Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	754388
MD5:	fc0582e1cd55c0fcc0628241f7e8ce54
SHA1:	89fc6969c4a12f714ec051f0b69a50385062868d
SHA256:	4294a6949aac8f29179fc5cd688c88f52c6b4c5c85fe433ad11fe6e6947737c6
Tags:	exe
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Amadeys stealer DLL

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Machine Learning detection for sample

Contains functionality to inject code into remote processes

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to steal Instant Messenger accounts or passwords

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found dropped PE file which has not been started or loaded

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Drops PE files

Contains functionality to read the PEB

Contains functionality to launch a program with higher privileges

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 4948 cmdline: C:\Users\user\Desktop\file.exe MD5: FC0582E1CD55C0FCC0628241F7E8CE54)

gntuud.exe (PID: 5176 cmdline: "C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe" MD5: FC0582E1CD55C0FCC0628241F7E8CE54)

schtasks.exe (PID: 5816 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rundll32.exe (PID: 1544 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll, Main MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

gntuud.exe (PID: 5912 cmdline: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe MD5: FC0582E1CD55C0FCC0628241F7E8CE54)

gntuud.exe (PID: 1876 cmdline: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe MD5: FC0582E1CD55C0FCC0628241F7E8CE54)

gntuud.exe (PID: 1332 cmdline: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe MD5: FC0582E1CD55C0FCC0628241F7E8CE54)

gntuud.exe (PID: 996 cmdline: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe MD5: FC0582E1CD55C0FCC0628241F7E8CE54)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	INDICATOR_TOOL_PWS_Amady	Detects password stealer DLL. Dropped by Amadey	ditekSHen	0xd868:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x15604:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x16074:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x15158:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0x151bc:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0xdd0c:$s3: \Mikrotik\Winbox\Addresses.cdb 0x190d8:$s4: \HostName 0x19100:$s5: \Password 0x17c04:$s6: SOFTWARE\RealVNC\ 0x17c30:$s6: SOFTWARE\RealVNC\ 0x17c5c:$s6: SOFTWARE\RealVNC\ 0x17ca4:$s6: SOFTWARE\RealVNC\ 0x17cd0:$s6: SOFTWARE\RealVNC\ 0x18008:$s7: SOFTWARE\TightVNC\ 0x18034:$s7: SOFTWARE\TightVNC\ 0x18060:$s7: SOFTWARE\TightVNC\ 0x180ac:$s7: SOFTWARE\TightVNC\ 0x1c43c:$s8: cred.dll
C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll	INDICATOR_TOOL_PWS_Amady	Detects password stealer DLL. Dropped by Amadey	ditekSHen	0xd868:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x15604:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x16074:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x15158:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0x151bc:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0xdd0c:$s3: \Mikrotik\Winbox\Addresses.cdb 0x190d8:$s4: \HostName 0x19100:$s5: \Password 0x17c04:$s6: SOFTWARE\RealVNC\ 0x17c30:$s6: SOFTWARE\RealVNC\ 0x17c5c:$s6: SOFTWARE\RealVNC\ 0x17ca4:$s6: SOFTWARE\RealVNC\ 0x17cd0:$s6: SOFTWARE\RealVNC\ 0x18008:$s7: SOFTWARE\TightVNC\ 0x18034:$s7: SOFTWARE\TightVNC\ 0x18060:$s7: SOFTWARE\TightVNC\ 0x180ac:$s7: SOFTWARE\TightVNC\ 0x1c43c:$s8: cred.dll

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.323997230.0000000000D80000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000D.00000002.436289008.0000000002720000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000011.00000002.568956006.0000000000CC0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000D.00000002.435991850.0000000000C4C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xb88:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000011.00000002.569160304.0000000000D1C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xd40:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000B.00000002.324503471.0000000000DCC000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xb50:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.294516594.0000000000C86000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xcb0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000012.00000002.696239731.0000000000DBC000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xb80:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000012.00000002.696632130.0000000002750000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Click to see the 5 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: http://31.41.244.17/hfk3vK9/Plugins/cred64.dll

Virustotal: Detection: 7%

Perma Link

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	Avira: detection malicious, Label: HEUR/AGEN.1233121
Source: C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll	Avira: detection malicious, Label: HEUR/AGEN.1233121

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	Virustotal: Detection: 75%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Virustotal: Detection: 34%	Perma Link
Source: C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll	ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll	Virustotal: Detection: 75%	Perma Link

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 1.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Unpacked PE file: 11.2.gntuud.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Unpacked PE file: 13.2.gntuud.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Unpacked PE file: 17.2.gntuud.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Unpacked PE file: 18.2.gntuud.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: gntuud.exe, gntuud.exe, 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, gntuud.exe, 0000000B.00000003.313741322.0000000002760000.00000004.00001000.00020000.00000000.sdmp, gntuud.exe, 0000000D.00000003.434412948.0000000002780000.00000004.00001000.00020000.00000000.sdmp, gntuud.exe, 0000000D.00000002.436289008.0000000002720000.00000040.00001000.00020000.00000000.sdmp, gntuud.exe, 0000000D.00000002.435143049.0000000000400000.00000040.00000001.01000000.00000004.sdmp, gntuud.exe, 00000011.00000003.567938789.00000000027B0000.00000004.00001000.00020000.00000000.sdmp, gntuud.exe, 00000011.00000002.568655643.0000000000400000.00000040.00000001.01000000.00000004.sdmp, gntuud.exe, 00000012.00000003.694215668.0000000002790000.00000004.00001000.00020000.00000000.sdmp, gntuud.exe, 00000012.00000002.695283993.0000000000400000.00000040.00000001.01000000.00000004.sdmp, gntuud.exe, 00000012.00000002.696632130.0000000002750000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Z^C:\lac89\biwekuyigivoh78 cifixi20 ye.pdb source: file.exe, gntuud.exe.1.dr
Source:	Binary string: C:\lac89\biwekuyigivoh78 cifixi20 ye.pdb source: file.exe, gntuud.exe.1.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00420BA6 FindFirstFileExW,	1_2_00420BA6
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_02770E0D FindFirstFileExW,	1_2_02770E0D
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Code function: 11_2_00420BA6 FindFirstFileExW,	11_2_00420BA6

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 31.41.244.17 80			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 192.168.2.5 80			Jump to behavior

Source: Joe Sandbox View

ASN Name: AEROEXPRESS-ASRU AEROEXPRESS-ASRU

Source: Joe Sandbox View

IP Address: 31.41.244.17 31.41.244.17

Source: gntuud.exe, 00000003.00000003.299258643.0000000000E24000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: http://31.41.244.17/hfk3vK9/Plugins/cred64.dll

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00404180 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_00404180

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00402C70 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,

1_2_00402C70

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000B.00000002.323997230.0000000000D80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000D.00000002.436289008.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000011.00000002.568956006.0000000000CC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000D.00000002.435991850.0000000000C4C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000011.00000002.569160304.0000000000D1C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.324503471.0000000000DCC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.294516594.0000000000C86000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000002.696239731.0000000000DBC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000002.696632130.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, type: DROPPED	Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll, type: DROPPED	Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0000000B.00000002.323997230.0000000000D80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000D.00000002.436289008.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000011.00000002.568956006.0000000000CC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000D.00000002.435991850.0000000000C4C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000011.00000002.569160304.0000000000D1C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.324503471.0000000000DCC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.294516594.0000000000C86000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000012.00000002.696239731.0000000000DBC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000012.00000002.696632130.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, type: DROPPED	Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey
Source: C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll, type: DROPPED	Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040CBD0	1_2_0040CBD0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00429470	1_2_00429470
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0042848D	1_2_0042848D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00432890	1_2_00432890
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_027786F4	1_2_027786F4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_027796D7	1_2_027796D7
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Code function: 11_2_00429470	11_2_00429470
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Code function: 11_2_0042848D	11_2_0042848D
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Code function: 11_2_00432890	11_2_00432890
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Code function: 11_2_0040CBD0	11_2_0040CBD0

Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Code function: String function: 00416F50 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Code function: String function: 00418C40 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00418C40 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 027671B7 appears 130 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00416F50 appears 130 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 02768EA7 appears 39 times

Source: file.exe	Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: gntuud.exe.1.dr	Static PE information: Resource name: RT_VERSION type: x86 executable not stripped

Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe

Process Stats: CPU usage > 98%

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll D3E9A3365F73A34E2DD9022A318ABCC2C55AF98BAFB2DC302CBB55F5398BB9A0

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe "C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe"
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll, Main
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe "C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe" /F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll, Main	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe

File created: C:\Users\user\AppData\Roaming\56a1c3d463f381

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\3f904562a0

Jump to behavior

Source: classification engine

Classification label: mal100.phis.spyw.evad.winEXE@12/5@0/2

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll, Main

Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Mutant created: \Sessions\1\BaseNamedObjects\56a1c3d463f38174c2fd686077b9fd81
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\e832cadb1fd2ddc07c2cc5d843c5256a
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5932:120:WilError_01

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: gntuud.exe, gntuud.exe, 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, gntuud.exe, 0000000B.00000003.313741322.0000000002760000.00000004.00001000.00020000.00000000.sdmp, gntuud.exe, 0000000D.00000003.434412948.0000000002780000.00000004.00001000.00020000.00000000.sdmp, gntuud.exe, 0000000D.00000002.436289008.0000000002720000.00000040.00001000.00020000.00000000.sdmp, gntuud.exe, 0000000D.00000002.435143049.0000000000400000.00000040.00000001.01000000.00000004.sdmp, gntuud.exe, 00000011.00000003.567938789.00000000027B0000.00000004.00001000.00020000.00000000.sdmp, gntuud.exe, 00000011.00000002.568655643.0000000000400000.00000040.00000001.01000000.00000004.sdmp, gntuud.exe, 00000012.00000003.694215668.0000000002790000.00000004.00001000.00020000.00000000.sdmp, gntuud.exe, 00000012.00000002.695283993.0000000000400000.00000040.00000001.01000000.00000004.sdmp, gntuud.exe, 00000012.00000002.696632130.0000000002750000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Z^C:\lac89\biwekuyigivoh78 cifixi20 ye.pdb source: file.exe, gntuud.exe.1.dr
Source:	Binary string: C:\lac89\biwekuyigivoh78 cifixi20 ye.pdb source: file.exe, gntuud.exe.1.dr

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 1.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Unpacked PE file: 11.2.gntuud.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Unpacked PE file: 13.2.gntuud.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Unpacked PE file: 17.2.gntuud.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Unpacked PE file: 18.2.gntuud.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 1.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Unpacked PE file: 11.2.gntuud.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Unpacked PE file: 13.2.gntuud.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Unpacked PE file: 17.2.gntuud.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Unpacked PE file: 18.2.gntuud.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00418C86 push ecx; ret	1_2_00418C99
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0275A758 push ebp; retf 0000h	1_2_0275A75F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_02768EED push ecx; ret	1_2_02768F00
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Code function: 11_2_00418C86 push ecx; ret	11_2_00418C99

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	File created: C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe" /F

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe TID: 4356	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe TID: 4332	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe TID: 4360	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe TID: 4544	Thread sleep time: -1440000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe TID: 4356	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Thread delayed: delay time: 180000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Thread delayed: delay time: 360000			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	API coverage: 3.6 %
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	API coverage: 3.5 %

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00405400 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

1_2_00405400

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00420BA6 FindFirstFileExW,	1_2_00420BA6
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_02770E0D FindFirstFileExW,	1_2_02770E0D
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Code function: 11_2_00420BA6 FindFirstFileExW,	11_2_00420BA6

Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Thread delayed: delay time: 50000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Thread delayed: delay time: 360000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: rundll32.exe, 0000000C.00000002.323525192.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: rundll32.exe, 0000000C.00000003.307563567.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00418A67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00418A67

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_004037D0 DeleteObject,GetUserNameW,GetUserNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetUserNameW,LookupAccountNameW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,

1_2_004037D0

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0041B901 mov eax, dword ptr fs:[00000030h]	1_2_0041B901
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0041DF02 mov eax, dword ptr fs:[00000030h]	1_2_0041DF02
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0275092B mov eax, dword ptr fs:[00000030h]	1_2_0275092B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0276E169 mov eax, dword ptr fs:[00000030h]	1_2_0276E169
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0276BB68 mov eax, dword ptr fs:[00000030h]	1_2_0276BB68
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_02750D90 mov eax, dword ptr fs:[00000030h]	1_2_02750D90
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Code function: 11_2_0041B901 mov eax, dword ptr fs:[00000030h]	11_2_0041B901
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Code function: 11_2_0041DF02 mov eax, dword ptr fs:[00000030h]	11_2_0041DF02

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00418163 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00418163
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00418A67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00418A67
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0041CA80 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0041CA80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00418BCC SetUnhandledExceptionFilter,	1_2_00418BCC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_027683CA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_027683CA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_02768E33 SetUnhandledExceptionFilter,	1_2_02768E33
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0276CCE7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0276CCE7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_02768CCE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_02768CCE
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Code function: 11_2_00418163 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00418163
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Code function: 11_2_00418A67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00418A67
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Code function: 11_2_0041CA80 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_0041CA80
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Code function: 11_2_00418BCC SetUnhandledExceptionFilter,	11_2_00418BCC

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 31.41.244.17 80			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 192.168.2.5 80			Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00403F40 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,VirtualFree,

1_2_00403F40

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00404350 ShellExecuteA,

1_2_00404350

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe "C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe" /F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll, Main	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00418887 cpuid

1_2_00418887

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00418CA1 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00418CA1

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00424BC4 _free,_free,_free,GetTimeZoneInformation,_free,

1_2_00424BC4

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00405400 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

1_2_00405400

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_0040CBD0 GetUserNameA,SetCurrentDirectoryA,GetFileAttributesA,CreateDirectoryA,GetFileAttributesA,GetModuleFileNameA,SetCurrentDirectoryA,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,

1_2_0040CBD0

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll, type: DROPPED

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml

Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	211 Process Injection	2 Obfuscated Files or Information	2 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Scheduled Task/Job	2 Software Packing	1 Credentials In Files	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	1 Masquerading	NTDS	24 System Information Discovery	Distributed Component Object Model	1 Email Collection	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	21 Virtualization/Sandbox Evasion	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	211 Process Injection	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Rundll32	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	100%	Avira	HEUR/AGEN.1233121
C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll	100%	Avira	HEUR/AGEN.1233121
C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	88%	ReversingLabs	Win32.Infostealer.Decred
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	75%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe	35%	Virustotal		Browse
C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll	88%	ReversingLabs	Win32.Infostealer.Decred
C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll	75%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://31.41.244.17/hfk3vK9/Plugins/cred64.dll	0%	Avira URL Cloud	safe
http://31.41.244.17/hfk3vK9/Plugins/cred64.dll	8%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://31.41.244.17/hfk3vK9/Plugins/cred64.dll	gntuud.exe, 00000003.00000003.299258643.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
31.41.244.17	unknown	Russian Federation		61974	AEROEXPRESS-ASRU	true

Private

IP
192.168.2.5

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	754388
Start date and time:	2022-11-26 19:17:05 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.spyw.evad.winEXE@12/5@0/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 96% Number of executed functions: 22 Number of non-executed functions: 133
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:18:00	API Interceptor	2513x Sleep call for process: gntuud.exe modified
19:18:02	Task Scheduler	Run new task: gntuud.exe path: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
31.41.244.17	hhrs7h5uZB.dll	Get hash	malicious	Browse	31.41.244.17/hfk3vK9/index.php
31.41.244.17	hhrs7h5uZB.dll	Get hash	malicious	Browse	31.41.244.17/hfk3vK9/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AEROEXPRESS-ASRU	file.exe	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17
	hhrs7h5uZB.dll	Get hash	malicious	Browse	31.41.244.17
	hhrs7h5uZB.dll	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17
	file.exe	Get hash	malicious	Browse	31.41.244.17

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	6.511961466655514
Encrypted:	false
SSDEEP:	3072:ox7pOYzBekBmWDWCMq6As523HeS9FAiZ87vO2rlL3Rnm9:ox7ZNhB/dMq6AO0a7vVlT
MD5:	ADBAF286228C46522E50371C4BE31A03
SHA1:	A29D644C4663B2E2B2BD92046BA0DF629537C297
SHA-256:	D3E9A3365F73A34E2DD9022A318ABCC2C55AF98BAFB2DC302CBB55F5398BB9A0
SHA-512:	74A55CC8D8C3AF54E5BA290A34B968918DA994EA2D55B5F0D1F39E83CB9A39D73226227933C760B48F2E0BDB646F8243967517EF8202E02D88411D2D19AE217D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, Author: Joe Security Rule: INDICATOR_TOOL_PWS_Amady, Description: Detects password stealer DLL. Dropped by Amadey, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 75%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................X......x.............@..........................@..........................................O.......&.... ..............................................................................................................CODE................................ ..`DATA................................@...BSS......................................idata..&...........................@....edata..O...........................@..P.reloc..............................@..P.rsrc........ ......................@..P.............@......................@..P................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211968
Entropy (8bit):	7.389735637483072
Encrypted:	false
SSDEEP:	6144:9/kH61vyrS1ccAJEsSBrVqbtkdim2qv6Wlz:9/ine9AZSnqbt4imhNlz
MD5:	FC0582E1CD55C0FCC0628241F7E8CE54
SHA1:	89FC6969C4A12F714EC051F0B69A50385062868D
SHA-256:	4294A6949AAC8F29179FC5CD688C88F52C6B4C5C85FE433AD11FE6E6947737C6
SHA-512:	369464A7AD92D41BCB5736DEB9A6332533520EBBA19BDAFA0D93A9A026E6A26E0D46EAD8468593564DECE9D6A0F1E4CFBB5A97AC07F7C784D43D037D82CBBAEF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 35%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.+...x...x...x.J;x...x.W8x...x.W.x...x...x...x...x5..x.W)x...x.W9x...x.W<x...xRich...x................PE..L...z..a......................m.....wC....... ....@..........................`n......?..........................................P.... n..3...........................................................(..@...............<............................text............................... ..`.data.....l.. ......................@....rsrc....3... n..4..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\853321935212

Download File

Process:	C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	107080
Entropy (8bit):	7.930494196730398
Encrypted:	false
SSDEEP:	1536:CCADD22DzOc35XWKpM6b9BWSkzkTcfulVdLM5Y1Rc1m90LH2ON68aEjCwu4EgVek:yf3FIK99BE1fko1dHta8CV4EgVcVd8
MD5:	2BE638ED54CE1FD7E010B25FFE76F2C8
SHA1:	F22F4F7F433E47EB8655736D571C7C7F5D2A804C
SHA-256:	E36B1AFD90BB77E353AF9F1FB0B533BE428DE583C617138569E37A2601B32C05
SHA-512:	574CB1736CE9CE1AEF4628CA9386493BEF4821FDAC8E47912849B96A90E4290FB1E8A7C6B1020BB467D6E28EB287239C722003CD8316F40E06F481DB0C4323AE
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.\|..).?.H.'.\|....).?m.....h.t......\|4.%...d....

C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	6.511961466655514
Encrypted:	false
SSDEEP:	3072:ox7pOYzBekBmWDWCMq6As523HeS9FAiZ87vO2rlL3Rnm9:ox7ZNhB/dMq6AO0a7vVlT
MD5:	ADBAF286228C46522E50371C4BE31A03
SHA1:	A29D644C4663B2E2B2BD92046BA0DF629537C297
SHA-256:	D3E9A3365F73A34E2DD9022A318ABCC2C55AF98BAFB2DC302CBB55F5398BB9A0
SHA-512:	74A55CC8D8C3AF54E5BA290A34B968918DA994EA2D55B5F0D1F39E83CB9A39D73226227933C760B48F2E0BDB646F8243967517EF8202E02D88411D2D19AE217D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll, Author: Joe Security Rule: INDICATOR_TOOL_PWS_Amady, Description: Detects password stealer DLL. Dropped by Amadey, Source: C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 75%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................X......x.............@..........................@..........................................O.......&.... ..............................................................................................................CODE................................ ..`DATA................................@...BSS......................................idata..&...........................@....edata..O...........................@..P.reloc..............................@..P.rsrc........ ......................@..P.............@......................@..P................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.389735637483072
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	211968
MD5:	fc0582e1cd55c0fcc0628241f7e8ce54
SHA1:	89fc6969c4a12f714ec051f0b69a50385062868d
SHA256:	4294a6949aac8f29179fc5cd688c88f52c6b4c5c85fe433ad11fe6e6947737c6
SHA512:	369464a7ad92d41bcb5736deb9a6332533520ebba19bdafa0d93a9a026e6a26e0d46ead8468593564dece9d6a0f1e4cfbb5a97ac07f7c784d43d037d82cbbaef
SSDEEP:	6144:9/kH61vyrS1ccAJEsSBrVqbtkdim2qv6Wlz:9/ine9AZSnqbt4imhNlz
TLSH:	EE24F1223A40E033C40391748538E7B13A7E797759B89843BF551FAD9FB22D2BA27359
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.+...x...x...x.J;x...x.W8x...x.W.x...x...x...x...x5..x.W)x...x.W9x...x.W<x...xRich...x................PE..L...z..a...........

