Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1430667
MD5:	c6d4e7a7751714cacc798033a7405b3f
SHA1:	c7a4c20ed1ff6b6eb9c6cc0d1388c05cb67a3be1
SHA256:	c6ff8e76f68ee14c4c68827ad1eb0b49fbc2180c5ba1b44e85464c51469a2460
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

Found API chain indicative of sandbox detection

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found potential dummy code loops (likely to delay analysis)

Found stalling execution ending in API Sleep call

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Potential thread-based time evasion detected

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7044 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C6D4E7A7751714CACC798033A7405B3F)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7044	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 193.233.132.47

Timestamp:	04/24/24-02:13:59.503423
SID:	2049060
Source Port:	49732
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.47

Timestamp:	04/24/24-02:18:00.111924
SID:	2046269
Source Port:	49732
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 193.233.132.47 - Destination IP: 192.168.2.4

Timestamp:	04/24/24-02:13:59.816392
SID:	2046266
Source Port:	50500
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 20%

Perma Link

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49732 -> 193.233.132.47:50500
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.47:50500 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 193.233.132.47:50500

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 193.233.132.47:50500

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.47

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E14EB0 recv,recv,recv,recv,setsockopt,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep,

0_2_00E14EB0

Source: file.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: file.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: file.exe, 00000000.00000002.4096544778.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000002.4096544778.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTlLHT

Source: C:\Users\user\Desktop\file.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F32D85	0_2_00F32D85
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E940A0	0_2_00E940A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D9001D	0_2_00D9001D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E881A0	0_2_00E881A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011AC316	0_2_011AC316
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E54220	0_2_00E54220
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E64220	0_2_00E64220
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D9035F	0_2_00D9035F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E40350	0_2_00E40350
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E50520	0_2_00E50520
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DA47AD	0_2_00DA47AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8C8D0	0_2_00E8C8D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D8C950	0_2_00D8C950
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E94AE0	0_2_00E94AE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E44AA0	0_2_00E44AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01040B69	0_2_01040B69
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E44CD0	0_2_00E44CD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01130D7A	0_2_01130D7A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3CD20	0_2_00E3CD20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DA8E20	0_2_00DA8E20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3CFC0	0_2_00E3CFC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E44F70	0_2_00E44F70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0118D145	0_2_0118D145
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E45070	0_2_00E45070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E51040	0_2_00E51040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5D199	0_2_00D5D199
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D61135	0_2_00D61135
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4D320	0_2_00E4D320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E554A0	0_2_00E554A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3D7D0	0_2_00E3D7D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F557C3	0_2_00F557C3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D61743	0_2_00D61743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E618D0	0_2_00E618D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E45960	0_2_00E45960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E95A40	0_2_00E95A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D9DA74	0_2_00D9DA74
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D59C90	0_2_00D59C90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E45EB0	0_2_00E45EB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4DF20	0_2_00E4DF20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E820C0	0_2_00E820C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0116A5B5	0_2_0116A5B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF269F	0_2_00EF269F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D8A918	0_2_00D8A918
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E86B30	0_2_00E86B30

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00D84370 appears 39 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E94890 appears 52 times

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000000.1640274378.000000000148D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSetup.exe@ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSetup.exe@ vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal88.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\trixyJzclrbU7IL69

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: file.exe

Virustotal: Detection: 20%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: devobj.dll	Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 4019448 > 1048576

Source: file.exe

Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x3a7e00

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E1C630 LoadLibraryA,GetProcAddress,

0_2_00E1C630

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp

Source: file.exe	Static PE information: section name: .vmp
Source: file.exe	Static PE information: section name: .vmp
Source: file.exe	Static PE information: section name: .vmp

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01014B01 pushad ; iretd	0_2_01014B7F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010B0CD0 push edx; ret	0_2_010B0CE4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD4E38 push eax; ret	0_2_00FD4E55
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011992A3 push ss; iretd	0_2_011992F5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FED780 push eax; ret	0_2_00FED836
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0110996D push ebx; ret	0_2_010E6B57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D762CE push ds; retf	0_2_00D762CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F6E854 push esp; ret	0_2_00F6E85F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0110E9E3 push eax; retf	0_2_0117CFFE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010E6B26 push ebx; ret	0_2_010E6B57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0108AD93 pushfd ; ret	0_2_0102181F

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7044 base: 7F0005 value: E9 2B BA 6D 76	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7044 base: 76ECBA30 value: E9 DA 45 92 89	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7044 base: B40008 value: E9 8B 8E 3D 76	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7044 base: 76F18E90 value: E9 80 71 C2 89	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7044 base: C60005 value: E9 8B 4D F9 74	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7044 base: 75BF4D90 value: E9 7A B2 06 8B	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7044 base: C70005 value: E9 EB EB F9 74	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7044 base: 75C0EBF0 value: E9 1A 14 06 8B	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7044 base: C90005 value: E9 8B 8A 34 74	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7044 base: 74FD8A90 value: E9 7A 75 CB 8B	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7044 base: CA0005 value: E9 2B 02 36 74	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7044 base: 75000230 value: E9 DA FD C9 8B	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetCursorPos, DecisionNode, Sleep

graph_0-60787

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetPEB, DecisionNodes, Sleep

graph_0-60789

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\file.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-60821

Potential thread-based time evasion detected

Source: Initial file

Signature Results: Thread-based counter

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB8A20 rdtsc

0_2_00FB8A20

Source: C:\Users\user\Desktop\file.exe

Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,

0_2_00DADA50

Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 2988			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 6871			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-60821

Source: C:\Users\user\Desktop\file.exe

API coverage: 9.7 %

Source: C:\Users\user\Desktop\file.exe TID: 7072	Thread sleep count: 2988 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7072	Thread sleep time: -301788s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7072	Thread sleep count: 6871 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7072	Thread sleep time: -693971s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed

Source: file.exe, 00000000.00000002.4096544778.0000000000B50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: file.exe, 00000000.00000003.1661389596.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000002.4096544778.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}s
Source: file.exe, 00000000.00000003.1661389596.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000002.4096544778.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\file.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB8A20 rdtsc

0_2_00FB8A20

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E1C630 LoadLibraryA,GetProcAddress,

0_2_00E1C630

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DADA50 mov eax, dword ptr fs:[00000030h]		0_2_00DADA50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DADA50 mov eax, dword ptr fs:[00000030h]		0_2_00DADA50

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 7044, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 7044, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	211 Virtualization/Sandbox Evasion	1 Credential API Hooking	321 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	211 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	20%	Virustotal		Browse

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	file.exe, 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	file.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.winimage.com/zLibDll	file.exe, 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmp	false		high
https://t.me/RiseProSUPPORT	file.exe, 00000000.00000002.4096544778.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	file.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	file.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	file.exe	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORTlLHT	file.exe, 00000000.00000002.4096544778.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.233.132.47	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430667
Start date and time:	2024-04-24 02:13:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
02:14:34	API Interceptor	994672x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
193.233.132.47	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	file.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	193.233.132.234
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse	193.233.132.234
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	193.233.132.167
	c3nBx2HQG2.exe	Get hash	malicious	Glupteba, Mars Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	193.233.132.234
	file.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	193.233.132.169
	MOD.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.47.64
	ygm2mXUReY.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	file.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	193.233.132.175

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.95741990316148
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	4'019'448 bytes
MD5:	c6d4e7a7751714cacc798033a7405b3f
SHA1:	c7a4c20ed1ff6b6eb9c6cc0d1388c05cb67a3be1
SHA256:	c6ff8e76f68ee14c4c68827ad1eb0b49fbc2180c5ba1b44e85464c51469a2460
SHA512:	ae47d59925256b1925ea0bdb646e2983057b61a89005b0423aa682b382333c80134ff58adcf3c8279d984e479a7cd878a94f3e2b42f2fdce48823355e253fb28
SSDEEP:	98304://yhdds+FCQdZP8vabXFKW0e67+KIJGL:SddFFlZkmXFKL57Z6G
TLSH:	D016339D6BE71116C41AA2744B12F9BD34791AD903248E267838FDC69EF33906DF62C3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^.%f...............'............ .r...........@...........................v.....Q.=...@................................

