Edit tour

Windows Analysis Report
Uqt8tDIQYk.exe

Overview

General Information

Sample name:	Uqt8tDIQYk.exe renamed because original name is a hash value
Original sample name:	26422abceca3d5ce14d064e290678221.exe
Analysis ID:	1430596
MD5:	26422abceca3d5ce14d064e290678221
SHA1:	9bde1cf1e554872705cc38c9591b77b59c3aa597
SHA256:	495a744f783348c8a6ef1c048ea3e62d3903b00c66e9be21bb374d59d18b682e
Tags:	exeLummaStealer
Infos:

Detection

LummaC Stealer

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Found API chain indicative of sandbox detection

Machine Learning detection for sample

PE file contains section with special chars

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Program does not show much activity (idle)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Uqt8tDIQYk.exe (PID: 6628 cmdline: "C:\Users\user\Desktop\Uqt8tDIQYk.exe" MD5: 26422ABCECA3D5CE14D064E290678221)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["blockbeerman.fun"], "Build Id": "GRAKRA--SHELL"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Uqt8tDIQYk.exe	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2877797183.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Uqt8tDIQYk.exe.400000.0.unpack	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
0.0.Uqt8tDIQYk.exe.400000.0.unpack	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Uqt8tDIQYk.exe

Avira: detected

Antivirus detection for URL or domain

Source: blockbeerman.fun

Avira URL Cloud: Label: malware

Found malware configuration

Source: Uqt8tDIQYk.exe

Malware Configuration Extractor: LummaC {"C2 url": ["blockbeerman.fun"], "Build Id": "GRAKRA--SHELL"}

Multi AV Scanner detection for submitted file

Source: Uqt8tDIQYk.exe

ReversingLabs: Detection: 84%

Machine Learning detection for sample

Source: Uqt8tDIQYk.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Code function: 0_2_00439948 _strlen,CryptStringToBinaryA,CryptStringToBinaryA,

0_2_00439948

Source: Uqt8tDIQYk.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: storagewmi_passthru.pdbGCTL source: Uqt8tDIQYk.exe
Source:	Binary string: storagewmi_passthru.pdb source: Uqt8tDIQYk.exe

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Code function: 0_2_00457BCC FindFirstFileExW,FindNextFileW,FindClose,FindClose,

0_2_00457BCC

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: blockbeerman.fun

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Code function: 0_2_0043A3A3 GetProcAddress,InternetQueryDataAvailable,GetProcAddress,GetProcAddress,InternetReadFile,GetModuleHandleW,GetProcAddress,GetProcAddress,_strlen,InternetQueryDataAvailable,GetProcAddress,GetProcAddress,

0_2_0043A3A3

System Summary

PE file contains section with special chars

Source: Uqt8tDIQYk.exe

Static PE information: section name: .'w(

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Code function: 0_2_0040B3D2 LoadLibraryA,GetProcAddress,NtRaiseHardError,ExitProcess,

0_2_0040B3D2

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_004258A1	0_2_004258A1
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0040AAA8	0_2_0040AAA8
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0040B3D2	0_2_0040B3D2
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00417059	0_2_00417059
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0045E000	0_2_0045E000
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0041980D	0_2_0041980D
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00411828	0_2_00411828
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0041B0E3	0_2_0041B0E3
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0041494F	0_2_0041494F
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0044E960	0_2_0044E960
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00414918	0_2_00414918
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0042313B	0_2_0042313B
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_004351E0	0_2_004351E0
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_004309FA	0_2_004309FA
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0043D195	0_2_0043D195
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00440A50	0_2_00440A50
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00431A18	0_2_00431A18
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_004242CB	0_2_004242CB
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00421AEE	0_2_00421AEE
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_004632E8	0_2_004632E8
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00403AEF	0_2_00403AEF
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00447293	0_2_00447293
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0044F2BB	0_2_0044F2BB
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0043EB69	0_2_0043EB69
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0040C332	0_2_0040C332
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_004063F8	0_2_004063F8
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00425383	0_2_00425383
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0043A3A3	0_2_0043A3A3
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0040E3BC	0_2_0040E3BC
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00420C54	0_2_00420C54
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00444C74	0_2_00444C74
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00426C70	0_2_00426C70
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_004284D0	0_2_004284D0
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00439CD6	0_2_00439CD6
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_004044DC	0_2_004044DC
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00433C90	0_2_00433C90
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00418D43	0_2_00418D43
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0040EDD3	0_2_0040EDD3
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_004165A5	0_2_004165A5
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00454E54	0_2_00454E54
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0043DE6F	0_2_0043DE6F
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_004466CF	0_2_004466CF
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_004186EB	0_2_004186EB
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_004226F8	0_2_004226F8
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00411E8E	0_2_00411E8E
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0045BF5E	0_2_0045BF5E
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00413F74	0_2_00413F74
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00415F39	0_2_00415F39
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00419FE1	0_2_00419FE1
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0040D78C	0_2_0040D78C
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00443FB4	0_2_00443FB4

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Code function: String function: 00440310 appears 50 times

Source: Uqt8tDIQYk.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Command line argument: ~&E

0_2_004525D0

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Uqt8tDIQYk.exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

File read: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Jump to behavior

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Section loaded: wininet.dll	Jump to behavior

Source:	Binary string: storagewmi_passthru.pdbGCTL source: Uqt8tDIQYk.exe
Source:	Binary string: storagewmi_passthru.pdb source: Uqt8tDIQYk.exe

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Code function: 0_2_0040B3D2 LoadLibraryA,GetProcAddress,NtRaiseHardError,ExitProcess,

0_2_0040B3D2

Source: Uqt8tDIQYk.exe	Static PE information: section name: .'w(
Source: Uqt8tDIQYk.exe	Static PE information: section name: ucnttp

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0040192C push eax; mov dword ptr [esp], 00000000h		0_2_00401931
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00458378 push ecx; ret		0_2_0045838B

Source: Uqt8tDIQYk.exe	Static PE information: section name: .text entropy: 6.8318134628828755
Source: Uqt8tDIQYk.exe	Static PE information: section name: .'w( entropy: 7.197097448912549

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Sandbox detection routine: GetCursorPos, DecisionNode, Sleep

graph_0-36389

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Code function: Sleep,Sleep,GetCursorPos,Sleep,GetCursorPos,GetCursorPos,GetCursorPos,

0_2_004258A1

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Code function: GetAdaptersInfo,GetAdaptersInfo,

0_2_004226F8

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

API coverage: 2.7 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Code function: 0_2_00457BCC FindFirstFileExW,FindNextFileW,FindClose,FindClose,

0_2_00457BCC

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	API call chain: ExitProcess graph end node			graph_0-36405
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	API call chain: ExitProcess graph end node			graph_0-36394

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Code function: 0_2_00440135 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00440135

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Code function: 0_2_0040B3D2 LoadLibraryA,GetProcAddress,NtRaiseHardError,ExitProcess,

0_2_0040B3D2

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_0043EB69 mov eax, dword ptr fs:[00000030h]	0_2_0043EB69
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00449B9A mov ecx, dword ptr fs:[00000030h]	0_2_00449B9A
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00455725 mov eax, dword ptr fs:[00000030h]	0_2_00455725

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Code function: 0_2_00431A18 GetProcessHeap,GetDIBits,ReleaseDC,GetProcessHeap,GetObjectW,GetProcessHeap,HeapAlloc,GetDC,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapFree,HeapFree,GetProcessHeap,HeapFree,

0_2_00431A18

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00440129 SetUnhandledExceptionFilter,	0_2_00440129
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00440135 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00440135
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00440640 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00440640
Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe	Code function: 0_2_00453F4B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00453F4B

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Code function: 0_2_00440358 cpuid

0_2_00440358

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Code function: 0_2_0044C351 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_0044C351

Source: C:\Users\user\Desktop\Uqt8tDIQYk.exe

Code function: 0_2_00459824 GetTimeZoneInformation,

0_2_00459824

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Uqt8tDIQYk.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Uqt8tDIQYk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Uqt8tDIQYk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2877797183.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Uqt8tDIQYk.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Uqt8tDIQYk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Uqt8tDIQYk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2877797183.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Uqt8tDIQYk.exe	84%	ReversingLabs	Win32.Trojan.Lumma
Uqt8tDIQYk.exe	100%	Avira	TR/Spy.Agent.npisw
Uqt8tDIQYk.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
blockbeerman.fun	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
blockbeerman.fun	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430596
Start date and time:	2024-04-23 23:16:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Uqt8tDIQYk.exe renamed because original name is a hash value
Original Sample Name:	26422abceca3d5ce14d064e290678221.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 4 Number of non-executed functions: 90
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: Uqt8tDIQYk.exe

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.755955465919674
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Uqt8tDIQYk.exe
File size:	468'992 bytes
MD5:	26422abceca3d5ce14d064e290678221
SHA1:	9bde1cf1e554872705cc38c9591b77b59c3aa597
SHA256:	495a744f783348c8a6ef1c048ea3e62d3903b00c66e9be21bb374d59d18b682e
SHA512:	c42c47ee1a54d684e179aa03a07c8912900c2e8c7fa85d4591f1e3616099bbc36c4517c5ca0f959ac4e153ced6a011cb8d54b146af24f5ab50e87308d701fdf6
SSDEEP:	6144:PVrxFkLFRewJDAA9gJX4Lbsi0tgSh7Z2cEnMBmXgmmA5ab1v5tUmfqlJFKe7RiXI:PORRjW7dVBcTn5ab1htUKqlJFMDEt
TLSH:	62A4AE11B9D2C0F1D823153101A9EB779A79B931CD719CCBFBD41D7CAA3A2C0972A61E
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......N.................,..........,.............@..........................P..............................................p......

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x43fd2c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4ED8D106 [Fri Dec 2 13:22:14 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	f4a5c656336c7917052b7f56b0f839f4

Entrypoint Preview

Instruction
call 00007F42E0C9165Bh
jmp 00007F42E0C9127Fh
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F42E0C9140Fh
neg eax
pop ecx
sbb eax, eax
neg eax
dec eax
pop ebp
ret
push ebp
mov ebp, esp
cmp dword ptr [00471304h], FFFFFFFFh
push dword ptr [ebp+08h]
jne 00007F42E0C91409h
call 00007F42E0C9BD55h
jmp 00007F42E0C9140Dh
push 00471304h
call 00007F42E0C9BCD8h
pop ecx
neg eax
pop ecx
sbb eax, eax
not eax
and eax, dword ptr [ebp+08h]
pop ebp
ret
push 00000008h
push 0046F408h
call 00007F42E0C91991h
and dword ptr [ebp-04h], 00000000h
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
jne 00007F42E0C9145Fh
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007F42E0C9144Eh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007F42E0C91440h
mov eax, dword ptr [ebp+08h]
mov ecx, 00400000h
sub eax, ecx
push eax
push ecx
call 00007F42E0C91582h
pop ecx
pop ecx
test eax, eax
je 00007F42E0C91429h
cmp dword ptr [eax+24h], 00000000h
jl 00007F42E0C91423h
mov dword ptr [ebp-04h], FFFFFFFEh
mov al, 01h
jmp 00007F42E0C91421h
mov eax, dword ptr [ebp-14h]
mov eax, dword ptr [eax]
xor ecx, ecx
cmp dword ptr [eax], C0000005h
sete cl
mov eax, ecx
ret
mov esp, dword ptr [ebp-18h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6e470	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x66db8	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6e774	0x23c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x62adc	0x62c00	491034f9253c14f48853797a3e39002e	False	0.5850178006329114	data	6.8318134628828755	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x64000	0xbc84	0xbe00	08a3cbdd913d9f5270e8667cc5da496d	False	0.5384046052631579	data	5.803243867262695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x70000	0x2046	0x2200	15b62468664188a856243dd886546d96	False	0.28239889705882354	data	3.061137691854057	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.'w(	0x73000	0x700	0x800	f4ab99cd6abd7835a7a147673f8d60eb	False	0.8525390625	data	7.197097448912549	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
ucnttp	0x74000	0x1000	0x1000	e566b9122d5d315a56e4910dcab70db3	False	0.532470703125	data	5.315801635866745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
KERNEL32.dll	CloseHandle, CompareStringW, CreateFileA, CreateFileW, CreateProcessW, DecodePointer, DeleteCriticalSection, DeleteFileW, EncodePointer, EnterCriticalSection, ExitProcess, ExpandEnvironmentStringsW, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetComputerNameExA, GetComputerNameW, GetConsoleMode, GetConsoleOutputCP, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetDriveTypeW, GetEnvironmentStringsW, GetFileInformationByHandle, GetFileSizeEx, GetFileType, GetFullPathNameW, GetLastError, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetTimeZoneInformation, GetVolumeInformationW, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, K32EnumProcesses, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, MultiByteToWideChar, PeekNamedPipe, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, RtlUnwind, SetEndOfFile, SetEnvironmentVariableW, SetFilePointerEx, SetFileTime, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, Sleep, SystemTimeToFileTime, SystemTimeToTzSpecificLocalTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TzSpecificLocalTimeToSystemTime, UnhandledExceptionFilter, WideCharToMultiByte, WinExec, WriteConsoleW, WriteFile, lstrcatW, lstrcmpW, lstrcmpiW, lstrlenW
USER32.dll	EnumDisplayDevicesA, GetCursorPos, GetDC, GetDesktopWindow, GetSystemMetrics, ReleaseDC, SystemParametersInfoW, wsprintfW
ADVAPI32.dll	GetCurrentHwProfileW, RegCloseKey, RegEnumKeyExW, RegOpenKeyExW, RegQueryValueExW
GDI32.dll	BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, CreateDCW, DeleteDC, DeleteObject, GetDIBits, GetObjectW, SelectObject
SHLWAPI.dll	PathFileExistsW
WINHTTP.dll	WinHttpCloseHandle, WinHttpConnect, WinHttpCrackUrl, WinHttpOpen, WinHttpOpenRequest, WinHttpQueryDataAvailable, WinHttpReadData, WinHttpReceiveResponse, WinHttpSendRequest
IPHLPAPI.DLL	GetAdaptersInfo
WININET.dll	InternetQueryDataAvailable, InternetReadFile
CRYPT32.dll	CryptStringToBinaryA

