fuzzy Hash: F9416C759083059FDB10DF69C44039EBBE0EF45368F00856EE8989B380D379D964CB87

Uniqueness

Uniqueness Score: -1.00%

Function 00406780 Relevance: 6.1, APIs: 4, Instructions: 87stringCOMMON

Download Yara Rule

APIs

_findclose.MSVCRT ref: 0040679D
_errno.MSVCRT ref: 004067A6
_findfirst.MSVCRT ref: 004067D1
strncpy.MSVCRT ref: 00406828

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: _errno_findclose_findfirststrncpy
String ID:
API String ID: 1756046557-0
Opcode ID: 47e5dec0858019fab288049e4bde0f5d8ec638908c8f914f36d308cd68aa0a68
Instruction ID: f1a5818ff41c5277f722d0bf63fffd872353918378df782a456789fb1828a578
Opcode Fuzzy Hash: 47e5dec0858019fab288049e4bde0f5d8ec638908c8f914f36d308cd68aa0a68
Instruction Fuzzy Hash: 5F318DB69153008BCB10EF24C481296BBE1AF88314F158A7EEC899F386E778D554CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00408150 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00408172
wcslen.MSVCRT ref: 004086BD

Strings

(null), xrefs: 0040882B
(null), xrefs: 004086AB

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: strlenwcslen
String ID: (null)$(null)
API String ID: 803329031-1601437019
Opcode ID: 755b17e9435e443b416313464ba19ab178ffaaa3ad23898636c58324f7eff690
Instruction ID: e1d2258b7b43fd080b19de6069f7093c7622ad11fda81158090099896dc83125
Opcode Fuzzy Hash: 755b17e9435e443b416313464ba19ab178ffaaa3ad23898636c58324f7eff690
Instruction Fuzzy Hash: DE116D706087458BC710DF24C5C062BB7E1AF88300F504A3EE9D1AB3C2DB39D90A8B56

Uniqueness

Uniqueness Score: -1.00%

Function 0040173C Relevance: 6.1, APIs: 4, Instructions: 53stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040206E: fprintf.MSVCRT ref: 0040209D
Part of subcall function 0040206E: FindResourceExA.KERNEL32 ref: 004020C1
Part of subcall function 0040206E: LoadResource.KERNEL32 ref: 004020D9
Part of subcall function 0040206E: LockResource.KERNEL32 ref: 004020E7
Part of subcall function 0040206E: fprintf.MSVCRT ref: 00402124

FindWindowExA.USER32 ref: 0040179D
GetWindowTextA.USER32 ref: 004017BA
strstr.MSVCRT ref: 004017C9
FindWindowExA.USER32 ref: 004017ED

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: FindResourceWindow$fprintf$LoadLockTextstrstr
String ID:
API String ID: 2277964966-0
Opcode ID: 85f9ae7a374bb356a8490ad1413b21033b20bafa4b6f5419c7aa4fcb7108217d
Instruction ID: 0206b14cbbe15eff5e0745b06f001f13997dc788e4fb818a840818c5a2b78433
Opcode Fuzzy Hash: 85f9ae7a374bb356a8490ad1413b21033b20bafa4b6f5419c7aa4fcb7108217d
Instruction Fuzzy Hash: 5C115EB19083059AE710AF69C54539FFBE4EF84348F00883EE988A7291D7BD95489F97

Uniqueness

Uniqueness Score: -1.00%

Function 00404D10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00404D31
memcpy.MSVCRT ref: 00404D54
VirtualProtect.KERNEL32 ref: 00404D85
memcpy.MSVCRT ref: 00404D9E
VirtualProtect.KERNEL32 ref: 00404DCB

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00404DE7

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: Virtual$Protectmemcpy$Query
String ID: VirtualQuery failed for %d bytes at address %p
API String ID: 228986436-2206166143
Opcode ID: 599342b8fcc1dac55810bcf0207243e2523d629254a73455696a29d7d9e59f67
Instruction ID: f07a9ee0f6d5a40c0601b72032257670a0e4f463a0d257c6d32f085c030ec0f2
Opcode Fuzzy Hash: 599342b8fcc1dac55810bcf0207243e2523d629254a73455696a29d7d9e59f67
Instruction Fuzzy Hash: 77014FB19043059BD710AF65D48179EFBE8FFC4744F45883FE988A3251D778E8448B96

Uniqueness

Uniqueness Score: -1.00%

Function 00401C58 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23stringCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00401C6D
strcpy.MSVCRT ref: 00401C8B