File Icon


Icon Hash:	544c78797264bc98

Static PE Info

General

Entrypoint:	0xb2f720
Entrypoint Section:	.vmp
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6625EF5E [Mon Apr 22 05:02:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	fce2185f86316405847dae4f4adccdc7

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=AVG Technologies USA LLC \u2122\u2030\u2122\u2030\u2122\u2030
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	06/01/2024 10:14:42 07/01/2034 10:14:42
Subject Chain	CN=AVG Technologies USA LLC \u2122\u2030\u2122\u2030\u2122\u2030
Version:	3
Thumbprint MD5:	27F5DD79C86B9255242DDB29A51B691E
Thumbprint SHA-1:	44268FBAA5D87BA1717C7237701B06FA20E9AF66
Thumbprint SHA-256:	1C39A7BBBC7445339DEFD55E21DFA65CDEB9037F0FD33140759077C31CB40BE0
Serial:	59AE1233E1806897438DF0EEC7051E17

Entrypoint Preview

Instruction
call 00007FB1245BD35Eh
mov ecx, DBAB1CA8h
mov eax, ecx
mov eax, dword ptr [esi]
and ecx, FFB00A27h
mov ecx, dword ptr [esi+04h]
ja 00007FB12455E833h
rcl edx, cl
arpl word ptr [edx], di
xor eax, A1523741h
cmc
xor byte ptr [edx], al
and ebx, dword ptr [edx+12F74176h]
xchg eax, edx
sbb ebx, dword ptr [edx-4Ah]
sbb eax, 9C10C92Ch
jmp 00007FB1248335DAh
sbb al, F3h
enter 861Dh, 24h
mov eax, dword ptr [064466F2h]
add byte ptr [ebp-4D096B09h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], dh
jl 00007FB124833577h
aas
fild word ptr [esi+736E1972h]
cmp al, 49h
rol bl, 1
fst dword ptr [ebp+72h]
pop edx
mov esi, D74585CFh
sbb dl, byte ptr [ebp+6B4D6CFBh]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x46531c	0x140	.vmp
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x73f000	0x2958d	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3d3c00	0x18f8	.vmp
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x73d000	0x1a10	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x430898	0x18	.vmp
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x73c480	0x40	.vmp
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x394000	0x8c	.vmp
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x40f8d0	0x40	.vmp
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x158af8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15a000	0x27b5a	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x182000	0x4930	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp	0x187000	0x20c337	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp	0x394000	0x72c	0x800	d55390fa92d793fca2f4643786f0f9b6	False	0.0556640625	data	0.34656804998527746	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp	0x395000	0x3a7d30	0x3a7e00	311c73fe845e584807066466b5e78ff1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x73d000	0x1a10	0x1c00	85d05c19d2e41912662b1c769fe84f55	False	0.37918526785714285	data	5.757845403427371	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x73f000	0x2958d	0x29600	49d50500fd5a2b2bade9e4f51d19f5eb	False	0.753215870468278	data	7.138542640397	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x73f1d4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	French	France	0.7300656660412758
RT_ICON	0x74027c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	French	France	0.6073452999527633
RT_ICON	0x7444a4	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	French	France	0.5098189991718917
RT_ICON	0x754ccc	0x13208	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	French	France	1.0003956907995506
RT_GROUP_ICON	0x767ed4	0x3e	data	French	France	0.8064516129032258
RT_VERSION	0x767f14	0x320	data	English	United States	0.4225
RT_MANIFEST	0x768234	0x359	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4644107351225204

Imports

DLL	Import
KERNEL32.dll	GetVersionExA
USER32.dll	wsprintfA
GDI32.dll	CreateCompatibleBitmap
ADVAPI32.dll	RegQueryValueExA
SHELL32.dll	ShellExecuteA
ole32.dll	CoInitialize
WS2_32.dll	WSAStartup
CRYPT32.dll	CryptUnprotectData
SHLWAPI.dll	PathFindExtensionA
gdiplus.dll	GdipGetImageEncoders
SETUPAPI.dll	SetupDiEnumDeviceInfo
ntdll.dll	RtlUnicodeStringToAnsiString
RstrtMgr.DLL	RmStartSession
KERNEL32.dll	GetSystemTimeAsFileTime
KERNEL32.dll	HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress

Possible Origin

Language of compilation system	Country where language is spoken	Map
French	France
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/24/24-02:13:59.503423	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49732	50500	192.168.2.4	193.233.132.47
04/24/24-02:18:00.111924	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49732	50500	192.168.2.4	193.233.132.47
04/24/24-02:13:59.816392	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	50500	49732	193.233.132.47	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 02:13:59.131812096 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:13:59.473968983 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:13:59.474056959 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:13:59.503422976 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:13:59.816391945 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:13:59.861840010 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:13:59.957020998 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:14:02.955728054 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:14:03.453269005 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:14:34.580651999 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:14:35.054075003 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:14:56.580620050 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:14:57.053845882 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:06.006191969 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:15:06.453366041 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:12.565913916 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:15:12.953174114 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:15.690299988 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:15:16.155078888 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:18.831031084 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:15:19.253335953 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:21.971563101 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:15:22.353763103 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:25.096466064 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:15:25.653301001 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:28.236882925 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:15:28.654078007 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:31.377576113 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:15:31.853971004 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:34.518165112 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:15:34.953488111 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:37.658787966 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:15:38.053366899 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:40.799523115 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:15:41.353527069 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:43.939964056 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:15:44.353833914 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:47.065026999 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:15:47.454178095 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:50.205682039 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:15:50.653305054 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:53.346446991 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:15:53.753566980 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:56.471378088 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:15:56.853070021 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:15:59.612525940 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:00.054008007 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:02.752554893 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:03.153928041 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:05.893198967 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:06.439912081 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:06.453883886 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:06.782517910 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:09.018361092 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:09.453623056 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:12.935113907 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:13.353152990 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:16.064960003 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:16.553415060 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:19.190869093 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:19.653850079 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:22.315203905 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:22.754067898 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:25.455558062 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:25.853651047 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:28.580696106 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:29.052958012 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:31.721436024 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:32.153101921 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:34.861958027 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:35.253113985 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:37.987200975 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:38.453283072 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:41.111927986 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:41.553900957 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:44.252686977 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:44.653564930 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:47.393208981 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:47.854042053 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:50.518527031 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:51.053868055 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:53.643491983 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:54.053746939 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:16:56.783888102 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:16:57.254478931 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:00.606498957 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:01.053221941 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:03.721148968 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:04.153211117 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:06.846154928 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:07.253859043 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:09.986951113 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:10.453897953 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:13.112116098 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:13.553904057 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:16.236851931 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:16.753705978 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:19.377437115 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:19.853434086 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:22.503663063 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:23.053436995 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:25.643055916 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:26.054091930 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:28.768366098 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:29.153284073 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:31.893080950 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:32.353811979 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:35.073266029 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:35.654139996 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:38.190133095 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:38.752969027 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:41.315170050 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:41.753473043 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:44.455533028 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:44.853473902 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:47.580526114 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:48.053911924 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:50.721266031 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:51.153323889 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:53.861882925 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:54.253382921 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:17:56.986840963 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:17:57.453799963 CEST	50500	49732	193.233.132.47	192.168.2.4
Apr 24, 2024 02:18:00.111923933 CEST	49732	50500	192.168.2.4	193.233.132.47
Apr 24, 2024 02:18:00.553698063 CEST	50500	49732	193.233.132.47	192.168.2.4

Target ID:	0
Start time:	02:13:56
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xd50000
File size:	4'019'448 bytes
MD5 hash:	C6D4E7A7751714CACC798033A7405B3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.6%
Total number of Nodes:	175
Total number of Limit Nodes:	32

Executed Functions

Function 00E14EB0 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 280
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recv.WS2_32(?,0000030C,0000FFFF,00001006), ref: 00E14F71
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00E14FF3
recv.WS2_32(00000000,0000000C,00000008), ref: 00E15014
recv.WS2_32(00000000,?,00000008,?), ref: 00E150CB

Part of subcall function 00E15940: closesocket.WS2_32(74D723A0), ref: 00E15A2D

recv.WS2_32(?,00000004,00000008), ref: 00E151D3
__Xtime_get_ticks.LIBCPMT ref: 00E151DA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E151E8
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00E15261
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00E15269

Strings

(c, xrefs: 00E14F05

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: recv$Sleep$Unothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocket
String ID: (c
API String ID: 4162995302-1781735918
Opcode ID: ada5214b99b1c2f20d1cc1b3991553eb2d36261d4dca50b6d1cdeb362605244d
Instruction ID: 0b0a82a49d2fd5150911cbc40d40491a3837816fdd8d7ceb56e709fddf758bc1
Opcode Fuzzy Hash: ada5214b99b1c2f20d1cc1b3991553eb2d36261d4dca50b6d1cdeb362605244d
Instruction Fuzzy Hash: 04B1BDB2D00308DFEB15DFA4DD49BADBBB1EF59304F14021AE454BB2A2D7B05988DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00DADA50 Relevance: 7.7, APIs: 5, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCursorPos.USER32(?), ref: 00DADA63
GetCursorPos.USER32(?), ref: 00DADA69
Sleep.KERNELBASE(000003E9), ref: 00DADB18
GetCursorPos.USER32(?), ref: 00DADB1E
Sleep.KERNELBASE(00000001), ref: 00DADBCA