Target ID:	0
Start time:	23:16:52
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\Uqt8tDIQYk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Uqt8tDIQYk.exe"
Imagebase:	0x400000
File size:	468'992 bytes
MD5 hash:	26422ABCECA3D5CE14D064E290678221
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2877797183.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	29.9%
Total number of Nodes:	87
Total number of Limit Nodes:	2

Executed Functions

Function 004258A1 Relevance: 18.7, APIs: 6, Strings: 4, Instructions: 1181sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(0000012C), ref: 00425AD7
GetCursorPos.USER32(?), ref: 00426008
GetCursorPos.USER32(?), ref: 00426638

Strings

"*2y, xrefs: 00425ABC
D@D, xrefs: 00426744
"*2y, xrefs: 004262BF
D@D, xrefs: 004261DF

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: Cursor$Sleep
String ID: "*2y$"*2y$D@D$D@D
API String ID: 1847515627-1961528830
Opcode ID: 7d208546aa7372ec9cda2454a3750df24d0b09df75eabd327da6626289fa60cf
Instruction ID: 36a8b34e5a8a4bf1e9d918135b26f6c6ed7c0c893caca49331eddd75843c55c4
Opcode Fuzzy Hash: 7d208546aa7372ec9cda2454a3750df24d0b09df75eabd327da6626289fa60cf
Instruction Fuzzy Hash: D0A2FB70700B218BC7389F29E59552A77E1EF44300BA58D1FD4DBCBBA0D67CE8959B0A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3D2 Relevance: 16.5, APIs: 4, Strings: 5, Instructions: 765libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 0040BBAA
ExitProcess.KERNEL32 ref: 0040C0B9

Strings

=9, xrefs: 0040B91F
=9, xrefs: 0040C094
(y, xrefs: 0040B6DD
=9, xrefs: 0040B607
)y, xrefs: 0040B6F3

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: ExitLibraryLoadProcess
String ID: (y$)y$=9$=9$=9
API String ID: 2206315515-2863778377
Opcode ID: 59fd08bb195867e467f9ab2f55d3156aed2ae4208ecfac142941998f14155073
Instruction ID: d9d9974ce218a68a4ec360943db58de04a453fd01b206e408f3160920bf8324f
Opcode Fuzzy Hash: 59fd08bb195867e467f9ab2f55d3156aed2ae4208ecfac142941998f14155073
Instruction Fuzzy Hash: C1529E71E05209CBDF24DB98C9C55AEBAB0EB14304F24452BE915FB3D1E3799A418BCE

Uniqueness

Uniqueness Score: -1.00%

Function 0040AAA8 Relevance: 16.3, APIs: 7, Strings: 2, Instructions: 527fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0040ACF5
CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0040AD0F
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0040AFDE
FindCloseChangeNotification.KERNELBASE(?), ref: 0040AFE8
ExitProcess.KERNEL32 ref: 0040B3A6

Strings

f)=, xrefs: 0040AE54
f)=, xrefs: 0040AE34

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: File$ChangeCloseCreateExitFindModuleNameNotificationProcessRead
String ID: f)=$f)=
API String ID: 334541424-683314369
Opcode ID: 7412decdecfea77165534239207f6d139f09c8bf7037708802802b27c4e0a769
Instruction ID: 36b19d474cf83a8e84833a5a4cd8e8b4b818bbaf8670955f1133408452245f2f
Opcode Fuzzy Hash: 7412decdecfea77165534239207f6d139f09c8bf7037708802802b27c4e0a769
Instruction Fuzzy Hash: 4012D3716493058BD7249F18C98552EB6D1EB94310F25493FE48AEB3E0E778C891EB4F

Uniqueness

Uniqueness Score: -1.00%

Function 0045477F Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,0040E684,?,?,0040E684,00000018,?,?,?,?,?,?,?,?,?,00000000), ref: 004547B1

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2051ef454142b9c719e65dbadabdd5f24a6bb581d06d07ab3bc9835502e74267
Instruction ID: 6fac073c6cfc7c0a25c64c14d3e37d538a53716d2e1191aa653a6e1be1f2e80b
Opcode Fuzzy Hash: 2051ef454142b9c719e65dbadabdd5f24a6bb581d06d07ab3bc9835502e74267
Instruction Fuzzy Hash: C4E0653514561057E72136669C04B5B36C89BCB7AFF164123EC059F2D2EB5CCCC581AE

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004284D0 Relevance: 87.2, APIs: 13, Strings: 33, Instructions: 6676processlibraryCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(?,?,00000200), ref: 00429DC1
LoadLibraryW.KERNEL32(?), ref: 0042A2EE
_strlen.LIBCMT ref: 0042ADE5
_strlen.LIBCMT ref: 0042B2B7
_strlen.LIBCMT ref: 0042E10B
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0042E2E7
CloseHandle.KERNEL32(?), ref: 0042E2F2
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0042EFB1
CloseHandle.KERNEL32(?), ref: 0042EFBC
_strlen.LIBCMT ref: 0042F11C

Strings

"*2y, xrefs: 00429081
#<4S, xrefs: 0042BDF9
$<gg, xrefs: 0042FAA5
D@D, xrefs: 0042C08F
}C?g, xrefs: 0042C348
vTT, xrefs: 0042EA53
?h.x, xrefs: 00429DA0
"*2y, xrefs: 0042DD4C
Yu<, xrefs: 0042C391
Sw;, xrefs: 004297FA
"*2y, xrefs: 0042F240
$<gg, xrefs: 0042CEE4
Zc, xrefs: 0042CDB9
Zc, xrefs: 0042F508
vTT, xrefs: 0042C09A
gfff, xrefs: 0042F1ED
Z`Y, xrefs: 0042AA03
"*2y, xrefs: 0042BCD3
!Z`Y, xrefs: 0042C2A5
E;0, xrefs: 0042A748
-p(R, xrefs: 0042B241
>h.x, xrefs: 0042924A
?h.x, xrefs: 0042AFA3
Pc>2, xrefs: 0042A753
Pc>2, xrefs: 00429831
Tw;, xrefs: 0042C386
!Z`Y, xrefs: 0042A2B3
D;0, xrefs: 00428A43
C@D, xrefs: 0042A875
"*2y, xrefs: 0042AFFF
U%3j, xrefs: 0042977C
!*2y, xrefs: 00429D95
"*2y, xrefs: 0042BEB5

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: _strlen$CloseCreateHandleProcess$EnvironmentExpandLibraryLoadStrings
String ID: Z`Y$!*2y$!Z`Y$!Z`Y$"*2y$"*2y$"*2y$"*2y$"*2y$"*2y$#<4S$$<gg$$<gg$-p(R$>h.x$?h.x$?h.x$C@D$D;0$D@D$E;0$Pc>2$Pc>2$Sw;$Tw;$U%3j$Zc$Zc$gfff$vTT$vTT$}C?g$Yu<
API String ID: 4049275943-957601847
Opcode ID: 2683371ac047e3aaa10475918fabcbdffd6a8598984ad170ebe2df58e43a3be3
Instruction ID: 60bdfde20bb21090f5db709c388c41fb5c0c33a226f09a740ac59f9d55d07230
Opcode Fuzzy Hash: 2683371ac047e3aaa10475918fabcbdffd6a8598984ad170ebe2df58e43a3be3
Instruction Fuzzy Hash: 14C31871701B118BD7349F29E98562B77E0AB54304FA4C82FE45BDB7A0E638E845CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDD3 Relevance: 81.1, APIs: 14, Strings: 31, Instructions: 2373stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00006233), ref: 0040F173
lstrcatW.KERNEL32(?,?), ref: 0040F1F7
lstrcatW.KERNEL32(?,?), ref: 0040F1FF

Strings

z+B*, xrefs: 004109DC
k>`5, xrefs: 00410B03
z+B*, xrefs: 0040F513
]z6, xrefs: 0040EE8C
z+B*, xrefs: 00411434
,Q=, xrefs: 00410C26
p9lY, xrefs: 0040F977
y+B*, xrefs: 0040F508
,Q=, xrefs: 0041060F
8U[, xrefs: 0040FF0D
p9lY, xrefs: 0040FBEB
p9lY, xrefs: 00410205
p9lY, xrefs: 00411061
,Q=, xrefs: 00410995
K\eW, xrefs: 0040F144
D#b, xrefs: 00411363
,Q=, xrefs: 0040F239
p9lY, xrefs: 00410588
g/2Xs, xrefs: 0040F1C3
8U[, xrefs: 0040FB5B
p9lY, xrefs: 00411573
]z6, xrefs: 004100DB
p9lY, xrefs: 0040FDEB
5}L, xrefs: 004107C8
k>`5, xrefs: 0040F9E9
L\eW, xrefs: 0040FBD5
5}L, xrefs: 0040F944
D#b, xrefs: 0040FA90
D#b, xrefs: 0040F5CC
,Q=, xrefs: 00410C4F
]z6, xrefs: 0040FFF4

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: lstrcat$lstrlen
String ID: ,Q=$,Q=$,Q=$,Q=$,Q=$5}L$5}L$D#b$D#b$D#b$K\eW$L\eW$g/2Xs$k>`5$k>`5$p9lY$p9lY$p9lY$p9lY$p9lY$p9lY$p9lY$y+B*$z+B*$z+B*$z+B*$8U[$8U[$]z6$]z6$]z6
API String ID: 751011610-3334075263
Opcode ID: 2053d8b5c02679e3cce0c9dc2c7c81f7a196dc212a1eaa284665b7a7adfc8312
Instruction ID: 29d8e477c7ee15bb013927451de4879324014eba4a79fc1a37501d3d49276190
Opcode Fuzzy Hash: 2053d8b5c02679e3cce0c9dc2c7c81f7a196dc212a1eaa284665b7a7adfc8312
Instruction Fuzzy Hash: E4130971E002069BDF289F59C8456FE76B5EF55304F24092BE606FB3E0D37889919B8B

Uniqueness

Uniqueness Score: -1.00%

Function 0043A3A3 Relevance: 74.2, APIs: 12, Strings: 29, Instructions: 2498libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 0043B97D

Part of subcall function 00439948: _strlen.LIBCMT ref: 00439A8B

GetProcAddress.KERNEL32(?,?), ref: 0043BDC6

Strings

xk]S, xrefs: 0043AB69
e_, xrefs: 0043B187
xG%, xrefs: 0043A621
[Q, xrefs: 0043BCB3
eA/,, xrefs: 0043AC1E
[X, xrefs: 0043AC5D
S_(v, xrefs: 0043B3C0
Qcz, xrefs: 0043C607
GRAKRA--SHELL, xrefs: 0043C1F3
3e77fd4ee81c8ba7166e0052a4ba579d, xrefs: 0043C1EE
Qcz, xrefs: 0043CE0A
*, xrefs: 0043B2E7
Qcz, xrefs: 0043CC27
K]T, xrefs: 0043C53B
\X, xrefs: 0043B64A
), xrefs: 0043A66F
\X, xrefs: 0043CC8D
az5T, xrefs: 0043B58B
Qcz, xrefs: 0043B50E
*, xrefs: 0043C478
`z5T, xrefs: 0043AB48
eA/,, xrefs: 0043C45F
*, xrefs: 0043AC68
Pcz, xrefs: 0043AAC2
S_(v, xrefs: 0043AA39
e_, xrefs: 0043B211
[Q, xrefs: 0043B0D6
K]T, xrefs: 0043A69B
*, xrefs: 0043CEB3