File Icon


Icon Hash:	c8d0d8e0f8f0f0e0

Static PE Info

General

Entrypoint:	0x404377
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x61A7897A [Wed Dec 1 14:40:58 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	77b9cbeda5e32323ee560d94649c1c1a

Entrypoint Preview

Instruction
call 00007F155CB71D92h
jmp 00007F155CB6C97Dh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F155CB6CB0Ah
cmp edi, eax
jc 00007F155CB6CCAAh
cmp ecx, 00000100h
jc 00007F155CB6CB21h
cmp dword ptr [00AE17BCh], 00000000h
je 00007F155CB6CB18h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F155CB6CB0Ah
pop esi
pop edi
pop ebp
jmp 00007F155CB71E54h
test edi, 00000003h
jne 00007F155CB6CB17h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F155CB6CB2Ch
rep movsd
jmp dword ptr [00404504h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F155CB6CB0Eh
and eax, 03h
add ecx, eax
jmp dword ptr [00404418h+eax*4]
jmp dword ptr [00404514h+ecx*4]
nop
jmp dword ptr [00404498h+ecx*4]
nop
sub byte ptr [eax+eax*2+00h], al
push esp
inc esp
inc eax
add byte ptr [eax+44h], bh
inc eax
add byte ptr [ebx], ah
ror dword ptr [edx-75F877FAh], 1
inc esi
add dword ptr [eax+468A0147h], ecx
add al, cl
jmp 00007F155EFE5307h
add esi, 00000000h

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x107dc	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6e2000	0x33f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1280	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2810	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x23c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x104f0	0x10600	False	0.5108092795801527	data	6.104729117132287	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x12000	0x6cf7c4	0x1fe00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6e2000	0x33f0	0x3400	False	0.6715745192307693	data	5.8441873543465155	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
KADI	0x6e4d68	0x4a3	ASCII text, with very long lines (1187), with no line terminators	Raeto-Romance	Switzerland
RT_ICON	0x6e2250	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Raeto-Romance	Switzerland
RT_ICON	0x6e2918	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Raeto-Romance	Switzerland
RT_ICON	0x6e2e80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Raeto-Romance	Switzerland
RT_ICON	0x6e3f28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Raeto-Romance	Switzerland
RT_ICON	0x6e48b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Raeto-Romance	Switzerland
RT_ACCELERATOR	0x6e5210	0x98	data	Raeto-Romance	Switzerland
RT_GROUP_ICON	0x6e4d18	0x4c	data	Raeto-Romance	Switzerland
RT_VERSION	0x6e52a8	0x148	x86 executable not stripped

Imports

DLL	Import
KERNEL32.dll	EnumSystemCodePagesA, EnumDateFormatsW, OpenMutexA, GetConsoleAliasExesLengthW, CopyFileExW, ReadConsoleOutputCharacterA, GetEnvironmentStrings, GetCommConfig, QueryDosDeviceA, EnumCalendarInfoExA, SetProcessPriorityBoost, CreateJobSet, AddConsoleAliasW, CreateFileA, GetMailslotInfo, GetWindowsDirectoryA, GetModuleHandleA, GlobalHandle, CreateDirectoryExA, GetLogicalDriveStringsA, ReadConsoleInputA, FindNextVolumeMountPointW, OpenWaitableTimerA, GetVersionExW, SearchPathA, RequestWakeupLatency, CallNamedPipeA, GetCurrentDirectoryW, GetDriveTypeW, CreateMailslotW, BuildCommDCBAndTimeoutsW, GetProcAddress, LoadLibraryA, LocalAlloc, MoveFileWithProgressW, GetBinaryTypeA, TerminateThread, WriteConsoleOutputA, GetCommandLineW, GetVolumeInformationA, VerifyVersionInfoA, DeleteTimerQueue, SearchPathW, CopyFileW, GetHandleInformation, FindResourceA, CreateJobObjectW, FindFirstVolumeW, GlobalFlags, CreateNamedPipeW, WritePrivateProfileStringW, InterlockedDecrement, GetModuleHandleW, GetTickCount, VerSetConditionMask, WriteTapemark, GetTapeParameters, HeapLock, GetConsoleTitleW, InterlockedExchangeAdd, EnumCalendarInfoA, InterlockedExchange, GetNamedPipeHandleStateA, TerminateProcess, MoveFileA, AddAtomW, UnregisterWait, FreeEnvironmentStringsW, SetConsoleTitleA, SetVolumeMountPointW, VirtualProtect, _hread, ClearCommBreak, GlobalFindAtomA, CloseHandle, FindFirstChangeNotificationA, LoadLibraryW, GetLastError, HeapFree, HeapAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, DeleteFileA, GetCommandLineA, GetStartupInfoA, GetCurrentProcess, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, SetHandleCount, GetFileType, FreeEnvironmentStringsA, WideCharToMultiByte, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, SetFilePointer, GetConsoleCP, GetConsoleMode, MultiByteToWideChar, HeapSize, GetLocaleInfoA, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, ReadFile
USER32.dll	GetComboBoxInfo, CharUpperBuffA, GetMenuInfo
GDI32.dll	GetCharABCWidthsA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Raeto-Romance	Switzerland

Target ID:	1
Start time:	19:17:54
Start date:	26/11/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	211968 bytes
MD5 hash:	FC0582E1CD55C0FCC0628241F7E8CE54
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.294516594.0000000000C86000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	3
Start time:	19:17:57
Start date:	26/11/2022
Path:	C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe"
Imagebase:	0x400000
File size:	211968 bytes
MD5 hash:	FC0582E1CD55C0FCC0628241F7E8CE54
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 35%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Target ID:	7
Start time:	19:18:00
Start date:	26/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
Imagebase:	0x1c0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	19:18:00
Start date:	26/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	11
Start time:	19:18:02
Start date:	26/11/2022
Path:	C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
Imagebase:	0x400000
File size:	211968 bytes
MD5 hash:	FC0582E1CD55C0FCC0628241F7E8CE54
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000B.00000002.323997230.0000000000D80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000B.00000002.324503471.0000000000DCC000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	12
Start time:	19:18:02
Start date:	26/11/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll, Main
Imagebase:	0xe10000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high

Show Windows behavior

Target ID:	13
Start time:	19:19:01
Start date:	26/11/2022
Path:	C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
Imagebase:	0x400000
File size:	211968 bytes
MD5 hash:	FC0582E1CD55C0FCC0628241F7E8CE54
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000D.00000002.436289008.0000000002720000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000D.00000002.435991850.0000000000C4C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	17
Start time:	19:20:00
Start date:	26/11/2022
Path:	C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
Imagebase:	0x400000
File size:	211968 bytes
MD5 hash:	FC0582E1CD55C0FCC0628241F7E8CE54
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000011.00000002.568956006.0000000000CC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000011.00000002.569160304.0000000000D1C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	18
Start time:	19:21:01
Start date:	26/11/2022
Path:	C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
Imagebase:	0x400000
File size:	211968 bytes
MD5 hash:	FC0582E1CD55C0FCC0628241F7E8CE54
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000012.00000002.696239731.0000000000DBC000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000012.00000002.696632130.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	6.2%
Signature Coverage:	5.5%
Total number of Nodes:	307
Total number of Limit Nodes:	7

Executed Functions

Function 0040CBD0 Relevance: 30.0, APIs: 10, Strings: 5, Instructions: 3727COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 0040CD3E
SetCurrentDirectoryA.KERNEL32(00000000,?,?), ref: 0040CD9C

Part of subcall function 00416A90: Concurrency::cancel_current_task.LIBCPMT ref: 00416B49

Part of subcall function 00402C70: RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,44FDFA8B,44FDFA8B), ref: 00402E1C
Part of subcall function 00402C70: RegQueryValueExA.ADVAPI32(44FDFA8B,?,00000000,00000000,?,00000400,?,?,00000000,00000001,44FDFA8B,44FDFA8B), ref: 00402E4A
Part of subcall function 00402C70: RegCloseKey.ADVAPI32(44FDFA8B,?,?,00000000,00000001,44FDFA8B,44FDFA8B), ref: 00402E56

Part of subcall function 00402C70: RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 00402F63
Part of subcall function 00402C70: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00402F91
Part of subcall function 00402C70: RegCloseKey.ADVAPI32(80000001), ref: 00402F9A

Part of subcall function 004048C0: Sleep.KERNEL32(000003E8), ref: 004049A9

GetFileAttributesA.KERNEL32(00000000), ref: 0040E4F1
CreateDirectoryA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E623
GetFileAttributesA.KERNEL32(00000000), ref: 0040E738
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 0040ED75
std::_Xinvalid_argument.LIBCPMT ref: 0040F9E5

Part of subcall function 00402C70: GdiplusStartup.GDIPLUS(?,?,00000000,44FDFA8B), ref: 004030CA

Part of subcall function 0040CBD0: SetCurrentDirectoryA.KERNEL32(00000000), ref: 0040EF9C

Strings

invalid stoi argument, xrefs: 0040F9E0, 00410314, 00410323
", xrefs: 0040FE0B
%, xrefs: 00410047
", xrefs: 0040EEF2
stoi argument out of range, xrefs: 0040F9F4, 0041032D

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DirectoryFile$AttributesCloseCurrentNameOpenValue$Concurrency::cancel_current_taskCreateGdiplusModuleQuerySleepStartupUserXinvalid_argumentstd::_
String ID: "$"$%$invalid stoi argument$stoi argument out of range
API String ID: 1674928435-2043294232
Opcode ID: bf4418512fe37c34e4452a46c62b86bedc19af7eba5b246c68533f93a84f6707
Instruction ID: ca7d88425734236cf169f520bb3e28de2df1445630f25be11c52c40f1bbbcbb8
Opcode Fuzzy Hash: bf4418512fe37c34e4452a46c62b86bedc19af7eba5b246c68533f93a84f6707
Instruction Fuzzy Hash: 07632A71A001489BEB18DB38CD897DD7B729F86304F5082ADE409A73D6DB3D9EC48B59

Uniqueness

Uniqueness Score: -1.00%

Function 0041B901 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0041B900,0041BE86,?,NA,0041BE86,0041EF4E), ref: 0041B923
TerminateProcess.KERNEL32(00000000,?,0041B900,0041BE86,?,NA,0041BE86,0041EF4E), ref: 0041B92A
ExitProcess.KERNEL32 ref: 0041B93C

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
Instruction ID: c3524ad3d233ec0a3a19b1bf7aedcb75de5af13a6c7a41cb1465cf438659ca8f
Opcode Fuzzy Hash: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
Instruction Fuzzy Hash: 63E0B671120208EFCB216F65DD49AA97B79FB44751BC44439FA0586231CB39EE93CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0275092B Relevance: 3.8, Strings: 3, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

l, xrefs: 02750966
GetProcAddress., xrefs: 027509DC, 027509DF, 027509E4
., xrefs: 0275095F

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: ba3f8c4a5a04c936f80f6b85bcc408eceefba1a569e7af12c73bd767da7089d4
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: B83138B6900619DFEB10CF99C884AAEFBF9FF48324F15404AD841A7214D7B1EA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00404350 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteA.SHELL32(00000000,00429838,?,?,00000000,00000000), ref: 004043F2

Strings

runas, xrefs: 004043B4

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ExecuteShell
String ID: runas
API String ID: 587946157-4000483414
Opcode ID: 82e6eb50347e734f096ebca9fc259a422462d2b896881076858bbb2ef81b7636
Instruction ID: 0d432a24b2a6eecf06ea0bc45d18f5c5656229febad52b915354dd5f9442050f
Opcode Fuzzy Hash: 82e6eb50347e734f096ebca9fc259a422462d2b896881076858bbb2ef81b7636
Instruction Fuzzy Hash: 56411370600208EBDB04DF69C981BDE7BB9EB45344FA0822AFC15972C0C779E984CB85

Uniqueness

Uniqueness Score: -1.00%

Function 004235FD Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004232B6: CreateFileW.KERNELBASE(00000000,00000000,?,004236A6,?,?,00000000,?,004236A6,00000000,0000000C), ref: 004232D3

GetLastError.KERNEL32 ref: 00423711
__dosmaperr.LIBCMT ref: 00423718
GetFileType.KERNELBASE(00000000), ref: 00423724
GetLastError.KERNEL32 ref: 0042372E
__dosmaperr.LIBCMT ref: 00423737
CloseHandle.KERNEL32(00000000), ref: 00423757
CloseHandle.KERNEL32(?), ref: 004238A4
GetLastError.KERNEL32 ref: 004238D6
__dosmaperr.LIBCMT ref: 004238DD

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 0d649afaf30192c5c19431845a951fd0479d0f23fa76b0b367cd72335b8b290c
Instruction ID: c7b97c56f1a0d1b911df166da15c54d720095dd6c25035754b532be6d98a6b0c
Opcode Fuzzy Hash: 0d649afaf30192c5c19431845a951fd0479d0f23fa76b0b367cd72335b8b290c
Instruction Fuzzy Hash: 7CA15872A041149FCF19DF68EC917AE3BB1AB06325F54016EF811AB391CB7C8952CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0275003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0275024D

Strings

cess, xrefs: 0275018D
kernel32.dll, xrefs: 0275008F, 02750095

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 6a8be28c26d6e027151cf9905f423a8690d2d638a3724b2d8fb99916f368a809
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 71526974A01229DFDB64CF68C985BACBBB1BF09304F1480D9E94DAB351DB70AA85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0042356F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 004235D2

Strings

>A, xrefs: 00423571

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: _free
String ID: >A
API String ID: 269201875-3365779530
Opcode ID: 6d7cabbe3305cb9b6d011bf0e9d56addc9b4860a8407226052aa3c61f76cc774
Instruction ID: 30ff9b9e87434c0f379a7433cd06ee0227cf71fd1282e2cff9dc0eafdffef8ec
Opcode Fuzzy Hash: 6d7cabbe3305cb9b6d011bf0e9d56addc9b4860a8407226052aa3c61f76cc774
Instruction Fuzzy Hash: A8017172D00159BFCF01AFA89C01ADE7FF5AF08304F14016AB918E2151E7398B609BC4

Uniqueness

Uniqueness Score: -1.00%

Function 0041D1BB Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 0041D203

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9f5dec638c6018a6b24b976b0791b773a56ee0672529c52ab4d44372aafa3d49
Instruction ID: f1d333090dd57bfd17dfe39ecb9b07313f9b1ca465b706eabb36e918cd1afe6e
Opcode Fuzzy Hash: 9f5dec638c6018a6b24b976b0791b773a56ee0672529c52ab4d44372aafa3d49
Instruction Fuzzy Hash: 4FE0E5B6E0242022E211623F7C46AEB11856BD133AB15022FF860861E0DF7C88C2D19E

Uniqueness

Uniqueness Score: -1.00%

Function 02750E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02750223,?,?), ref: 02750E19
SetErrorMode.KERNELBASE(00000000,?,?,02750223,?,?), ref: 02750E1E

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 90e7bb8c758be92c28614f2c48844fb0f3aa085600f9d063d5eed204c5228071
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: D9D0123114512877D7003A94DC09BCDBB1CDF09B66F108011FB0DD9080C7B1954046E5

Uniqueness

Uniqueness Score: -1.00%

Function 0041E3FF Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 0041E439

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 0d6bf0a7e9f29163ed6caaa22d8f5b82bf3e75d92930a2ecd6c24ab71e07ee1e
Instruction ID: 322a9cb7d115cba5ea2c99f456cc5fe6d3c651e69e51ada78d95c10651760d14
Opcode Fuzzy Hash: 0d6bf0a7e9f29163ed6caaa22d8f5b82bf3e75d92930a2ecd6c24ab71e07ee1e
Instruction Fuzzy Hash: 14115775A0020AAFCF05DF59E9459DB7BF4EF48304F0040AAF808EB311D630EA21CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00416830 Relevance: 1.5, APIs: 1, Instructions: 36
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040CBD0: GetTempPathA.KERNEL32(00000104,?), ref: 0040B2FE

Part of subcall function 0040CBD0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,44FDFA8B), ref: 0040A7BC

Part of subcall function 00406510: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406540

Part of subcall function 0040CBD0: GetUserNameA.ADVAPI32(?,?), ref: 0040B96E

Part of subcall function 004138B0: IsUserAnAdmin.SHELL32 ref: 0041390D
Part of subcall function 004138B0: GetUserNameA.ADVAPI32(?,?), ref: 004139B7
Part of subcall function 004138B0: GetComputerNameExW.KERNEL32(00000002,?,?,?,?), ref: 00413A20

Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 004167F6
Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 00416807
Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 00416818
Part of subcall function 004167E0: Sleep.KERNEL32(00007530,?,00416873), ref: 00416825

InternetCloseHandle.WININET(00000000), ref: 00416887

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Name$CreateThreadUser$FileModule$AdminCloseComputerHandleInternetPathSleepTemp
String ID:
API String ID: 1411138196-0
Opcode ID: 681845bb7bdad3a9b280c05efa4f412a3339f2d7827d3117315032cc1d5ff116
Instruction ID: fcb51b4180ac2c01cd311fc2696d032aed602c74c46a29392a881be8b31f0bff
Opcode Fuzzy Hash: 681845bb7bdad3a9b280c05efa4f412a3339f2d7827d3117315032cc1d5ff116
Instruction Fuzzy Hash: 21E08671A0050407DA043BBA5D0B64E31184F8134CF94027FB815665D7EE6DD56441FF

Uniqueness

Uniqueness Score: -1.00%

Function 004232B6 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,004236A6,?,?,00000000,?,004236A6,00000000,0000000C), ref: 004232D3

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5f6f20da4e93aca7bdcb0ea2359822fb329caed46e02a9c52ac097750241beb4
Instruction ID: cd0ee65043cc83d888fb6f456493c6bde9bec702db69a9442c4f6e90f97d0004
Opcode Fuzzy Hash: 5f6f20da4e93aca7bdcb0ea2359822fb329caed46e02a9c52ac097750241beb4
Instruction Fuzzy Hash: 77D06C3210010DFFDF128F84DC06EDA3BAAFB48724F414120BA1856020C732E872EB94

Uniqueness

Uniqueness Score: -1.00%

Function 02750920 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 02750929

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: cd6e8b06e9fc6daff329b0075f01cd6e00680555ed9156381d0d7b778eb813a9
Instruction ID: 3e9c807a23c100a99a722049cf7bfbcce58d99a4c5dbb09bf75c012b4819f226
Opcode Fuzzy Hash: cd6e8b06e9fc6daff329b0075f01cd6e00680555ed9156381d0d7b778eb813a9
Instruction Fuzzy Hash: D490047034435111DC703DFC0C01F0500013741730F7107107130FD5D5DC4055004157

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402C70 Relevance: 51.7, APIs: 28, Strings: 1, Instructions: 910registrywindowfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,44FDFA8B,44FDFA8B), ref: 00402E1C
RegQueryValueExA.ADVAPI32(44FDFA8B,?,00000000,00000000,?,00000400,?,?,00000000,00000001,44FDFA8B,44FDFA8B), ref: 00402E4A
RegCloseKey.ADVAPI32(44FDFA8B,?,?,00000000,00000001,44FDFA8B,44FDFA8B), ref: 00402E56
RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 00402F63
RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00402F91
RegCloseKey.ADVAPI32(80000001), ref: 00402F9A
GdiplusStartup.GDIPLUS(?,?,00000000,44FDFA8B), ref: 004030CA
GetDC.USER32(00000000), ref: 004031C2
RegGetValueA.ADVAPI32(80000002,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00403449
GetSystemMetrics.USER32 ref: 004034A2
GetSystemMetrics.USER32 ref: 004034AB
RegGetValueA.ADVAPI32(80000002,?,00000000), ref: 004034F3
GetSystemMetrics.USER32 ref: 00403546
GetSystemMetrics.USER32 ref: 0040354F
CreateCompatibleDC.GDI32(?), ref: 0040355B
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00403570
SelectObject.GDI32(00000000,00000000), ref: 00403580
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004035A6
GdipCreateBitmapFromHBITMAP.GDIPLUS(00000000,00000000,?), ref: 004035BA
GdipGetImageEncodersSize.GDIPLUS(00000000,?), ref: 004035D6
GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 00403603
GdipSaveImageToFile.GDIPLUS(00000000,?,?,00000000), ref: 00403687
SelectObject.GDI32(00000000,?), ref: 00403694
DeleteObject.GDI32(00000000), ref: 004036A1
DeleteObject.GDI32(?), ref: 004036A9
ReleaseDC.USER32 ref: 004036B3
GdipDisposeImage.GDIPLUS(00000000), ref: 004036BA
GdiplusShutdown.GDIPLUS(?), ref: 0040375C