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Cursor$Sleep
String ID:
API String ID: 1847515627-0
Opcode ID: 0ee8609d3a3a47099238a4f1a8bde8db1013ac9a5ebd783567fcd8217ae923c5
Instruction ID: dd941ffe40dfd2cac810b65e8d551b2ce7cbad0e452349a62cc3b153eef71e39
Opcode Fuzzy Hash: 0ee8609d3a3a47099238a4f1a8bde8db1013ac9a5ebd783567fcd8217ae923c5
Instruction Fuzzy Hash: FF519D35A04215CFCB14CF58C4D0EA9B7F2FF4A704B1A8199D446ABB51D731ED05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F32D85 Relevance: 1.6, Strings: 1, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

v<Ea, xrefs: 00E32FC6

Memory Dump Source

Source File: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: v<Ea
API String ID: 0-4124759590
Opcode ID: 1968182d0c2279b66626e934f60e52382bbebd5d9fbd59a9db6cde57d95046de
Instruction ID: 4f52cbe81d497294213dac1c7d36f348c5ed07d1223147355389b45916e4f151
Opcode Fuzzy Hash: 1968182d0c2279b66626e934f60e52382bbebd5d9fbd59a9db6cde57d95046de
Instruction Fuzzy Hash: 710267B0D002498BDB14CFA8C995BEEBBB0FF45304F24425DE944BB341E7716A84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EEE07C Relevance: 3.1, APIs: 2, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943737b8470e6a7cac3f4a86bb88d9246d146cc958efc5919e36d89a806ee602
Instruction ID: e5246e4c09762d96cdb9baf42d9d0aea6ba9b6084a082ba7e9d5205cbd9bdd99
Opcode Fuzzy Hash: 943737b8470e6a7cac3f4a86bb88d9246d146cc958efc5919e36d89a806ee602
Instruction Fuzzy Hash: 0211E7314463CD99A6357BB7BC0687E37D9EFD13A5730352AF158F0292DF3288819161

Uniqueness

Uniqueness Score: -1.00%

Function 00D98DEF Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00D98CD6,00000000,CF830579,00EC7178,0000000C,00D98D92,00D8D06D,?), ref: 00D98E45
GetLastError.KERNEL32 ref: 00D98E4F

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 5b589fa8502018ea748797a46c1ba62413055cde4d7d5f36dc11f7723b7c33f9
Instruction ID: fd0cdcfa482a26927a3617c94ca71c6ba9a7bde6c5ffe43aa222eb8a7f665671
Opcode Fuzzy Hash: 5b589fa8502018ea748797a46c1ba62413055cde4d7d5f36dc11f7723b7c33f9
Instruction Fuzzy Hash: 6F116B33A042506ACF256B34EC99B7E6749CB83F34F2D0619F818972C2DF329C8092B0

Uniqueness

Uniqueness Score: -1.00%

Function 00E15940 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

closesocket.WS2_32(74D723A0), ref: 00E15A2D

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 2d278051b74993df46f08a7183f17db7e0b30a5e74206d90eed6b2cd3d5a871a
Instruction ID: 9364e9093a6771b3128b820533329091ddef3218ba73d2b0f4df38323edd62db
Opcode Fuzzy Hash: 2d278051b74993df46f08a7183f17db7e0b30a5e74206d90eed6b2cd3d5a871a
Instruction Fuzzy Hash: 28312672509700AFC7219B648C40AABBBE5FFC5728F04571AF8A4A7191D371984887A2

Uniqueness

Uniqueness Score: -1.00%

Function 00D532D0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00D5331F

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction ID: 25198ae3095ce88a85520be81edeae124d3d94cb8d2be08155285de4fb8e71d6
Opcode Fuzzy Hash: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction Fuzzy Hash: 0FF0B4721001049BDF147F68D4168E9B3E8EF243A2754097AEC8DC7212FB26DA5887B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D9250C Relevance: 1.3, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000000,?,00000000,00000000,00D8D0B7,00000000,00000002,00000000,00000000,00000000,00000000,?,00D92646,00000000,00000000,00D8D0B7), ref: 00D92555

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 3afe3a0f10bda36810725bc0c9cc00b78a3c4485159837cfe830d8a9614a4dda
Instruction ID: c81b84027d6617f7018f12d3e856d6f6b85fd51e96e5ad9e05bc39b227e7edef
Opcode Fuzzy Hash: 3afe3a0f10bda36810725bc0c9cc00b78a3c4485159837cfe830d8a9614a4dda
Instruction Fuzzy Hash: 6101D233610215BFCF09CF59DC55DBE3B29EB85320B290209F811AB291E671EE429BA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00D5D199 Relevance: 109.3, APIs: 19, Strings: 41, Instructions: 4265COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,00000000), ref: 00D5D29A
CreateDirectoryA.KERNEL32(?,00000000), ref: 00D5D6F8
CreateDirectoryA.KERNEL32(?,00000000), ref: 00D5DAD7
CreateDirectoryA.KERNEL32(?,00000000), ref: 00D5DF3C
CreateDirectoryA.KERNEL32(?,00000000), ref: 00D5E6FA
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00D5EEEA
CreateDirectoryA.KERNEL32(?,00000000), ref: 00D5F45B
CreateDirectoryA.KERNEL32(?,00000000), ref: 00D5F525
CreateDirectoryA.KERNEL32(?,00000000), ref: 00D5F933
CreateDirectoryA.KERNEL32(?,00000000), ref: 00D61E6E

Strings

v<Ea, xrefs: 00D614EC
v<Ea, xrefs: 00D5E300
v<Ea, xrefs: 00D60D5A
v<Ea, xrefs: 00D5E1F8
v<Ea, xrefs: 00D5E414
!E, xrefs: 00D5FB2A
VPtm,, xrefs: 00D61CD5
X, xrefs: 00D5E83E
CH, xrefs: 00D5F808
P(S, xrefs: 00D61082
v<Ea, xrefs: 00D5DEDD
v<Ea, xrefs: 00D6127C
Psk, xrefs: 00D5F837
v<Ea, xrefs: 00D61390
v<Ea, xrefs: 00D614A0
t=, xrefs: 00D5F3A4
v<Ea, xrefs: 00D5F219
v<Ea, xrefs: 00D62177
v<Ea, xrefs: 00D61016
.4, xrefs: 00D60CED
v<Ea, xrefs: 00D612C8
v<Ea, xrefs: 00D5F1CA
v<Ea, xrefs: 00D5FFF4
v<Ea, xrefs: 00D60C7E
Pih, xrefs: 00D5FB41
v<Ea, xrefs: 00D5EC07
5H, xrefs: 00D5F2E6
tv, xrefs: 00D61257
v<Ea, xrefs: 00D613DC
v<Ea, xrefs: 00D5EC59
~, xrefs: 00D60C07
t=, xrefs: 00D61DB7
aS, xrefs: 00D5D3AA
?, xrefs: 00D60066
v<Ea, xrefs: 00D5E34C
v<Ea, xrefs: 00D61C83
PQh, xrefs: 00D5FB59
v<Ea, xrefs: 00D5DDD7
v<Ea, xrefs: 00D5E244
v<Ea, xrefs: 00D5E040
U, xrefs: 00D5E612

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: CreateDirectory
String ID: P(S$PQh$Pih$Psk$VPtm,$t=$t=$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$~$U$X$!E$.4$5H$CH$aS$tv$?
API String ID: 4241100979-2467105940
Opcode ID: 823eda9a54719eec0ad367d3af9fdc853fcd1d338ddd37e3653597b173c7fcfc
Instruction ID: 498d49dc7178a375ac1677306393758e19881c38858aad0b7018131e3bdfd22f
Opcode Fuzzy Hash: 823eda9a54719eec0ad367d3af9fdc853fcd1d338ddd37e3653597b173c7fcfc
Instruction Fuzzy Hash: 3CB3EFB4D0426D8BDF25CFA8C991AEDBBB1BF08300F148199D859B7341EB742A85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00D61135 Relevance: 25.3, APIs: 3, Strings: 11, Instructions: 808COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,00000000), ref: 00D61904

Strings

v<Ea, xrefs: 00D613DC
v<Ea, xrefs: 00D614EC
v<Ea, xrefs: 00D62177
VPtm,, xrefs: 00D61CD5
t=, xrefs: 00D61DB7
v<Ea, xrefs: 00D61390
v<Ea, xrefs: 00D612C8
v<Ea, xrefs: 00D614A0
v<Ea, xrefs: 00D61C83
tv, xrefs: 00D61257
v<Ea, xrefs: 00D6127C

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: CreateDirectory
String ID: VPtm,$t=$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$tv
API String ID: 4241100979-668254263
Opcode ID: e230946b75d44c34ac16c8a8afedd8bf97d261082d1b547e611f8c288765de00
Instruction ID: e2c22fcc23ea720ee4420cd60ac8786c75012663c5220169a05baa8405dac97c
Opcode Fuzzy Hash: e230946b75d44c34ac16c8a8afedd8bf97d261082d1b547e611f8c288765de00
Instruction Fuzzy Hash: 0CA2EEB4D0425C8BDB25CFA8C984AECBBB1AF59310F1442D9D859B7381EB712E85CF25