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: AddressProc$_strlen
String ID: )$*$*$*$*$3e77fd4ee81c8ba7166e0052a4ba579d$GRAKRA--SHELL$K]T$K]T$Pcz$Qcz$Qcz$Qcz$Qcz$S_(v$S_(v$[X$[Q$[Q$\X$\X$`z5T$az5T$eA/,$eA/,$xG%$xk]S$e_$e_
API String ID: 3492427664-118966181
Opcode ID: 57f0007741709a615ce01329de2a0422a5e3eb82ceab0e13ce6937a72f4af21c
Instruction ID: 55d063d2b1dacadc73ba57abae9bb67512cd7f599c2c52ded2cd1a32f2e06443
Opcode Fuzzy Hash: 57f0007741709a615ce01329de2a0422a5e3eb82ceab0e13ce6937a72f4af21c
Instruction Fuzzy Hash: 69230871D402198BDF24DF58C8866BEBAB1EB0C300F24552BE915FB391D7789E518B8B

Uniqueness

Uniqueness Score: -1.00%

Function 004351E0 Relevance: 68.9, APIs: 22, Strings: 15, Instructions: 4120COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00435B6E
_strlen.LIBCMT ref: 00435C75
_strlen.LIBCMT ref: 00435DF9
GetComputerNameExA.KERNEL32(00000004,?,?), ref: 00435EF1
GetComputerNameExA.KERNEL32(00000002,?,?), ref: 0043611E
_strlen.LIBCMT ref: 00436818
_strlen.LIBCMT ref: 004369B0
EnumDisplayDevicesA.USER32(00000000,00000000,?,00000000), ref: 00436DFD
_strlen.LIBCMT ref: 00437195
_strlen.LIBCMT ref: 00437309
GetComputerNameExA.KERNEL32(00000004,?,?), ref: 00437344
_strlen.LIBCMT ref: 00437383
_strlen.LIBCMT ref: 004383A4
GetComputerNameExA.KERNEL32(00000004,?,?), ref: 0043851A
_strlen.LIBCMT ref: 00438559
_strlen.LIBCMT ref: 00438754
_strlen.LIBCMT ref: 00438945
_strlen.LIBCMT ref: 00438E1A
_strlen.LIBCMT ref: 00439176
_strlen.LIBCMT ref: 004391F6
_strlen.LIBCMT ref: 00439335
_strlen.LIBCMT ref: 00439799

Strings

Pc>2, xrefs: 0043634C
vTT, xrefs: 0043703F
Sw;, xrefs: 00435CFB
Zc, xrefs: 00435A9F
"*2y, xrefs: 00439507
uTT, xrefs: 00435A89
Tw;, xrefs: 00437128
Tw;, xrefs: 00435D06
}C?g, xrefs: 00435ED5
Tw;, xrefs: 00435720
GRAKRA--SHELL, xrefs: 00435B5B
"*2y, xrefs: 00435386
D@D, xrefs: 0043784B
Oc>2, xrefs: 00435202
Yc, xrefs: 00435A94

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: _strlen$ComputerName$DevicesDisplayEnum
String ID: "*2y$"*2y$D@D$GRAKRA--SHELL$Oc>2$Pc>2$Sw;$Tw;$Tw;$Tw;$Yc$Zc$uTT$vTT$}C?g
API String ID: 2597915589-668131169
Opcode ID: 33c386fb304f063266a47a4185e7d533cb780e0acaeed3c2cfaf005a9c993a58
Instruction ID: 1248470f6c2aae9b7cd794e544a5f23d6b51165a0772df6271fe26959d49b261
Opcode Fuzzy Hash: 33c386fb304f063266a47a4185e7d533cb780e0acaeed3c2cfaf005a9c993a58
Instruction Fuzzy Hash: 8973C7B0900B019FDB349F28C945B26B7E0FB59704F14DA1FE4ABDB791D678E8518B0A

Uniqueness

Uniqueness Score: -1.00%

Function 004063F8 Relevance: 45.1, APIs: 9, Strings: 16, Instructions: 1398stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 0040678D
lstrcatW.KERNEL32(?,?), ref: 0040688A
lstrcatW.KERNEL32(?,?), ref: 00406B56
lstrcatW.KERNEL32(?,?), ref: 00406E5A

Strings

O, xrefs: 00407239
(ZSw, xrefs: 00406DB5
:qz, xrefs: 004079D0
(ZSw, xrefs: 0040701E
:qz, xrefs: 00406D3D
RDw, xrefs: 004066BA
~u?2, xrefs: 00406C18
!RDw, xrefs: 00407013
~u?2, xrefs: 00406E95
e2V^, xrefs: 00407B6F
:qz, xrefs: 0040729C
O, xrefs: 00406A97
!RDw, xrefs: 00407A23
}u?2, xrefs: 0040670F
e2V^, xrefs: 00406A46
9qz, xrefs: 004066A4

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: lstrcat
String ID: RDw$!RDw$!RDw$(ZSw$(ZSw$9qz$:qz$:qz$:qz$e2V^$e2V^$}u?2$~u?2$~u?2$ O$ O
API String ID: 4038537762-2776103441
Opcode ID: 6f0e3ff25f142b09a3a3306728feb65ecc1deff1eea04d338aceb14482fedf5e
Instruction ID: a8e017b14754d303074a60105710d0e8968a39c238a4d6c0da5f626c05c84e4f
Opcode Fuzzy Hash: 6f0e3ff25f142b09a3a3306728feb65ecc1deff1eea04d338aceb14482fedf5e
Instruction Fuzzy Hash: AEC2C5B0D042198BDF28CF58C8916BEBAB1BB44304F24453BE516FB3D1D279A9518F6B

Uniqueness

Uniqueness Score: -1.00%

Function 004044DC Relevance: 40.4, APIs: 8, Strings: 14, Instructions: 1861COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00405042

Strings

i1Z, xrefs: 00405064
i4[W, xrefs: 004048AD
s-, xrefs: 004046C8
i1Z, xrefs: 00405E34
!s-, xrefs: 00405807
DSg, xrefs: 004048EA
ESg, xrefs: 00405F27
(sI, xrefs: 00404522
!s-, xrefs: 00405DCE
(sI, xrefs: 00404805
oXs, xrefs: 00404E3B
ESg, xrefs: 00404BF1
(sI, xrefs: 004060AA
oXs, xrefs: 00404514

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: _strlen
String ID: oXs$oXs$ s-$!s-$!s-$DSg$ESg$ESg$i1Z$i1Z$i4[W$(sI$(sI$(sI
API String ID: 4218353326-2604516359
Opcode ID: 34008b0209e9c006d396b0c867ac8cf6d3fae772eb93ad17c84e6b724806ed61
Instruction ID: f571fa6c2a945a9a65a7a94172c501959071e976b5a509e38c11bb4b6beb5d7d
Opcode Fuzzy Hash: 34008b0209e9c006d396b0c867ac8cf6d3fae772eb93ad17c84e6b724806ed61
Instruction Fuzzy Hash: E2E2E7B0D002099BDF249F98DD8567E7AB0EB95304F24453BE606FB3E1D3788A518B5B

Uniqueness

Uniqueness Score: -1.00%

Function 00433C90 Relevance: 39.7, APIs: 11, Strings: 11, Instructions: 1199registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00434128
RegCloseKey.ADVAPI32(?), ref: 004341B0
RegCloseKey.ADVAPI32(?), ref: 0043467B
RegCloseKey.ADVAPI32(?), ref: 00434903
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 00434922

Strings

t^Xr, xrefs: 004343BC
`wJl, xrefs: 00434F02
1&&i, xrefs: 00434153
t^Xr, xrefs: 00434E15
qBhf, xrefs: 00434CD1
`wJl, xrefs: 0043415E
BbA, xrefs: 00433D4A
t^Xr, xrefs: 0043409C
D, xrefs: 00435100
qBhf, xrefs: 0043462C
[-/M, xrefs: 00434035

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: Close$EnumQueryValue
String ID: BbA$1&&i$D$[-/M$`wJl$`wJl$qBhf$qBhf$t^Xr$t^Xr$t^Xr
API String ID: 1459336213-482656368
Opcode ID: b389801f49643c911d36b15eab864b021b5c3d4c71edb2e54e637dc7f68c43ab
Instruction ID: 6c810bf793e794518a605d234d7c09e08cac0d3976cf57b002ee6a7c4435d3e9
Opcode Fuzzy Hash: b389801f49643c911d36b15eab864b021b5c3d4c71edb2e54e637dc7f68c43ab
Instruction Fuzzy Hash: 22A2E8B1D003099BDF28CF98C9856BE7AB0BB59316F24251BE111FB351D37D9A418B8B

Uniqueness

Uniqueness Score: -1.00%

Function 00411E8E Relevance: 36.8, APIs: 6, Strings: 14, Instructions: 1766stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 00412543
lstrcatW.KERNEL32(?,?), ref: 00412A7A

Strings

}C?g, xrefs: 00412A66
:@, xrefs: 00413DC2, 00413980, 004129E6, 00413515, 0041322C
"*2y, xrefs: 00412DBE
!*2y, xrefs: 00411F47
vTT, xrefs: 0041250A
:@, xrefs: 00412EDD, 004122BC
}C?g, xrefs: 004136EF
Pc>2, xrefs: 00412475
Pc>2, xrefs: 0041258A
vTT, xrefs: 00413B66
D@D, xrefs: 004124FF
Q{Bm, xrefs: 00413995
D@D, xrefs: 00413BF7
"*2y, xrefs: 004139D4

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: lstrcat
String ID: !*2y$"*2y$"*2y$D@D$D@D$Pc>2$Pc>2$vTT$vTT$}C?g$}C?g$Q{Bm$:@$:@
API String ID: 4038537762-1767481706
Opcode ID: 3d8baf7dbb8f7a8e259c237f4362e8aba7691beb1c2aba0df190b62fe7bb0d03
Instruction ID: 0532541ee652278b232bc72844c04ff6687263447cc8b982d4e38a174d60b19c
Opcode Fuzzy Hash: 3d8baf7dbb8f7a8e259c237f4362e8aba7691beb1c2aba0df190b62fe7bb0d03
Instruction Fuzzy Hash: C7E2E870D003199BDF249F98C945AFE7AB1AB14305F24451BEA05FB3A0D7798AC18B9F

Uniqueness

Uniqueness Score: -1.00%

Function 00431A18 Relevance: 34.3, APIs: 14, Strings: 5, Instructions: 1004memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,00000000,?), ref: 00432C1B
GetProcessHeap.KERNEL32 ref: 00432C1D
HeapFree.KERNEL32(00000000,00000000,?), ref: 00432C29

Strings

e)=, xrefs: 00431A3B
BM, xrefs: 00432872
!F$, xrefs: 00431E13
:1x, xrefs: 00432144
f)=, xrefs: 004321FF

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: Heap$Free$Process
String ID: :1x$BM$e)=$f)=$!F$
API String ID: 2719409998-4091005946
Opcode ID: 7c029beb92f0600d4e0218531521e4cd23396c6170769776977fa899a129e730
Instruction ID: 7c41d46b581d714237d39b704605010d922f2773ba39c601ee96b04954dfa5e4
Opcode Fuzzy Hash: 7c029beb92f0600d4e0218531521e4cd23396c6170769776977fa899a129e730
Instruction Fuzzy Hash: B482C3715093019FDB289F18C68562EB7E4FB98311F24AD1FE599CB3A0D778D8819B0B

Uniqueness

Uniqueness Score: -1.00%

Function 00403AEF Relevance: 14.1, APIs: 9, Instructions: 596stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 00403C3C
lstrcatW.KERNEL32(?,?), ref: 004043FC
lstrcatW.KERNEL32(?,?), ref: 0040443D
lstrcatW.KERNEL32(?,?), ref: 00404445
PathFileExistsW.SHLWAPI(?), ref: 0040444A

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: lstrcat$ExistsFilePath
String ID:
API String ID: 3040671737-0
Opcode ID: 9c649788c3d97c2546c7783bd5e216b89aa002e64b3d0159fc023ffb5e73bbef
Instruction ID: d0f24afad8fb4e365ddcf88971e7c02e60b68fa5009ffcf7e5143fea73b999b3
Opcode Fuzzy Hash: 9c649788c3d97c2546c7783bd5e216b89aa002e64b3d0159fc023ffb5e73bbef
Instruction Fuzzy Hash: D322C4B1E001069BDF248F98CD465BEBA74AB84304F24053BE615FB3E1D3799E508B9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040D78C Relevance: 13.0, APIs: 4, Strings: 3, Instructions: 726COMMON

Download Yara Rule

Strings

[-/M, xrefs: 0040D896
`wJl, xrefs: 0040DC97
[-/M, xrefs: 0040E270

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID: [-/M$[-/M$`wJl
API String ID: 493641738-1947821042
Opcode ID: 411f9331f7c6efd178ae3138c61ee418095919c8e561b33e63b0c6da938fb2e9
Instruction ID: d4ecf0d71f9aba687a304c16a1e9de49591f69cbab48592e746a56285f5178e4
Opcode Fuzzy Hash: 411f9331f7c6efd178ae3138c61ee418095919c8e561b33e63b0c6da938fb2e9
Instruction Fuzzy Hash: 8742B571D002099BDF24DB98CC866BEBAB0AB14314F24093BF511FB3D5D3798A558B9B

Uniqueness

Uniqueness Score: -1.00%

Function 004226F8 Relevance: 12.8, APIs: 2, Strings: 5, Instructions: 580COMMON

Download Yara Rule

APIs

GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00422CED
GetAdaptersInfo.IPHLPAPI(?,?), ref: 00422FAE