Strings

image/jpeg, xrefs: 00403615

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Gdip$ImageMetricsObjectSystemValue$Create$BitmapCloseCompatibleDeleteEncodersGdiplusOpenSelect$DisposeFileFromQueryReleaseSaveShutdownSizeStartup
String ID: image/jpeg
API String ID: 406439762-3785015651
Opcode ID: e8628ae9d8af01cf96e14566c09d0971b984f7e7a06f5e93ac5e6e0091313de2
Instruction ID: ef3e356fa5e9885fc08513456cc6264c1fb040e0d3da28046e10bcebe11668ea
Opcode Fuzzy Hash: e8628ae9d8af01cf96e14566c09d0971b984f7e7a06f5e93ac5e6e0091313de2
Instruction Fuzzy Hash: A362F471A00108ABEB18DF28CD85BDDBB76EF45304F50826EE805B72D1DB799A85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00403F40 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 162injectionthreadmemoryCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403F66
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00403FCB
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00403FE4
GetThreadContext.KERNEL32(?,00000000), ref: 00403FFF
ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00404023
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040403E
GetProcAddress.KERNEL32(00000000), ref: 00404045
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040406D
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 0040408E
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000), ref: 004040D2
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000), ref: 0040410E
SetThreadContext.KERNEL32(?,00000000,?,?,00000000), ref: 0040412A
ResumeThread.KERNEL32(?,?,?,00000000), ref: 00404136
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000), ref: 00404144
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00404165

Strings

ntdll.dll, xrefs: 00404039
, xrefs: 00404018
NtUnmapViewOfSection, xrefs: 00404034

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Process$MemoryVirtual$ThreadWrite$AllocContextFreeModule$AddressCreateFileHandleNameProcReadResume
String ID: $NtUnmapViewOfSection$ntdll.dll
API String ID: 4033543172-1522589568
Opcode ID: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
Instruction ID: 7185e54e9f5f5e6bc342fc5ffd2bfcf32a837d4cfdcfbf42461452ed81247528
Opcode Fuzzy Hash: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
Instruction Fuzzy Hash: 66518971600218EBDB209F54DC49FEAB7B8FF48701F9040B6F708AA291D7B1A995CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004037D0 Relevance: 27.2, APIs: 18, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00403822
GetProcessHeap.KERNEL32(00000008,?), ref: 00403837
HeapAlloc.KERNEL32(00000000), ref: 0040383A
GetUserNameW.ADVAPI32(00000000,?), ref: 00403848
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 0040386B
GetProcessHeap.KERNEL32(00000008,?), ref: 00403876
HeapAlloc.KERNEL32(00000000), ref: 00403879
GetProcessHeap.KERNEL32(00000008,?), ref: 00403889
HeapAlloc.KERNEL32(00000000), ref: 0040388C
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004038B6
ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 004038C9
GetProcessHeap.KERNEL32(00000000,?), ref: 004039C5
HeapFree.KERNEL32(00000000), ref: 004039CE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004039D3
HeapFree.KERNEL32(00000000), ref: 004039D6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004039DD
HeapFree.KERNEL32(00000000), ref: 004039E0
LocalFree.KERNEL32(00000000), ref: 004039E5

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Heap$Process$FreeName$Alloc$AccountLookupUser$ConvertLocalString
String ID:
API String ID: 3326663573-0
Opcode ID: 81082af4a1cd3e5adf3d15ae17c1d0ef02a80ef5388b3166f9402cb38f54a02f
Instruction ID: 167f534f4a5bc3f8c65bdd595c5ec8e1d54d44385eb9c59962b1969d814595bf
Opcode Fuzzy Hash: 81082af4a1cd3e5adf3d15ae17c1d0ef02a80ef5388b3166f9402cb38f54a02f
Instruction Fuzzy Hash: EA716DB1E00209ABDB14DFA5DC85BEFBBBCEB48300F40453AE905A7281DB749905CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 027541A7 Relevance: 22.7, APIs: 15, Instructions: 162injectionthreadmemoryCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 027541CD
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02754232
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0275424B
GetThreadContext.KERNEL32(?,00000000), ref: 02754266
ReadProcessMemory.KERNEL32(?,00434ECC,?,00000004,00000000), ref: 0275428A
GetModuleHandleA.KERNEL32(00434EE8,00434ED0), ref: 027542A5
GetProcAddress.KERNEL32(00000000), ref: 027542AC
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 027542D4
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 027542F5
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000), ref: 02754339
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000), ref: 02754375
SetThreadContext.KERNEL32(?,00000000,?,?,00000000), ref: 02754391
ResumeThread.KERNEL32(?,?,?,00000000), ref: 0275439D
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000), ref: 027543AB
VirtualFree.KERNEL32(?,00000000,00008000), ref: 027543CC

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: Process$MemoryVirtual$ThreadWrite$AllocContextFreeModule$AddressCreateFileHandleNameProcReadResume
String ID:
API String ID: 4033543172-0
Opcode ID: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
Instruction ID: 49568d744b763212b2e98cd0c818412f5909d2fa079c6506a8426ca39294f13d
Opcode Fuzzy Hash: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
Instruction Fuzzy Hash: 62516C71640218AFDB219F54DC49FEAB7B8FF08705F9000B5FA08EA2A1D7B16994CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404180 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 166networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00434EF4,00000000,00000000,00000000,00000000), ref: 0040425C
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040426E
InternetReadFile.WININET(00000000,?,03E80000,03E80000), ref: 00404281
InternetCloseHandle.WININET(00000000), ref: 00404292
InternetCloseHandle.WININET(00000000), ref: 00404295
InternetCloseHandle.WININET(00000000), ref: 004042A3
InternetCloseHandle.WININET(00000000), ref: 004042A6

Strings

runas, xrefs: 004043B4

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Internet$CloseHandle$Open$FileRead
String ID: runas
API String ID: 4294395943-4000483414
Opcode ID: fae0703545513bfb253ff8d12ed2bbd6d49dc64722ffe67a819130fce2169ef7
Instruction ID: ba1dc25ec83469701d4c7edc2e7ba4793e46b241d410edfdecdbeb0a0fce58bd
Opcode Fuzzy Hash: fae0703545513bfb253ff8d12ed2bbd6d49dc64722ffe67a819130fce2169ef7
Instruction Fuzzy Hash: 4951D571E00108ABDB14DFA4DC41BEEBB75EF85300F60816EF915B7291D7389945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00424BC4 Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00424C46
_free.LIBCMT ref: 00424C6A
_free.LIBCMT ref: 00424DF7
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004335D8), ref: 00424E09
_free.LIBCMT ref: 00424FC3

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 0fe61e17206dce54771a5055940e70056e7a200eab18ece9396fc025dad7d191
Instruction ID: 2c4f844ee906d1c5b8a05b7d4d89c1c9074c071bb98950a21f89e01ce9d05ddf
Opcode Fuzzy Hash: 0fe61e17206dce54771a5055940e70056e7a200eab18ece9396fc025dad7d191
Instruction Fuzzy Hash: 1FC17835B00128ABDB209F69EC41BAB7BA9EFC5354F94416FE550D7381E7388E01CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00405400 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,44FDFA8B,00000000), ref: 00405479
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004054E0
GetProcAddress.KERNEL32(00000000), ref: 004054E7

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: 41f166c362470559257fb6c6fdba98857b9dfdc03a0680adebd4d4756d13aeff
Instruction ID: 1307c1e28f23caf99c3cad6e9d6b2b61846357279e254348caa37701d54b456e
Opcode Fuzzy Hash: 41f166c362470559257fb6c6fdba98857b9dfdc03a0680adebd4d4756d13aeff
Instruction Fuzzy Hash: B8513971900608ABDB14DB24DD497DE7B76EB46314F5042BAE805B73C1DB389EC48F99

Uniqueness

Uniqueness Score: -1.00%

Function 0041CA80 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0041CB78
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0041CB82
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0041CB8F

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d01e7f133785e3bb0beafcf269aef2531f9dd5a62572b740f5956f5575e894ef
Instruction ID: ff4d1174fdddd5ebc348feb1509e890b27b9c9d6be8b5b558b14357fec343526
Opcode Fuzzy Hash: d01e7f133785e3bb0beafcf269aef2531f9dd5a62572b740f5956f5575e894ef
Instruction Fuzzy Hash: 8C31A275901228ABCB21DF65D989BD9BBB8AF08310F5041EAE40CA6251EB749F858F58

Uniqueness

Uniqueness Score: -1.00%

Function 0276CCE7 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0276CDDF
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0276CDE9
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0276CDF6

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d01e7f133785e3bb0beafcf269aef2531f9dd5a62572b740f5956f5575e894ef
Instruction ID: 8ca55b2bd817a58af6016c0c371f6b312ef167b68391e11cdb9cb71140cf921c
Opcode Fuzzy Hash: d01e7f133785e3bb0beafcf269aef2531f9dd5a62572b740f5956f5575e894ef
Instruction Fuzzy Hash: 5931A5759012289BCB22DF68D98CBDDBBB4BF48310F5041EAE91CA7250E7709F958F45

Uniqueness

Uniqueness Score: -1.00%

Function 0276BB68 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0276F1B5,?,0276BB67,0276C0ED,?,0276F1B5,0276C0ED,0276F1B5), ref: 0276BB8A
TerminateProcess.KERNEL32(00000000,?,0276BB67,0276C0ED,?,0276F1B5,0276C0ED,0276F1B5), ref: 0276BB91
ExitProcess.KERNEL32 ref: 0276BBA3

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
Instruction ID: 19090f5a950a68fb1ae8d05c7f6bc2785dc9dbf6c919a9f0b118a83c103ebaaa
Opcode Fuzzy Hash: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
Instruction Fuzzy Hash: 45E09231100248EBCB266B65D81CE693BA9FB46645B805434F809E6524CB75DD92DA54

Uniqueness

Uniqueness Score: -1.00%

Function 0042848D Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00428488,?,?,00000008,?,?,00428120,00000000), ref: 004286BA

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5ef4d00b5429483db4ee21fa4326bc925bf0c13a1e125d06c7f23f728c6050ca
Instruction ID: 4a71125e6f4c823a3763720cf76552cabfd479d0aa9e4c8b08dce5cb0b77843e
Opcode Fuzzy Hash: 5ef4d00b5429483db4ee21fa4326bc925bf0c13a1e125d06c7f23f728c6050ca
Instruction Fuzzy Hash: 39B17B31211618DFD714CF28D48AB697BA0FF44364F65865DE89ACF3A1CB39E982CB44

Uniqueness

Uniqueness Score: -1.00%

Function 027786F4 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,027786EF,?,?,00000008,?,?,02778387,00000000), ref: 02778921

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5ef4d00b5429483db4ee21fa4326bc925bf0c13a1e125d06c7f23f728c6050ca
Instruction ID: 79b75ed41d7dbbdfc6fb0c4e114ec491460ab3d31ad935078903e7b9429ec63c
Opcode Fuzzy Hash: 5ef4d00b5429483db4ee21fa4326bc925bf0c13a1e125d06c7f23f728c6050ca
Instruction Fuzzy Hash: 14B13D31620605DFDB15CF28C48EB657BA0FF45368F298658E89ACF2A1C335E991DF42

Uniqueness

Uniqueness Score: -1.00%

Function 00418887 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0041889D

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: d55505ce439c0c625bb69c877a6f4797faed7c5d0db0f84db7aa582d50e4da23
Instruction ID: 42c5aa6f6f7fc7f776cec8504a7906bb6cf0d019190ab3c9283af4763153d71d
Opcode Fuzzy Hash: d55505ce439c0c625bb69c877a6f4797faed7c5d0db0f84db7aa582d50e4da23
Instruction Fuzzy Hash: 92516AB2A10215CBDB18CF65D9817AEBBF4FB48314F24942BD445EB350D7789980CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 00420BA6 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97f7f4797c3a364c903861215189f8d8653831c5c514b3b47f127515a30102c
Instruction ID: 995ca3f643b73f20b77409ea83fcee654ff77a15ad0f1f03090dea471df43cee
Opcode Fuzzy Hash: d97f7f4797c3a364c903861215189f8d8653831c5c514b3b47f127515a30102c
Instruction Fuzzy Hash: FE41C4B5904228AEDB24DF69DC89AEABBB8EF45304F5442DEE40DD3211DA349E848F54

Uniqueness

Uniqueness Score: -1.00%

Function 02770E0D Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97f7f4797c3a364c903861215189f8d8653831c5c514b3b47f127515a30102c
Instruction ID: 25f72ceac5d0811b2db7a0dbd5563b7f74c0a99c5242e11352d703dd614aaca4
Opcode Fuzzy Hash: d97f7f4797c3a364c903861215189f8d8653831c5c514b3b47f127515a30102c
Instruction Fuzzy Hash: 0C418FB580421CAEDF21DF69CC88AEABBB9EF45304F5442EDE45DE3210DA359E858F50

Uniqueness

Uniqueness Score: -1.00%

Function 00418BCC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00018BD8,004186D1), ref: 00418BD1

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5b644bd4298714589124608af917b149a8cdb7aa3ad9eb7150b270449828aa51
Instruction ID: fb13876baf3060654c4d3ec658a032312c050c0c5ceb920d56ad85ce90fc2474
Opcode Fuzzy Hash: 5b644bd4298714589124608af917b149a8cdb7aa3ad9eb7150b270449828aa51
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02768E33 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00418BD8,02768938), ref: 02768E38

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5b644bd4298714589124608af917b149a8cdb7aa3ad9eb7150b270449828aa51
Instruction ID: fb13876baf3060654c4d3ec658a032312c050c0c5ceb920d56ad85ce90fc2474
Opcode Fuzzy Hash: 5b644bd4298714589124608af917b149a8cdb7aa3ad9eb7150b270449828aa51
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00432890 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3a9157b277817cb60641082f1e4f8ca4ec7dff310ffa31a6fd9bf35832d5c1
Instruction ID: 2ed8bcd71233cdd26d40d40588c8b3db03f02c46a7ead0be40a967f157380f8c
Opcode Fuzzy Hash: 5a3a9157b277817cb60641082f1e4f8ca4ec7dff310ffa31a6fd9bf35832d5c1
Instruction Fuzzy Hash: F3E1875548E3C15FD7138B3449B5681BF70AE23114B1E96DBCCDA8E4A7D24CAA0EE732

Uniqueness

Uniqueness Score: -1.00%

Function 00429470 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 836b6cb189818071d5d152d6c3d8cd1a25b1ac1f9bf822a59482dcdb2b2a5351
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 3B115B7730407157D605DA3DF8B46BBA395EFC9320FAC437BC0424B748D22A9C839508

Uniqueness

Uniqueness Score: -1.00%

Function 027796D7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 47a5988ad1152b791bbdb134366d72e9f97da065f643aa92ec92dba43ce64b87
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: C211C47B243193C39E148E2DD9F42F6A799EAC5128B2D4A6AD3428B658D332E145DA80

Uniqueness

Uniqueness Score: -1.00%

Function 02750D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 101a31cfbdbd36781ccd57c37aaf3eaf53161d82e8e2d64777ab4f23b8630046
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: B2012672A106108FDF21DF20C804BAAB3F5FB8A306F1540B4DD0AD7282E3B0A841CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF02 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ad719187851a61f309ddbb2cee80a5110ae42387cecf94a10a94091515ac20
Instruction ID: 75fb159916dc4249806a39f04cce895c1ac82e6549e7b4276809d1188ffe9861
Opcode Fuzzy Hash: e0ad719187851a61f309ddbb2cee80a5110ae42387cecf94a10a94091515ac20
Instruction Fuzzy Hash: 70E046B2921228EBCB24DF8999049CAF3ECEB49B04B2100AAB502D3200C274DF41C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 0276E169 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ad719187851a61f309ddbb2cee80a5110ae42387cecf94a10a94091515ac20
Instruction ID: 2d512d3db21468ee4c20aeb3da59541ea0d668c7a38b958442acfd37a75affd8
Opcode Fuzzy Hash: e0ad719187851a61f309ddbb2cee80a5110ae42387cecf94a10a94091515ac20
Instruction Fuzzy Hash: 03E08C32912228EBCB19DB98D908D9AF7FEEB44B04B1544A6F902E3500C270DE00DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0042260F Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00422653

Part of subcall function 004221EC: _free.LIBCMT ref: 00422209
Part of subcall function 004221EC: _free.LIBCMT ref: 0042221B
Part of subcall function 004221EC: _free.LIBCMT ref: 0042222D
Part of subcall function 004221EC: _free.LIBCMT ref: 0042223F
Part of subcall function 004221EC: _free.LIBCMT ref: 00422251
Part of subcall function 004221EC: _free.LIBCMT ref: 00422263
Part of subcall function 004221EC: _free.LIBCMT ref: 00422275
Part of subcall function 004221EC: _free.LIBCMT ref: 00422287
Part of subcall function 004221EC: _free.LIBCMT ref: 00422299
Part of subcall function 004221EC: _free.LIBCMT ref: 004222AB
Part of subcall function 004221EC: _free.LIBCMT ref: 004222BD
Part of subcall function 004221EC: _free.LIBCMT ref: 004222CF
Part of subcall function 004221EC: _free.LIBCMT ref: 004222E1

_free.LIBCMT ref: 00422648

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 0042266A
_free.LIBCMT ref: 0042267F
_free.LIBCMT ref: 0042268A
_free.LIBCMT ref: 004226AC
_free.LIBCMT ref: 004226BF
_free.LIBCMT ref: 004226CD
_free.LIBCMT ref: 004226D8
_free.LIBCMT ref: 00422710
_free.LIBCMT ref: 00422717
_free.LIBCMT ref: 00422734
_free.LIBCMT ref: 0042274C

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2ebc8ac26202a0620aa625b36a1d2a8fe7bc692bad1c871fd446d657effbc3a9
Instruction ID: 87a383156b0838ac626f9c2c6038cf6ce1f5ffd7cd3d592d57855f9c4539c293
Opcode Fuzzy Hash: 2ebc8ac26202a0620aa625b36a1d2a8fe7bc692bad1c871fd446d657effbc3a9
Instruction Fuzzy Hash: B6319272604211BFEB205A76EA45B9B73E5AF80358F50441FE849D7251DFBCED80DB18

Uniqueness

Uniqueness Score: -1.00%

Function 02772876 Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 027728BA

Part of subcall function 02772453: _free.LIBCMT ref: 02772470
Part of subcall function 02772453: _free.LIBCMT ref: 02772482
Part of subcall function 02772453: _free.LIBCMT ref: 02772494
Part of subcall function 02772453: _free.LIBCMT ref: 027724A6
Part of subcall function 02772453: _free.LIBCMT ref: 027724B8
Part of subcall function 02772453: _free.LIBCMT ref: 027724CA
Part of subcall function 02772453: _free.LIBCMT ref: 027724DC
Part of subcall function 02772453: _free.LIBCMT ref: 027724EE
Part of subcall function 02772453: _free.LIBCMT ref: 02772500
Part of subcall function 02772453: _free.LIBCMT ref: 02772512
Part of subcall function 02772453: _free.LIBCMT ref: 02772524
Part of subcall function 02772453: _free.LIBCMT ref: 02772536
Part of subcall function 02772453: _free.LIBCMT ref: 02772548

_free.LIBCMT ref: 027728AF

Part of subcall function 0276E808: HeapFree.KERNEL32(00000000,00000000,?,027725E4,?,00000000,?,?,?,0277260B,?,00000007,?,?,02772A0D,?), ref: 0276E81E
Part of subcall function 0276E808: GetLastError.KERNEL32(?,?,027725E4,?,00000000,?,?,?,0277260B,?,00000007,?,?,02772A0D,?,?), ref: 0276E830