Uniqueness

Uniqueness Score: -1.00%

Function 00E95A40 Relevance: 16.6, APIs: 3, Strings: 6, Instructions: 872COMMON

Download Yara Rule

Strings

NaN, xrefs: 00E960C8
Inf, xrefs: 00E961C9
gfff, xrefs: 00E9649D
+Inf, xrefs: 00E961C0
-Inf, xrefs: 00E961B9
+, xrefs: 00E9600D

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: +$+Inf$-Inf$Inf$NaN$gfff
API String ID: 0-2743850093
Opcode ID: 98765163ef19a44c4928082a55dab36803ec8935de110636921414c5bf593c17
Instruction ID: 56198cf33241457d8bf9e3c5f168be0cea89ae1bb76e0959f9f506530460c74d
Opcode Fuzzy Hash: 98765163ef19a44c4928082a55dab36803ec8935de110636921414c5bf593c17
Instruction Fuzzy Hash: D672E57190CB808FDB26CF29845036BBBE1AFD6344F189A5EE8D6A7252D770C945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00D59C90 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 357libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00D59D32
GetProcAddress.KERNEL32(?), ref: 00D59E3D
GetProcAddress.KERNEL32(?), ref: 00D59F36
GetProcAddress.KERNEL32(?), ref: 00D59FBB
GetProcAddress.KERNEL32(?), ref: 00D5A055
GetProcAddress.KERNEL32(?), ref: 00D5A0EF
GetProcAddress.KERNEL32(?), ref: 00D5A189
GetProcAddress.KERNEL32(?), ref: 00D5A223

Strings

v<Ea, xrefs: 00D5A1EA

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: v<Ea
API String ID: 2238633743-4124759590
Opcode ID: 5b17feba70774a7e924d693eec6bc97ffdccd87876a1f89e9308c3b3aa1084fb
Instruction ID: 3188d222f326181099158da6daedfeb5fcaf2d36b3372456cdf47268b54b0272
Opcode Fuzzy Hash: 5b17feba70774a7e924d693eec6bc97ffdccd87876a1f89e9308c3b3aa1084fb
Instruction Fuzzy Hash: 252265B8D0525CEFDB15CFA9D9816ECBBB1BB08310F20819AD859B7350E7702A85EF45

Uniqueness

Uniqueness Score: -1.00%

Function 00D61743 Relevance: 14.7, APIs: 3, Strings: 5, Instructions: 687COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,00000000), ref: 00D61904

Strings

v<Ea, xrefs: 00D62177
VPtm,, xrefs: 00D61CD5
t=, xrefs: 00D61DB7
v<Ea, xrefs: 00D61C83
string too long, xrefs: 00D622AC

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: CreateDirectory
String ID: VPtm,$string too long$t=$v<Ea$v<Ea
API String ID: 4241100979-470778155
Opcode ID: 7431e0e4488a86c17715ffbe6c6cdc4f32c90fb618dafd9980c2713a0c348852
Instruction ID: 4c517da503597e49ac031b8474f4fbd7d1c062d71fb8f66acb7b1509598c312e
Opcode Fuzzy Hash: 7431e0e4488a86c17715ffbe6c6cdc4f32c90fb618dafd9980c2713a0c348852
Instruction Fuzzy Hash: 408203B4C0529C8BDB25DFA8C9846DCBBF1AF09320F244299D859B7341EB712E85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DA47AD Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00DA49C4

Strings

1#SNAN, xrefs: 00DA48B9
1#QNAN, xrefs: 00DA48C0
1#INF, xrefs: 00DA48E3
1#IND, xrefs: 00DA48B2

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a6b106ea73605939c30f8f52a6c8fa0c217cc9764403cefa31c307b7a7fa32d4
Instruction ID: df1dc69037e0daa0ed3e5e987c0aec1beff17af6d6378474d8bb0d7835f2f70c
Opcode Fuzzy Hash: a6b106ea73605939c30f8f52a6c8fa0c217cc9764403cefa31c307b7a7fa32d4
Instruction Fuzzy Hash: C2D25971E086288FDB64CF28DC407EAB7B5EB85315F1841EAD44DE7244E778AE818F61

Uniqueness

Uniqueness Score: -1.00%

Function 00E64220 Relevance: 8.9, Strings: 6, Instructions: 1371COMMON

Download Yara Rule

Strings

OID, xrefs: 00E64A02
ROWID, xrefs: 00E649F2
table %S has %d columns but %d values were supplied, xrefs: 00E64869
%d values for %d columns, xrefs: 00E64933
table %S has no column named %s, xrefs: 00E64A3F
_ROWID_, xrefs: 00E649DD

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: %d values for %d columns$OID$ROWID$_ROWID_$table %S has %d columns but %d values were supplied$table %S has no column named %s
API String ID: 0-3534356592
Opcode ID: 910cba5274f86a742de39be44d7746bfab2334148f81e2d023467a5118f7eb15
Instruction ID: e6c87d48d2965789cf98a9a01e49a0dfec82d30fdde28ed86360afd0f67e5ce5
Opcode Fuzzy Hash: 910cba5274f86a742de39be44d7746bfab2334148f81e2d023467a5118f7eb15
Instruction Fuzzy Hash: B7D2B0B06047418FD724DF18D440B2BBBE1FF84788F15995DE88AAB392D771E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00E1C630 Relevance: 6.5, Strings: 5, Instructions: 248COMMON

Download Yara Rule

Strings

(c, xrefs: 00E1C6D7, 00E1C683, 00E1C6B3, 00E1C6DC, 00E1C687, 00E1C677, 00E1C67E, 00E1C6AB
v<Ea, xrefs: 00E1C7D2
%s|%s, xrefs: 00E1C89F
(c, xrefs: 00E1C95E
(c, xrefs: 00E1C80E

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: %s|%s$(c$(c$(c$v<Ea
API String ID: 0-2154753988
Opcode ID: e35f32da48ed5f99776939967bdfce416411053bf30b86b94a7cdfe684b8c236
Instruction ID: 0fc60125842a0707fd28415dd4e9bb0ed1225c5424bd08d58258c4dae7d392a4
Opcode Fuzzy Hash: e35f32da48ed5f99776939967bdfce416411053bf30b86b94a7cdfe684b8c236
Instruction Fuzzy Hash: 98A17AB1D002089FDB14CFA9CC85BEEBBB4FF48710F104259E959BB281D7746A85CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D8C950 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46284e79cbb253acf149296a2f9e055bfabcba478f2dcd3cb23d94f7ca6c8d97
Instruction ID: a71b7da869f19de05a2e6b915765257b60ba7616cb96460934370fc709438984
Opcode Fuzzy Hash: 46284e79cbb253acf149296a2f9e055bfabcba478f2dcd3cb23d94f7ca6c8d97
Instruction Fuzzy Hash: 94023C71E11219DBDF14DFA9D8806AEFBF1FF48314F248269E919E7341D731A9418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E618D0 Relevance: 6.3, Strings: 4, Instructions: 1286COMMON

Download Yara Rule

Strings

unknown error, xrefs: 00E6280C, 00E6287C
out of memory, xrefs: 00E627D8, 00E62848
library routine called out of sequence, xrefs: 00E6275F, 00E627B7
WITHOUT ROWID, xrefs: 00E61934, 00E619FA

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: WITHOUT ROWID$library routine called out of sequence$out of memory$unknown error
API String ID: 0-2048571646
Opcode ID: 7d01117cc8212087075d5a36a09361543783d2d98360a5c42dda930e99038b76
Instruction ID: b93701db038c0621b2129ec81f905fcf7d234f0ef45dde1e5b75bb4c12d019ef
Opcode Fuzzy Hash: 7d01117cc8212087075d5a36a09361543783d2d98360a5c42dda930e99038b76
Instruction Fuzzy Hash: FFB2BE70A40606DFDB29CF28E880BAEB7B1FF04344F18556EE91ABB351D731A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E54220 Relevance: 6.2, Strings: 4, Instructions: 1165COMMON

Download Yara Rule

Strings

OID, xrefs: 00E54518
ROWID, xrefs: 00E54508
no such column: %s, xrefs: 00E54597
_ROWID_, xrefs: 00E544F4

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: OID$ROWID$_ROWID_$no such column: %s
API String ID: 0-2593059340
Opcode ID: 9ef4eff329c595c75b0097a195d43f1c688aed8b4d66fc6dee67dd301d4a496a
Instruction ID: 5c9827dfdf85249aa3e0aa1f5c5b6fd434d92be8ccb83bbe9c5cfc8e451608ff
Opcode Fuzzy Hash: 9ef4eff329c595c75b0097a195d43f1c688aed8b4d66fc6dee67dd301d4a496a
Instruction Fuzzy Hash: 67C269B0604B418FC724DF18C090B2ABBE1FF84349F15995DED9A6B392D775E849CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00E4DF20 Relevance: 6.1, Strings: 4, Instructions: 1130COMMON