Strings

[-/M, xrefs: 00422AE4
`wJl, xrefs: 00422997
`wJl, xrefs: 004229B9
[-/M, xrefs: 00422C9D
Z-/M, xrefs: 0042288B

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: AdaptersInfo
String ID: Z-/M$[-/M$[-/M$`wJl$`wJl
API String ID: 3177971545-2075493074
Opcode ID: df7775b90730e759941d23139ef8820586af53b6d198f2803dbffbed1740324d
Instruction ID: 23482db236c4debe6eb8582dd537a53b386d7e8a87b8b547ab47c0d402afe64e
Opcode Fuzzy Hash: df7775b90730e759941d23139ef8820586af53b6d198f2803dbffbed1740324d
Instruction Fuzzy Hash: 4232BA70E04229ABCF14CF98EA816BE77B0FB54304FA4051BE411FB354D7B99A41DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0045E000 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0045E1E4

Strings

1#QNAN, xrefs: 0045E113
1#SNAN, xrefs: 0045E10C
1#INF, xrefs: 0045E136
1#IND, xrefs: 0045E105

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: f34341b29f5aea4557c68842a3917208cacaa027d08b2b5ebc253b6443867a85
Instruction ID: 3da354e7a80a5fd463913490483f168a8ba6a02c966666d547a6c1a3a8eeac63
Opcode Fuzzy Hash: f34341b29f5aea4557c68842a3917208cacaa027d08b2b5ebc253b6443867a85
Instruction Fuzzy Hash: 75D23E71E082289FDB29CE25CD407EAB7B5EB45306F1441EBD80DE7241E778AE898F45

Uniqueness

Uniqueness Score: -1.00%

Function 00426C70 Relevance: 10.1, Strings: 7, Instructions: 1305COMMON

Download Yara Rule

Strings

1&&i, xrefs: 00426EBE
`wJl, xrefs: 00428115
[-/M, xrefs: 00426F08
t^Xr, xrefs: 004271C3
0&&i, xrefs: 00426D0D
`wJl, xrefs: 00426EC9
[-/M, xrefs: 0042731C

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID: 0&&i$1&&i$[-/M$[-/M$`wJl$`wJl$t^Xr
API String ID: 0-1109958471
Opcode ID: d6bc17d7a9ad85df3183d0af2af6ac371b3073f612e3bb4de41f1461e085b69d
Instruction ID: f19ea2322cb8ccb8bd619b0daf081565c39049b94ce9c9998a1c7c463fcfeab6
Opcode Fuzzy Hash: d6bc17d7a9ad85df3183d0af2af6ac371b3073f612e3bb4de41f1461e085b69d
Instruction Fuzzy Hash: 36A24CB1F002258BEF24AB59ED4267E76B0EB14304FA5051BE505FB3E1E77C89518B8B

Uniqueness

Uniqueness Score: -1.00%

Function 0040C332 Relevance: 9.5, Strings: 6, Instructions: 1975COMMON

Download Yara Rule

Strings

vmz, xrefs: 0040D2F0
vmz, xrefs: 0040D34E
vmz, xrefs: 0040D2F7
vmz, xrefs: 0040D493
vmz, xrefs: 0040D470
vmz, xrefs: 0040D371

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID: vmz$vmz$vmz$vmz$vmz$vmz
API String ID: 0-2631656845
Opcode ID: 1afdaaae3841cfea759a3e029d5645fa2e01477f47c6c5e14a5a5b40943efff7
Instruction ID: 814cfd6e617f88223a1c428d37f449d9079544bee563000e8d4b46818cfec7de
Opcode Fuzzy Hash: 1afdaaae3841cfea759a3e029d5645fa2e01477f47c6c5e14a5a5b40943efff7
Instruction Fuzzy Hash: 43D27FB7B893144BD308CE59EC9129AF2D3ABD4624F1F943DE889D3301EE79D9074689

Uniqueness

Uniqueness Score: -1.00%

Function 0043DE6F Relevance: 9.5, APIs: 1, Strings: 4, Instructions: 703COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0043E669

Strings

"*2y, xrefs: 0043E301
D@D, xrefs: 0043E58E
!*2y, xrefs: 0043E049
C@D, xrefs: 0043E205

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: _strlen
String ID: !*2y$"*2y$C@D$D@D
API String ID: 4218353326-2138878619
Opcode ID: bf611bf3e1a8b1a20b8e4750e23f806396848a45077fdaaba05bba7a59412e8d
Instruction ID: f59546a1d3121b11ea93e2b7864f0d4a744313ab2bfa1412557ab64e5677a338
Opcode Fuzzy Hash: bf611bf3e1a8b1a20b8e4750e23f806396848a45077fdaaba05bba7a59412e8d
Instruction Fuzzy Hash: 24528FB090D7558FD7249F29D58162EBBE0AF98300F246D1FF499CB3A0D238D9819B5B

Uniqueness

Uniqueness Score: -1.00%

Function 00439948 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00439A8B

Strings

f)=, xrefs: 00439BA3
f)=, xrefs: 004399D1

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: _strlen
String ID: f)=$f)=
API String ID: 4218353326-683314369
Opcode ID: 834047686e6a86475a857cc766a9dc817c6fb6fd654ba2decd912eeb96b7d168
Instruction ID: b9027d619558730b84c391b855c0a5fdcb35b13cd279dbc6e1fdab09075fc041
Opcode Fuzzy Hash: 834047686e6a86475a857cc766a9dc817c6fb6fd654ba2decd912eeb96b7d168
Instruction Fuzzy Hash: 468190B1D0420D9FEF148F99C8846AEB6B5BF0C320F15262BE515EB350D3B89D41DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0043EB69 Relevance: 8.0, APIs: 1, Strings: 4, Instructions: 528stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?), ref: 0043F094

Strings

xG%, xrefs: 0043F329
Qcz, xrefs: 0043EDFA
xG%, xrefs: 0043EC7B
wG%, xrefs: 0043EC65

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: lstrcmpi
String ID: Qcz$wG%$xG%$xG%
API String ID: 1586166983-2700436762
Opcode ID: 8af76d4213850ce856a0dcaebeac49eb24a6e84b4a99dba61fdb092af06e099b
Instruction ID: d92dfe40a90a5d5c2db3ab84f75cee9a16e047908af538d603d3cdd89da06637
Opcode Fuzzy Hash: 8af76d4213850ce856a0dcaebeac49eb24a6e84b4a99dba61fdb092af06e099b
Instruction Fuzzy Hash: AA12A671D011098FDF24DB99C89657EBA71AF6C300F24252BE412FB7A1D3389E458B8B

Uniqueness

Uniqueness Score: -1.00%

Function 00454E54 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00454EE1

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 91e4e0450cd7f7c2b0a4103fe4eb945bef8e81c5d9e2a69fc8a02340262eab64
Instruction ID: d4162c583e0f5be117d7722da008214262ef1f2dbdf2460d412367f93a33d3e6
Opcode Fuzzy Hash: 91e4e0450cd7f7c2b0a4103fe4eb945bef8e81c5d9e2a69fc8a02340262eab64
Instruction Fuzzy Hash: 51B13432D006459FDB118F68C8A17FEBBA5EF45305F14816BEC05AB383D2389D49CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00457BCC Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00457C67
FindNextFileW.KERNEL32(00000000,?), ref: 00457CE2
FindClose.KERNEL32(00000000), ref: 00457D04
FindClose.KERNEL32(00000000), ref: 00457D27

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: b3f33da593891c279bce3369291d8d5159f24b887e4b79c3adef99028769f942
Instruction ID: 1e113a5a77a055cf5cae008db1716c30780006d383c16b82ddf2d714e26e6f62
Opcode Fuzzy Hash: b3f33da593891c279bce3369291d8d5159f24b887e4b79c3adef99028769f942
Instruction Fuzzy Hash: 4641D871904219AEDB21DF69ED8CDBBB3B9EF44306F1041A6E80597241E7389E888B59

Uniqueness

Uniqueness Score: -1.00%

Function 00419FE1 Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 837COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0041A1BD

Strings

8, xrefs: 0041A8DA
0, xrefs: 0041A8E2

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: _strlen
String ID: 0$8
API String ID: 4218353326-46163386
Opcode ID: 89175405be11e4d77e4d9234e301a928218f5f20102cbcd9dadbcc7a411519fd
Instruction ID: 0805c121e974aa6a483316602e6e146a6a4096bfaf5a837403357704f790475a
Opcode Fuzzy Hash: 89175405be11e4d77e4d9234e301a928218f5f20102cbcd9dadbcc7a411519fd
Instruction Fuzzy Hash: 5F725871609340AFC714CF19C880BABBBE2AF88354F14892EF99887351D779D994CB97

Uniqueness

Uniqueness Score: -1.00%

Function 00440135 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00440141
IsDebuggerPresent.KERNEL32 ref: 0044020D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0044022D
UnhandledExceptionFilter.KERNEL32(?), ref: 00440237

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 968e97dfc20801a877cb722b9b7d5318178242d0daedda30b9775c22ad68776f
Instruction ID: eb7eb8a771a686bcfe83a783da0628e089ebf2bbe5bf505f3aff53d7fc40b16d
Opcode Fuzzy Hash: 968e97dfc20801a877cb722b9b7d5318178242d0daedda30b9775c22ad68776f
Instruction Fuzzy Hash: E2312D75D01218DBEB10EFA5D989BCDBBF8BF04304F1040EAE50DAB250EB755A848F45

Uniqueness

Uniqueness Score: -1.00%

Function 0042313B Relevance: 6.0, Strings: 4, Instructions: 1009COMMON

Download Yara Rule

Strings

)y, xrefs: 00423A87
&, xrefs: 00423E50
=9, xrefs: 0042335C
=9, xrefs: 00424079

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID: &$)y$=9$=9
API String ID: 0-654770253
Opcode ID: 5848eeced63ebf62b0da70964aae80558cb696419ca7ad14b05694af4021b354
Instruction ID: b4a3fee72ee0d9e6be8e90227fbd58b13d2897c0e5b4c1b325c5355384ee6baf
Opcode Fuzzy Hash: 5848eeced63ebf62b0da70964aae80558cb696419ca7ad14b05694af4021b354
Instruction Fuzzy Hash: 8982E570F002298BDF28CF98E9855BEBBB0EB54305FA4451BE515EB390D37C8B518B5A

Uniqueness

Uniqueness Score: -1.00%

Function 004309FA Relevance: 5.8, Strings: 4, Instructions: 802COMMON

Download Yara Rule

Strings

[/, xrefs: 00430A69
\/, xrefs: 004312D9
Gr.', xrefs: 0043100C
\/, xrefs: 00430BDF

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID: Gr.'$[/$\/$\/
API String ID: 0-554860034
Opcode ID: 30e8e77db60cbad6e89189ad58068a3bbf52ae4af6e52c211855450fb843ab09
Instruction ID: a0e2f22a6a3f7e206e775114c45e476e486dbe9b5451df120b99d5b913458d58
Opcode Fuzzy Hash: 30e8e77db60cbad6e89189ad58068a3bbf52ae4af6e52c211855450fb843ab09
Instruction Fuzzy Hash: 9C5209B1D002499BDF149B98DC6667EB671EB58304F281A1BE111FB3B1D37C89428F9B

Uniqueness

Uniqueness Score: -1.00%

Function 0043D195 Relevance: 5.7, Strings: 4, Instructions: 724COMMON

Download Yara Rule

Strings

`wJl, xrefs: 0043D349
[-/M, xrefs: 0043D845
BbA, xrefs: 0043D1E1
[-/M, xrefs: 0043D47D

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID: BbA$[-/M$[-/M$`wJl
API String ID: 0-3534660569
Opcode ID: 248a979842fdf2fc07c9d5f3878acc933eca6ed6dc1a5947e45e06975474fde8
Instruction ID: 63622f877ee031114859241f7e2ea447f32fa1573e39c46ad8935505619ab642
Opcode Fuzzy Hash: 248a979842fdf2fc07c9d5f3878acc933eca6ed6dc1a5947e45e06975474fde8
Instruction Fuzzy Hash: 3D42B5B1D18701CBCF14DA18E99652EBAF0ABAC314F25A81FE185CF394D738D9419B4B

Uniqueness

Uniqueness Score: -1.00%

Function 0040E3BC Relevance: 5.6, Strings: 4, Instructions: 605COMMON

Download Yara Rule

Strings

=9, xrefs: 0040E65C
=9, xrefs: 0040E651
)y, xrefs: 0040E47C
=9, xrefs: 0040EC6F

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID: )y$=9$=9$=9
API String ID: 0-3124619640
Opcode ID: 677f076c12dcd144cdddcce6bd4e64de0a88b2981ba7303fe1a63ff458cbd59a
Instruction ID: 0df76aec36a0f41ff280b0ffb41bc72cf2dab3feac103fc5fac1a54315e14466
Opcode Fuzzy Hash: 677f076c12dcd144cdddcce6bd4e64de0a88b2981ba7303fe1a63ff458cbd59a
Instruction Fuzzy Hash: D42219B1E002099BDF249B9B8C465BE7A71AB54304F240D3BF515FB3D0E27D8A61879B