_free.LIBCMT ref: 027728D1
_free.LIBCMT ref: 027728E6
_free.LIBCMT ref: 027728F1
_free.LIBCMT ref: 02772913
_free.LIBCMT ref: 02772926
_free.LIBCMT ref: 02772934
_free.LIBCMT ref: 0277293F
_free.LIBCMT ref: 02772977
_free.LIBCMT ref: 0277297E
_free.LIBCMT ref: 0277299B
_free.LIBCMT ref: 027729B3

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2ebc8ac26202a0620aa625b36a1d2a8fe7bc692bad1c871fd446d657effbc3a9
Instruction ID: 9a60ce04eecac8abc32cd4ae9b6ae397bb149c5fc544f9e40773165f2afdcaf4
Opcode Fuzzy Hash: 2ebc8ac26202a0620aa625b36a1d2a8fe7bc692bad1c871fd446d657effbc3a9
Instruction Fuzzy Hash: F3313E716003069FEF22AA79D84DB6A77EAEF00314F245429EC65E7151DF75E980CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00419B27 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00419C22
type_info::operator==.LIBVCRUNTIME ref: 00419C49
___TypeMatch.LIBVCRUNTIME ref: 00419D55
IsInExceptionSpec.LIBVCRUNTIME ref: 00419E30
_UnwindNestedFrames.LIBCMT ref: 00419EB7
CallUnexpected.LIBVCRUNTIME ref: 00419ED2

Strings

csm, xrefs: 00419C80
csm, xrefs: 00419BCF
csm, xrefs: 00419B62

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 7c1fb931e7428280153d6c09b5a5c630754522480dfed903c9c8a59691bc5c1e
Instruction ID: d03aefa22aee8cf5aa416bea0a170c685dbf4c7cd79984a2e6415da9b3a38480
Opcode Fuzzy Hash: 7c1fb931e7428280153d6c09b5a5c630754522480dfed903c9c8a59691bc5c1e
Instruction Fuzzy Hash: 49C18871900209EFCF29DFA5D8A19EEBBB5BF04314F14405BE8516B242D339DE91CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 02769D8E Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 02769E89
type_info::operator==.LIBVCRUNTIME ref: 02769EB0
___TypeMatch.LIBVCRUNTIME ref: 02769FBC
IsInExceptionSpec.LIBVCRUNTIME ref: 0276A097
_UnwindNestedFrames.LIBCMT ref: 0276A11E
CallUnexpected.LIBVCRUNTIME ref: 0276A139

Strings

csm, xrefs: 02769DC9
csm, xrefs: 02769E36
csm, xrefs: 02769EE7

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 7c1fb931e7428280153d6c09b5a5c630754522480dfed903c9c8a59691bc5c1e
Instruction ID: ba7172ad64488b7f179499febd723124d01f242f16dafd78cfdfde122e78fa9b
Opcode Fuzzy Hash: 7c1fb931e7428280153d6c09b5a5c630754522480dfed903c9c8a59691bc5c1e
Instruction Fuzzy Hash: D2C15771800209EFCF2ADFA4C988ABEBBB6AF09714F14415AED017B251E731DA55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00408B5C Relevance: 15.2, APIs: 10, Instructions: 219networkfileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00408BAC
InternetOpenA.WININET(0043432B,00000000,00000000,00000000,00000000), ref: 00408BC2
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00408BE2
InternetReadFile.WININET(00000000,00000000,?,?), ref: 00408BF3
WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00408C15
InternetReadFile.WININET(00000000,00000000,?,?), ref: 00408C20
CloseHandle.KERNEL32(?), ref: 00408C32
InternetCloseHandle.WININET(?), ref: 00408C41
InternetCloseHandle.WININET(00000000), ref: 00408C44
RemoveDirectoryA.KERNEL32(00000000,?,?,?), ref: 00408CFD

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateDirectoryRemoveWrite
String ID:
API String ID: 1496009958-0
Opcode ID: 7836158d722f943eb13c0f572eb15de27d04c743bee1a8dc89097e857feb2d98
Instruction ID: e39da941a42be4000a8416f9d2a6f8c848e32a180712f45a109694aa4e2734ce
Opcode Fuzzy Hash: 7836158d722f943eb13c0f572eb15de27d04c743bee1a8dc89097e857feb2d98
Instruction Fuzzy Hash: 6E71EF71600208ABEB14DF64DD85BEE7735EF44304F50423EF945AB2D1DB38A980CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED7A Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041ED90

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 0041ED9C
_free.LIBCMT ref: 0041EDA7
_free.LIBCMT ref: 0041EDB2
_free.LIBCMT ref: 0041EDBD
_free.LIBCMT ref: 0041EDC8
_free.LIBCMT ref: 0041EDD3
_free.LIBCMT ref: 0041EDDE
_free.LIBCMT ref: 0041EDE9
_free.LIBCMT ref: 0041EDF7

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b518f20b764996853f57fbd2a3fdc4e7bf3deb810a08f9cd0b2a52dd965201da
Instruction ID: e610bd300bd5c2f85586062e27af9f16ff799e012d6f089a2169b26ee7872c24
Opcode Fuzzy Hash: b518f20b764996853f57fbd2a3fdc4e7bf3deb810a08f9cd0b2a52dd965201da
Instruction Fuzzy Hash: ED219CBA910108BFCB41EF96C941DDD7BF6BF88344F00416AF9199B121EB35DA84DB84

Uniqueness

Uniqueness Score: -1.00%

Function 0276EFE1 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0276EFF7

Part of subcall function 0276E808: HeapFree.KERNEL32(00000000,00000000,?,027725E4,?,00000000,?,?,?,0277260B,?,00000007,?,?,02772A0D,?), ref: 0276E81E
Part of subcall function 0276E808: GetLastError.KERNEL32(?,?,027725E4,?,00000000,?,?,?,0277260B,?,00000007,?,?,02772A0D,?,?), ref: 0276E830

_free.LIBCMT ref: 0276F003
_free.LIBCMT ref: 0276F00E
_free.LIBCMT ref: 0276F019
_free.LIBCMT ref: 0276F024
_free.LIBCMT ref: 0276F02F
_free.LIBCMT ref: 0276F03A
_free.LIBCMT ref: 0276F045
_free.LIBCMT ref: 0276F050
_free.LIBCMT ref: 0276F05E

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b518f20b764996853f57fbd2a3fdc4e7bf3deb810a08f9cd0b2a52dd965201da
Instruction ID: 3ba85a530b3435ceb1eb288e90ee44e27f8abb9ccbf60d24889cb71dce7be236
Opcode Fuzzy Hash: b518f20b764996853f57fbd2a3fdc4e7bf3deb810a08f9cd0b2a52dd965201da
Instruction Fuzzy Hash: 3221987A910109AFDB42EF94C889DEE7FB9EF08340F415566E915AB120DB31EA94CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00426582 Relevance: 13.8, APIs: 9, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ce67aa41b5f7f4889b1a1a20be5028291e55dfd00ef2a2d6d7ad31bcea8bed
Instruction ID: 5128a0cef717139e7719faf6ed0b9fe75c650819d7ce78bb109199c1610a9dbc
Opcode Fuzzy Hash: f5ce67aa41b5f7f4889b1a1a20be5028291e55dfd00ef2a2d6d7ad31bcea8bed
Instruction Fuzzy Hash: D3C114B4B002159FDF11DF99E880BAEBBB0BF49304F51406AE914A7382C7789D81CF69

Uniqueness

Uniqueness Score: -1.00%

Function 027767E9 Relevance: 13.8, APIs: 9, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ce67aa41b5f7f4889b1a1a20be5028291e55dfd00ef2a2d6d7ad31bcea8bed
Instruction ID: 46dfa1866fdf9769d30b82b9e5f9b3ab5a036a43473f158a321cd048c6f5b6d3
Opcode Fuzzy Hash: f5ce67aa41b5f7f4889b1a1a20be5028291e55dfd00ef2a2d6d7ad31bcea8bed
Instruction Fuzzy Hash: B3C1F4B0A04745AFDF16CF98C888BBDBBB9BF49304F14816AE944A7399C7309941CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00421A27 Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00421A51
_free.LIBCMT ref: 00421B2A
_free.LIBCMT ref: 00421B57

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 17a2c5d05d88992eb6c4295c13d4ba7d46687f58b453e92c494b9aad345095be
Instruction ID: f188bb2de727b7b751c2d84351da10a70f250225146cef8743706f99745805fe
Opcode Fuzzy Hash: 17a2c5d05d88992eb6c4295c13d4ba7d46687f58b453e92c494b9aad345095be
Instruction Fuzzy Hash: 0E518C74F44324AFDB24AFB7A881A6E7BB4AF11314F54416FE410972A1EA3D8940CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 02771C8E Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 02771CB8
_free.LIBCMT ref: 02771D91
_free.LIBCMT ref: 02771DBE

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 17a2c5d05d88992eb6c4295c13d4ba7d46687f58b453e92c494b9aad345095be
Instruction ID: 12afe521a9fcdd2c3e69018d01e128c62f597ce4837920bd9ba39743c19fa815
Opcode Fuzzy Hash: 17a2c5d05d88992eb6c4295c13d4ba7d46687f58b453e92c494b9aad345095be
Instruction Fuzzy Hash: CF51D471D04305AFEF21EF698889E6E7BB5EF02314F94426ED958A7280EBB19540CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02753A37 Relevance: 10.7, APIs: 7, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000), ref: 02753AA1
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 02753AD2
RtlAllocateHeap.NTDLL(00000000), ref: 02753AE0
RtlAllocateHeap.NTDLL(00000000), ref: 02753AF3
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 02753B1D
ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 02753B30
LocalFree.KERNEL32(00000000), ref: 02753C4C

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeap$AccountLookupName$ConvertFreeLocalString
String ID:
API String ID: 856199767-0
Opcode ID: a21390300934cd29b774af7455bbd4a5da11480314e204e02bb9cb101a81b481
Instruction ID: 797eff8db7a2c54cd32f25e40976ad5c0635eccd7ab1fb7492cebe1ab7619208
Opcode Fuzzy Hash: a21390300934cd29b774af7455bbd4a5da11480314e204e02bb9cb101a81b481
Instruction Fuzzy Hash: 1A71A2B1E00219AFDB14DFA4DC88FBFBBB9EF44344F40416AE905A7291DB759909CB60

Uniqueness

Uniqueness Score: -1.00%

Function 004194D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00419507
___except_validate_context_record.LIBVCRUNTIME ref: 0041950F
_ValidateLocalCookies.LIBCMT ref: 00419598
__IsNonwritableInCurrentImage.LIBCMT ref: 004195C3
_ValidateLocalCookies.LIBCMT ref: 00419618

Strings

csm, xrefs: 004195AD

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 170db4f13a52bbc04fbb15fe7ab42c90d24a7c19ae8ceb0e3c19913b98646896
Instruction ID: cf6a3be1c1e6f4323defd25786acadca5afaa418f9c93884064ec3a043526e94
Opcode Fuzzy Hash: 170db4f13a52bbc04fbb15fe7ab42c90d24a7c19ae8ceb0e3c19913b98646896
Instruction Fuzzy Hash: 09411A31A00214AFCF11DF69C890ADEBBB1BF45318F54806BE8146B352D739DE96CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041F14C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 0041F1A3
ext-ms-, xrefs: 0041F1B7

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: d346eea9aafd959945e16ecfc9ebbe047e966c499b5e8e0d3b3e0bbc48b51e8c
Instruction ID: 8946f5363388c355846af12649c4142b4e9cf4c5f65ba016e67a922269825e5f
Opcode Fuzzy Hash: d346eea9aafd959945e16ecfc9ebbe047e966c499b5e8e0d3b3e0bbc48b51e8c
Instruction Fuzzy Hash: 3521C672A41221FBCB318A24DC45A9B3778AB017A0F650532ED15A7391D638ED4BC5DC

Uniqueness

Uniqueness Score: -1.00%

Function 0042238B Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00422353: _free.LIBCMT ref: 00422378

_free.LIBCMT ref: 004223D9

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 004223E4
_free.LIBCMT ref: 004223EF
_free.LIBCMT ref: 00422443
_free.LIBCMT ref: 0042244E
_free.LIBCMT ref: 00422459
_free.LIBCMT ref: 00422464

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 745ba4c7df38b0c8b3501d58b22aa89868de86b005191e755d783c3d27d16807
Instruction ID: 3666b1e76cecdb1a9706d82e7bd79ae187b091a1e89744abee2c0a3d449e73e2
Opcode Fuzzy Hash: 745ba4c7df38b0c8b3501d58b22aa89868de86b005191e755d783c3d27d16807
Instruction Fuzzy Hash: C611E471601714BAD921F7B2DD47FCB77DD5F0834CF84881EBACD6A052D6ACB6514604

Uniqueness

Uniqueness Score: -1.00%

Function 027725F2 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 027725BA: _free.LIBCMT ref: 027725DF

_free.LIBCMT ref: 02772640

Part of subcall function 0276E808: HeapFree.KERNEL32(00000000,00000000,?,027725E4,?,00000000,?,?,?,0277260B,?,00000007,?,?,02772A0D,?), ref: 0276E81E
Part of subcall function 0276E808: GetLastError.KERNEL32(?,?,027725E4,?,00000000,?,?,?,0277260B,?,00000007,?,?,02772A0D,?,?), ref: 0276E830

_free.LIBCMT ref: 0277264B
_free.LIBCMT ref: 02772656
_free.LIBCMT ref: 027726AA
_free.LIBCMT ref: 027726B5
_free.LIBCMT ref: 027726C0
_free.LIBCMT ref: 027726CB

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 745ba4c7df38b0c8b3501d58b22aa89868de86b005191e755d783c3d27d16807
Instruction ID: 690ef06092df6abb4de141e229026613ed6bdcd8bff58440342f608cb0b01082
Opcode Fuzzy Hash: 745ba4c7df38b0c8b3501d58b22aa89868de86b005191e755d783c3d27d16807
Instruction Fuzzy Hash: F9114F72540B14AAEA23F7B0CC1EFDB77DFAF01700F400825BEA9A6051DA65B5548E50

Uniqueness

Uniqueness Score: -1.00%

Function 00423A46 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00405880,00000000), ref: 00423A8E
__fassign.LIBCMT ref: 00423C6D
__fassign.LIBCMT ref: 00423C8A
WriteFile.KERNEL32(?,00405880,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00423CD2
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00423D12
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00423DBE

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 5a0c35df1f21bdc5310913443ad541efee69954072d07ce9ea6e444a121a2afd
Instruction ID: 55294dd1ed643e62d688e25fe7fc8b93d32e6dca02253c809cdcf0ede3e7f937
Opcode Fuzzy Hash: 5a0c35df1f21bdc5310913443ad541efee69954072d07ce9ea6e444a121a2afd
Instruction Fuzzy Hash: 21D1A075E002689FCF15CFA8D8809EDBBB5BF48314F64016AE455FB342D738AA46CB58

Uniqueness

Uniqueness Score: -1.00%

Function 02773CAD Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,02755AE7,00000000), ref: 02773CF5
__fassign.LIBCMT ref: 02773ED4
__fassign.LIBCMT ref: 02773EF1
WriteFile.KERNEL32(?,02755AE7,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02773F39
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 02773F79
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 02774025

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: e542d5d4a89b9a95555eca30389ef7d2b429d4e8e228d9549bf9bdf1a88ffcb9
Instruction ID: 0d6d3bd5e39ce660a7c22d15134d7d5af99a88c8c978f923b85629f5209df37b
Opcode Fuzzy Hash: e542d5d4a89b9a95555eca30389ef7d2b429d4e8e228d9549bf9bdf1a88ffcb9
Instruction Fuzzy Hash: D5D19B75D002589FCF15CFA8C8949EDBBB5BF49314F2801AAE855FB242D731AA46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 004197F0 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004197E7,004193D7,00418C1C), ref: 004197FE
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0041980C
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00419825
SetLastError.KERNEL32(00000000,004197E7,004193D7,00418C1C), ref: 00419877

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction ID: 71a7697fc03e6214697c45e1a132a8316019e6706060db725442c6d2a3e753c8
Opcode Fuzzy Hash: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction Fuzzy Hash: F101D8326293115EE62C3B76AE959D72774EF067B8720023FF120441F1EF594C95D58D

Uniqueness

Uniqueness Score: -1.00%

Function 02769A57 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,02769A4E,0276963E,02768E83), ref: 02769A65
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 02769A73
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02769A8C
SetLastError.KERNEL32(00000000,02769A4E,0276963E,02768E83), ref: 02769ADE

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction ID: 77eefdde2cad2ea3807d51ddf95d696e0c908912cc45292b88bfd5752bde6228
Opcode Fuzzy Hash: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction Fuzzy Hash: 1001D432609712DFE72927B57E8CA363AF6EB45774724023AEE10604F0EF634C05D948

Uniqueness

Uniqueness Score: -1.00%

Function 027543E7 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 166networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00434EF4,00000000,00000000,00000000,00000000), ref: 027544C3
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 027544D5
InternetReadFile.WININET(00000000,?,03E80000,03E80000), ref: 027544E8

Strings

+CC, xrefs: 02754621
runas, xrefs: 0275461B

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: Internet$Open$FileRead
String ID: +CC$runas
API String ID: 72386350-2150734417
Opcode ID: f629ccd115f1b0a5505da88cd8cf5212883000edcb5ff7f417580e889bd18442
Instruction ID: f235b078d8e5cd8d1ce9ce8e8a15bf9b04223d9607ea949ab54a873c36bfd279
Opcode Fuzzy Hash: f629ccd115f1b0a5505da88cd8cf5212883000edcb5ff7f417580e889bd18442
Instruction Fuzzy Hash: F851F572E00128AFDB14DFA4CC95FEEBB76EF48700F608129E811B7280DB759944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00420F7C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00420F81

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe
API String ID: 0-517116171
Opcode ID: d9fd3d3f386e086f16d5e96c86dfc6c05a3e177acafcacdda8c025444d2164cb
Instruction ID: f2c65a4c72dcbe00dc32dc221c8eb50b3435d1ebdf66b1fbb5bbc6e11338d05a
Opcode Fuzzy Hash: d9fd3d3f386e086f16d5e96c86dfc6c05a3e177acafcacdda8c025444d2164cb
Instruction Fuzzy Hash: CB210A713001257F97206F71ED81D6BB7ADAF103A8750462BF828D7691D778DC818799

Uniqueness

Uniqueness Score: -1.00%

Function 027711E3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 027711E8

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe
API String ID: 0-517116171
Opcode ID: 58ea943009bd374bebf7ec5987a08b3fa813e305a807f4d2fcbf4f6ae6d6cbf6
Instruction ID: a1691d8b73b000e1f75bc6cc6df190d83291ed8a3eacfc4bde1cc85a5015f106
Opcode Fuzzy Hash: 58ea943009bd374bebf7ec5987a08b3fa813e305a807f4d2fcbf4f6ae6d6cbf6
Instruction Fuzzy Hash: 4C218E72B04205BF9F21AF659C88E7B77AEAB153647404665ED69D7550EB20EC008FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3D6 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0041C418

Strings

.exe, xrefs: 0041C425
.com, xrefs: 0041C458
.cmd, xrefs: 0041C436
.bat, xrefs: 0041C447

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 19671788b65354572937ca0f5259cacd468799deb2890a42aa5f1fe1ebfecd1d
Instruction ID: baa428b651ab7fadd2aefce0a8d8cefe58070258f098f4f191bca89b56dcb2ea
Opcode Fuzzy Hash: 19671788b65354572937ca0f5259cacd468799deb2890a42aa5f1fe1ebfecd1d
Instruction Fuzzy Hash: 7E012B3BA8C635212624101AEC62BF717988B96FB8B25412FF854F72C1ED9DEC8205DC

Uniqueness

Uniqueness Score: -1.00%

Function 0041A897 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 0041A8E7

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: d7b12ed5c3c764c8b82cc7f1cf76b5788b814adb9963f19d14a8505e8bb0b4a8
Instruction ID: 8addbc20e8b4f1572ca5f78bff053ba989236767de5a1c4d832f47c373f0c560
Opcode Fuzzy Hash: d7b12ed5c3c764c8b82cc7f1cf76b5788b814adb9963f19d14a8505e8bb0b4a8
Instruction Fuzzy Hash: 2B112C71A12221EBC7314B249D44AAB37689F017B4B624933ED45AB390D738DDE1C5DE