Strings

Launch4j, xrefs: 00401C7C

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: HandleModulestrcpy
String ID: Launch4j
API String ID: 122033455-841392896
Opcode ID: b498556efc7d9145b01c0ca6f2fcb3ae92a60ca972750d71c2624420ce5232a1
Instruction ID: f1b9d722f4717ffcde7627e04545aae764529b60bc994cd72755b13e78f56b46
Opcode Fuzzy Hash: b498556efc7d9145b01c0ca6f2fcb3ae92a60ca972750d71c2624420ce5232a1
Instruction Fuzzy Hash: 1AF0C0B06053448AE700AF25D9557967FE4E704308F40C43ED8849B3A1EBBDC9889BDE

Uniqueness

Uniqueness Score: -1.00%

Function 004025A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,00000000,?,00401822), ref: 004025BE
strrchr.MSVCRT ref: 004025D5

Strings

\, xrefs: 004025CA

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: FileModuleNamestrrchr
String ID: \
API String ID: 3219412323-2967466578
Opcode ID: f9a69eec61a8ea6980a1876ce36b37117878024588dbd4712645da03dfd326de
Instruction ID: bf9ae0b5b0848c05b8397682a605a95d708ec562a16bdae5073891b22b41f200
Opcode Fuzzy Hash: f9a69eec61a8ea6980a1876ce36b37117878024588dbd4712645da03dfd326de
Instruction Fuzzy Hash: 28E092B050470AABCB00FF39CEC550A7FE4AB04358F00853EE989572C1C374D844CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405180 Relevance: 5.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 004051A7
free.MSVCRT ref: 004051EF
LeaveCriticalSection.KERNEL32 ref: 004051FB

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 06dbfda76d716d931dadb8ba255f964557a56025f829b788966d99287c466e03
Instruction ID: 2133d77c9e8ea4f0574ce106fd9849bc4c6ee41edb9da7885afa25666f5e1d1f
Opcode Fuzzy Hash: 06dbfda76d716d931dadb8ba255f964557a56025f829b788966d99287c466e03
Instruction Fuzzy Hash: 460152707002058FC700EF64D48165ABBE0EB49308B15857ED545DB342EB78DD84DF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405080 Relevance: 5.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0040508F
TlsGetValue.KERNEL32 ref: 004050A6
GetLastError.KERNEL32 ref: 004050B0
LeaveCriticalSection.KERNEL32 ref: 004050D3

Memory Dump Source

Source File: 00000000.00000002.1709224570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1709206276.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709244602.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709259872.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1709274791.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_125.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: f840290e0bba7e48b91d022f11001495e6362a08620a308d21ff9fde98c485d2
Instruction ID: 31649562a132b46b638d4c03626ff8e6658f0501274e78c704d307552a7e6c75
Opcode Fuzzy Hash: f840290e0bba7e48b91d022f11001495e6362a08620a308d21ff9fde98c485d2
Instruction Fuzzy Hash: B0F0C2B15007048BDB007FB594C159FBFA4DE05304F00083ADE449B346D738A8888ADE

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 125.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: 125.exePID: 6812, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: 125.exePID: 6812, Parent PID: 2580COMMON

Execution Graph

Graph

Executed Functions

Function 00401F36 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 66stringwindowCOMMON

Control-flow Graph

Function 00401180 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 230COMMON

Control-flow Graph

Function 00401803 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 258stringCOMMON

Control-flow Graph

Function 0040449F Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 160stringCOMMON

Control-flow Graph

Windows Analysis Report
125.exe

Function 00401F36 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 66
stringwindowCOMMON

Function 00401180 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 230
COMMON

Function 00401803 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 258
stringCOMMON

Function 0040449F Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 160
stringCOMMON

Function 00405880 Relevance: 31.9, APIs: 17, Strings: 1, Instructions: 448
stringCOMMON

Function 00405F80 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 282
COMMON

Function 00401D3A Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 75
stringCOMMON

Function 00402657 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 165
stringCOMMON

Function 00404890 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 143
COMMON

Function 00404726 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 84
COMMON

Function 00406380 Relevance: 16.6, APIs: 11, Instructions: 149
stringCOMMON

Function 004065D0 Relevance: 10.6, APIs: 7, Instructions: 109
stringCOMMON

Function 004012B9 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Function 004030D5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47
stringCOMMON

Function 00405E70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67
stringCOMMON