Uniqueness

Uniqueness Score: -1.00%

Function 00453F4B Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00454043
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0045404D
UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 0045405A

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 4e43a152cfeae818d005a9bf8434bc5d4398d03ec1e88cad6466892193f3459e
Instruction ID: 99666442cd97fcf9f171af4d9eb5249f56363c0e72e8b283c95d7083039b1523
Opcode Fuzzy Hash: 4e43a152cfeae818d005a9bf8434bc5d4398d03ec1e88cad6466892193f3459e
Instruction Fuzzy Hash: 4531D4749012189BDB21DF25D988B9DBBF8BF08315F5041EAE80CA7291E7749F858F49

Uniqueness

Uniqueness Score: -1.00%

Function 00411828 Relevance: 4.1, Strings: 3, Instructions: 368COMMON

Download Yara Rule

Strings

f)=, xrefs: 00411DD7
f)=, xrefs: 00411A3E
f)=, xrefs: 004119EA

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: _wcsrchr
String ID: f)=$f)=$f)=
API String ID: 1752292252-3239493788
Opcode ID: ea5389d2a179444b72e9b9c1aeb74c93be843cc33b4821f8f6fbf9b85ac6235e
Instruction ID: 066726e2e05c43f0821209f8166b6b71d2c8d6dde72c0b842e813b26876215ff
Opcode Fuzzy Hash: ea5389d2a179444b72e9b9c1aeb74c93be843cc33b4821f8f6fbf9b85ac6235e
Instruction Fuzzy Hash: DBD106719183458BCB14AF1985800BEB6E0EB56310F55892FE6DADB370E238DDC1DB4B

Uniqueness

Uniqueness Score: -1.00%

Function 004242CB Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 471COMMON

Download Yara Rule

Strings

EM%, xrefs: 00424312

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID: EM%
API String ID: 0-1407036242
Opcode ID: 67e988459a49aa939898d9ff7a43162aa5477c2edc5375f5ce44c8762a488bbc
Instruction ID: 75d7bf8ebae46f47138d2171ecde690c40c6dd0687ac209de1a129132d550e7d
Opcode Fuzzy Hash: 67e988459a49aa939898d9ff7a43162aa5477c2edc5375f5ce44c8762a488bbc
Instruction Fuzzy Hash: 44022671F00139CACF248A99E8456AEB674FB85300FE5051BF115EF391D7B989418BBB

Uniqueness

Uniqueness Score: -1.00%

Function 0041980D Relevance: 3.9, Strings: 3, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

Strings

UUUU, xrefs: 00419859
UUUU, xrefs: 0041988D
3333, xrefs: 00419862

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID: 3333$UUUU$UUUU
API String ID: 0-1588839328
Opcode ID: efba45d241d0f52071cda3d0870ed78c4ca8c8c9b3e851d8953339fc65376d36
Instruction ID: d1b7f37b2ea666f60bdfb189bbd867ea5cc85303ea493e94c66f19f49d3d4ea9
Opcode Fuzzy Hash: efba45d241d0f52071cda3d0870ed78c4ca8c8c9b3e851d8953339fc65376d36
Instruction Fuzzy Hash: 8A41B0B1A242048BCB189F19C89479277E1BF89320F59816AE9058F38AD7B9CD85CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0044E960 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2222f3a3d6a913613eae35c6862abf10bfdc6bf6cd88911747dedeb70353b5
Instruction ID: 1379c56ca3eec02fa59c9d39c239cb0aa8bed0802506fe828fe134465fbe30e4
Opcode Fuzzy Hash: 9b2222f3a3d6a913613eae35c6862abf10bfdc6bf6cd88911747dedeb70353b5
Instruction Fuzzy Hash: C1F12F71E002199FEF14CF69D980AAEF7B1FF88314F15826AE915AB381D734AD05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0044C351 Relevance: 3.0, APIs: 2, Instructions: 44timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(0041C7E7,FFFFFFF9,0E5CCD23,?,?,?,0041C7E7,00000000), ref: 0044C366
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044C385

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1518329722-0
Opcode ID: 3fe40198a38a422c672ee5a5dbb90a51271e5f9400dc39d4e6b1adcb3c2a5531
Instruction ID: 27f698f4cdd5437931be634b194d56ca7c7a9d902b3e9012aa2ec16f7a872e06
Opcode Fuzzy Hash: 3fe40198a38a422c672ee5a5dbb90a51271e5f9400dc39d4e6b1adcb3c2a5531
Instruction Fuzzy Hash: 3FF0F4B5A02214BB9B649F6EC84489FBEE9EBC4760729825AFC09D3344E975CD01C698

Uniqueness

Uniqueness Score: -1.00%

Function 00425383 Relevance: 2.8, Strings: 2, Instructions: 306COMMON

Download Yara Rule

Strings

BbA, xrefs: 004253FE
-V, xrefs: 00425448

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID: BbA$-V
API String ID: 0-3809955518
Opcode ID: 1b2d38d1e3b605a952596961b677f9a00d51841c5b29a9ed7cbc69f4a507caeb
Instruction ID: dc0b5188f1afb384efd2f348d115cc14fa508202ac94fcf1270c46230676865c
Opcode Fuzzy Hash: 1b2d38d1e3b605a952596961b677f9a00d51841c5b29a9ed7cbc69f4a507caeb
Instruction Fuzzy Hash: 8AC19F71A08B219BC714DF19D48412EBBE0EB94350F919D2FE899D73A0E778C9518F8B

Uniqueness

Uniqueness Score: -1.00%

Function 00413F74 Relevance: 2.6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

rA1, xrefs: 00413F75
rA1, xrefs: 00413F77

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID: rA1$rA1
API String ID: 0-1067413765
Opcode ID: efbb6fb98ee96def9dd8d1e0065d46e41e3023d5ad887b9a4026ef5383adf29c
Instruction ID: 0f2c39b535e627a914370d6953791e0e4ce5231357eeacb8a2176ba7154c97bf
Opcode Fuzzy Hash: efbb6fb98ee96def9dd8d1e0065d46e41e3023d5ad887b9a4026ef5383adf29c
Instruction Fuzzy Hash: 8F11CA37A182B107D716CEB658D002AE752ABC731270F4276EE81AB241D160AC5182E5

Uniqueness

Uniqueness Score: -1.00%

Function 0041B0E3 Relevance: 2.4, APIs: 1, Instructions: 917COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0041B20C

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 81b6c9f8dd858e0575a21273f910148f5f9b3018c130845560e755093bb2e4d2
Instruction ID: c69bad69c9650cc23ecbbb10ef9dce891f31e76b51468f57f18fd9f67a02415b
Opcode Fuzzy Hash: 81b6c9f8dd858e0575a21273f910148f5f9b3018c130845560e755093bb2e4d2
Instruction Fuzzy Hash: 13822371608341AFDB14CF19C880AABBBE1FF88344F44892EF99987351D739D994CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004632E8 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00463243,?,?,00000008,?,?,004628E0,00000000), ref: 00463515

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2de6cfb0ff4a72139af26f99067b21693e90c6c09101b5cfe456c9cc314c36ad
Instruction ID: 46e702be2e14e1c7ea3a083daac46fe654c2f59b887735ef056f0537b62b1649
Opcode Fuzzy Hash: 2de6cfb0ff4a72139af26f99067b21693e90c6c09101b5cfe456c9cc314c36ad
Instruction Fuzzy Hash: CDB18D31210644DFD715CF28C486B657BE0FF04365F258659E89ACF3A1D739EA82CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00418D43 Relevance: 1.7, Strings: 1, Instructions: 471COMMON

Download Yara Rule

Strings

a, xrefs: 00418DA4

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID: a
API String ID: 0-3904355907
Opcode ID: 22adeaec1f4aa4427f2fd75e2a797e1863b0547b07efddce6337872882d6f34b
Instruction ID: fa2e706a8ce1b4874a0f7c8179fb513e0e163648afb64f82ed63889311d57075
Opcode Fuzzy Hash: 22adeaec1f4aa4427f2fd75e2a797e1863b0547b07efddce6337872882d6f34b
Instruction Fuzzy Hash: 701214706083019FD764CF19C894BABBBE2BB88304F14892EF59987390D779ED85CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00439CD6 Relevance: 1.7, Strings: 1, Instructions: 408COMMON

Download Yara Rule

Strings

BbA, xrefs: 00439F55

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID: BbA
API String ID: 0-4129302092
Opcode ID: d4c306d473e9abee8ba03c08537d78c956c4b24f53863bdf1d710410e9463831
Instruction ID: 9b589efcd643ce06c087a3a5f1e7c205f060a46c530c5da3065031165be25a4c
Opcode Fuzzy Hash: d4c306d473e9abee8ba03c08537d78c956c4b24f53863bdf1d710410e9463831
Instruction Fuzzy Hash: 38E1D3B1E4410A8BCF248B9888815BF76B5BB6D315F24252BD442EB360D3B98D119B9F

Uniqueness

Uniqueness Score: -1.00%

Function 00440358 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0044036E

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 356cedec560b61747e734f351c2d7cee1900a7d0f73b36dcc76ed125cba7798f
Instruction ID: a2202421c7d43c7c44685b9093a77a3869744c678983edcef80afba564b2c5d9
Opcode Fuzzy Hash: 356cedec560b61747e734f351c2d7cee1900a7d0f73b36dcc76ed125cba7798f
Instruction Fuzzy Hash: 1F514E71A01215DBFB68CF99D8857AAB7F4FB48310F24847ADA09EB360D3789990CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004186EB Relevance: 1.6, Strings: 1, Instructions: 352COMMON

Download Yara Rule

Strings

a, xrefs: 00418794

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID: a
API String ID: 0-3904355907
Opcode ID: c5ea65371dcad18d39016b021c08cdbd70822c6c2722b132fc2f5378d9cc01d2
Instruction ID: a1075f817fd7cc3f7814354a4a1db2357214d01691858b369329b9f05171e3ff
Opcode Fuzzy Hash: c5ea65371dcad18d39016b021c08cdbd70822c6c2722b132fc2f5378d9cc01d2
Instruction Fuzzy Hash: A6E13B716083419FD720CF19C884BABB7E1BF84354F14892EF59987350DB78E989CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00459824 Relevance: 1.6, APIs: 1, Instructions: 81timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00453E34: HeapFree.KERNEL32(00000000,00000000,?,00457171,?,00000000,?,?,0045708D,?,00000007,?,?,004577C9,?,?), ref: 00453E4A
Part of subcall function 00453E34: GetLastError.KERNEL32(?,?,00457171,?,00000000,?,?,0045708D,?,00000007,?,?,004577C9,?,?), ref: 00453E55

GetTimeZoneInformation.KERNEL32 ref: 00459846

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3335090040-0
Opcode ID: 465af64d01cb5bf269fcfe6c1cbf59db2ec674240fde68a8510aaed291382a60
Instruction ID: 83584015ad3354e1473e426f47074551544ae6ff77f5a2d824aafdad77519c98
Opcode Fuzzy Hash: 465af64d01cb5bf269fcfe6c1cbf59db2ec674240fde68a8510aaed291382a60
Instruction Fuzzy Hash: 7221E171910111EBDB10AFBACD4265EBF60EF05311B1481ABFC08AB2B2E7799D44CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00440129 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00040253,0043FBA3), ref: 0044012E