Uniqueness

Uniqueness Score: -1.00%

Function 0041B943 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0041B938,?,?,0041B900,0041BE86,?,NA), ref: 0041B958
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041B96B
FreeLibrary.KERNEL32(00000000,?,?,0041B938,?,?,0041B900,0041BE86,?,NA), ref: 0041B98E

Strings

mscoree.dll, xrefs: 0041B951
CorExitProcess, xrefs: 0041B963

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: af14fd2dde53d7be7e540de01eeb28501674720f1683c90e0ca13ac16e635f3d
Instruction ID: 6ab08718997dcf592451d77b1cbf540418157bbc441c253cf8170436862d5d78
Opcode Fuzzy Hash: af14fd2dde53d7be7e540de01eeb28501674720f1683c90e0ca13ac16e635f3d
Instruction Fuzzy Hash: 52F08230651218FBDB259B50DD0ABEEBA78DF44759F900175A504A1260CB788E46DA98

Uniqueness

Uniqueness Score: -1.00%

Function 02774E2B Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02774EAD
_free.LIBCMT ref: 02774ED1
_free.LIBCMT ref: 0277505E
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004335D8), ref: 02775070
_free.LIBCMT ref: 0277522A

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: cd66b27a8385d4536588664ec460c84106157103f67aa985b2529d6009eaf611
Instruction ID: ee50c6848bb474b5af7ccc4471fe8fa1f30a3597846ecea4035693242deb34ac
Opcode Fuzzy Hash: cd66b27a8385d4536588664ec460c84106157103f67aa985b2529d6009eaf611
Instruction Fuzzy Hash: 71C13972A002459FDF21DF78CC68BBE7BFAEF46314F58416AD84097290E7708A41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00426FA9 Relevance: 7.7, APIs: 5, Instructions: 244COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00CA43C0,00CA43C0,?,7FFFFFFF,?,?,00427265,00CA43C0,00CA43C0,?,00CA43C0,?,?,?,?,00CA43C0), ref: 0042704C
__alloca_probe_16.LIBCMT ref: 00427102
__alloca_probe_16.LIBCMT ref: 00427198
__freea.LIBCMT ref: 00427203
__freea.LIBCMT ref: 0042720F

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: c559a93f2d06cee59e46b38ea2fc726286989e451536d90b3fb509578e86aae3
Instruction ID: f6d9b8f12c634194a1b411eace1e19527ea88e01b30f60a4b5a6e0b516c13e2d
Opcode Fuzzy Hash: c559a93f2d06cee59e46b38ea2fc726286989e451536d90b3fb509578e86aae3
Instruction Fuzzy Hash: 4481E472B082259BDF219EA5AC41EEF7BB5EF09354F98005BF804A7341D62DCC458BB9

Uniqueness

Uniqueness Score: -1.00%

Function 004258D4 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00425958
__alloca_probe_16.LIBCMT ref: 00425A1E
__freea.LIBCMT ref: 00425A8A

Part of subcall function 0041EA8A: HeapAlloc.KERNEL32(00000000,?,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EABC

__freea.LIBCMT ref: 00425A93
__freea.LIBCMT ref: 00425AB6

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 801bfc73f5307c034d341afffc150cc0786828de70bde5b9b10ebb0cec96e4eb
Instruction ID: 7e0d7c363e2f027523b7077ca53f82abc72318da18e9cc0c3b19bc4bba63112a
Opcode Fuzzy Hash: 801bfc73f5307c034d341afffc150cc0786828de70bde5b9b10ebb0cec96e4eb
Instruction Fuzzy Hash: 8351E672700626AFDB209F95EC86EBF37A9EF44764F95422AFC04D7240E778DC418698

Uniqueness

Uniqueness Score: -1.00%

Function 0041C10E Relevance: 7.6, APIs: 5, Instructions: 141pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0041C040), ref: 0041C130
GetFileInformationByHandle.KERNEL32(?,?), ref: 0041C18A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0041C040,?,000000FF,00000000,00000000), ref: 0041C218
__dosmaperr.LIBCMT ref: 0041C21F
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0041C25C

Part of subcall function 0041C484: __dosmaperr.LIBCMT ref: 0041C4B9

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
Instruction ID: 0071a9752275d4edb8b9c21b1954eb469a97b67ce05b4548820d0adabff3a4d5
Opcode Fuzzy Hash: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
Instruction Fuzzy Hash: B7413C75940204AFDB249FA5DC859EFBBF9EF89700B00452EF856D3610E7389885CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0276C375 Relevance: 7.6, APIs: 5, Instructions: 141pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0276C2A7), ref: 0276C397
GetFileInformationByHandle.KERNEL32(?,?), ref: 0276C3F1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0276C2A7,?,000000FF,00000000,00000000), ref: 0276C47F
__dosmaperr.LIBCMT ref: 0276C486
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0276C4C3

Part of subcall function 0276C6EB: __dosmaperr.LIBCMT ref: 0276C720

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
Instruction ID: f2dce3c38de29645b90e79dc8f8b0570afbde7ff417312c7869cdcd7de206402
Opcode Fuzzy Hash: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
Instruction Fuzzy Hash: 2C412EB5900204ABDB26DFA5DC4D9BFBFF9EF49700B04452EE996D3A10E7309845CB60

Uniqueness

Uniqueness Score: -1.00%

Function 004222EA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00422302

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 00422314
_free.LIBCMT ref: 00422326
_free.LIBCMT ref: 00422338
_free.LIBCMT ref: 0042234A

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a090e3dca2e19da394a01cead958df991e42452585b2f6658ee12e14c4d52992
Instruction ID: 8eed935d1f0a41e2b9dbe60b1656bd2ba3e28f3ae1fefd92f9cbf16fd4f54630
Opcode Fuzzy Hash: a090e3dca2e19da394a01cead958df991e42452585b2f6658ee12e14c4d52992
Instruction Fuzzy Hash: 04F04472501210B78520DBA6F6C2C4B73DAAB94355794180AF809D7641C77CFD81866C

Uniqueness

Uniqueness Score: -1.00%

Function 02772551 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 02772569

Part of subcall function 0276E808: HeapFree.KERNEL32(00000000,00000000,?,027725E4,?,00000000,?,?,?,0277260B,?,00000007,?,?,02772A0D,?), ref: 0276E81E
Part of subcall function 0276E808: GetLastError.KERNEL32(?,?,027725E4,?,00000000,?,?,?,0277260B,?,00000007,?,?,02772A0D,?,?), ref: 0276E830

_free.LIBCMT ref: 0277257B
_free.LIBCMT ref: 0277258D
_free.LIBCMT ref: 0277259F
_free.LIBCMT ref: 027725B1

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a090e3dca2e19da394a01cead958df991e42452585b2f6658ee12e14c4d52992
Instruction ID: 8e5291c93d8933e4aeb2202cc74c5f8312492be2912c7737044130de530b1904
Opcode Fuzzy Hash: a090e3dca2e19da394a01cead958df991e42452585b2f6658ee12e14c4d52992
Instruction Fuzzy Hash: 79F06232811215ABDA20DB58E4DEC2A73DEEB00714BA42865F854D7540CB70FCC08A64

Uniqueness

Uniqueness Score: -1.00%

Function 0275E207 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

#, xrefs: 0275F9BB

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: #
API String ID: 3677997916-1885708031
Opcode ID: 4d26a9903dbf7e4ba4290750e16a9ab8299c95c43a50e3bd25ecedede5d2791d
Instruction ID: 7807f8706a2a98856709ee0ef03dc5717255c5c9c56eebd0d3a4cea47453a7ff
Opcode Fuzzy Hash: 4d26a9903dbf7e4ba4290750e16a9ab8299c95c43a50e3bd25ecedede5d2791d
Instruction Fuzzy Hash: C112AF70900298DBEB15DF68C94CBDDBFB6AF06308F548199D844673C2D7B95A88CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0275FC87 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 485COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 02760580
std::_Xinvalid_argument.LIBCPMT ref: 0276058F

Strings

", xrefs: 02760072
%, xrefs: 027602AE

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_
String ID: "$%
API String ID: 909987262-2120515197
Opcode ID: c099b85426fcf12805a5928d4c4bd781302b2ff8f44ebcaca473b76456323364
Instruction ID: 1acf68138820871216cdf77e87ffbcbca9dd7e9aaf99845560ca50bddfc0ac9f
Opcode Fuzzy Hash: c099b85426fcf12805a5928d4c4bd781302b2ff8f44ebcaca473b76456323364
Instruction Fuzzy Hash: 9002F7B1A002589BDF15EF38CD4D7AC7B66AF86304F54419CEC4457282DB759B888F93

Uniqueness

Uniqueness Score: -1.00%

Function 004209B7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00420B51

Strings

*?, xrefs: 004209FA

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 4349432449d004c56f1fbb459abf86acb5202655a551f523de74eb3488688e5f
Instruction ID: 7415b14c5d0124b7c9719d17695bca9e12f23279d28e73ebbb8fdbf8e8460f59
Opcode Fuzzy Hash: 4349432449d004c56f1fbb459abf86acb5202655a551f523de74eb3488688e5f
Instruction Fuzzy Hash: 5661A1B5E002299FCB14CFA9D8815EEFBF5EF48314B54816AE805F7301E735AE418B94

Uniqueness

Uniqueness Score: -1.00%

Function 02770C1E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02770DB8

Strings

*?, xrefs: 02770C61

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 4349432449d004c56f1fbb459abf86acb5202655a551f523de74eb3488688e5f
Instruction ID: 9132b5f6416f2435e7835eceeb710ff179bfd16cfaee2d3502c3c8f98f1f05f9
Opcode Fuzzy Hash: 4349432449d004c56f1fbb459abf86acb5202655a551f523de74eb3488688e5f
Instruction Fuzzy Hash: 5A6138B6E00219AFDF15CFA9C8849EDFBF5EF48314B24816AD855E7300E771AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0275B507 Relevance: 6.4, APIs: 4, Instructions: 351fileCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 0275B565
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0275B784
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?), ref: 0275B8A4
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0275B9F0

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: File$CopyCreateDirectoryModuleNamePathTemp
String ID:
API String ID: 2256340497-0
Opcode ID: 69506e0b47fdf4355df82a24afce3d41012599873781e6f53ce1b916386e2bff
Instruction ID: edf038f38d3fa5cdae65f0c9cae46b82194b5a1588214de4abedea2996d9f813
Opcode Fuzzy Hash: 69506e0b47fdf4355df82a24afce3d41012599873781e6f53ce1b916386e2bff
Instruction Fuzzy Hash: 23D128B1A001288BDB25DB24CC897EDB776AF45308F5441DCDA08A72C6DB755FC88F56

Uniqueness

Uniqueness Score: -1.00%

Function 004198D0 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00419997
___AdjustPointer.LIBCMT ref: 004199BA
___AdjustPointer.LIBCMT ref: 00419A56

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 7e8d2a906245dc524fe8c50e746b229fe3151c293ccc1eab8f3b2c5d31764d92
Instruction ID: a8cd01a110c9a5ba9b93cdf8b6ca506de852c713b8af7688bfec1274bd28d331
Opcode Fuzzy Hash: 7e8d2a906245dc524fe8c50e746b229fe3151c293ccc1eab8f3b2c5d31764d92
Instruction Fuzzy Hash: 3251D0B2601286AFDB298F15D861BEA77A4EF04314F24012FE84646391E739ECC1C799

Uniqueness

Uniqueness Score: -1.00%

Function 02769B37 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 02769BFE
___AdjustPointer.LIBCMT ref: 02769C21
___AdjustPointer.LIBCMT ref: 02769CBD

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 7e8d2a906245dc524fe8c50e746b229fe3151c293ccc1eab8f3b2c5d31764d92
Instruction ID: 477d1afd4253ec0c377ddbdf0ce16c0b5deaa6466c754a0171e00830ca6f593b
Opcode Fuzzy Hash: 7e8d2a906245dc524fe8c50e746b229fe3151c293ccc1eab8f3b2c5d31764d92
Instruction Fuzzy Hash: 9D51F372A06606EFDB2A8F24C98CBBA77E6FF40714F14452DDE0567690E732E844DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02755667 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,00439008,00000000), ref: 027556E0
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02755747
GetProcAddress.KERNEL32(00000000), ref: 0275574E

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: ddc787008df3d19dcf6ff3ff6324906e599249e81a3a5c2a1838fed2653284d0
Instruction ID: 422f76f37cf0a7a2f335cd6b4343aa178ccd891b1801b325ad7f070e851068fe
Opcode Fuzzy Hash: ddc787008df3d19dcf6ff3ff6324906e599249e81a3a5c2a1838fed2653284d0
Instruction Fuzzy Hash: 01511571D00218DBDB24DB68DD497EDBB75EF45310F9042A8EC05A7281EBB9AA848F91

Uniqueness

Uniqueness Score: -1.00%

Function 00425F0E Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00425FDE
_free.LIBCMT ref: 00426007
SetEndOfFile.KERNEL32(00000000,0042354B,00000000,?,?,?,?,?,?,?,?,0042354B,?,00000000), ref: 00426039
GetLastError.KERNEL32(?,?,?,?,?,?,?,0042354B,?,00000000,?,?,?,?,?), ref: 00426055

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 005ab2c57f032726cdaaa7f9df82d6b6984aac1401b59b4031c376f8f621a61a
Instruction ID: 61c1fed18fa2e053e229d2c366b1320fca6b3d495f3fb51fd3c042a4ee27fee9
Opcode Fuzzy Hash: 005ab2c57f032726cdaaa7f9df82d6b6984aac1401b59b4031c376f8f621a61a
Instruction Fuzzy Hash: 6C413E72B006115BDB11ABB5ED41B8E37B6AF44364F560017F424E72D2EB7CC840576D

Uniqueness

Uniqueness Score: -1.00%

Function 02776175 Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02776245
_free.LIBCMT ref: 0277626E
SetEndOfFile.KERNEL32(00000000,027737B2,00000000,0276E6A5,?,?,?,?,?,?,?,027737B2,0276E6A5,00000000), ref: 027762A0
GetLastError.KERNEL32(?,?,?,?,?,?,?,027737B2,0276E6A5,00000000,?,?,?,?,00000000), ref: 027762BC

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 005ab2c57f032726cdaaa7f9df82d6b6984aac1401b59b4031c376f8f621a61a
Instruction ID: 51d9ecf4754b3ef366f129c0f5ecec562ed086aa9c2cdcd16d4392c96bc1b6df
Opcode Fuzzy Hash: 005ab2c57f032726cdaaa7f9df82d6b6984aac1401b59b4031c376f8f621a61a
Instruction Fuzzy Hash: 0C41C472900A45ABDF53ABB88C0CBAF37BEEF54364F150515E814E7298EB30D8448B61

Uniqueness

Uniqueness Score: -1.00%

Function 004208E8 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0041BD6F: _free.LIBCMT ref: 0041BD7D

Part of subcall function 004218BF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00425A80,?,00000000,00000000), ref: 00421961

GetLastError.KERNEL32 ref: 00420950
__dosmaperr.LIBCMT ref: 00420957
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00420996
__dosmaperr.LIBCMT ref: 0042099D

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 2cc476a48764411ac7d7f7841f806bb526956e32d48153aac2d156f6a7af72d6
Instruction ID: 91911ec1de34df9e01eb008ea9a24e12f878ac442d2ad626700c96a69c790fc9
Opcode Fuzzy Hash: 2cc476a48764411ac7d7f7841f806bb526956e32d48153aac2d156f6a7af72d6
Instruction Fuzzy Hash: 2721F0B1700225AFA710AF62ACC196B77EDEF00374790851AF86697253D738DCC08B94

Uniqueness

Uniqueness Score: -1.00%

Function 02770B4F Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0276BFD6: _free.LIBCMT ref: 0276BFE4

Part of subcall function 02771B26: WideCharToMultiByte.KERNEL32(02755AE7,00000000,00437A28,00000000,02755AE7,02755AE7,0277463D,?,00437A28,?,00000000,?,027743AC,0000FDE9,00000000,?), ref: 02771BC8

GetLastError.KERNEL32 ref: 02770BB7
__dosmaperr.LIBCMT ref: 02770BBE
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 02770BFD
__dosmaperr.LIBCMT ref: 02770C04

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: bcfca7c6e04eeb74265432f959e909c47042bfb9664e3c7dfc54a64be2794b21
Instruction ID: ad0b2a015595efe9aeaff77aba6a71f5da29d676db88452cd7dd9b6bb879f2c1
Opcode Fuzzy Hash: bcfca7c6e04eeb74265432f959e909c47042bfb9664e3c7dfc54a64be2794b21
Instruction Fuzzy Hash: 9521AAB1604209BF9F216F758C88E7BB7AEEF053687404929F959D7150E731ED418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0276F3B3 Relevance: 6.1, APIs: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d346eea9aafd959945e16ecfc9ebbe047e966c499b5e8e0d3b3e0bbc48b51e8c
Instruction ID: 47c1dbec5c29ac22d3d6e8f02f62ae44f7ffa1f86b0745a0441bdf80d46764d7
Opcode Fuzzy Hash: d346eea9aafd959945e16ecfc9ebbe047e966c499b5e8e0d3b3e0bbc48b51e8c
Instruction Fuzzy Hash: 8721C032A01225EBCB219B25FC89B3A3B69BB017A4F650131ED07B7E91D730ED01C5E6

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE92 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,0041BCED,00000000,?,?,?,0041BE86,?), ref: 0041EE97
_free.LIBCMT ref: 0041EEF4
_free.LIBCMT ref: 0041EF2A
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,0041BE86,?), ref: 0041EF35

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 120db594496689011f9c139fa4ddd92dcfd12b70a1cc6502b103967e01bc71cb
Instruction ID: 26790fddcd24ef136aadc0cc0bf27d5f777129a8301660e6568487d79e7ca8b5
Opcode Fuzzy Hash: 120db594496689011f9c139fa4ddd92dcfd12b70a1cc6502b103967e01bc71cb
Instruction Fuzzy Hash: 2411CA3A6002017AD61427B79CC59EB256997C1779B25013BFD39832D2FE6D8CDB811D

Uniqueness

Uniqueness Score: -1.00%

Function 0276F0F9 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,0276BF54,00000000,?,?,?,0276C0ED,?), ref: 0276F0FE
_free.LIBCMT ref: 0276F15B
_free.LIBCMT ref: 0276F191
SetLastError.KERNEL32(00000000,004390F8,000000FF,?,?,?,0276C0ED,?), ref: 0276F19C

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 120db594496689011f9c139fa4ddd92dcfd12b70a1cc6502b103967e01bc71cb
Instruction ID: 32f7d114ce13f3f533e77e39c2a5bb95f1621cfae7ae68dcf6f153879bdaa4c3
Opcode Fuzzy Hash: 120db594496689011f9c139fa4ddd92dcfd12b70a1cc6502b103967e01bc71cb
Instruction Fuzzy Hash: F911E932200502AFD61A2BB4FCCCDBB266BDBC57F4B254134FD27929E0EF618C564566

Uniqueness

Uniqueness Score: -1.00%

Function 0041EFE9 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0041C755,0041EACD,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EFEE
_free.LIBCMT ref: 0041F04B
_free.LIBCMT ref: 0041F081
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041F08C

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 048b735e334959feaa5e4ce77df0ba5808e7239d9d4b1868442944ab324b2044
Instruction ID: d1a755533480a66cbcbdd6da6f61a8fcfdc6096e1f08231a3cc2ec091d2cf52b
Opcode Fuzzy Hash: 048b735e334959feaa5e4ce77df0ba5808e7239d9d4b1868442944ab324b2044
Instruction Fuzzy Hash: FB114C322045016AC7102B76ACC1DEB2969DBC8778765023BF92A822E3EF6CCCDF511C

Uniqueness

Uniqueness Score: -1.00%

Function 0276F250 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0276C9BC,0276ED34,?,?,0276943A,?,?,?,?,?,0275235A,?,?), ref: 0276F255
_free.LIBCMT ref: 0276F2B2
_free.LIBCMT ref: 0276F2E8
SetLastError.KERNEL32(00000000,004390F8,000000FF,?,?,0276943A,?,?,?,?,?,0275235A,?,?), ref: 0276F2F3

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 048b735e334959feaa5e4ce77df0ba5808e7239d9d4b1868442944ab324b2044
Instruction ID: f231de62ed30e8760229f284575d5d390448aa15c6d8def6301a6f0999586517
Opcode Fuzzy Hash: 048b735e334959feaa5e4ce77df0ba5808e7239d9d4b1868442944ab324b2044
Instruction Fuzzy Hash: 1411C6362441016EDB122674BCCCDBF216AD7C5375B254234ED27929E0DB618C564D66