Download Yara Rule

Strings

.,+-, xrefs: 00E4E3A0
@, xrefs: 00E4DF86
H, xrefs: 00E4E6CE
Q, xrefs: 00E4E6C7

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: .,+-$@$H$Q
API String ID: 0-2755557186
Opcode ID: f159eea2f7f6536e5ecd2ebb2e32b68161e22c62859aab79fa84aa0a75319b3f
Instruction ID: cbcf199b3c6e4929ff28c566b497590873a37c0f44f5f2a7e5aaefd54ae933d7
Opcode Fuzzy Hash: f159eea2f7f6536e5ecd2ebb2e32b68161e22c62859aab79fa84aa0a75319b3f
Instruction Fuzzy Hash: 3DB26A70E002099FDF14DFA8D890AAEBBB2FF48304F149169E855BB392D735AD55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00DA8E20 Relevance: 5.5, Strings: 4, Instructions: 463COMMON

Download Yara Rule

Strings

+, xrefs: 00DA9353
J, xrefs: 00DA91E5, 00DA919E, 00DA90FF
/, xrefs: 00DA9358
string too long, xrefs: 00DA9327

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: +$/$J$string too long
API String ID: 0-2407699343
Opcode ID: 516a1e754bc688077e9529f7c6876b896289834250be9ae073c7bfc35edb9c87
Instruction ID: 548072e52d3c7c208c21574d3423df0bf82f12c5a3a918acf8d3e5d9731fd51f
Opcode Fuzzy Hash: 516a1e754bc688077e9529f7c6876b896289834250be9ae073c7bfc35edb9c87
Instruction Fuzzy Hash: C102D1719042459FCB05CF68C8947EEBBF5EF4A310F28426AE865A7382D7349A44CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00E554A0 Relevance: 5.4, Strings: 3, Instructions: 1619COMMON

Download Yara Rule

Strings

too many terms in compound SELECT, xrefs: 00E55726
min, xrefs: 00E5694D
max, xrefs: 00E5696C

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: max$min$too many terms in compound SELECT
API String ID: 0-238764930
Opcode ID: cbf5376050c120e587522801a01ab93cfba7f263105473f83823799712703295
Instruction ID: 4f46fa1b83a0135543a3343e21a7ed8ce0bd0b3c5da8041a19e1781e11e09190
Opcode Fuzzy Hash: cbf5376050c120e587522801a01ab93cfba7f263105473f83823799712703295
Instruction Fuzzy Hash: D8F26970604741CFD724DF28C490B2ABBE1FF84309F15996DE9899B352EB75E909CB82

Uniqueness

Uniqueness Score: -1.00%

Function 01130D7A Relevance: 5.1, Strings: 4, Instructions: 148COMMON

Download Yara Rule

Strings

4, xrefs: 0118E7F0
?, xrefs: 01130DB2
', xrefs: 012963CD
a, xrefs: 01130DB9

Memory Dump Source

Source File: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: '$4$?$a
API String ID: 0-2496703398
Opcode ID: 32316e718a757849c0748b7f18aa416830173eb800411bc52a8f1b7aa6792b4f
Instruction ID: 9bc8876e1ae0b4185cf20c48584172c5d6148382c0d9971159b2abe35bf7b2ea
Opcode Fuzzy Hash: 32316e718a757849c0748b7f18aa416830173eb800411bc52a8f1b7aa6792b4f
Instruction Fuzzy Hash: 1F51583150C791ABD71DAF24C8156AABBE1FF92320F54DA5CE4EA071D2E3359406DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00E4D320 Relevance: 4.6, Strings: 3, Instructions: 827COMMON

Download Yara Rule

Strings

@, xrefs: 00E4D99B
at most %d tables in a join, xrefs: 00E4D348
cannot use index: %s, xrefs: 00E4DAD2

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: @$at most %d tables in a join$cannot use index: %s
API String ID: 0-1661248
Opcode ID: 3cb89e5d228d70d8bf21ecf0fccf2401f2224719539d2781725883217d8ffdc0
Instruction ID: 43d2ee5836fcf9fd6c6ebe4cec207a9658ef02cf4cbbb71cab886bd74d6538ed
Opcode Fuzzy Hash: 3cb89e5d228d70d8bf21ecf0fccf2401f2224719539d2781725883217d8ffdc0
Instruction Fuzzy Hash: 61725771A087418FD724CF28D840B2AB7E2FFC8318F159A5DE899AB351D770E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0116A5B5 Relevance: 4.0, Strings: 3, Instructions: 241COMMON

Download Yara Rule

Strings

', xrefs: 012963CD
X'{, xrefs: 01113E49
Z, xrefs: 0116A619

Memory Dump Source

Source File: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: '$X'{$Z
API String ID: 0-4276205954
Opcode ID: 7dc47073ff71d3badd0ef0079de72d08779d235589716dcfdb9026319fbc0479
Instruction ID: c8a7875d47551cd5d8106d74ce06d6ea4b14b3bce5822cf4abbe8413f8ea4dec
Opcode Fuzzy Hash: 7dc47073ff71d3badd0ef0079de72d08779d235589716dcfdb9026319fbc0479
Instruction Fuzzy Hash: 418199315187969FC7099F38C8806EABBE2FFD2324F848A2DE5E6871D6D3359406C741

Uniqueness

Uniqueness Score: -1.00%

Function 00E8C8D0 Relevance: 3.5, APIs: 2, Instructions: 484COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8CA85
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8CD87

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 7643884fd159501ad21b83adce755281ab3e9a7888280cc720f3666325f71a0e
Instruction ID: 1c3784c1852aa4f0955c7b542418c59fe72c69ddcc46b35b06785691e72342d6
Opcode Fuzzy Hash: 7643884fd159501ad21b83adce755281ab3e9a7888280cc720f3666325f71a0e
Instruction Fuzzy Hash: 3A02D470604602AFDB18EF28C840B6AB7E0BF8A318F24956DE45DE7650D774EC95CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00E940A0 Relevance: 3.5, APIs: 2, Instructions: 465COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E94443
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E944A1

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: fd72d836d90a6cfad1a6a999fa81fbda92248e81c5ce7c131b337026effd61df
Instruction ID: 79569f1784d8f88159032528791e56af7312154d39ff2b9da0051bbc4864f016
Opcode Fuzzy Hash: fd72d836d90a6cfad1a6a999fa81fbda92248e81c5ce7c131b337026effd61df
Instruction Fuzzy Hash: 6402E2B1E006198BCF18CFADC890ABDFBF1BB95314F1952AAE959BB391D7344942C740

Uniqueness

Uniqueness Score: -1.00%

Function 00E881A0 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

d, xrefs: 00E883D1
Wa, xrefs: 00E881DC, 00E8848A, 00E88437, 00E8837D, 00E8840D

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: Wa$d
API String ID: 0-563278814
Opcode ID: 5c1731f4dc62e84164a98e596763b0f5c08a0bc014a8373ec83a0d8eab401c5d
Instruction ID: 5b0181290706db740d26c5c0edc92accd9a5c0df70451ec126b6c498757faa77
Opcode Fuzzy Hash: 5c1731f4dc62e84164a98e596763b0f5c08a0bc014a8373ec83a0d8eab401c5d
Instruction Fuzzy Hash: 0DB1B1316047428FD314DF29C58056ABBE2BF99304F5885ADE89D9F343DB36E906CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0118D145 Relevance: 2.7, Strings: 2, Instructions: 244COMMON

Download Yara Rule

Strings

_CZ8, xrefs: 011F206B
\K, xrefs: 011F1F20

Memory Dump Source

Source File: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: _CZ8$\K
API String ID: 0-1938404051
Opcode ID: 45d2e40018c0a13860ab6eed7eda0c9500f61ace60405a1136f13194e70f0c29
Instruction ID: 37332fae61f10cad0a68ada44f327d3232b4b7bd562245f927c573ce35933e5f
Opcode Fuzzy Hash: 45d2e40018c0a13860ab6eed7eda0c9500f61ace60405a1136f13194e70f0c29
Instruction Fuzzy Hash: 9271C97750C6C2DFD72B8FB898201D57FA2EEA721071846CEC6D18B1A2D722940AC792

Uniqueness

Uniqueness Score: -1.00%

Function 00E50520 Relevance: 2.1, Strings: 1, Instructions: 858COMMON

Download Yara Rule

Strings

match, xrefs: 00E50E38

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: match
API String ID: 0-2052834565
Opcode ID: e38c5ba39e3c86c1cfb3484f3b4715c707fca6b152b31ebfcf0d6a4c18ce0fc5
Instruction ID: 39b4acc7f3aa2ea3a4e7949859e46d6da17cffc4cd2ad391877d3c0a92044f14
Opcode Fuzzy Hash: e38c5ba39e3c86c1cfb3484f3b4715c707fca6b152b31ebfcf0d6a4c18ce0fc5
Instruction Fuzzy Hash: 2D729E706047418FD724CF24C481B2AB7E1BF88315F149A6DFC9AAB392D775E849CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E820C0 Relevance: 2.0, Strings: 1, Instructions: 710COMMON