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5d7f60071a7a357792143b2bfc5289f02b303e810947aa6ebcae9ed27293c0d5
Instruction ID: f038b7e9c132db3ec742f0495448b622a0d310ee9f95716751d1e1cd1bf57bd1
Opcode Fuzzy Hash: 5d7f60071a7a357792143b2bfc5289f02b303e810947aa6ebcae9ed27293c0d5
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 004165A5 Relevance: .8, Instructions: 751COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d89aba4d668fce2eb44ce70dd846f8b0ff78849bd6d1151861dcef515fce1f
Instruction ID: a3b7084fbdfe11c8eacb09f2c79e2b3bebb649b7c631925d18ca0386633e7346
Opcode Fuzzy Hash: 72d89aba4d668fce2eb44ce70dd846f8b0ff78849bd6d1151861dcef515fce1f
Instruction Fuzzy Hash: 866280356087518FC715DF19C080AAAB7F1FF89314F158A6EE4CA8B352D739E886CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00420C54 Relevance: .5, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86e733c957ad818f0a5a64066e21ff8c0fd192cc6da0df8d624fb0f487f81bb
Instruction ID: 7f1d227e81058240fefc9ce2e7881f356ce04caaa4cd566e4625a4282b784914
Opcode Fuzzy Hash: b86e733c957ad818f0a5a64066e21ff8c0fd192cc6da0df8d624fb0f487f81bb
Instruction Fuzzy Hash: E912BF702087508FC324DF28D58066BB7E2FF95310F944E2EE5D687B92E379A845CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00415F39 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344e3994ff8b8d302067ea1c434afd7038ce7f4f31709be841778334474cb02c
Instruction ID: f47bd9da15e5f273d482ff521561176b22dacf300fafdc73ccb339a9324ef8fc
Opcode Fuzzy Hash: 344e3994ff8b8d302067ea1c434afd7038ce7f4f31709be841778334474cb02c
Instruction Fuzzy Hash: 4C126D75A087059FC714CF29C5806AAFBE1FF88304F15892EE89987351D778EC95CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00417059 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca4ead15992c50c81b45c437b349bc6c2ce5574fdc5981c1436be462613f052
Instruction ID: cf4510a9fb9a17c05484002ebd9ffdaa7b2e5eb0357794f45be513f7ec182c0a
Opcode Fuzzy Hash: dca4ead15992c50c81b45c437b349bc6c2ce5574fdc5981c1436be462613f052
Instruction Fuzzy Hash: B3020470518B508FC338CF29C6905A6BBF1FF45710B944A2EDAA787B90D739B885CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00447293 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17954181ad1bfa07e195440818c843ca059a124ac0f03909e53e4f2b1a5f8e8b
Instruction ID: 4852fc99dede2de8c07b1ce6f38178f8f74b56e8af0a05e5bd4a490d1d0891ff
Opcode Fuzzy Hash: 17954181ad1bfa07e195440818c843ca059a124ac0f03909e53e4f2b1a5f8e8b
Instruction Fuzzy Hash: 5DE1BB706086058FEB24CF68C480AABB7F2FF45314B244A5EE8569B790D738AD43DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00444C74 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa6efcdf8f36bebee9a36831b339b6fd598d102e837ebe592fc0ccf64c4c128
Instruction ID: 5300cd6ae49d8dbe9984fbe377353a52d1cf92bd768e72ae2b68b1244187a3f9
Opcode Fuzzy Hash: cfa6efcdf8f36bebee9a36831b339b6fd598d102e837ebe592fc0ccf64c4c128
Instruction Fuzzy Hash: 46E1BBB4A00A058FEB24CF28C180BAFB7F1FF89314B24465ED4569B791D738AD46CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00421AEE Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe52bac06ce16e9f08cb5d1657a55b984f032921874ae6b4bfe86344577606a7
Instruction ID: a1926ac00d3af7b2d59ac37bfc72cc0e44c362c41eb0cb9e191a4dde01baca61
Opcode Fuzzy Hash: fe52bac06ce16e9f08cb5d1657a55b984f032921874ae6b4bfe86344577606a7
Instruction Fuzzy Hash: 47E10275B043228FC714CF18D8D066AB3E2FFA9710F95892EE99587361D239EC46CB85

Uniqueness

Uniqueness Score: -1.00%

Function 004466CF Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d84bca4c30aa5539cc3b23a61abace4eda1baf78668d3b6f8f4e28cd3912e37
Instruction ID: bb97e952bf6128600cf32c7039b0c21f980668a69e724898758963aa6774178a
Opcode Fuzzy Hash: 7d84bca4c30aa5539cc3b23a61abace4eda1baf78668d3b6f8f4e28cd3912e37
Instruction Fuzzy Hash: 63C1D170A006458FEB24CF68C49067BBBA1EF07318F16461FD896A7391C739AD46CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00443FB4 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480b7a3807bdec40eb1781685a0957e977cf92e650f85c080a9217fa238dc8bc
Instruction ID: 03e01b99a3ea4d98bd077c1f71beaba728474dfaaaff8be342414f03e7018773
Opcode Fuzzy Hash: 480b7a3807bdec40eb1781685a0957e977cf92e650f85c080a9217fa238dc8bc
Instruction Fuzzy Hash: A9C10F306006068FEB24CF68C48477FB7A1BF85304F24461FDA5697792C779AC86CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041494F Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a249e8036389ca2a94441644932b39595e3d331b0a1c1fbadceed0361bbadf
Instruction ID: 8de42448238a9bd9dfb0f6da8befdbe85df30ec9e27c252b50282187906eccb1
Opcode Fuzzy Hash: 22a249e8036389ca2a94441644932b39595e3d331b0a1c1fbadceed0361bbadf
Instruction Fuzzy Hash: F1C15D716087518BC728CF2DC4907AEB7E2AFC4310F19CA2EE899D7795D6389841CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0045BF5E Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd68c9bd32a6e6089eb0a04c845385284089b00ffda1fbd1fb62c7a2d090b34
Instruction ID: 33d213110c5a6b565e9bda116bccd1b313e5870d458404ff94cf22743a74c644
Opcode Fuzzy Hash: cbd68c9bd32a6e6089eb0a04c845385284089b00ffda1fbd1fb62c7a2d090b34
Instruction Fuzzy Hash: 60B10020E2AF414DC6239639C871336B64CAFBB2C5F51D72BFC2670D62FBA289834145

Uniqueness

Uniqueness Score: -1.00%

Function 00414918 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39a2fe1fb783dc0ebd96aaa4b09021d3a3dec2b0e9adff76d855defd5a20da3
Instruction ID: 7f49d05cf51cb1df92f9f4c22161da5d1b824da537386caa73c3e113169bc4e9
Opcode Fuzzy Hash: a39a2fe1fb783dc0ebd96aaa4b09021d3a3dec2b0e9adff76d855defd5a20da3
Instruction Fuzzy Hash: 73819D716086518FC728CF2DD8906AEFBE2AFC4310F19CA2EE8D9D7795D6349841CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0044F2BB Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac7b1aa96306a8500b12fae9c55f076ce975f64dbe0489b0a98f9252826224e
Instruction ID: 2a85ae27e9abd1518985109b3de5b099e6583462fcbdc878e980ebc407922004
Opcode Fuzzy Hash: 1ac7b1aa96306a8500b12fae9c55f076ce975f64dbe0489b0a98f9252826224e
Instruction Fuzzy Hash: 53517271E00219AFDF14CF99C941AAEBBB2EF88314F19806DE815AB241C7349E54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00440A50 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 04161d24e210b282f1801bcb76d898ca36c1aebdde0c8bb232035fa6fcb03425
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 54115B7734038243F614C63DD4B86BBA7A5EBF532072C837BD3826B744D13AD9659A08

Uniqueness

Uniqueness Score: -1.00%

Function 00455725 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5466edf919cf6453cb3fe632e64b7bc90129a20e483f7dfcae3dbb783ead61c5
Instruction ID: d45551658c9705659fe91fd25da5fd67e75fcf6d94e8ca675f06846c1b1ef9cc
Opcode Fuzzy Hash: 5466edf919cf6453cb3fe632e64b7bc90129a20e483f7dfcae3dbb783ead61c5
Instruction Fuzzy Hash: DDE08C32911228EBCB24DB89C904D9AF3FCEB49B56F11009BB901D3202C274DE04C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 00449B9A Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3afd9e53fbe4f72f84671ef79b91c3ecb84e580b6f34f6fcc9017cb2d47eaa73
Instruction ID: 9885d8effbfe0ff0fdcaaaae0265c276ac2dca6ef0719e03e370b0a5cf67cbe2
Opcode Fuzzy Hash: 3afd9e53fbe4f72f84671ef79b91c3ecb84e580b6f34f6fcc9017cb2d47eaa73
Instruction Fuzzy Hash: 67C08C34000980C6DE298911B6713BB33A5F3957CAF8004CFC8420BB83C71EAD86E644

Uniqueness

Uniqueness Score: -1.00%

Function 00403596 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 332
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,?), ref: 0040366D
lstrcatW.KERNEL32(?,?), ref: 00403675
lstrcatW.KERNEL32(?,?), ref: 0040384D
lstrcatW.KERNEL32(?,26CFC4F5), ref: 00403855
lstrcatW.KERNEL32(?,?), ref: 004038AD
lstrcatW.KERNEL32(?,?), ref: 004038C9
lstrcatW.KERNEL32(?,?), ref: 004039F0
lstrcatW.KERNEL32(?,?), ref: 00403A0D

Strings

Qcz, xrefs: 004036D0
Qcz, xrefs: 004037CB
xG%, xrefs: 004037D6
xG%, xrefs: 0040371A

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: lstrcat
String ID: Qcz$Qcz$xG%$xG%
API String ID: 4038537762-1429512164
Opcode ID: 9be91e2508c1e15b1789d6a0a0412c6c219981e28901ded71ef246b491064337
Instruction ID: 4878c853b4d5a6c812cbc114ba151b085e6c8ba745f01b2c624c4d7a811a5224
Opcode Fuzzy Hash: 9be91e2508c1e15b1789d6a0a0412c6c219981e28901ded71ef246b491064337
Instruction Fuzzy Hash: 2BC1D471D00219EADF209F98CC85AAEBEB4AF14301F244577F511F63E0D3B98B519B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0042FF13 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 315
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,?), ref: 0042FF84
lstrcatW.KERNEL32(?,0000326A), ref: 0042FF8C
lstrcatW.KERNEL32(00431704,?), ref: 00430035
lstrcatW.KERNEL32(00431704,0000326A), ref: 004300AB
lstrcatW.KERNEL32(?,?), ref: 004301EE
lstrcatW.KERNEL32(?,?), ref: 00430276
lstrcatW.KERNEL32(?,?), ref: 004302C2
lstrcatW.KERNEL32(00431704,0000326A), ref: 0043039F

Strings

=9, xrefs: 0042FF9F
=9, xrefs: 0043005D
)y, xrefs: 0042FF65
=9, xrefs: 004303FE

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: lstrcat
String ID: )y$=9$=9$=9
API String ID: 4038537762-3124619640
Opcode ID: f030b9c4477342b9bdc48660ac90e06d751428325ada5cb7c4d2204976886d3f
Instruction ID: e519decdd3ce253de89407dbf8649a3a5ec18651a50e18e1cfbc0e89ecb9ccf7
Opcode Fuzzy Hash: f030b9c4477342b9bdc48660ac90e06d751428325ada5cb7c4d2204976886d3f
Instruction Fuzzy Hash: 54C1FFB1E102199FCF109F98DD515AEBAB4FF09304F661637E414F63A0DB798D448B8A

Uniqueness

Uniqueness Score: -1.00%

Function 0041F3BB Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WideCharToMultiByte.KERNEL32 ref: 0041F6C1
WideCharToMultiByte.KERNEL32 ref: 0041F7DA

Strings

Eb, xrefs: 0041F472
Y<, xrefs: 0041F60A
0N, xrefs: 0041F5FA
', xrefs: 0041F892
_2, xrefs: 0041F88A
:@, xrefs: 0041F3BB
tL, xrefs: 0041F89A

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: '$0N$Eb$Y<$_2$tL$:@
API String ID: 626452242-2264350277
Opcode ID: 35620b76cd7eb60ebe6dfa00f721888ff0dbdb95e30fad49da4e546f73c4563c
Instruction ID: 6b0cbdd544f82dc4c58476b5f157a1645fbfa2b23c24b1863356214a3f4bca1a
Opcode Fuzzy Hash: 35620b76cd7eb60ebe6dfa00f721888ff0dbdb95e30fad49da4e546f73c4563c
Instruction Fuzzy Hash: DDB18FB05087458BD7289F58C48416EBBE0BF94314F144A2FF4A9DA3A1D778C98ACB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00401DB8 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00401FD8

Strings

wr, xrefs: 00401EB0, 00401F28, 004020A5, 0040219C
BF, xrefs: 00402029
BF, xrefs: 0040222B
false, xrefs: 00401F63
null, xrefs: 00401DE6
[,]{: }, xrefs: 00401EEB
%1.17g, xrefs: 00401E33

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: _strlen
String ID: wr$%1.17g$[,]{: }$false$null$BF$BF
API String ID: 4218353326-3269087201
Opcode ID: 908a62677b8ca64f96e232a64f15dfa901e837643ddf367af2bc110f6864cace
Instruction ID: 0c250f3d4f756a126ef77eb0c0b7d1b14d5667675eaa96361a206e1d9e62a699
Opcode Fuzzy Hash: 908a62677b8ca64f96e232a64f15dfa901e837643ddf367af2bc110f6864cace
Instruction Fuzzy Hash: 98C1F3727043015BD701A66A8E4462BB2DA9FD4348F19853FED5AE33E1FABDDC01825B

Uniqueness

Uniqueness Score: -1.00%

Function 004200E3 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 0042015B
_strlen.LIBCMT ref: 0042016F
_strlen.LIBCMT ref: 00420247
_strlen.LIBCMT ref: 0042025B
_strlen.LIBCMT ref: 0042033E
_strlen.LIBCMT ref: 00420352

Strings

ykqs_jk*n}ob, xrefs: 004202C8
file, xrefs: 004201CC

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: _strlen
String ID: file$ykqs_jk*n}ob
API String ID: 4218353326-323892159
Opcode ID: 1c50cf2c04d4a5d951112a15154896223c931624481b2a82f6f5c9bd8b49e8f1
Instruction ID: 285f5179f204fbcc5615ef4ec5ecd657932cc1d2d5792005b9c654004b0af578
Opcode Fuzzy Hash: 1c50cf2c04d4a5d951112a15154896223c931624481b2a82f6f5c9bd8b49e8f1
Instruction Fuzzy Hash: 8E81E6B6900215EFD721DF25DC82A977BB4EF19318B184469FC0C9B303E235A915C7EA