Uniqueness

Uniqueness Score: -1.00%

Function 0276AAFE Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b12ed5c3c764c8b82cc7f1cf76b5788b814adb9963f19d14a8505e8bb0b4a8
Instruction ID: 72d13345fd4238e51520c3ca92222d09e424e1d8450a49a8f618cec963c58424
Opcode Fuzzy Hash: d7b12ed5c3c764c8b82cc7f1cf76b5788b814adb9963f19d14a8505e8bb0b4a8
Instruction Fuzzy Hash: F4118631A01627EBCB324B289C48E7A77AA9F017B4B550535ED5EB7290E730ED01C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 0041F7CB Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041F930,00000000,?,00424658,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0041F7E1
GetLastError.KERNEL32(?,00424658,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0041F930,00000000,00000104,?), ref: 0041F7EB
__dosmaperr.LIBCMT ref: 0041F7F2

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 05d28394caa5e79c84551c055246600de674f2baba94b68408dd47ae0dfcca9d
Instruction ID: 3e1febbc0a8defaca1089d50814ae8bcfad4f789bcb8220d5dd2739c2ed7ebaf
Opcode Fuzzy Hash: 05d28394caa5e79c84551c055246600de674f2baba94b68408dd47ae0dfcca9d
Instruction Fuzzy Hash: 1DF06D36600115BB8B202FA2DD08C9BBFA9FF443A03444136F52DC7561DB35E8A6CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F834 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041F930,00000000,?,004245E3,00000000,00000000,0041F930,?,?,00000000,00000000,00000001), ref: 0041F84A
GetLastError.KERNEL32(?,004245E3,00000000,00000000,0041F930,?,?,00000000,00000000,00000001,00000000,00000000,?,0041F930,00000000,00000104), ref: 0041F854
__dosmaperr.LIBCMT ref: 0041F85B

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: e95b58acd20ff03b7de0604d3f95648f78153c488b68a8cfe7999cd59df17e1a
Instruction ID: 5356ccb821a571137923583999cca56af5607f561d8780d9d137012589ba4a16
Opcode Fuzzy Hash: e95b58acd20ff03b7de0604d3f95648f78153c488b68a8cfe7999cd59df17e1a
Instruction Fuzzy Hash: FBF01231600115BB8B207BA6DC0499BBFA9FF443A03404536F52DC6521C735E8A6DBD4

Uniqueness

Uniqueness Score: -1.00%

Function 0276FA32 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0276FB97,00000000,?,027748BF,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0276FA48
GetLastError.KERNEL32(?,027748BF,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0276FB97,00000000,00000104,?), ref: 0276FA52
__dosmaperr.LIBCMT ref: 0276FA59

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 05d28394caa5e79c84551c055246600de674f2baba94b68408dd47ae0dfcca9d
Instruction ID: 25d75ebcc30eead9758543a2608bad7a22cd0f944c721acbb498cb0f02eeb366
Opcode Fuzzy Hash: 05d28394caa5e79c84551c055246600de674f2baba94b68408dd47ae0dfcca9d
Instruction Fuzzy Hash: 4FF06232600116BB8B215FA6EC0CD6ABFAAFF462A13404531E95ED6820DB32D821CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0276FA9B Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0276FB97,00000000,?,0277484A,00000000,00000000,0276FB97,?,?,00000000,00000000,00000001), ref: 0276FAB1
GetLastError.KERNEL32(?,0277484A,00000000,00000000,0276FB97,?,?,00000000,00000000,00000001,00000000,00000000,?,0276FB97,00000000,00000104), ref: 0276FABB
__dosmaperr.LIBCMT ref: 0276FAC2

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: e95b58acd20ff03b7de0604d3f95648f78153c488b68a8cfe7999cd59df17e1a
Instruction ID: 33e46cd55be3a2a04ffb3ec8078725a0221e4fa38668b4ea89e9c62f70843b07
Opcode Fuzzy Hash: e95b58acd20ff03b7de0604d3f95648f78153c488b68a8cfe7999cd59df17e1a
Instruction Fuzzy Hash: 7BF08632200115BB8B215BA2ED0CD6AFF6AFF452A03444522FD5ED7930CB32D821CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 004272CF Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00405880,00000000,00437A28,00000000,00405880,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880), ref: 004272E6
GetLastError.KERNEL32(?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000,00405880,?,0042436F,00405880), ref: 004272F2

Part of subcall function 004272B8: CloseHandle.KERNEL32(FFFFFFFE,00427302,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000,00405880), ref: 004272C8

___initconout.LIBCMT ref: 00427302

Part of subcall function 0042727A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004272A9,004269D4,00405880,?,00423E1B,00000000,?,00405880,00000000), ref: 0042728D

WriteConsoleW.KERNEL32(00405880,00000000,00437A28,00000000,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000), ref: 00427317

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction ID: 5b8baa1da4bb66d128bbbdf819d740daca6d0282673a7c9b135cb97f91750bdc
Opcode Fuzzy Hash: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction Fuzzy Hash: 46F01C36201129FBCF221F95EC04A8A3F66FF093A1B814075FE1C86231D6328820EB98

Uniqueness

Uniqueness Score: -1.00%

Function 02777536 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(02755AE7,00000000,00437A28,00000000,02755AE7,?,02776C4E,02755AE7,00000001,02755AE7,02755AE7,?,02774082,00000000,?,02755AE7), ref: 0277754D
GetLastError.KERNEL32(?,02776C4E,02755AE7,00000001,02755AE7,02755AE7,?,02774082,00000000,?,02755AE7,00000000,02755AE7,?,027745D6,02755AE7), ref: 02777559

Part of subcall function 0277751F: CloseHandle.KERNEL32(00439900,02777569,?,02776C4E,02755AE7,00000001,02755AE7,02755AE7,?,02774082,00000000,?,02755AE7,00000000,02755AE7), ref: 0277752F

___initconout.LIBCMT ref: 02777569

Part of subcall function 027774E1: CreateFileW.KERNEL32(004336B8,40000000,00000003,00000000,00000003,00000000,00000000,02777510,02776C3B,02755AE7,?,02774082,00000000,?,02755AE7,00000000), ref: 027774F4

WriteConsoleW.KERNEL32(02755AE7,00000000,00437A28,00000000,?,02776C4E,02755AE7,00000001,02755AE7,02755AE7,?,02774082,00000000,?,02755AE7,00000000), ref: 0277757E

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction ID: 3c21345bd29c11fae10a7276c8166fee0963c6bb79cc2ad2dc99626ad9fc3724
Opcode Fuzzy Hash: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction Fuzzy Hash: BBF01536501128BBCF222FD1DC08E8A7F66EF083B1F814430FA1885231D7328820DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004167E0 Relevance: 6.0, APIs: 4, Instructions: 27threadsleepCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 004167F6
CreateThread.KERNEL32 ref: 00416807
CreateThread.KERNEL32 ref: 00416818
Sleep.KERNEL32(00007530,?,00416873), ref: 00416825

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateThread$Sleep
String ID:
API String ID: 422425972-0
Opcode ID: c7ec29c90368d79a70c95a5ee9845132da8938ab2cedaa7c12f416f09ab0d9a8
Instruction ID: 3e58bb4c01d1f945cb402fb00719d76fe511b7683de936d62f19d1048555ce50
Opcode Fuzzy Hash: c7ec29c90368d79a70c95a5ee9845132da8938ab2cedaa7c12f416f09ab0d9a8
Instruction Fuzzy Hash: 69E09231BE8334B6F47126A45C03F891E545B08F95FB20023B70CBE4D084C87485CAEE

Uniqueness

Uniqueness Score: -1.00%

Function 0041D819 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041D822

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 0041D835
_free.LIBCMT ref: 0041D846
_free.LIBCMT ref: 0041D857

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5b4b832eec97106c71e74c3abf3533cea5e390173416251ec6b9798646083543
Instruction ID: 2f128d3171f244c94fc48b8332bc88089a284fec835ab8af747093701a289460
Opcode Fuzzy Hash: 5b4b832eec97106c71e74c3abf3533cea5e390173416251ec6b9798646083543
Instruction Fuzzy Hash: C3E04FB4801520AFCE012F53FE055953BA2FB947EC340302AF81406232DB390261EFCE

Uniqueness

Uniqueness Score: -1.00%

Function 0276DA80 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0276DA89

Part of subcall function 0276E808: HeapFree.KERNEL32(00000000,00000000,?,027725E4,?,00000000,?,?,?,0277260B,?,00000007,?,?,02772A0D,?), ref: 0276E81E
Part of subcall function 0276E808: GetLastError.KERNEL32(?,?,027725E4,?,00000000,?,?,?,0277260B,?,00000007,?,?,02772A0D,?,?), ref: 0276E830

_free.LIBCMT ref: 0276DA9C
_free.LIBCMT ref: 0276DAAD
_free.LIBCMT ref: 0276DABE

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5b4b832eec97106c71e74c3abf3533cea5e390173416251ec6b9798646083543
Instruction ID: 49ad5cfea78a1c5b26876bc67c413274f1d2f24641eb5ba4395d2916a94ae46f
Opcode Fuzzy Hash: 5b4b832eec97106c71e74c3abf3533cea5e390173416251ec6b9798646083543
Instruction Fuzzy Hash: 2EE08CB88805209FDB032F21BC0E96A3FA2FB247A03113036E82006230CB350162DFDE

Uniqueness

Uniqueness Score: -1.00%

Function 004122F0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 374COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00412FEF

Part of subcall function 00416F50: Concurrency::cancel_current_task.LIBCPMT ref: 00417083

Strings

invalid stoi argument, xrefs: 00412FEA
stoi argument out of range, xrefs: 00412FF9

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_taskXinvalid_argumentstd::_
String ID: invalid stoi argument$stoi argument out of range
API String ID: 3646673767-1606216832
Opcode ID: d3d9237d7b9dd4d64f5b1881bc64ddae9b507e0a978812b243918a6d9f26b778
Instruction ID: 6d18bec53ddcbea06decae191a6eae5fb5e1180c669e5708db714ed38e612d95
Opcode Fuzzy Hash: d3d9237d7b9dd4d64f5b1881bc64ddae9b507e0a978812b243918a6d9f26b778
Instruction Fuzzy Hash: 60E1D171A001189BEF28DF28CE857DDBB72EB46304F50819EE419972C1DB799AD1CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041CE88 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 0041CECB, 0041CED2, 0041CF08

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe
API String ID: 0-517116171
Opcode ID: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
Instruction ID: 3e019bb9f1f37e8f56b3af26f626c64f14fa1fa210d5d8f79d997b38734a4c96
Opcode Fuzzy Hash: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
Instruction Fuzzy Hash: 9A41A271A80214AFDB11DF9A9CC19EFBBB9EB85710F10006BF40497251D7788E82CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0276D0EF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 0276D132, 0276D139, 0276D16F

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe
API String ID: 0-517116171
Opcode ID: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
Instruction ID: 04379a2e3fc591e02a4bd202a747a8a133cb7e6b0714164b3e41183513cdce4e
Opcode Fuzzy Hash: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
Instruction Fuzzy Hash: 3D419571F50214AFDB26DB99DC8CABFBBF9EF89310F15406AE804A7250D7B09A40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02769737 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 02769776
__IsNonwritableInCurrentImage.LIBCMT ref: 0276982A

Strings

csm, xrefs: 02769814

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 170db4f13a52bbc04fbb15fe7ab42c90d24a7c19ae8ceb0e3c19913b98646896
Instruction ID: f14e25b65724a60554b4f1d1149c475650202b7d791fa19baf9d0dd962919b70
Opcode Fuzzy Hash: 170db4f13a52bbc04fbb15fe7ab42c90d24a7c19ae8ceb0e3c19913b98646896
Instruction Fuzzy Hash: F4418234A0021AEBCF11DF68C888AAEBBB5BF44318F148565ED15AB351D732A915CF91

Uniqueness

Uniqueness Score: -1.00%

Function 027545B7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,00429838,?,?,00000000,00000000), ref: 02754659

Strings

+CC, xrefs: 02754621
runas, xrefs: 0275461B

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: +CC$runas
API String ID: 587946157-2150734417
Opcode ID: 275e86e7e836fdb05351418f23eea9cc16955723fba3a8d83db6570cd9dbdf7c
Instruction ID: 15be516937d4775f8a2a6a82734e1dbc4e2e379e0030a5b2712e872f9b92591d
Opcode Fuzzy Hash: 275e86e7e836fdb05351418f23eea9cc16955723fba3a8d83db6570cd9dbdf7c
Instruction Fuzzy Hash: C141E471600208EFDB04DF68C899BDE7BB6EB45744F908629FC15876C0D7B9E9848F91

Uniqueness

Uniqueness Score: -1.00%

Function 00419EDD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00419F02

Strings

RCC, xrefs: 00419F1C
MOC, xrefs: 00419F14

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 9ba41499cbdf9a4a038d6cc8401d48825653b63da1d3c73c684997a9dc15089d
Instruction ID: ef4240616421f5d170a5d1c4fd7b0d446090a164c11462a96303fe54a6744129
Opcode Fuzzy Hash: 9ba41499cbdf9a4a038d6cc8401d48825653b63da1d3c73c684997a9dc15089d
Instruction Fuzzy Hash: 5C414872900209EFCF16DF98C981AEEBBB5FF48304F18819AF904A7251D3399DA1DB55

Uniqueness

Uniqueness Score: -1.00%

Function 0276A144 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0276A169

Strings

RCC, xrefs: 0276A183
MOC, xrefs: 0276A17B

Memory Dump Source

Source File: 00000001.00000002.294752359.0000000002750000.00000040.00001000.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2750000_file.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 56cf5a80f9e67a63b3ea8228320d3624bd09d448c8f94bbe6aa890cfa768ed17
Instruction ID: ab015dd983a39f54bfc8a12bb31122c68db2a3495161ba5d1a3ba8e6d954cd20
Opcode Fuzzy Hash: 56cf5a80f9e67a63b3ea8228320d3624bd09d448c8f94bbe6aa890cfa768ed17
Instruction Fuzzy Hash: CD412871900209EFDF16DF94CD89AAE7BB6BF88304F258159EE04B6261D3369A50DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00412CFF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00412D18

Strings

5120, xrefs: 00412D5F
., xrefs: 00412DCB

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileModuleName
String ID: .$5120
API String ID: 514040917-2446372808
Opcode ID: d5977a1847af3593c6d2360099aed04a1f4c529663bf82042b77ea6028604958
Instruction ID: 9696d8c15566c1d42fadb68592e21f39738dfdc301de5d2260ec8dd83da14f2d
Opcode Fuzzy Hash: d5977a1847af3593c6d2360099aed04a1f4c529663bf82042b77ea6028604958
Instruction Fuzzy Hash: D421E2B09002489BDB14EF69C90A7DD7FB49F06348F5001CEE44567282D7B99A498BE7

Uniqueness

Uniqueness Score: -1.00%

Function 00423927 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041FDF2: EnterCriticalSection.KERNEL32(00405880,?,00424223,00405880,00437D48,00000010,0041EA11,00000000,C032C301,00000000,00000000,00405880,?,0041BB1A,00405880,00000000), ref: 0041FE0D

FlushFileBuffers.KERNEL32(00000000,00437D28,0000000C,00423A2E,nA,?,00000001,?,0041E96E,?), ref: 00423970
GetLastError.KERNEL32 ref: 00423981

Strings

nA, xrefs: 004239A8

Memory Dump Source

Source File: 00000001.00000002.294096543.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.294245823.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: BuffersCriticalEnterErrorFileFlushLastSection
String ID: nA
API String ID: 4109680722-4035868545
Opcode ID: f003fc8eaf19488ae7f9339aa40c70496bc05c9f4a2d22a8ae3e610d030b7c35
Instruction ID: 0418fce989e2f534913a4f38d2ce8aa3e5464a19317c2ea272403c313fbf0c0e
Opcode Fuzzy Hash: f003fc8eaf19488ae7f9339aa40c70496bc05c9f4a2d22a8ae3e610d030b7c35
Instruction Fuzzy Hash: 45018076B002108FC714AF69E90569D7BB5AF49724F50412FF4219B3D2DBBC9982CB98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: gntuud.exePID: 5912, Parent PID: 1084COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	16.2%
Signature Coverage:	0%
Total number of Nodes:	1396
Total number of Limit Nodes:	8

Executed Functions

Function 0041B901 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0041B900,0041BE86,?,NA,0041BE86,0041EF4E), ref: 0041B923
TerminateProcess.KERNEL32(00000000,?,0041B900,0041BE86,?,NA,0041BE86,0041EF4E), ref: 0041B92A
ExitProcess.KERNEL32 ref: 0041B93C

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
Instruction ID: c3524ad3d233ec0a3a19b1bf7aedcb75de5af13a6c7a41cb1465cf438659ca8f
Opcode Fuzzy Hash: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
Instruction Fuzzy Hash: 63E0B671120208EFCB216F65DD49AA97B79FB44751BC44439FA0586231CB39EE93CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00408650 Relevance: 4.9, APIs: 3, Instructions: 374
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(00000000,00000000,?,0043A194,418014E8,?,00000000,00000000), ref: 004086B1
GetLastError.KERNEL32(?,00000000,00000000), ref: 004086B7

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: CreateErrorLastMutex
String ID:
API String ID: 1925916568-0
Opcode ID: 963d7460e6cdeb5c2414da801d1c48bd329e912f359a02807103749b9dce1abb
Instruction ID: d5025c2257f1853fae8f1be1934c88d0cd5ba35f682ee7a5a0e711edb3be859e
Opcode Fuzzy Hash: 963d7460e6cdeb5c2414da801d1c48bd329e912f359a02807103749b9dce1abb
Instruction Fuzzy Hash: 57D15C71A001089BEB18DB28CE85BDDB772EF85314F60817EE445B73D6DF395A808B59

Uniqueness

Uniqueness Score: -1.00%

Function 0041D1BB Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 0041D203

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9f5dec638c6018a6b24b976b0791b773a56ee0672529c52ab4d44372aafa3d49
Instruction ID: f1d333090dd57bfd17dfe39ecb9b07313f9b1ca465b706eabb36e918cd1afe6e
Opcode Fuzzy Hash: 9f5dec638c6018a6b24b976b0791b773a56ee0672529c52ab4d44372aafa3d49
Instruction Fuzzy Hash: 4FE0E5B6E0242022E211623F7C46AEB11856BD133AB15022FF860861E0DF7C88C2D19E

Uniqueness

Uniqueness Score: -1.00%

Function 00408770 Relevance: 1.7, APIs: 1, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00408770: GetModuleFileNameA.KERNEL32(00000000,?,00000104,418014E8), ref: 00406BFF

Part of subcall function 00406590: GetModuleFileNameA.KERNEL32(00000000,?,00000104,418014E8,?,00000000), ref: 004065F3

SetCurrentDirectoryA.KERNEL32(00000000,418014E8,00000000), ref: 004087BC

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: FileModuleName$CurrentDirectory
String ID:
API String ID: 1135421992-0
Opcode ID: 8bf1f08f99a344696cbf6c5750fc4a98637de2d6f1fa2b96419d82953a99ffaa
Instruction ID: d0dae173410c9e4e1febe3177f2c9113cc4b317fee0fa56548834116e9d8ebca
Opcode Fuzzy Hash: 8bf1f08f99a344696cbf6c5750fc4a98637de2d6f1fa2b96419d82953a99ffaa
Instruction Fuzzy Hash: 4B51FA70E002489BEF14EB64CA45BDDBB72AF42308F6041AED445773C7DB781A84CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00416F50 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00417083

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: c85319de66d303704c5b32efceed12899cb95431b14fbd0adeec5c40d65b88a5
Instruction ID: fd946b0658ffb94c1012bd53882065ed5fda9b86f930e014646194fe2c62c28b
Opcode Fuzzy Hash: c85319de66d303704c5b32efceed12899cb95431b14fbd0adeec5c40d65b88a5
Instruction Fuzzy Hash: FE316A317042049BC7289F7898805AEB7E8EB49320B24473FF865C7381DB79DDC18399

Uniqueness

Uniqueness Score: -1.00%

Function 00417A50 Relevance: 1.6, APIs: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00417B8F

Part of subcall function 00402180: ___std_exception_copy.LIBVCRUNTIME ref: 004021BE