Download Yara Rule

Strings

%s-mj%08X, xrefs: 00E82318

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: %s-mj%08X
API String ID: 0-77246884
Opcode ID: c471fa593e583f4e6c3933c268b1271ac89d98a3b3f29649eee6d1263f2baac7
Instruction ID: fa9127eaf440281e22ef74f6f8054588aaab4ef6ca8ccdc2542d3f87f91aeea8
Opcode Fuzzy Hash: c471fa593e583f4e6c3933c268b1271ac89d98a3b3f29649eee6d1263f2baac7
Instruction Fuzzy Hash: 5C428974A002059FDB14EFA9D880AAAB7F1FF48308F14946EEA1EB7361D731A945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E45070 Relevance: 1.9, Strings: 1, Instructions: 621COMMON

Download Yara Rule

Strings

NX, xrefs: 00E451F6, 00E45789, 00E4560E, 00E453E3, 00E452BE, 00E45237

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: NX
API String ID: 0-1533795491
Opcode ID: 679fac2c59c74b1f95650f526264bd9f66ba08f8b4be776cab117ae058108006
Instruction ID: 34f5cefa9011acd0240c482eab374f80deecdf23913ff6c19c22b6a0938d8d4d
Opcode Fuzzy Hash: 679fac2c59c74b1f95650f526264bd9f66ba08f8b4be776cab117ae058108006
Instruction Fuzzy Hash: 6D42ED72A01A49CBDB14CE78C8407ADFBB1FF46304F1486ADE4A5E7782D7749909CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E45EB0 Relevance: 1.8, Strings: 1, Instructions: 514COMMON

Download Yara Rule

Strings

_^, xrefs: 00E460E0, 00E46204, 00E46269, 00E462A2, 00E4636F, 00E45F2B, 00E45F73, 00E45F98, 00E45FA8, 00E45FDC, 00E46008, 00E46030, 00E4603D, 00E46065, 00E45F32, 00E45F79, 00E45FB0, 00E46010, 00E46045, 00E460E7, 00E462BA, 00E462D7

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: _^
API String ID: 0-595606861
Opcode ID: 89db716a02e146326b243d9066911edda74ae4d7f1014736d1d635ede4752255
Instruction ID: bcafcece9cf65933d3a7c20826a38e99ec23b43693efb7c379702758764f3210
Opcode Fuzzy Hash: 89db716a02e146326b243d9066911edda74ae4d7f1014736d1d635ede4752255
Instruction Fuzzy Hash: D8125071E006099FDF24DFA8D980AAFB7F6EF89314F104629E816A3351E731EE058B51

Uniqueness

Uniqueness Score: -1.00%

Function 00E94AE0 Relevance: 1.7, Strings: 1, Instructions: 429COMMON

Download Yara Rule

Strings

GD, xrefs: 00E94F89, 00E94DA7, 00E94BCA

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: GD
API String ID: 0-1286887157
Opcode ID: 167ef22492c207c921e56e1c20753adab6c38b6063002745a7889ef1cf7ca7c3
Instruction ID: 627d2a7922fce2b06daf921634dc6a0e2ab87205db69bb5f744e50327cd12bf0
Opcode Fuzzy Hash: 167ef22492c207c921e56e1c20753adab6c38b6063002745a7889ef1cf7ca7c3
Instruction Fuzzy Hash: 50E17EB29092928EDF158F38C4817EDFFA2EF65304F1856A6C495AB7C2D2349A46C790

Uniqueness

Uniqueness Score: -1.00%

Function 00E45960 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

-, xrefs: 00E459BC

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 380dda1ef3d93faf75dbacb9f630860303182309aaebddffecc3a3ea39fa0403
Instruction ID: d0e8cbdb6f22906fc194f8d0aa5c4de998b99097d23212ab0cec396fb3e9b38b
Opcode Fuzzy Hash: 380dda1ef3d93faf75dbacb9f630860303182309aaebddffecc3a3ea39fa0403
Instruction Fuzzy Hash: 55C1A676900B049FDB21CFA4CC40AEEFBF5EF44310F108A59E4A6E7691D770AA45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00D9001D Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 00D901A1

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 77f26a8dea2f6029c41abbe118531b7cfb566cab24313c2f25501dc56542953c
Instruction ID: dd727fa55f4e40dbb9dd874e5c535f895dc44105a405c0ac47f8bfb6c48f6cdf
Opcode Fuzzy Hash: 77f26a8dea2f6029c41abbe118531b7cfb566cab24313c2f25501dc56542953c
Instruction Fuzzy Hash: 15B1A170A0070A8FCF288F68E9596BEBFB5EF04304F18461AD996E7691D731E941CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00E44CD0 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

-, xrefs: 00E44D4F

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: ffad52e287b60b8b48c8f6c01dcfbe838c716be90c45fb450b26370899277487
Instruction ID: c55235dd8ff5a899898933e19bec1cee53a9484844d2fcf2d80197aedcd54c79
Opcode Fuzzy Hash: ffad52e287b60b8b48c8f6c01dcfbe838c716be90c45fb450b26370899277487
Instruction Fuzzy Hash: 66817271A51648AEEF219AB4C840BEDFFE0EF05201F1489E8E8D5E3B41D678D64AC761

Uniqueness

Uniqueness Score: -1.00%

Function 011AC316 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

2, xrefs: 011AC361

Memory Dump Source

Source File: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 761b39ab4049f001374611d32ddd216a6fa552aacbd2c987adec83d97d3023a2
Instruction ID: bd3da1f4354a8c73da114299ded588536c3d2b162ed5a63757dbc5fdaa02aa13
Opcode Fuzzy Hash: 761b39ab4049f001374611d32ddd216a6fa552aacbd2c987adec83d97d3023a2
Instruction Fuzzy Hash: 23719C725083929FC715AB38DC002AEBBE0FF96710F498A5DE9D4475A6D335980ACB82

Uniqueness

Uniqueness Score: -1.00%

Function 00E86B30 Relevance: 1.0, Instructions: 974COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e67c1ac17531a5a025ef85f890630ff36b91d86e43df02c23b2a37ca7560038
Instruction ID: 721c33bcbea811e92794a0fa38afbae103531baca75d657be99c7e24e3dc6364
Opcode Fuzzy Hash: 2e67c1ac17531a5a025ef85f890630ff36b91d86e43df02c23b2a37ca7560038
Instruction Fuzzy Hash: 8F928C70A083518FC714DF29D480A2ABBE1FFC9304F14996EE8D9A7352E735E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E40350 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd8b1d68f7a16e38b41e5422b5b8e38dcca659e74be3dcbc866f7a1a144ec7e
Instruction ID: 2798b5731163cef50a55abcf1c85e7a8744da3d8924a911c28e395694875181a
Opcode Fuzzy Hash: cfd8b1d68f7a16e38b41e5422b5b8e38dcca659e74be3dcbc866f7a1a144ec7e
Instruction Fuzzy Hash: BC626AB1E002059FDF18CF59D5846AEBBF1AF88308F2891A9DA54BB342C775D946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E51040 Relevance: .7, Instructions: 660COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b4ba0ac1fa63b83f14caaa64dd9e0e0dde97c818dd99233cb6e5efc87cf38aa
Instruction ID: a9da759fb70749233a97657780e643bd9817c864927da35a3b49489782bd24c4
Opcode Fuzzy Hash: 7b4ba0ac1fa63b83f14caaa64dd9e0e0dde97c818dd99233cb6e5efc87cf38aa
Instruction Fuzzy Hash: 8C427071A043418FD714CF28C480B1AFBE1BF89319F159AADED99AB351D771E849CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00E3D7D0 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13db34f20032a7c6e92d0ca4e09ea16b80b58f6f7507fafc4a3215e9184e4dc6
Instruction ID: 731a964b53f2ed90a8e6d51e5f5a52347e6046278b4a3810b20df2d913762e11
Opcode Fuzzy Hash: 13db34f20032a7c6e92d0ca4e09ea16b80b58f6f7507fafc4a3215e9184e4dc6
Instruction Fuzzy Hash: 01126634A04B008FCB24CF29D884AA6BBF1FF88318F14596EE8969B751D771F951CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00D9035F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a19ae02a516b05082bc255c0b731f91b588db8e4935e9dfa7a6ebf2d2aca8ca
Instruction ID: 7c648aed2208963668a204ec1952cd9a514323bd5d5e299ec30b67f571bcc362
Opcode Fuzzy Hash: 1a19ae02a516b05082bc255c0b731f91b588db8e4935e9dfa7a6ebf2d2aca8ca
Instruction Fuzzy Hash: BEC1CA7090060A8FCF24DF68E9846BABFB5EF45300F284619DA969B692C731ED45CF71