Uniqueness

Uniqueness Score: -1.00%

Function 0045A27D Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0045A729: CreateFileW.KERNEL32(00000000,00000000,?,0045A326,?,?,00000000,?,0045A326,00000000,0000000C), ref: 0045A746

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001EFB), ref: 0045A391
__dosmaperr.LIBCMT ref: 0045A398
GetFileType.KERNEL32(00000000), ref: 0045A3A4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001EFB), ref: 0045A3AE
__dosmaperr.LIBCMT ref: 0045A3B7
CloseHandle.KERNEL32(00000000), ref: 0045A3D7
CloseHandle.KERNEL32(00000000), ref: 0045A524
GetLastError.KERNEL32 ref: 0045A556
__dosmaperr.LIBCMT ref: 0045A55D

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 55320916d828ae0cd40da7d50a2e62aa374f4779e3897207c8b692d5ec426c28
Instruction ID: d686bd5d26923eca63759877139bb571ce72897651dc559e2e2611c40fd98f83
Opcode Fuzzy Hash: 55320916d828ae0cd40da7d50a2e62aa374f4779e3897207c8b692d5ec426c28
Instruction Fuzzy Hash: 3DA16872A101149FDF099F68DC46BAE3BA0AB06315F14025EFC01DF3A2D738986AC75B

Uniqueness

Uniqueness Score: -1.00%

Function 00401A6D Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00401FD8

Strings

wr, xrefs: 00401EB0, 004020A5
BF, xrefs: 00402029
BF, xrefs: 0040222B
null, xrefs: 00401DE6
,]{: }, xrefs: 0040207F
%1.17g, xrefs: 00401E33

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: _strlen
String ID: wr$%1.17g$,]{: }$null$BF$BF
API String ID: 4218353326-2456199790
Opcode ID: 3dfd42b57767dc8270ba4dc7648a312b6cebebe134f354f52bc026d4dca15a1d
Instruction ID: 46e47a4cd59045c846db78e3bba410f39dddad80144ed0f5791ee4b301c79d68
Opcode Fuzzy Hash: 3dfd42b57767dc8270ba4dc7648a312b6cebebe134f354f52bc026d4dca15a1d
Instruction Fuzzy Hash: 94B1CDA2B043015BE70076765E8662B61DA9F90348F18453FED4AF33E2FA7DDD11829B

Uniqueness

Uniqueness Score: -1.00%

Function 0045FE6F Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 0045FF8E
CatchIt.LIBVCRUNTIME ref: 004600ED
_UnwindNestedFrames.LIBCMT ref: 004601EE
CallUnexpected.LIBVCRUNTIME ref: 00460209

Strings

csm, xrefs: 0045FFC5
csm, xrefs: 0045FEAC
csm, xrefs: 0045FF19

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: CallCatchFramesNestedUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2332921423-393685449
Opcode ID: 2090d5bb0acad8684a595240ae2f87c6eff5326107e89bc7c1ff7f0c72ce1e33
Instruction ID: 2b3abcc206f024861a136704ea370c9ed85d4f450db034c067ab4b26c105e929
Opcode Fuzzy Hash: 2090d5bb0acad8684a595240ae2f87c6eff5326107e89bc7c1ff7f0c72ce1e33
Instruction Fuzzy Hash: DFB18932800209EFCF14DFA5D9819AFB7B5BF05305B14406BEC116B212E379DA59CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00432E62 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32(00000000), ref: 00432E6D
CreateDCW.GDI32(00000000,00000000,00000000,00000000), ref: 00433153
GetSystemMetrics.USER32(00000001), ref: 00433204
DeleteDC.GDI32(?), ref: 00433250

Strings

xG%, xrefs: 0043312B
xG%, xrefs: 004331F6
xG%, xrefs: 00432EB8

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: MetricsSystem$CreateDelete
String ID: xG%$xG%$xG%
API String ID: 1043530637-1616704207
Opcode ID: 704ab9ae53338d9c11fc060a0fac058ebf6f65491b83a0fa5fa0adda410b95e9
Instruction ID: 809d23d9da762772d83b57479b3c5423d1b44b0536bc0b36b4e4cd74ecdcf2b6
Opcode Fuzzy Hash: 704ab9ae53338d9c11fc060a0fac058ebf6f65491b83a0fa5fa0adda410b95e9
Instruction Fuzzy Hash: 4C917871E002098BDF249F98C98657FBA71AB9C311F246517E411E7390D7BD8B40CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00433918 Relevance: 12.2, APIs: 8, Instructions: 182
processfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0043392B
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 0043393E
GetCurrentProcessId.KERNEL32 ref: 004339BF
CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00433B6E
GetFileSizeEx.KERNEL32(?,?), ref: 00433B7E
CloseHandle.KERNEL32(?), ref: 00433B91
WinExec.KERNEL32(?,00000000), ref: 00433BDE
ExitProcess.KERNEL32 ref: 00433BE5

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: File$HandleModuleProcess$CloseCreateCurrentExecExitNameSize
String ID:
API String ID: 3992844039-0
Opcode ID: 5d50565b87c74c25e674ebbb3917f5898fd203779ab18c8b2297214b87599f5b
Instruction ID: 42f2e7484e317dff0cded6fa20739e2dbf8c3365bc58c627dfe3ab1d9c72692e
Opcode Fuzzy Hash: 5d50565b87c74c25e674ebbb3917f5898fd203779ab18c8b2297214b87599f5b
Instruction Fuzzy Hash: 7B513FB0500702DBEF305E298C49B277AE8EB09316F10592BF56BD7661D25CEA414F4B

Uniqueness

Uniqueness Score: -1.00%

Function 00452B25 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00452C32,?,004547C2,0040E684,00000000,00000000,?,004529E6,00000021,FlsSetValue,00468EBC,FlsSetValue,0040E684), ref: 00452BE6

Strings

api-ms-, xrefs: 00452B7C
ext-ms-, xrefs: 00452B90

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 0817c6fdddb93c04141847eff1b073e1fa4e6ce4b27c88aac43368bc9e15ce19
Instruction ID: 6976ddfbd8caaaab8d9eba1252bcab6e0a937b58ea562e8a41fe0d7736555f76
Opcode Fuzzy Hash: 0817c6fdddb93c04141847eff1b073e1fa4e6ce4b27c88aac43368bc9e15ce19
Instruction Fuzzy Hash: 9C212772A00111ABDB219F25DD81A5B3798DB423A1F240227FD05A73D2E7F8FD09C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 00432C39 Relevance: 10.6, APIs: 7, Instructions: 68windowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32(?,?,?), ref: 00432C8D
SelectObject.GDI32(?,?), ref: 00432CA6
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00432CBF
SelectObject.GDI32(?,?), ref: 00432CCD
CreateCompatibleDC.GDI32(?), ref: 00432CD7
DeleteDC.GDI32 ref: 00432CFC
DeleteObject.GDI32(?), ref: 00432D06

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: Object$CompatibleCreateDeleteSelect$Bitmap
String ID:
API String ID: 1142853709-0
Opcode ID: 5e6de1d900ebce608c7af7884446a37b8f8acb441115ef96ab31e7277cecc51a
Instruction ID: b686beea4571f1d93e00d5ed4cbe06049545703ddf7aa3d0d622d75235c18fb1
Opcode Fuzzy Hash: 5e6de1d900ebce608c7af7884446a37b8f8acb441115ef96ab31e7277cecc51a
Instruction Fuzzy Hash: AB214D74008301AFCA205B16CE48C2FBFE5EF8A754F10A92AF54996230D276CC15DF5B

Uniqueness

Uniqueness Score: -1.00%

Function 004585AE Relevance: 9.3, APIs: 6, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4298f341c87ad7ecc65fc2515203ce02bb884cc00d73e76c464ceaa9f44a691
Instruction ID: 535c8b7328ef8ee6fbffdb1d368c7309bd8b452e2aa5fc4b7a8846e5273e53cb
Opcode Fuzzy Hash: e4298f341c87ad7ecc65fc2515203ce02bb884cc00d73e76c464ceaa9f44a691
Instruction Fuzzy Hash: BFB1E6B0A40245AFDB01EF9AC880BAE7BB1FF45305F14415EE904A7353CF789949CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0044B961 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0044BAF4
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044BB10
__allrem.LIBCMT ref: 0044BB27
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044BB45
__allrem.LIBCMT ref: 0044BB5C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044BB7A

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 42e732099961271773518375950b9bbbde2696299b357054213fd541dae8fcab
Instruction ID: ef365a049af607343f8be8b3212049103782158540b08e4f71d0ca1a46f63308
Opcode Fuzzy Hash: 42e732099961271773518375950b9bbbde2696299b357054213fd541dae8fcab
Instruction Fuzzy Hash: 0881E8B16007069BF7209E6ACC42B6B73A9EF44364F14452FF911D67C2E778E9048798

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF56 Relevance: 9.1, APIs: 6, Instructions: 146COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0041FFC5
_strlen.LIBCMT ref: 0041FFD9
_strlen.LIBCMT ref: 00420042
_strlen.LIBCMT ref: 00420056
_strlen.LIBCMT ref: 004200AF
_strlen.LIBCMT ref: 004200C3

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 1279646038f4eb41b2bd07993c26e31ef37e16e72cf87688ed1b97db0c92eb2e
Instruction ID: 31a46be2a31faabc304eb1bdf659b1fcc976e09cf6aa6257a5c0f96d6c47ac14
Opcode Fuzzy Hash: 1279646038f4eb41b2bd07993c26e31ef37e16e72cf87688ed1b97db0c92eb2e
Instruction Fuzzy Hash: 3641E8B6901615AFD711AF25EC82EAB37A4AF5A31CB040069FC0867303E7357915C7EB

Uniqueness

Uniqueness Score: -1.00%

Function 004523E4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004523DB,00440746,00440297), ref: 004523F2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00452400
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00452419
SetLastError.KERNEL32(00000000,004523DB,00440746,00440297), ref: 0045246B

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6d7a42854ded5e81f902fb76ef248f452ca56cf4c94cbb179f9564bdfd7eb750
Instruction ID: 597ddafc9b9e2fbb5cd57ad523608a9298ce0246d25c5e9403f95b32d94ef4aa
Opcode Fuzzy Hash: 6d7a42854ded5e81f902fb76ef248f452ca56cf4c94cbb179f9564bdfd7eb750
Instruction Fuzzy Hash: 8001F53260A6119EA729267A6E8A55B2784DB0373A720023FFD14811F3EAE95849955C

Uniqueness

Uniqueness Score: -1.00%

Function 0044CAED Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0044CB2F

Strings

.bat, xrefs: 0044CB5E
.cmd, xrefs: 0044CB4D
.com, xrefs: 0044CB6F
.exe, xrefs: 0044CB3C

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: bf0b226e64b7cfe6f3ea0fe735921e0758539ee7ac38937f75869f14156e00cf
Instruction ID: 36138afea54e0842e8f31e780b47815ef1dff893f306121da2e1b7db6d1727af
Opcode Fuzzy Hash: bf0b226e64b7cfe6f3ea0fe735921e0758539ee7ac38937f75869f14156e00cf
Instruction Fuzzy Hash: 9201CE27605B6121B6545029BC43B371298CB82BB972A022FFC80F77C1FE5CED4251AD

Uniqueness

Uniqueness Score: -1.00%

Function 00449B18 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,A2592230,0040126C,?,00000000,00463A1B,000000FF,?,00449BE2,00449A7D,?,00449C9D,00000000), ref: 00449B4D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00449B5F
FreeLibrary.KERNEL32(00000000,?,00000000,00463A1B,000000FF,?,00449BE2,00449A7D,?,00449C9D,00000000), ref: 00449B81

Strings

mscoree.dll, xrefs: 00449B46
CorExitProcess, xrefs: 00449B57

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b4d226edc4749f5c4451dcd5bd984346dff06116924e798a03c91685db550508
Instruction ID: 00473055117681dd4dade9d2ba92c4763d954cf16130cf2196dd6efc935b9a4d
Opcode Fuzzy Hash: b4d226edc4749f5c4451dcd5bd984346dff06116924e798a03c91685db550508
Instruction Fuzzy Hash: A301DF31940659ABDB018F50DC04FEFB7F8FB04B16F004236E812A2390EBB8AC00CA99

Uniqueness

Uniqueness Score: -1.00%

Function 0044C43F Relevance: 7.6, APIs: 5, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3256c3a026bf27264cba199f2fb18a9f09c8de035dfd3c98c395692d3a7f1a
Instruction ID: 07b4ae62025cfa2ab7cebcdc06eacc2ede3ae4cb009f71dee31f2ce0e74a9c58
Opcode Fuzzy Hash: 7c3256c3a026bf27264cba199f2fb18a9f09c8de035dfd3c98c395692d3a7f1a
Instruction Fuzzy Hash: A951877990121DAEDF00EFE5D940AEEB7B8EF08710F14401BE915E7250E734DA41CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0044CED4 Relevance: 7.6, APIs: 5, Instructions: 143pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000006,00000000,00004E30), ref: 0044CEF6
GetFileInformationByHandle.KERNEL32(?,?), ref: 0044CF50
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0044CDF9,00000006), ref: 0044CFDE
__dosmaperr.LIBCMT ref: 0044CFE5
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0044D022