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: Concurrency::cancel_current_task___std_exception_copy
String ID:
API String ID: 1979911387-0
Opcode ID: b3e929870bcd979361fd632a4e356694b34bdea9201ccb953d59f5018555cbdd
Instruction ID: 17865e07c0a9020476bb62f3ecb7ae26e4e2800d30adc2ccf051e38fdb3837cc
Opcode Fuzzy Hash: b3e929870bcd979361fd632a4e356694b34bdea9201ccb953d59f5018555cbdd
Instruction Fuzzy Hash: CD414772A0810A9BCB14DF288C819EFB3B5FF84358714067AD819DB341E734EE9583D9

Uniqueness

Uniqueness Score: -1.00%

Function 0041835E Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004021BE

Part of subcall function 004193E4: RaiseException.KERNEL32(E06D7363,00000001,00000003,0040219C,?,?,?,0040219C,?,00437E4C), ref: 00419444

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID:
API String ID: 3109751735-0
Opcode ID: 79f28c06042652cc4a4b4e37ebf95145dffe76a591269d0a023a1b3527f7ecb0
Instruction ID: 0754849f2873f9ee99eecf20cf2606fb6430f2f66f9579a4d74c0798b0fd6e96
Opcode Fuzzy Hash: 79f28c06042652cc4a4b4e37ebf95145dffe76a591269d0a023a1b3527f7ecb0
Instruction Fuzzy Hash: 09012B3590020D77C714BAA5EC469CA73AC9E04714B60453BF928A7191FB78E9C587DD

Uniqueness

Uniqueness Score: -1.00%

Function 00416830 Relevance: 1.5, APIs: 1, Instructions: 36
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040CBD0: GetTempPathA.KERNEL32(00000104,?), ref: 0040B2FE

Part of subcall function 0040CBD0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,418014E8), ref: 0040A7BC

Part of subcall function 00406510: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406540

Part of subcall function 0040CBD0: GetUserNameA.ADVAPI32(?,?), ref: 0040B96E

Part of subcall function 004138B0: IsUserAnAdmin.SHELL32 ref: 0041390D
Part of subcall function 004138B0: GetUserNameA.ADVAPI32(?,?), ref: 004139B7
Part of subcall function 004138B0: GetComputerNameExW.KERNEL32(00000002,?,?,?,?), ref: 00413A20

Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 004167F6
Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 00416807
Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 00416818
Part of subcall function 004167E0: Sleep.KERNEL32(00007530,?,00416873), ref: 00416825

InternetCloseHandle.WININET(00000000), ref: 00416887

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: Name$CreateThreadUser$FileModule$AdminCloseComputerHandleInternetPathSleepTemp
String ID:
API String ID: 1411138196-0
Opcode ID: 681845bb7bdad3a9b280c05efa4f412a3339f2d7827d3117315032cc1d5ff116
Instruction ID: fcb51b4180ac2c01cd311fc2696d032aed602c74c46a29392a881be8b31f0bff
Opcode Fuzzy Hash: 681845bb7bdad3a9b280c05efa4f412a3339f2d7827d3117315032cc1d5ff116
Instruction Fuzzy Hash: 21E08671A0050407DA043BBA5D0B64E31184F8134CF94027FB815665D7EE6DD56441FF

Uniqueness

Uniqueness Score: -1.00%

Function 0041EA8A Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EABC

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dfa22ebf96d117e5e2d1e15a0c463ff833afb46ba7fb8ad48bf3f6a11dcdaed7
Instruction ID: 5e5b785a8da04b63c94067ca99906f02eb36a9a31bcd46b4234264a7978573d4
Opcode Fuzzy Hash: dfa22ebf96d117e5e2d1e15a0c463ff833afb46ba7fb8ad48bf3f6a11dcdaed7
Instruction Fuzzy Hash: A5E0E53954012266E62126634C007DB7A48BF813F0F050037EC18962C0DB98DCC182ED

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00403F40 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 162
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403F66
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00403FCB
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00403FE4
GetThreadContext.KERNEL32(?,00000000), ref: 00403FFF
ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00404023
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040403E
GetProcAddress.KERNEL32(00000000), ref: 00404045
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040406D
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 0040408E
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000), ref: 004040D2
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000), ref: 0040410E
SetThreadContext.KERNEL32(?,00000000,?,?,00000000), ref: 0040412A
ResumeThread.KERNEL32(?,?,?,00000000), ref: 00404136
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000), ref: 00404144
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00404165

Strings

, xrefs: 00404018
NtUnmapViewOfSection, xrefs: 00404034
ntdll.dll, xrefs: 00404039

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: Process$MemoryVirtual$ThreadWrite$AllocContextFreeModule$AddressCreateFileHandleNameProcReadResume
String ID: $NtUnmapViewOfSection$ntdll.dll
API String ID: 4033543172-1522589568
Opcode ID: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
Instruction ID: 7185e54e9f5f5e6bc342fc5ffd2bfcf32a837d4cfdcfbf42461452ed81247528
Opcode Fuzzy Hash: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
Instruction Fuzzy Hash: 66518971600218EBDB209F54DC49FEAB7B8FF48701F9040B6F708AA291D7B1A995CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004037D0 Relevance: 27.2, APIs: 18, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00403822
GetProcessHeap.KERNEL32(00000008,?), ref: 00403837
HeapAlloc.KERNEL32(00000000), ref: 0040383A
GetUserNameW.ADVAPI32(00000000,?), ref: 00403848
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 0040386B
GetProcessHeap.KERNEL32(00000008,?), ref: 00403876
HeapAlloc.KERNEL32(00000000), ref: 00403879
GetProcessHeap.KERNEL32(00000008,?), ref: 00403889
HeapAlloc.KERNEL32(00000000), ref: 0040388C
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004038B6
ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 004038C9
GetProcessHeap.KERNEL32(00000000,?), ref: 004039C5
HeapFree.KERNEL32(00000000), ref: 004039CE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004039D3
HeapFree.KERNEL32(00000000), ref: 004039D6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004039DD
HeapFree.KERNEL32(00000000), ref: 004039E0
LocalFree.KERNEL32(00000000), ref: 004039E5

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: Heap$Process$FreeName$Alloc$AccountLookupUser$ConvertLocalString
String ID:
API String ID: 3326663573-0
Opcode ID: 063badce4704df2348e03859ddb56def879fca3a8a55ff5aa2bc949915fba159
Instruction ID: 167f534f4a5bc3f8c65bdd595c5ec8e1d54d44385eb9c59962b1969d814595bf
Opcode Fuzzy Hash: 063badce4704df2348e03859ddb56def879fca3a8a55ff5aa2bc949915fba159
Instruction Fuzzy Hash: EA716DB1E00209ABDB14DFA5DC85BEFBBBCEB48300F40453AE905A7281DB749905CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042260F Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00422653

Part of subcall function 004221EC: _free.LIBCMT ref: 00422209
Part of subcall function 004221EC: _free.LIBCMT ref: 0042221B
Part of subcall function 004221EC: _free.LIBCMT ref: 0042222D
Part of subcall function 004221EC: _free.LIBCMT ref: 0042223F
Part of subcall function 004221EC: _free.LIBCMT ref: 00422251
Part of subcall function 004221EC: _free.LIBCMT ref: 00422263
Part of subcall function 004221EC: _free.LIBCMT ref: 00422275
Part of subcall function 004221EC: _free.LIBCMT ref: 00422287
Part of subcall function 004221EC: _free.LIBCMT ref: 00422299
Part of subcall function 004221EC: _free.LIBCMT ref: 004222AB
Part of subcall function 004221EC: _free.LIBCMT ref: 004222BD
Part of subcall function 004221EC: _free.LIBCMT ref: 004222CF
Part of subcall function 004221EC: _free.LIBCMT ref: 004222E1

_free.LIBCMT ref: 00422648

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 0042266A
_free.LIBCMT ref: 0042267F
_free.LIBCMT ref: 0042268A
_free.LIBCMT ref: 004226AC
_free.LIBCMT ref: 004226BF
_free.LIBCMT ref: 004226CD
_free.LIBCMT ref: 004226D8
_free.LIBCMT ref: 00422710
_free.LIBCMT ref: 00422717
_free.LIBCMT ref: 00422734
_free.LIBCMT ref: 0042274C

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2ebc8ac26202a0620aa625b36a1d2a8fe7bc692bad1c871fd446d657effbc3a9
Instruction ID: 87a383156b0838ac626f9c2c6038cf6ce1f5ffd7cd3d592d57855f9c4539c293
Opcode Fuzzy Hash: 2ebc8ac26202a0620aa625b36a1d2a8fe7bc692bad1c871fd446d657effbc3a9
Instruction Fuzzy Hash: B6319272604211BFEB205A76EA45B9B73E5AF80358F50441FE849D7251DFBCED80DB18

Uniqueness

Uniqueness Score: -1.00%

Function 00419B27 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00419C22
type_info::operator==.LIBVCRUNTIME ref: 00419C49
___TypeMatch.LIBVCRUNTIME ref: 00419D55
IsInExceptionSpec.LIBVCRUNTIME ref: 00419E30
_UnwindNestedFrames.LIBCMT ref: 00419EB7
CallUnexpected.LIBVCRUNTIME ref: 00419ED2

Strings

csm, xrefs: 00419B62
csm, xrefs: 00419C80
csm, xrefs: 00419BCF

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 7c1fb931e7428280153d6c09b5a5c630754522480dfed903c9c8a59691bc5c1e
Instruction ID: d03aefa22aee8cf5aa416bea0a170c685dbf4c7cd79984a2e6415da9b3a38480
Opcode Fuzzy Hash: 7c1fb931e7428280153d6c09b5a5c630754522480dfed903c9c8a59691bc5c1e
Instruction Fuzzy Hash: 49C18871900209EFCF29DFA5D8A19EEBBB5BF04314F14405BE8516B242D339DE91CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408B5C Relevance: 15.2, APIs: 10, Instructions: 219networkfileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00408BAC
InternetOpenA.WININET(0043432B,00000000,00000000,00000000,00000000), ref: 00408BC2
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00408BE2
InternetReadFile.WININET(00000000,00000000,?,?), ref: 00408BF3
WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00408C15
InternetReadFile.WININET(00000000,00000000,?,?), ref: 00408C20
CloseHandle.KERNEL32(?), ref: 00408C32
InternetCloseHandle.WININET(?), ref: 00408C41
InternetCloseHandle.WININET(00000000), ref: 00408C44
RemoveDirectoryA.KERNEL32(00000000,?,?,?), ref: 00408CFD

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateDirectoryRemoveWrite
String ID:
API String ID: 1496009958-0
Opcode ID: e4593b5a40381b42fd0a3fcc928968875e60be204a817a7aa3ecd11dd024d64c
Instruction ID: e39da941a42be4000a8416f9d2a6f8c848e32a180712f45a109694aa4e2734ce
Opcode Fuzzy Hash: e4593b5a40381b42fd0a3fcc928968875e60be204a817a7aa3ecd11dd024d64c
Instruction Fuzzy Hash: 6E71EF71600208ABEB14DF64DD85BEE7735EF44304F50423EF945AB2D1DB38A980CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED7A Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041ED90

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 0041ED9C
_free.LIBCMT ref: 0041EDA7
_free.LIBCMT ref: 0041EDB2
_free.LIBCMT ref: 0041EDBD
_free.LIBCMT ref: 0041EDC8
_free.LIBCMT ref: 0041EDD3
_free.LIBCMT ref: 0041EDDE
_free.LIBCMT ref: 0041EDE9
_free.LIBCMT ref: 0041EDF7

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b518f20b764996853f57fbd2a3fdc4e7bf3deb810a08f9cd0b2a52dd965201da
Instruction ID: e610bd300bd5c2f85586062e27af9f16ff799e012d6f089a2169b26ee7872c24
Opcode Fuzzy Hash: b518f20b764996853f57fbd2a3fdc4e7bf3deb810a08f9cd0b2a52dd965201da
Instruction Fuzzy Hash: ED219CBA910108BFCB41EF96C941DDD7BF6BF88344F00416AF9199B121EB35DA84DB84

Uniqueness

Uniqueness Score: -1.00%

Function 00404180 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 166networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00434EF4,00000000,00000000,00000000,00000000), ref: 0040425C
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040426E
InternetReadFile.WININET(00000000,?,03E80000,03E80000), ref: 00404281
InternetCloseHandle.WININET(00000000), ref: 00404292
InternetCloseHandle.WININET(00000000), ref: 00404295
InternetCloseHandle.WININET(00000000), ref: 004042A3
InternetCloseHandle.WININET(00000000), ref: 004042A6

Strings

runas, xrefs: 004043B4

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: Internet$CloseHandle$Open$FileRead
String ID: runas
API String ID: 4294395943-4000483414
Opcode ID: 803e3b06f4ecfe67b7134cfd9f16a7ce5dde67ef08abd650df4eb275a5d8527c
Instruction ID: ba1dc25ec83469701d4c7edc2e7ba4793e46b241d410edfdecdbeb0a0fce58bd
Opcode Fuzzy Hash: 803e3b06f4ecfe67b7134cfd9f16a7ce5dde67ef08abd650df4eb275a5d8527c
Instruction Fuzzy Hash: 4951D571E00108ABDB14DFA4DC41BEEBB75EF85300F60816EF915B7291D7389945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00426582 Relevance: 13.8, APIs: 9, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ce67aa41b5f7f4889b1a1a20be5028291e55dfd00ef2a2d6d7ad31bcea8bed
Instruction ID: 5128a0cef717139e7719faf6ed0b9fe75c650819d7ce78bb109199c1610a9dbc
Opcode Fuzzy Hash: f5ce67aa41b5f7f4889b1a1a20be5028291e55dfd00ef2a2d6d7ad31bcea8bed
Instruction Fuzzy Hash: D3C114B4B002159FDF11DF99E880BAEBBB0BF49304F51406AE914A7382C7789D81CF69

Uniqueness

Uniqueness Score: -1.00%

Function 004235FD Relevance: 13.8, APIs: 9, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004232B6: CreateFileW.KERNEL32(00000000,00000000,?,004236A6,?,?,00000000,?,004236A6,00000000,0000000C), ref: 004232D3

GetLastError.KERNEL32 ref: 00423711
__dosmaperr.LIBCMT ref: 00423718
GetFileType.KERNEL32(00000000), ref: 00423724
GetLastError.KERNEL32 ref: 0042372E
__dosmaperr.LIBCMT ref: 00423737
CloseHandle.KERNEL32(00000000), ref: 00423757
CloseHandle.KERNEL32(?), ref: 004238A4
GetLastError.KERNEL32 ref: 004238D6
__dosmaperr.LIBCMT ref: 004238DD

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 0d649afaf30192c5c19431845a951fd0479d0f23fa76b0b367cd72335b8b290c
Instruction ID: c7b97c56f1a0d1b911df166da15c54d720095dd6c25035754b532be6d98a6b0c
Opcode Fuzzy Hash: 0d649afaf30192c5c19431845a951fd0479d0f23fa76b0b367cd72335b8b290c
Instruction Fuzzy Hash: 7CA15872A041149FCF19DF68EC917AE3BB1AB06325F54016EF811AB391CB7C8952CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00421A27 Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00421A51
_free.LIBCMT ref: 00421B2A
_free.LIBCMT ref: 00421B57

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 17a2c5d05d88992eb6c4295c13d4ba7d46687f58b453e92c494b9aad345095be
Instruction ID: f188bb2de727b7b751c2d84351da10a70f250225146cef8743706f99745805fe
Opcode Fuzzy Hash: 17a2c5d05d88992eb6c4295c13d4ba7d46687f58b453e92c494b9aad345095be
Instruction Fuzzy Hash: 0E518C74F44324AFDB24AFB7A881A6E7BB4AF11314F54416FE410972A1EA3D8940CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004194D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00419507
___except_validate_context_record.LIBVCRUNTIME ref: 0041950F
_ValidateLocalCookies.LIBCMT ref: 00419598
__IsNonwritableInCurrentImage.LIBCMT ref: 004195C3
_ValidateLocalCookies.LIBCMT ref: 00419618

Strings

csm, xrefs: 004195AD

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 170db4f13a52bbc04fbb15fe7ab42c90d24a7c19ae8ceb0e3c19913b98646896
Instruction ID: cf6a3be1c1e6f4323defd25786acadca5afaa418f9c93884064ec3a043526e94
Opcode Fuzzy Hash: 170db4f13a52bbc04fbb15fe7ab42c90d24a7c19ae8ceb0e3c19913b98646896
Instruction Fuzzy Hash: 09411A31A00214AFCF11DF69C890ADEBBB1BF45318F54806BE8146B352D739DE96CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041F14C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 0041F1B7
api-ms-, xrefs: 0041F1A3

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: d346eea9aafd959945e16ecfc9ebbe047e966c499b5e8e0d3b3e0bbc48b51e8c
Instruction ID: 8946f5363388c355846af12649c4142b4e9cf4c5f65ba016e67a922269825e5f
Opcode Fuzzy Hash: d346eea9aafd959945e16ecfc9ebbe047e966c499b5e8e0d3b3e0bbc48b51e8c
Instruction Fuzzy Hash: 3521C672A41221FBCB318A24DC45A9B3778AB017A0F650532ED15A7391D638ED4BC5DC

Uniqueness

Uniqueness Score: -1.00%

Function 0042238B Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00422353: _free.LIBCMT ref: 00422378

_free.LIBCMT ref: 004223D9

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 004223E4
_free.LIBCMT ref: 004223EF
_free.LIBCMT ref: 00422443
_free.LIBCMT ref: 0042244E
_free.LIBCMT ref: 00422459
_free.LIBCMT ref: 00422464

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 745ba4c7df38b0c8b3501d58b22aa89868de86b005191e755d783c3d27d16807
Instruction ID: 3666b1e76cecdb1a9706d82e7bd79ae187b091a1e89744abee2c0a3d449e73e2
Opcode Fuzzy Hash: 745ba4c7df38b0c8b3501d58b22aa89868de86b005191e755d783c3d27d16807
Instruction Fuzzy Hash: C611E471601714BAD921F7B2DD47FCB77DD5F0834CF84881EBACD6A052D6ACB6514604

Uniqueness

Uniqueness Score: -1.00%

Function 00423A46 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00405880,00000000), ref: 00423A8E
__fassign.LIBCMT ref: 00423C6D
__fassign.LIBCMT ref: 00423C8A
WriteFile.KERNEL32(?,00405880,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00423CD2
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00423D12
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00423DBE

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 5a0c35df1f21bdc5310913443ad541efee69954072d07ce9ea6e444a121a2afd
Instruction ID: 55294dd1ed643e62d688e25fe7fc8b93d32e6dca02253c809cdcf0ede3e7f937
Opcode Fuzzy Hash: 5a0c35df1f21bdc5310913443ad541efee69954072d07ce9ea6e444a121a2afd
Instruction Fuzzy Hash: 21D1A075E002689FCF15CFA8D8809EDBBB5BF48314F64016AE455FB342D738AA46CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004197F0 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004197E7,004193D7,00418C1C), ref: 004197FE
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0041980C
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00419825
SetLastError.KERNEL32(00000000,004197E7,004193D7,00418C1C), ref: 00419877

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction ID: 71a7697fc03e6214697c45e1a132a8316019e6706060db725442c6d2a3e753c8
Opcode Fuzzy Hash: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction Fuzzy Hash: F101D8326293115EE62C3B76AE959D72774EF067B8720023FF120441F1EF594C95D58D

Uniqueness

Uniqueness Score: -1.00%

Function 00420F7C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe, xrefs: 00420F81

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
API String ID: 0-3669967572
Opcode ID: d9fd3d3f386e086f16d5e96c86dfc6c05a3e177acafcacdda8c025444d2164cb
Instruction ID: f2c65a4c72dcbe00dc32dc221c8eb50b3435d1ebdf66b1fbb5bbc6e11338d05a
Opcode Fuzzy Hash: d9fd3d3f386e086f16d5e96c86dfc6c05a3e177acafcacdda8c025444d2164cb
Instruction Fuzzy Hash: CB210A713001257F97206F71ED81D6BB7ADAF103A8750462BF828D7691D778DC818799

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3D6 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0041C418

Strings

.bat, xrefs: 0041C447
.exe, xrefs: 0041C425
.com, xrefs: 0041C458
.cmd, xrefs: 0041C436

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 19671788b65354572937ca0f5259cacd468799deb2890a42aa5f1fe1ebfecd1d
Instruction ID: baa428b651ab7fadd2aefce0a8d8cefe58070258f098f4f191bca89b56dcb2ea
Opcode Fuzzy Hash: 19671788b65354572937ca0f5259cacd468799deb2890a42aa5f1fe1ebfecd1d
Instruction Fuzzy Hash: 7E012B3BA8C635212624101AEC62BF717988B96FB8B25412FF854F72C1ED9DEC8205DC