Uniqueness

Uniqueness Score: -1.00%

Function 00D9DA74 Relevance: .3, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db754529a7736d4ee08ddd42d57fbc670e220fd9642efe229ae09d0667b9fd83
Instruction ID: 6970fa2425d605985d1031a8a92aad8b2ae6ae93a635f06822c73f9e2a1483d6
Opcode Fuzzy Hash: db754529a7736d4ee08ddd42d57fbc670e220fd9642efe229ae09d0667b9fd83
Instruction Fuzzy Hash: 1AB13C316106089FDB19CF28C48AB657BF1FF49364F298658E8D9CF2A1C375E991CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E44AA0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21a67febc048bd5e7bed61c903892d463eae84642cc4542d2051080d3f21be36
Instruction ID: df2ba5a0f1a728eaf7207f164cd15f6f85a35fb7e381b37ffc4fbba08bc2eec9
Opcode Fuzzy Hash: 21a67febc048bd5e7bed61c903892d463eae84642cc4542d2051080d3f21be36
Instruction Fuzzy Hash: B361E770600605AFEB34CAA8D881BEEFBE5EF45310F208AACE596E37D0D271E645C751

Uniqueness

Uniqueness Score: -1.00%

Function 00E3CD20 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a69bb6c2e2dd0246e9eed7c9937f7434ec19c89c8bc092a0474fc883d991025
Instruction ID: 5fa792c39a148d4cc52003e74d8f9d43a09d9be340e708a5348d11d557e2305f
Opcode Fuzzy Hash: 5a69bb6c2e2dd0246e9eed7c9937f7434ec19c89c8bc092a0474fc883d991025
Instruction Fuzzy Hash: D07161326205644FD70ECF5FECC05273762A78A3417D5872AEA81F7295C539FA2AC7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E3CFC0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c0fe21f4d14e376c2ae9e7ff776500b313db378e1d2a236112620963421295
Instruction ID: c884eb9a0aad50217c9d9faae08d99c0004818117bbaa0e87c04cd25e601335f
Opcode Fuzzy Hash: e7c0fe21f4d14e376c2ae9e7ff776500b313db378e1d2a236112620963421295
Instruction Fuzzy Hash: 79614C716201648FD70DCF5FFCC04273766E78A341786472AEA81EB2D6C535E92AD7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00D8A918 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563c096d62770bff53cdbb19f3653670aacb8bd0a76d05738593bad46fe6d402
Instruction ID: 01f72c976f8380824181328275a82eb53f6527fdf3fff3c4eced98fa92df8363
Opcode Fuzzy Hash: 563c096d62770bff53cdbb19f3653670aacb8bd0a76d05738593bad46fe6d402
Instruction Fuzzy Hash: 4B518072D00119AFDF04DF98C941AEEBBB2FF88300F598459E955AB201D7349A40DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F557C3 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2690a81f27f6994415059e057746b6e1ce943cdab0d87838aefee2dd9494447
Instruction ID: 6be4315698300786549119a7b2ebdba964b5322d2253cfd6a748d93107914c53
Opcode Fuzzy Hash: d2690a81f27f6994415059e057746b6e1ce943cdab0d87838aefee2dd9494447
Instruction Fuzzy Hash: 3D31487160879A5FC721EE3DD94049A7BE2BBC6310F14D77DE0E4871D6D735840AEA42

Uniqueness

Uniqueness Score: -1.00%

Function 01040B69 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c984d3f07eda0a429da2c70b56e3254edc4134771c9ffa6adb7c022f487015
Instruction ID: 5c294d3e95b3dcca07ea89e624d961555982ed9b656f21dccda62c2c83572a0b
Opcode Fuzzy Hash: 42c984d3f07eda0a429da2c70b56e3254edc4134771c9ffa6adb7c022f487015
Instruction Fuzzy Hash: 55312272A0879A6FC731EE39990059B7792BBC6320F14D72DE4E8875D6C735800AEA42

Uniqueness

Uniqueness Score: -1.00%

Function 00E44F70 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1584348cf9e3f3be4a9b24cc4e2ffe07feb8b558a8eaef0232f41b95094aa3e0
Instruction ID: 8f961ab890de4720c8fa8dde243d6b889b5c9cd9f0a04b662df788d740b9b3bb
Opcode Fuzzy Hash: 1584348cf9e3f3be4a9b24cc4e2ffe07feb8b558a8eaef0232f41b95094aa3e0
Instruction Fuzzy Hash: 0D312972B80708AEDB209E69DC40BC9BFD6EF45211F08C559FD9C9B750C2B1E249C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB8A20 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94978ecb10fb46a92cf3899432018b8b37c83ef522de7d078de12bb46ee25086
Instruction ID: 64606c1c3d4d26e97f446000d2beed60cf0f42562ec2e08bb82ffa9f263e0588
Opcode Fuzzy Hash: 94978ecb10fb46a92cf3899432018b8b37c83ef522de7d078de12bb46ee25086
Instruction Fuzzy Hash: FFE0DF356083A58BC750FB60CA0269EBBA9BAE0340F984729B6E2A7409DB346454D787

Uniqueness

Uniqueness Score: -1.00%

Function 00DA8013 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00DA8040
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00DA8055

Strings

``, xrefs: 00DA8066
ReleaseSRWLockExclusive, xrefs: 00DA804A
AcquireSRWLockExclusive, xrefs: 00DA803A
KERNEL32.DLL, xrefs: 00DA8025

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: AddressProc
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive$``
API String ID: 190572456-3927222770
Opcode ID: 091afc2546241784bb5cb40806e0a3cbb1ba9968617d3b048f874c6682a74318
Instruction ID: 0b60b0d07d7c5d1e1c35ac920ce123b160b016086557c2a180e78e8a0d111464
Opcode Fuzzy Hash: 091afc2546241784bb5cb40806e0a3cbb1ba9968617d3b048f874c6682a74318
Instruction Fuzzy Hash: B0F0C2316427225F4B711FA55CC52A73288AA037E431D413EDE42F3140EE14CC8EB2B8

Uniqueness

Uniqueness Score: -1.00%

Function 00EEE3EB Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 131COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EEE45C
___crtGetStringTypeA.LIBCMT ref: 00EEE487
___crtLCMapStringA.LIBCMT ref: 00EEE4A7
___crtLCMapStringA.LIBCMT ref: 00EEE4CC

Strings

, xrefs: 00EEE433

Memory Dump Source

Source File: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: String___crt$Type_memset
String ID:
API String ID: 1957702402-3916222277
Opcode ID: 9b361b41e08002eb96135586fdf474ba1a58ac9be43322b8183458d74da400c5
Instruction ID: 9f69b3033867bc3f49497712f89be8c7e3dca519c84a2de168b686a6c6d6af9e
Opcode Fuzzy Hash: 9b361b41e08002eb96135586fdf474ba1a58ac9be43322b8183458d74da400c5
Instruction Fuzzy Hash: C24138B050079C9EDB218B259C85FFB7BF9AF05308F1454E8E696A7283E2719E49CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00EF81F0 Relevance: 7.8, APIs: 5, Instructions: 263COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 00EF82F1
__FindPESection.LIBCMT ref: 00EF830B

Memory Dump Source

Source File: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: f47af90b38500edd1440b2c79f5c45b1b8af42c86a5f66920b45704c51c417bf
Instruction ID: fe08e89a2839beb546da789119ad240efd7274ea895e0e8cf26820efbf2022bd
Opcode Fuzzy Hash: f47af90b38500edd1440b2c79f5c45b1b8af42c86a5f66920b45704c51c417bf
Instruction Fuzzy Hash: 7E91B032A0161D8BDB14CF58DA9477EB3B6FB84714F155229EA15B73A0DB31ED02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D6D260 Relevance: 7.6, APIs: 5, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D6D28A
std::_Lockit::_Lockit.LIBCPMT ref: 00D6D2AC
std::_Lockit::~_Lockit.LIBCPMT ref: 00D6D2D4
__Getcoll.LIBCPMT ref: 00D6D39F
std::_Lockit::~_Lockit.LIBCPMT ref: 00D6D40E

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getcoll
String ID:
API String ID: 2318601406-0
Opcode ID: 3783a3a5efc0a8b4395db4ba06cfeaef19402ba5a2653c55c032d239bfaca835
Instruction ID: a274e46bb37922037c3580374acdc3d954722c027afd445ab3db14d502ba44a0
Opcode Fuzzy Hash: 3783a3a5efc0a8b4395db4ba06cfeaef19402ba5a2653c55c032d239bfaca835
Instruction Fuzzy Hash: C251ABB0D01208DFDB01DF99E9447AEBBB4EF40314F248059E8156B381D775AE09CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D56180 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 353COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00D56587

Strings

", ", xrefs: 00D563D8
: ", xrefs: 00D563AE
string too long, xrefs: 00D56512

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: ", "$: "$string too long
API String ID: 4194217158-1244075009
Opcode ID: 5960045ed0c649374d05ab6e914f4ebb1e895b5a1f223a2eefca1f69521ffb87
Instruction ID: 8ba91d1f885aae9bce22f6bd8a978583ed97cf16342d13d3d02a0227673053cd
Opcode Fuzzy Hash: 5960045ed0c649374d05ab6e914f4ebb1e895b5a1f223a2eefca1f69521ffb87
Instruction Fuzzy Hash: 4FD1C370D002059FCF24DFA8D841AAEBBF5EF44311F14462DE865A7381EB70AA48CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00D591CE Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 105libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 00D591D3

Strings

Ws2_32.dll, xrefs: 00D591BF
v<Ea, xrefs: 00D59197
v<Ea, xrefs: 00D59169

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: AddressProc
String ID: Ws2_32.dll$v<Ea$v<Ea
API String ID: 190572456-996692458
Opcode ID: b66eb4405b3018313e662ef82b6bddba4afdef940880800301fb14aa7595888e
Instruction ID: 955c58b84ec9fe9d0c459bf6422593b4e4e648f0dff7b81bdd068758de273b48
Opcode Fuzzy Hash: b66eb4405b3018313e662ef82b6bddba4afdef940880800301fb14aa7595888e
Instruction Fuzzy Hash: E3410174E04658CBDF24CFA8C8546ADFBB0BF48311F28824DE865AB390DB746946CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1AF6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

___initmbctable.LIBCMT ref: 00EF1B0B

Part of subcall function 00EEEA1D: __setmbcp.LIBCMT ref: 00EEEA28

_parse_cmdline.LIBCMT ref: 00EF1B4D
_parse_cmdline.LIBCMT ref: 00EF1B8E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00EF1B15, 00EF1B1A

Memory Dump Source

Source File: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: _parse_cmdline$___initmbctable__setmbcp
String ID: C:\Users\user\Desktop\file.exe
API String ID: 1290970244-1957095476
Opcode ID: 85a50852ea1b027c7764e48295f657d1038c8ebe74679b9a99119bdee3ed5967
Instruction ID: 6187730327d9ac3a0f1795fc166ef768d558604ad1e7f65d55966b7b98b85ecf
Opcode Fuzzy Hash: 85a50852ea1b027c7764e48295f657d1038c8ebe74679b9a99119bdee3ed5967
Instruction Fuzzy Hash: B621B776D0010DEBCB10DBA5AC948AE7BBCFA8032471056B9E714F7251E2305E45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF2CEA Relevance: 6.2, APIs: 4, Instructions: 171COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00ED6328,00000000,?,?,00000000,00000000,00001006,00001004,000030BB,?,?,?,00EF2ED4,00000001,?,00ED6328), ref: 00EF2D90
_memset.LIBCMT ref: 00EF2DE5
MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,00ED6328,?,00000001,00ED6328,00ED6328,00000008,?,00ED6328), ref: 00EF2DFA

Memory Dump Source

Source File: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: ByteCharMultiWide$_memset
String ID:
API String ID: 3545102435-0
Opcode ID: 58ab5bad5d5d51aa44cb2173e68ea1ec4dc1ded59f7b3b86fdba6732a6e1f3d4
Instruction ID: cc5b9161569ce4d900c83afddb3e1765fc041522aca0e5686f5053b939cd35a3
Opcode Fuzzy Hash: 58ab5bad5d5d51aa44cb2173e68ea1ec4dc1ded59f7b3b86fdba6732a6e1f3d4
Instruction Fuzzy Hash: 80518C7290010EAFDF129F64DC81DBE7BA9EF18358B245429FB04EB261D731CD619BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D6A060 Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D6A09D
std::_Lockit::_Lockit.LIBCPMT ref: 00D6A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 00D6A0E7
std::_Lockit::~_Lockit.LIBCPMT ref: 00D6A223

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 8fb13e61af8f76051e3159918883bc17bfa6687d5a65d8b0e5379dcc630ad841
Instruction ID: cba02332432edc65ba9ff93a015da2ef4b12422b7e3fbea87ac73c57c30b95e0
Opcode Fuzzy Hash: 8fb13e61af8f76051e3159918883bc17bfa6687d5a65d8b0e5379dcc630ad841
Instruction Fuzzy Hash: 555187B1901749CFDB11DF58C9417AEBBB0EB15314F18815AD885BB281E774AE48CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D82719 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D82720
std::_Lockit::_Lockit.LIBCPMT ref: 00D8272B
std::_Lockit::~_Lockit.LIBCPMT ref: 00D82799

Part of subcall function 00D8287C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00D82894

std::locale::_Setgloballocale.LIBCPMT ref: 00D82746

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 0e67742cec83749362dc6b6917cd223f00a62a2786dd4b825d62340280c59065
Instruction ID: 1bd7eb77179b811e51574867a6c87dd60f156cca321ef3bdb2f94dd0860c71c0
Opcode Fuzzy Hash: 0e67742cec83749362dc6b6917cd223f00a62a2786dd4b825d62340280c59065
Instruction Fuzzy Hash: 8D01B876A006209FCB06FB25DC4197D7BB1FF84B80B08000AE80127386CF74AA4ACBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00D75757 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00D75787
___std_exception_destroy.LIBVCRUNTIME ref: 00D7579E

Strings

l, xrefs: 00D757A6

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: l
API String ID: 4194217158-2517025534
Opcode ID: a2f997624f2c7475cbdfe518c8b3b17163aa5eb5eba8d0d640458bf4d676be8e
Instruction ID: 4a0fd93551f7850e25c2792b5b90349d03526d36abf489efa6ea8356681a19aa
Opcode Fuzzy Hash: a2f997624f2c7475cbdfe518c8b3b17163aa5eb5eba8d0d640458bf4d676be8e
Instruction Fuzzy Hash: 9BF0A9A0C052C8DEDF01DBA8D9457CDBBB59B16304F144096D4446B246E7B5AB1CE773

Uniqueness

Uniqueness Score: -1.00%

Function 00D75654 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00D75680
___std_exception_destroy.LIBVCRUNTIME ref: 00D75697

Strings

x, xrefs: 00D7569F

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: x
API String ID: 4194217158-2363233923
Opcode ID: 8af529a4ff030e25563164fac151c952243fc81b2342025af1f4d0f414ec4551
Instruction ID: 7194770ee3b84b50e29562f8fbef50c305cb34f7f8fde0aec214ef89a4c0b1b6
Opcode Fuzzy Hash: 8af529a4ff030e25563164fac151c952243fc81b2342025af1f4d0f414ec4551
Instruction Fuzzy Hash: D4F0DAA0C09288D9DF41DBE4D54978DBBB45F15304F1480AAD84867241E7B8A70CD777

Uniqueness

Uniqueness Score: -1.00%

Function 00E928E0 Relevance: 5.1, APIs: 4, Instructions: 146sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001,?,00000000,40000000,00000000,00000001,00000000), ref: 00E92951
GetLastError.KERNEL32(?,00000000,40000000,00000000,00000001,00000000), ref: 00E92968

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: fb9cf50877540dc8e43870076bfb60e4993ea827a07d13f2589d403448626cac
Instruction ID: 2aac9caa29d76a30929ddfd9ba70e9f3f1b65f3768238b9447f0f269070ee7ca
Opcode Fuzzy Hash: fb9cf50877540dc8e43870076bfb60e4993ea827a07d13f2589d403448626cac
Instruction Fuzzy Hash: C841D931B413157BDF319B69DC817AEB795EB89724F24926AEE08BB381C3719D4087D0

Uniqueness

Uniqueness Score: -1.00%

Function 00E92070 Relevance: 5.1, APIs: 4, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,00000000,?,00000000,?,00000000), ref: 00E920E6
Sleep.KERNEL32(00000064,?,00000000,?,00000000), ref: 00E920FC
GetLastError.KERNEL32(00000000), ref: 00E92119
Sleep.KERNEL32(00000064,00000000), ref: 00E9212F

Memory Dump Source

Source File: 00000000.00000002.4096844284.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.4096830508.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096978283.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4096996467.0000000000ED7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097024924.0000000000EFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097045634.0000000000F05000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097172034.00000000010E4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097187071.00000000010E5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4097418935.000000000148D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 90d45aa6a9a12f5079e882f3c1207d089962acae8ad29930a64360b0a7f11c2a
Instruction ID: 5c5349ca79037c844d2b7e519f7bb8cb3b36d28444bb87118c490ee644054801
Opcode Fuzzy Hash: 90d45aa6a9a12f5079e882f3c1207d089962acae8ad29930a64360b0a7f11c2a
Instruction Fuzzy Hash: F9214D75D01304AFCF20AB756CC45BE73B8EB55338F10456EFA1DF2240DA31888A9252

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 7044, Parent PID: 2580

Windows Analysis Report
file.exe

Function 00E14EB0 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 280
networksleepCOMMON

Function 00DADA50 Relevance: 7.7, APIs: 5, Instructions: 156
sleepCOMMON

Function 00F32D85 Relevance: 1.6, Strings: 1, Instructions: 391
COMMON

Function 00EEE07C Relevance: 3.1, APIs: 2, Instructions: 75
COMMON

Function 00D98DEF Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Function 00E15940 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 00D532D0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 00D9250C Relevance: 1.3, APIs: 1, Instructions: 53
COMMON