Part of subcall function 0044CB9B: __dosmaperr.LIBCMT ref: 0044CBD0

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: 6582b9a8b11f24c48ac9f52b36256c1f576d1258e3a4620e80b8f8e1ec7abe00
Instruction ID: bd4d03b9a771159d5fef617030593d0560d8a05a51b5bf4aa89a7dea884668b4
Opcode Fuzzy Hash: 6582b9a8b11f24c48ac9f52b36256c1f576d1258e3a4620e80b8f8e1ec7abe00
Instruction Fuzzy Hash: 0D416175900604AFEB24DF66DC859ABBBF9EF88304B04492EF856D3650EB389845CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00460294 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0046019A,?,?,00000000,00000000,00000000,?), ref: 004602B9
CatchIt.LIBVCRUNTIME ref: 0046039F

Strings

RCC, xrefs: 004602D3
MOC, xrefs: 004602CB

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: ac7d6af183050187c71f16ffe7246f96f2fe5b68b95ce09ed853238f4b720782
Instruction ID: d395cb6d3643f747b4f1ed03c217f0cf3e407a9dee712a73095eddbd861a0f34
Opcode Fuzzy Hash: ac7d6af183050187c71f16ffe7246f96f2fe5b68b95ce09ed853238f4b720782
Instruction Fuzzy Hash: 85415972900209EFCF16DF94CD81AAF7BB5BF48305F14809AFD04A7221E3799990DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0045D201 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0045D29D,0040126C,00000000,00000000,?,?,?,0045D0E5,00000000,FlsAlloc,00469F00,00469F08), ref: 0045D20E
GetLastError.KERNEL32(?,0045D29D,0040126C,00000000,00000000,?,?,?,0045D0E5,00000000,FlsAlloc,00469F00,00469F08,0040126C,?,00452392), ref: 0045D218
LoadLibraryExW.KERNEL32(?,00000000,00000000,0040126C,?,00452392,00452476,00000003,00452E96), ref: 0045D240

Strings

api-ms-, xrefs: 0045D225

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: e2333dca0049899a034056aca4725402997ce5ec5efa653afd9e8b28abf10914
Instruction ID: 2f8e1eed1b80e3f53c297ac97a4cb6e7ce7407ae9afc80613234471b12a125ca
Opcode Fuzzy Hash: e2333dca0049899a034056aca4725402997ce5ec5efa653afd9e8b28abf10914
Instruction Fuzzy Hash: FAE04830680204B7EF302B62EC06B593B959F50B56F144171FD0CA55E1E7A5E855855E

Uniqueness

Uniqueness Score: -1.00%

Function 0045635A Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(A2592230,0045A462,00000000,?), ref: 004563BD

Part of subcall function 00458E13: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0045DB6E,?,00000000,-00000008), ref: 00458EBF

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00456618
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00456660
GetLastError.KERNEL32 ref: 00456703

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 9688f8e74edcdb5a3ac1c3708623ac9e564f5d8f12358ac89904943cb75c7869
Instruction ID: 1e2e37625c27f31410b472735243b7557da6028281b411b2d6bd2d62629f044e
Opcode Fuzzy Hash: 9688f8e74edcdb5a3ac1c3708623ac9e564f5d8f12358ac89904943cb75c7869
Instruction Fuzzy Hash: 83D18AB5D00248AFCF11CFE8D8809ADBBB5FF08315F59452AE816E7352E634A946CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00433323 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 285memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00433548
HeapFree.KERNEL32(00000000,00000000,?), ref: 00433554

Part of subcall function 00432E62: GetSystemMetrics.USER32(00000000), ref: 00432E6D

Part of subcall function 00432D18: GetDesktopWindow.USER32 ref: 00432D5A
Part of subcall function 00432D18: GetDC.USER32(00000000), ref: 00432D61
Part of subcall function 00432D18: SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00432DAE

Strings

rA1, xrefs: 004335FB
rA1, xrefs: 004333C8

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: HeapSystem$DesktopFreeInfoMetricsParametersProcessWindow
String ID: rA1$rA1
API String ID: 2787761496-1067413765
Opcode ID: 5a4700ff93160020465b4f5b8e585966a08a18ddb5dea9776d12ed82fbcf6752
Instruction ID: a981ae49f0fa2f3a87aaa150ee95751289bc2fc848a7d7049935d0dc7cf0988e
Opcode Fuzzy Hash: 5a4700ff93160020465b4f5b8e585966a08a18ddb5dea9776d12ed82fbcf6752
Instruction Fuzzy Hash: 02A13CB1C00309DBDF248F98CC826BE7664EB18315F24A92BE511FA391D77D9B418B5B

Uniqueness

Uniqueness Score: -1.00%

Function 0045FB96 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0045FC5D
___AdjustPointer.LIBCMT ref: 0045FC80
___AdjustPointer.LIBCMT ref: 0045FD1C

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: cabf343da66962419476e86db718fbbbff32d26141bceb274d6e4343c333b25a
Instruction ID: 013a60d334ea8d57af88b4ac8e385ded791458be1aa6c3f4d8da466b4dcd3ffb
Opcode Fuzzy Hash: cabf343da66962419476e86db718fbbbff32d26141bceb274d6e4343c333b25a
Instruction Fuzzy Hash: 3251C17250020A9FEB2A8F55C841BAA73A4FF01716F14443FED1547292E739EC4DCB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004593E0 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069da7ea26a0592ea2c6dd369b41f9c3e03cf53d43b37528806a8031e2738322
Instruction ID: ebb2b29dabbf547231e61ec3e76356dd2a8ff96ace66229c97dfb8df07e710a4
Opcode Fuzzy Hash: 069da7ea26a0592ea2c6dd369b41f9c3e03cf53d43b37528806a8031e2738322
Instruction Fuzzy Hash: 92410BB2A00348FFD7259F39C841B5A7BA8EB44715F10852FF911DB282E7799D198788

Uniqueness

Uniqueness Score: -1.00%

Function 00456B51 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,0044E464,00000001,?,0044E464,004011D8,?,00000000), ref: 00456B67
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,004011D8,00000000), ref: 00456B74
SetFilePointerEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,004011D8,00000000), ref: 00456B9A
SetFilePointerEx.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00456BC0

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: 5b56bcbd4c671fecd75217bdbb02ef0464eaecf8ac0f59643d9c94699803eb38
Instruction ID: 23e91fdcb1a7104bc3273f7a94d4b7c242fe8f20993f077516c42dfe65022fe4
Opcode Fuzzy Hash: 5b56bcbd4c671fecd75217bdbb02ef0464eaecf8ac0f59643d9c94699803eb38
Instruction Fuzzy Hash: 66118875800128BBDB10AF5ACC089DF3FB9EF00365F404519F820972A1E7709A44DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0045B9B6 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(00000006,?,?,00000000,0045B8AF,00000000,?,004618EC,0045B8AF,?,00000006,00000000,00000104,00004E30,00000001,00000000), ref: 0045B9CC
GetLastError.KERNEL32(?,004618EC,0045B8AF,?,00000006,00000000,00000104,00004E30,00000001,00000000,00000000,?,0045B8AF,00004E30,00000104,?), ref: 0045B9D6
__dosmaperr.LIBCMT ref: 0045B9DD
GetFullPathNameW.KERNEL32(00000006,?,?,00000000,?,?,004618EC,0045B8AF,?,00000006,00000000,00000104,00004E30,00000001,00000000,00000000), ref: 0045BA07

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: ba5282754d184c6d309740ce3a9511922dd35345f1b2846f54f8b262bbf2378f
Instruction ID: 3745931c349c579b2146f67486802c36961f4fd332943e7a4ce3e28d139d4771
Opcode Fuzzy Hash: ba5282754d184c6d309740ce3a9511922dd35345f1b2846f54f8b262bbf2378f
Instruction Fuzzy Hash: 18F0A9752002006FD7306F67DC08D577BEDEF84361710442AF959C3221E775E81087A5

Uniqueness

Uniqueness Score: -1.00%

Function 0045BA1C Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(00000006,?,?,00000000,0045B8AF,00000000,?,00461874,0045B8AF,0045B8AF,?,00000006,00000000,00000104,00004E30,00000001), ref: 0045BA32
GetLastError.KERNEL32(?,00461874,0045B8AF,0045B8AF,?,00000006,00000000,00000104,00004E30,00000001,00000000,00000000,?,0045B8AF,00004E30,00000104), ref: 0045BA3C
__dosmaperr.LIBCMT ref: 0045BA43
GetFullPathNameW.KERNEL32(00000006,?,?,00000000,?,?,00461874,0045B8AF,0045B8AF,?,00000006,00000000,00000104,00004E30,00000001,00000000), ref: 0045BA6D

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: c5caae84886f4af998c3ce600fc4c0e628b8bd820caae2ca9c51f86d4988d584
Instruction ID: bf923fac6c2dad86a0d2781db911c3f037527751af333c588ac22f26e7570290
Opcode Fuzzy Hash: c5caae84886f4af998c3ce600fc4c0e628b8bd820caae2ca9c51f86d4988d584
Instruction Fuzzy Hash: 83F04476200301AFEB306F62DC08E577BEDEF54361714882AF959C3121EB75EC1597A9

Uniqueness

Uniqueness Score: -1.00%

Function 00462688 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0045A462,00000000,00000000,00000000,?,0046043A,00000000,00000001,00000000,?,?,00456757,?,0045A462,00000000), ref: 0046269F
GetLastError.KERNEL32(?,0046043A,00000000,00000001,00000000,?,?,00456757,?,0045A462,00000000,?,?,?,004560A2,00449EFD), ref: 004626AB

Part of subcall function 004626FC: CloseHandle.KERNEL32(FFFFFFFE,004626BB,?,0046043A,00000000,00000001,00000000,?,?,00456757,?,0045A462,00000000,?,?), ref: 0046270C

___initconout.LIBCMT ref: 004626BB

Part of subcall function 004626DD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00462679,00460427,?,?,00456757,?,0045A462,00000000,?), ref: 004626F0

WriteConsoleW.KERNEL32(00000000,0045A462,00000000,00000000,?,0046043A,00000000,00000001,00000000,?,?,00456757,?,0045A462,00000000,?), ref: 004626D0

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: fd83122c02efdcaed0d2a7ad9df32816af1b9b6e46a8d175793a9f330eaa0680
Instruction ID: 28aeb1562bf03d41762a1add2850f363bd9bcc8f1066ddcb92c024103a38fac9
Opcode Fuzzy Hash: fd83122c02efdcaed0d2a7ad9df32816af1b9b6e46a8d175793a9f330eaa0680
Instruction Fuzzy Hash: 73F03736000518BBCF122F96DD0898A3FA6FB443E1F044462FA1C96130E77188A0AF9A

Uniqueness

Uniqueness Score: -1.00%

Function 004408F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0044092F
__IsNonwritableInCurrentImage.LIBCMT ref: 004409E3

Strings

csm, xrefs: 004409CD

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 275c96539a70827f11ac0d50cf1574406b2bf1ea013512e04c1c8eab895d6e0e
Instruction ID: 2fcdaa67747dfc903c6bf25bc4b0eb5fc3ce860e0e35b7b3f6278563bb9b42c1
Opcode Fuzzy Hash: 275c96539a70827f11ac0d50cf1574406b2bf1ea013512e04c1c8eab895d6e0e
Instruction Fuzzy Hash: 1641E774A00208ABEF10DF69C880A9EBBB5BF45314F14805BEA189B352D779E915CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0045FAFF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0045FD76

Strings

csm, xrefs: 0045FE09
csm, xrefs: 0045FD98

Memory Dump Source

Source File: 00000000.00000002.2877630848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2877613708.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877671150.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877693642.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877714274.0000000000473000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2877732419.0000000000474000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uqt8tDIQYk.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 7a135f77747070d93fbe2afbb920f71193ef7bb04584a8986e17e64043826707
Instruction ID: c3d2d9295f435962aeb7dc978c7452de5aec3cef12e0992502e4adce58ef7be8
Opcode Fuzzy Hash: 7a135f77747070d93fbe2afbb920f71193ef7bb04584a8986e17e64043826707
Instruction Fuzzy Hash: EC31C132400218ABCF264F50D8458AA7B66FB09316B18857BFC4449223D37AD86EDB8B

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Uqt8tDIQYk.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: Uqt8tDIQYk.exePID: 6628, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: Uqt8tDIQYk.exePID: 6628, Parent PID: 2580COMMON

Execution Graph

Windows Analysis Report
Uqt8tDIQYk.exe

Function 0045477F Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Function 00403596 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 332
stringCOMMON

Function 0042FF13 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 315
stringCOMMON