Uniqueness

Uniqueness Score: -1.00%

Function 0041A897 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 0041A8E7

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: d7b12ed5c3c764c8b82cc7f1cf76b5788b814adb9963f19d14a8505e8bb0b4a8
Instruction ID: 8addbc20e8b4f1572ca5f78bff053ba989236767de5a1c4d832f47c373f0c560
Opcode Fuzzy Hash: d7b12ed5c3c764c8b82cc7f1cf76b5788b814adb9963f19d14a8505e8bb0b4a8
Instruction Fuzzy Hash: 2B112C71A12221EBC7314B249D44AAB37689F017B4B624933ED45AB390D738DDE1C5DE

Uniqueness

Uniqueness Score: -1.00%

Function 0041B943 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0041B938,?,?,0041B900,0041BE86,?,NA), ref: 0041B958
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041B96B
FreeLibrary.KERNEL32(00000000,?,?,0041B938,?,?,0041B900,0041BE86,?,NA), ref: 0041B98E

Strings

CorExitProcess, xrefs: 0041B963
mscoree.dll, xrefs: 0041B951

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: af14fd2dde53d7be7e540de01eeb28501674720f1683c90e0ca13ac16e635f3d
Instruction ID: 6ab08718997dcf592451d77b1cbf540418157bbc441c253cf8170436862d5d78
Opcode Fuzzy Hash: af14fd2dde53d7be7e540de01eeb28501674720f1683c90e0ca13ac16e635f3d
Instruction Fuzzy Hash: 52F08230651218FBDB259B50DD0ABEEBA78DF44759F900175A504A1260CB788E46DA98

Uniqueness

Uniqueness Score: -1.00%

Function 00424BC4 Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00424C46
_free.LIBCMT ref: 00424C6A
_free.LIBCMT ref: 00424DF7
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004335D8), ref: 00424E09
_free.LIBCMT ref: 00424FC3

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 0fe61e17206dce54771a5055940e70056e7a200eab18ece9396fc025dad7d191
Instruction ID: 2c4f844ee906d1c5b8a05b7d4d89c1c9074c071bb98950a21f89e01ce9d05ddf
Opcode Fuzzy Hash: 0fe61e17206dce54771a5055940e70056e7a200eab18ece9396fc025dad7d191
Instruction Fuzzy Hash: 1FC17835B00128ABDB209F69EC41BAB7BA9EFC5354F94416FE550D7381E7388E01CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00426FA9 Relevance: 7.7, APIs: 5, Instructions: 244COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00DEDB60,00DEDB60,?,7FFFFFFF,?,?,00427265,00DEDB60,00DEDB60,?,00DEDB60,?,?,?,?,00DEDB60), ref: 0042704C
__alloca_probe_16.LIBCMT ref: 00427102
__alloca_probe_16.LIBCMT ref: 00427198
__freea.LIBCMT ref: 00427203
__freea.LIBCMT ref: 0042720F

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: c559a93f2d06cee59e46b38ea2fc726286989e451536d90b3fb509578e86aae3
Instruction ID: f6d9b8f12c634194a1b411eace1e19527ea88e01b30f60a4b5a6e0b516c13e2d
Opcode Fuzzy Hash: c559a93f2d06cee59e46b38ea2fc726286989e451536d90b3fb509578e86aae3
Instruction Fuzzy Hash: 4481E472B082259BDF219EA5AC41EEF7BB5EF09354F98005BF804A7341D62DCC458BB9

Uniqueness

Uniqueness Score: -1.00%

Function 004258D4 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00425958
__alloca_probe_16.LIBCMT ref: 00425A1E
__freea.LIBCMT ref: 00425A8A

Part of subcall function 0041EA8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EABC

__freea.LIBCMT ref: 00425A93
__freea.LIBCMT ref: 00425AB6

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 801bfc73f5307c034d341afffc150cc0786828de70bde5b9b10ebb0cec96e4eb
Instruction ID: 7e0d7c363e2f027523b7077ca53f82abc72318da18e9cc0c3b19bc4bba63112a
Opcode Fuzzy Hash: 801bfc73f5307c034d341afffc150cc0786828de70bde5b9b10ebb0cec96e4eb
Instruction Fuzzy Hash: 8351E672700626AFDB209F95EC86EBF37A9EF44764F95422AFC04D7240E778DC418698

Uniqueness

Uniqueness Score: -1.00%

Function 0041C10E Relevance: 7.6, APIs: 5, Instructions: 141pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0041C040), ref: 0041C130
GetFileInformationByHandle.KERNEL32(?,?), ref: 0041C18A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0041C040,?,000000FF,00000000,00000000), ref: 0041C218
__dosmaperr.LIBCMT ref: 0041C21F
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0041C25C

Part of subcall function 0041C484: __dosmaperr.LIBCMT ref: 0041C4B9

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
Instruction ID: 0071a9752275d4edb8b9c21b1954eb469a97b67ce05b4548820d0adabff3a4d5
Opcode Fuzzy Hash: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
Instruction Fuzzy Hash: B7413C75940204AFDB249FA5DC859EFBBF9EF89700B00452EF856D3610E7389885CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004222EA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00422302

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 00422314
_free.LIBCMT ref: 00422326
_free.LIBCMT ref: 00422338
_free.LIBCMT ref: 0042234A

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a090e3dca2e19da394a01cead958df991e42452585b2f6658ee12e14c4d52992
Instruction ID: 8eed935d1f0a41e2b9dbe60b1656bd2ba3e28f3ae1fefd92f9cbf16fd4f54630
Opcode Fuzzy Hash: a090e3dca2e19da394a01cead958df991e42452585b2f6658ee12e14c4d52992
Instruction Fuzzy Hash: 04F04472501210B78520DBA6F6C2C4B73DAAB94355794180AF809D7641C77CFD81866C

Uniqueness

Uniqueness Score: -1.00%

Function 004209B7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00420B51

Strings

*?, xrefs: 004209FA

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 4349432449d004c56f1fbb459abf86acb5202655a551f523de74eb3488688e5f
Instruction ID: 7415b14c5d0124b7c9719d17695bca9e12f23279d28e73ebbb8fdbf8e8460f59
Opcode Fuzzy Hash: 4349432449d004c56f1fbb459abf86acb5202655a551f523de74eb3488688e5f
Instruction Fuzzy Hash: 5661A1B5E002299FCB14CFA9D8815EEFBF5EF48314B54816AE805F7301E735AE418B94

Uniqueness

Uniqueness Score: -1.00%

Function 004198D0 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00419997
___AdjustPointer.LIBCMT ref: 004199BA
___AdjustPointer.LIBCMT ref: 00419A56

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 7e8d2a906245dc524fe8c50e746b229fe3151c293ccc1eab8f3b2c5d31764d92
Instruction ID: a8cd01a110c9a5ba9b93cdf8b6ca506de852c713b8af7688bfec1274bd28d331
Opcode Fuzzy Hash: 7e8d2a906245dc524fe8c50e746b229fe3151c293ccc1eab8f3b2c5d31764d92
Instruction Fuzzy Hash: 3251D0B2601286AFDB298F15D861BEA77A4EF04314F24012FE84646391E739ECC1C799

Uniqueness

Uniqueness Score: -1.00%

Function 00405400 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,418014E8,00000000), ref: 00405479
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004054E0
GetProcAddress.KERNEL32(00000000), ref: 004054E7

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: 392948f06ea052b49649e5df3ed82fd719d3dc17998501f89306a50c3bb47a8a
Instruction ID: 1307c1e28f23caf99c3cad6e9d6b2b61846357279e254348caa37701d54b456e
Opcode Fuzzy Hash: 392948f06ea052b49649e5df3ed82fd719d3dc17998501f89306a50c3bb47a8a
Instruction Fuzzy Hash: B8513971900608ABDB14DB24DD497DE7B76EB46314F5042BAE805B73C1DB389EC48F99

Uniqueness

Uniqueness Score: -1.00%

Function 00425F0E Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00425FDE
_free.LIBCMT ref: 00426007
SetEndOfFile.KERNEL32(00000000,0042354B,00000000,?,?,?,?,?,?,?,?,0042354B,?,00000000), ref: 00426039
GetLastError.KERNEL32(?,?,?,?,?,?,?,0042354B,?,00000000,?,?,?,?,?), ref: 00426055

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 005ab2c57f032726cdaaa7f9df82d6b6984aac1401b59b4031c376f8f621a61a
Instruction ID: 61c1fed18fa2e053e229d2c366b1320fca6b3d495f3fb51fd3c042a4ee27fee9
Opcode Fuzzy Hash: 005ab2c57f032726cdaaa7f9df82d6b6984aac1401b59b4031c376f8f621a61a
Instruction Fuzzy Hash: 6C413E72B006115BDB11ABB5ED41B8E37B6AF44364F560017F424E72D2EB7CC840576D

Uniqueness

Uniqueness Score: -1.00%

Function 004208E8 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0041BD6F: _free.LIBCMT ref: 0041BD7D

Part of subcall function 004218BF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00425A80,?,00000000,00000000), ref: 00421961

GetLastError.KERNEL32 ref: 00420950
__dosmaperr.LIBCMT ref: 00420957
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00420996
__dosmaperr.LIBCMT ref: 0042099D

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 2cc476a48764411ac7d7f7841f806bb526956e32d48153aac2d156f6a7af72d6
Instruction ID: 91911ec1de34df9e01eb008ea9a24e12f878ac442d2ad626700c96a69c790fc9
Opcode Fuzzy Hash: 2cc476a48764411ac7d7f7841f806bb526956e32d48153aac2d156f6a7af72d6
Instruction Fuzzy Hash: 2721F0B1700225AFA710AF62ACC196B77EDEF00374790851AF86697253D738DCC08B94

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE92 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,0041BCED,00000000,?,?,?,0041BE86,?), ref: 0041EE97
_free.LIBCMT ref: 0041EEF4
_free.LIBCMT ref: 0041EF2A
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,0041BE86,?), ref: 0041EF35

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 120db594496689011f9c139fa4ddd92dcfd12b70a1cc6502b103967e01bc71cb
Instruction ID: 26790fddcd24ef136aadc0cc0bf27d5f777129a8301660e6568487d79e7ca8b5
Opcode Fuzzy Hash: 120db594496689011f9c139fa4ddd92dcfd12b70a1cc6502b103967e01bc71cb
Instruction Fuzzy Hash: 2411CA3A6002017AD61427B79CC59EB256997C1779B25013BFD39832D2FE6D8CDB811D

Uniqueness

Uniqueness Score: -1.00%

Function 0041EFE9 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0041C755,0041EACD,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EFEE
_free.LIBCMT ref: 0041F04B
_free.LIBCMT ref: 0041F081
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041F08C

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 048b735e334959feaa5e4ce77df0ba5808e7239d9d4b1868442944ab324b2044
Instruction ID: d1a755533480a66cbcbdd6da6f61a8fcfdc6096e1f08231a3cc2ec091d2cf52b
Opcode Fuzzy Hash: 048b735e334959feaa5e4ce77df0ba5808e7239d9d4b1868442944ab324b2044
Instruction Fuzzy Hash: FB114C322045016AC7102B76ACC1DEB2969DBC8778765023BF92A822E3EF6CCCDF511C

Uniqueness

Uniqueness Score: -1.00%

Function 0041F7CB Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041F930,00000000,?,00424658,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0041F7E1
GetLastError.KERNEL32(?,00424658,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0041F930,00000000,00000104,?), ref: 0041F7EB
__dosmaperr.LIBCMT ref: 0041F7F2

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 05d28394caa5e79c84551c055246600de674f2baba94b68408dd47ae0dfcca9d
Instruction ID: 3e1febbc0a8defaca1089d50814ae8bcfad4f789bcb8220d5dd2739c2ed7ebaf
Opcode Fuzzy Hash: 05d28394caa5e79c84551c055246600de674f2baba94b68408dd47ae0dfcca9d
Instruction Fuzzy Hash: 1DF06D36600115BB8B202FA2DD08C9BBFA9FF443A03444136F52DC7561DB35E8A6CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F834 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041F930,00000000,?,004245E3,00000000,00000000,0041F930,?,?,00000000,00000000,00000001), ref: 0041F84A
GetLastError.KERNEL32(?,004245E3,00000000,00000000,0041F930,?,?,00000000,00000000,00000001,00000000,00000000,?,0041F930,00000000,00000104), ref: 0041F854
__dosmaperr.LIBCMT ref: 0041F85B

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: e95b58acd20ff03b7de0604d3f95648f78153c488b68a8cfe7999cd59df17e1a
Instruction ID: 5356ccb821a571137923583999cca56af5607f561d8780d9d137012589ba4a16
Opcode Fuzzy Hash: e95b58acd20ff03b7de0604d3f95648f78153c488b68a8cfe7999cd59df17e1a
Instruction Fuzzy Hash: FBF01231600115BB8B207BA6DC0499BBFA9FF443A03404536F52DC6521C735E8A6DBD4

Uniqueness

Uniqueness Score: -1.00%

Function 004272CF Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00405880,00000000,00437A28,00000000,00405880,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880), ref: 004272E6
GetLastError.KERNEL32(?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000,00405880,?,0042436F,00405880), ref: 004272F2

Part of subcall function 004272B8: CloseHandle.KERNEL32(FFFFFFFE,00427302,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000,00405880), ref: 004272C8

___initconout.LIBCMT ref: 00427302

Part of subcall function 0042727A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004272A9,004269D4,00405880,?,00423E1B,00000000,?,00405880,00000000), ref: 0042728D

WriteConsoleW.KERNEL32(00405880,00000000,00437A28,00000000,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000), ref: 00427317

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction ID: 5b8baa1da4bb66d128bbbdf819d740daca6d0282673a7c9b135cb97f91750bdc
Opcode Fuzzy Hash: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction Fuzzy Hash: 46F01C36201129FBCF221F95EC04A8A3F66FF093A1B814075FE1C86231D6328820EB98

Uniqueness

Uniqueness Score: -1.00%

Function 004167E0 Relevance: 6.0, APIs: 4, Instructions: 27threadsleepCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 004167F6
CreateThread.KERNEL32 ref: 00416807
CreateThread.KERNEL32 ref: 00416818
Sleep.KERNEL32(00007530,?,00416873), ref: 00416825

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: CreateThread$Sleep
String ID:
API String ID: 422425972-0
Opcode ID: c7ec29c90368d79a70c95a5ee9845132da8938ab2cedaa7c12f416f09ab0d9a8
Instruction ID: 3e58bb4c01d1f945cb402fb00719d76fe511b7683de936d62f19d1048555ce50
Opcode Fuzzy Hash: c7ec29c90368d79a70c95a5ee9845132da8938ab2cedaa7c12f416f09ab0d9a8
Instruction Fuzzy Hash: 69E09231BE8334B6F47126A45C03F891E545B08F95FB20023B70CBE4D084C87485CAEE

Uniqueness

Uniqueness Score: -1.00%

Function 0041D819 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041D822

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 0041D835
_free.LIBCMT ref: 0041D846
_free.LIBCMT ref: 0041D857

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5b4b832eec97106c71e74c3abf3533cea5e390173416251ec6b9798646083543
Instruction ID: 2f128d3171f244c94fc48b8332bc88089a284fec835ab8af747093701a289460
Opcode Fuzzy Hash: 5b4b832eec97106c71e74c3abf3533cea5e390173416251ec6b9798646083543
Instruction Fuzzy Hash: C3E04FB4801520AFCE012F53FE055953BA2FB947EC340302AF81406232DB390261EFCE

Uniqueness

Uniqueness Score: -1.00%

Function 004122F0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 374COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00412FEF

Part of subcall function 00416F50: Concurrency::cancel_current_task.LIBCPMT ref: 00417083

Strings

stoi argument out of range, xrefs: 00412FF9
invalid stoi argument, xrefs: 00412FEA

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: Concurrency::cancel_current_taskXinvalid_argumentstd::_
String ID: invalid stoi argument$stoi argument out of range
API String ID: 3646673767-1606216832
Opcode ID: efdd6db421bad83b1e12b61f9b9769eb067da44a7a1b71930ad22f2661138b05
Instruction ID: 6d18bec53ddcbea06decae191a6eae5fb5e1180c669e5708db714ed38e612d95
Opcode Fuzzy Hash: efdd6db421bad83b1e12b61f9b9769eb067da44a7a1b71930ad22f2661138b05
Instruction Fuzzy Hash: 60E1D171A001189BEF28DF28CE857DDBB72EB46304F50819EE419972C1DB799AD1CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041CE88 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe, xrefs: 0041CECB, 0041CED2, 0041CF08

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe
API String ID: 0-3669967572
Opcode ID: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
Instruction ID: 3e019bb9f1f37e8f56b3af26f626c64f14fa1fa210d5d8f79d997b38734a4c96
Opcode Fuzzy Hash: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
Instruction Fuzzy Hash: 9A41A271A80214AFDB11DF9A9CC19EFBBB9EB85710F10006BF40497251D7788E82CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00419EDD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00419F02

Strings

MOC, xrefs: 00419F14
RCC, xrefs: 00419F1C

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 9ba41499cbdf9a4a038d6cc8401d48825653b63da1d3c73c684997a9dc15089d
Instruction ID: ef4240616421f5d170a5d1c4fd7b0d446090a164c11462a96303fe54a6744129
Opcode Fuzzy Hash: 9ba41499cbdf9a4a038d6cc8401d48825653b63da1d3c73c684997a9dc15089d
Instruction Fuzzy Hash: 5C414872900209EFCF16DF98C981AEEBBB5FF48304F18819AF904A7251D3399DA1DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00412CFF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00412D18

Strings

5120, xrefs: 00412D5F
., xrefs: 00412DCB

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: FileModuleName
String ID: .$5120
API String ID: 514040917-2446372808
Opcode ID: f0f7fa9079d412dfae67557f0ce5a92bcf03b2979e1f9ae925df876b28d94858
Instruction ID: 9696d8c15566c1d42fadb68592e21f39738dfdc301de5d2260ec8dd83da14f2d
Opcode Fuzzy Hash: f0f7fa9079d412dfae67557f0ce5a92bcf03b2979e1f9ae925df876b28d94858
Instruction Fuzzy Hash: D421E2B09002489BDB14EF69C90A7DD7FB49F06348F5001CEE44567282D7B99A498BE7

Uniqueness

Uniqueness Score: -1.00%

Function 00423927 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041FDF2: EnterCriticalSection.KERNEL32(00405880,?,00424223,00405880,00437D48,00000010,0041EA11,00000000,C032C301,00000000,00000000,00405880,?,0041BB1A,00405880,00000000), ref: 0041FE0D

FlushFileBuffers.KERNEL32(00000000,00437D28,0000000C,00423A2E,nA,?,00000001,?,0041E96E,?), ref: 00423970
GetLastError.KERNEL32 ref: 00423981

Strings

nA, xrefs: 004239A8

Memory Dump Source

Source File: 0000000B.00000002.314003713.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000002.314071069.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_gntuud.jbxd

Similarity

API ID: BuffersCriticalEnterErrorFileFlushLastSection
String ID: nA
API String ID: 4109680722-4035868545
Opcode ID: f003fc8eaf19488ae7f9339aa40c70496bc05c9f4a2d22a8ae3e610d030b7c35
Instruction ID: 0418fce989e2f534913a4f38d2ce8aa3e5464a19317c2ea272403c313fbf0c0e
Opcode Fuzzy Hash: f003fc8eaf19488ae7f9339aa40c70496bc05c9f4a2d22a8ae3e610d030b7c35
Instruction Fuzzy Hash: 45018076B002108FC714AF69E90569D7BB5AF49724F50412FF4219B3D2DBBC9982CB98

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll

C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe

C:\Users\user\AppData\Local\Temp\3f904562a0\gntuud.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\853321935212

C:\Users\user\AppData\Roaming\56a1c3d463f381\cred64.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
file.exe

Function 0041B901 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Function 0275092B Relevance: 3.8, Strings: 3, Instructions: 90
COMMON

Function 00404350 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121
COMMON

Function 004235FD Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Function 0275003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 0042356F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Function 0041D1BB Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Function 02750E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 0041E3FF Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Function 00416830 Relevance: 1.5, APIs: 1, Instructions: 36
networkCOMMON

Function 004232B6 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Function 02750920 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre