Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	764029
MD5:	2396925cc38be4f07bd426cf080256ce
SHA1:	8884e5383b3601e59089f0d287acad1eff20c676
SHA256:	e91bb1f7c2b2ffd094d3915f1fffbfe929efd49e1d732b51d60e8a378a8a066b
Tags:	exe
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Amadeys stealer DLL

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Yara detected Amadey bot

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Machine Learning detection for sample

Contains functionality to inject code into remote processes

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found dropped PE file which has not been started or loaded

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Drops PE files

Contains functionality to read the PEB

Contains functionality to launch a program with higher privileges

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 3520 cmdline: C:\Users\user\Desktop\file.exe MD5: 2396925CC38BE4F07BD426CF080256CE)

gntuud.exe (PID: 2016 cmdline: "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe" MD5: 2396925CC38BE4F07BD426CF080256CE)

schtasks.exe (PID: 5144 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

gntuud.exe (PID: 5292 cmdline: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe MD5: 2396925CC38BE4F07BD426CF080256CE)

cleanup

Malware Configuration

Threatname: Amadey

{"C2 url": "77.73.133.72/hfk3vK9/index.php", "Version": "3.50"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	INDICATOR_TOOL_PWS_Amady	Detects password stealer DLL. Dropped by Amadey	ditekSHen	0xd868:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x15604:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x16074:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData 0x15158:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0x151bc:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 0xdd0c:$s3: \Mikrotik\Winbox\Addresses.cdb 0x190d8:$s4: \HostName 0x19100:$s5: \Password 0x17c04:$s6: SOFTWARE\RealVNC\ 0x17c30:$s6: SOFTWARE\RealVNC\ 0x17c5c:$s6: SOFTWARE\RealVNC\ 0x17ca4:$s6: SOFTWARE\RealVNC\ 0x17cd0:$s6: SOFTWARE\RealVNC\ 0x18008:$s7: SOFTWARE\TightVNC\ 0x18034:$s7: SOFTWARE\TightVNC\ 0x18060:$s7: SOFTWARE\TightVNC\ 0x180ac:$s7: SOFTWARE\TightVNC\ 0x1c43c:$s8: cred.dll

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.259666135.00000000005D3000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1640:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000003.293480849.00000000007CB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000003.271178795.0000000000680000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000004.00000003.312159954.0000000000940000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
00000000.00000003.256458471.0000000000940000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.313317695.00000000006E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000004.00000002.313317695.00000000006E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.313412358.0000000000745000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1328:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Process Memory Space: gntuud.exe PID: 2016	JoeSecurity_Amadey	Yara detected Amadey bot	Joe Security
Process Memory Space: gntuud.exe PID: 2016	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.gntuud.exe.400000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
4.2.gntuud.exe.6e0e67.1.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
4.3.gntuud.exe.940000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.file.exe.900e67.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.file.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
4.2.gntuud.exe.6e0e67.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
4.2.gntuud.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.3.file.exe.940000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
1.3.gntuud.exe.680000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
1.3.gntuud.exe.680000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.file.exe.400000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
4.3.gntuud.exe.940000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.3.file.exe.940000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.file.exe.900e67.1.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll_	Avira URL Cloud: Label: malware
Source: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll=	Avira URL Cloud: Label: malware
Source: http://77.73.133.72/hfk3vK9/index.php	Avira URL Cloud: Label: malware
Source: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll	Avira URL Cloud: Label: malware
Source: http://77.73.133.72/hfk3vK9/index.php8	Avira URL Cloud: Label: malware
Source: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll)	Avira URL Cloud: Label: malware
Source: http://77.73.133.72/hfk3vK9/index.phpplay	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll	Virustotal: Detection: 18%			Perma Link
Source: http://77.73.133.72/hfk3vK9/index.php	Virustotal: Detection: 9%			Perma Link

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll

Avira: detection malicious, Label: HEUR/AGEN.1233121

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll

ReversingLabs: Detection: 88%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe

Joe Sandbox ML: detected

Source: 0.2.file.exe.900e67.1.unpack

Malware Configuration Extractor: Amadey {"C2 url": "77.73.133.72/hfk3vK9/index.php", "Version": "3.50"}

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Unpacked PE file: 4.2.gntuud.exe.400000.0.unpack

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: file.exe, file.exe, 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.256458471.0000000000940000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, gntuud.exe, gntuud.exe, 00000004.00000003.312159954.0000000000940000.00000004.00001000.00020000.00000000.sdmp, gntuud.exe, 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: C:\wabuj\8-vuca\fomehibarayar-zejegogotu94\guyo\veceradaro\fev.pdb source: file.exe, gntuud.exe.0.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00420BA6 FindFirstFileExW,	0_2_00420BA6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00920E0D FindFirstFileExW,	0_2_00920E0D
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: 4_2_00420BA6 FindFirstFileExW,	4_2_00420BA6

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 77.73.133.72/hfk3vK9/index.php

Source: Joe Sandbox View

ASN Name: AS43260TR AS43260TR

Source: Joe Sandbox View

IP Address: 77.73.133.72 77.73.133.72

Source: gntuud.exe, 00000001.00000003.293294453.000000000079B000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll
Source: gntuud.exe, 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll)
Source: gntuud.exe, 00000001.00000003.293294453.000000000079B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll=
Source: gntuud.exe, 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.73.133.72/hfk3vK9/Plugins/cred64.dll_
Source: gntuud.exe, 00000001.00000003.293349447.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.293294453.000000000079B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.73.133.72/hfk3vK9/index.php
Source: gntuud.exe, 00000001.00000003.293294453.000000000079B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.73.133.72/hfk3vK9/index.php8
Source: gntuud.exe, 00000001.00000003.293294453.000000000079B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.73.133.72/hfk3vK9/index.phpplay

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00404180 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00404180

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00402C70 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,

0_2_00402C70

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.259666135.00000000005D3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.313317695.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.313412358.0000000000745000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED	Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.259666135.00000000005D3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.313317695.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.313412358.0000000000745000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED	Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040CBD0	0_2_0040CBD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429470	0_2_00429470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042848D	0_2_0042848D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00432890	0_2_00432890
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009296D7	0_2_009296D7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009286F4	0_2_009286F4
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: 4_2_00429470	4_2_00429470
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: 4_2_0042848D	4_2_0042848D
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: 4_2_00432890	4_2_00432890
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: 4_2_0040CBD0	4_2_0040CBD0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00418C40 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00416F50 appears 130 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00918EA7 appears 33 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 009171B7 appears 125 times
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: String function: 00416F50 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: String function: 00418C40 appears 40 times

Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe

Process Stats: CPU usage > 98%

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll 5CD41F164DE6F783B7DA82B5F6DBD49413ECCD87CC7470F2004D58CA081FB0E0

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe"
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe" /F	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe

File created: C:\Users\user\AppData\Roaming\f49dfc5e4e2508

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\ecaac49691

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/4@0/1

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe

Code function: 4_2_00746356 CreateToolhelp32Snapshot,Module32First,

4_2_00746356

Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Mutant created: \Sessions\1\BaseNamedObjects\f49dfc5e4e2508eabedc241a3f1ae459
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_01

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: file.exe, file.exe, 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.256458471.0000000000940000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, gntuud.exe, gntuud.exe, 00000004.00000003.312159954.0000000000940000.00000004.00001000.00020000.00000000.sdmp, gntuud.exe, 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: C:\wabuj\8-vuca\fomehibarayar-zejegogotu94\guyo\veceradaro\fev.pdb source: file.exe, gntuud.exe.0.dr

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Unpacked PE file: 4.2.gntuud.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.wuve:R;.bedicar:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Unpacked PE file: 4.2.gntuud.exe.400000.0.unpack .text:ER;.data:W;.wuve:R;.bedicar:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418C86 push ecx; ret	0_2_00418C99
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: 4_2_00418C86 push ecx; ret	4_2_00418C99
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: 4_2_0074B3E8 push 54850227h; ret	4_2_0074B441
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: 4_2_0074951B push cs; ret	4_2_00749537

Source: file.exe	Static PE information: section name: .wuve
Source: file.exe	Static PE information: section name: .bedicar
Source: gntuud.exe.0.dr	Static PE information: section name: .wuve
Source: gntuud.exe.0.dr	Static PE information: section name: .bedicar

Persistence and Installation Behavior

Yara detected Amadey bot

Source: Yara match	File source: 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gntuud.exe PID: 2016, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll			Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe" /F

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe TID: 1948	Thread sleep time: -690000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe TID: 5260	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe TID: 5324	Thread sleep time: -1620000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe TID: 5252	Thread sleep time: -1080000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe TID: 5324	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe TID: 1948	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Thread delayed: delay time: 360000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Thread delayed: delay time: 180000	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	API coverage: 3.8 %
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	API coverage: 4.7 %

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405400 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

0_2_00405400

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00420BA6 FindFirstFileExW,	0_2_00420BA6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00920E0D FindFirstFileExW,	0_2_00920E0D
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: 4_2_00420BA6 FindFirstFileExW,	4_2_00420BA6

Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Thread delayed: delay time: 50000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Thread delayed: delay time: 360000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: gntuud.exe, 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: gntuud.exe, 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWA

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00418A67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00418A67

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004037D0 DeleteObject,GetUserNameW,GetUserNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetUserNameW,LookupAccountNameW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,

0_2_004037D0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041B901 mov eax, dword ptr fs:[00000030h]	0_2_0041B901
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041DF02 mov eax, dword ptr fs:[00000030h]	0_2_0041DF02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090092B mov eax, dword ptr fs:[00000030h]	0_2_0090092B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091E169 mov eax, dword ptr fs:[00000030h]	0_2_0091E169
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091BB68 mov eax, dword ptr fs:[00000030h]	0_2_0091BB68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900D90 mov eax, dword ptr fs:[00000030h]	0_2_00900D90
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: 4_2_0041B901 mov eax, dword ptr fs:[00000030h]	4_2_0041B901
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: 4_2_0041DF02 mov eax, dword ptr fs:[00000030h]	4_2_0041DF02
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: 4_2_00745C33 push dword ptr fs:[00000030h]	4_2_00745C33

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418163 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00418163
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418A67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00418A67
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041CA80 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041CA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418BCC SetUnhandledExceptionFilter,	0_2_00418BCC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009183CA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_009183CA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00918CCE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00918CCE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091CCE7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0091CCE7
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: 4_2_00418163 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00418163
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: 4_2_00418A67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00418A67
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: 4_2_0041CA80 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0041CA80
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Code function: 4_2_00418BCC SetUnhandledExceptionFilter,	4_2_00418BCC

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00403F40 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,VirtualFree,

0_2_00403F40

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00404350 ShellExecuteA,

0_2_00404350

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe" /F			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Roaming\f49dfc5e4e2508\cred64.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00418887 cpuid

0_2_00418887

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00418CA1 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00418CA1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00424BC4 _free,_free,_free,GetTimeZoneInformation,_free,

0_2_00424BC4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405400 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

0_2_00405400

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040CBD0 GetUserNameA,SetCurrentDirectoryA,GetFileAttributesA,CreateDirectoryA,GetFileAttributesA,GetModuleFileNameA,SetCurrentDirectoryA,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,

0_2_0040CBD0

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 4.2.gntuud.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gntuud.exe.6e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.gntuud.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.900e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gntuud.exe.6e0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gntuud.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.gntuud.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.gntuud.exe.680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.gntuud.exe.940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.900e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.293480849.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.271178795.0000000000680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.312159954.0000000000940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.256458471.0000000000940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.313317695.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gntuud.exe PID: 2016, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED

Yara detected Amadey bot

Source: Yara match	File source: 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gntuud.exe PID: 2016, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Exploitation for Privilege Escalation	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Screen Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	111 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Scheduled Task/Job	111 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Software Packing	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	100%	Avira	HEUR/AGEN.1233121
C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	88%	ReversingLabs	Win32.Infostealer.Decred

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
77.73.133.72/hfk3vK9/index.php	0%	URL Reputation	safe
http://77.73.133.72/hfk3vK9/Plugins/cred64.dll_	100%	Avira URL Cloud	malware
http://77.73.133.72/hfk3vK9/Plugins/cred64.dll=	100%	Avira URL Cloud	malware
http://77.73.133.72/hfk3vK9/Plugins/cred64.dll	19%	Virustotal		Browse
http://77.73.133.72/hfk3vK9/index.php	10%	Virustotal		Browse
http://77.73.133.72/hfk3vK9/index.php	100%	Avira URL Cloud	malware
http://77.73.133.72/hfk3vK9/Plugins/cred64.dll	100%	Avira URL Cloud	malware
http://77.73.133.72/hfk3vK9/index.php8	100%	Avira URL Cloud	malware
http://77.73.133.72/hfk3vK9/Plugins/cred64.dll)	100%	Avira URL Cloud	malware
http://77.73.133.72/hfk3vK9/index.phpplay	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
77.73.133.72/hfk3vK9/index.php	true	URL Reputation: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://77.73.133.72/hfk3vK9/Plugins/cred64.dll_	gntuud.exe, 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://77.73.133.72/hfk3vK9/Plugins/cred64.dll	gntuud.exe, 00000001.00000003.293294453.000000000079B000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	false	19%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://77.73.133.72/hfk3vK9/Plugins/cred64.dll=	gntuud.exe, 00000001.00000003.293294453.000000000079B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://77.73.133.72/hfk3vK9/index.php	gntuud.exe, 00000001.00000003.293349447.00000000007A7000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000001.00000003.293294453.000000000079B000.00000004.00000020.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://77.73.133.72/hfk3vK9/index.php8	gntuud.exe, 00000001.00000003.293294453.000000000079B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://77.73.133.72/hfk3vK9/Plugins/cred64.dll)	gntuud.exe, 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://77.73.133.72/hfk3vK9/index.phpplay	gntuud.exe, 00000001.00000003.293294453.000000000079B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.73.133.72	unknown	Kazakhstan		43260	AS43260TR	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	764029
Start date and time:	2022-12-09 10:31:05 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/4@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 94% Number of executed functions: 22 Number of non-executed functions: 129
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:32:10	API Interceptor	2664x Sleep call for process: gntuud.exe modified
10:32:12	Task Scheduler	Run new task: gntuud.exe path: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
77.73.133.72	PFgUxajqwZ.dll	Get hash	malicious	Browse	77.73.133.72/hfk3vK9/index.php
77.73.133.72	PFgUxajqwZ.dll	Get hash	malicious	Browse	77.73.133.72/hfk3vK9/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS43260TR	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72
	file.exe	Get hash	malicious	Browse	77.73.133.72

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	6.512109370826634
Encrypted:	false
SSDEEP:	3072:ox7pOYzBekTRmWDWCMq6As523HeS9FAiZ87vO2rlL3RnG9:ox7ZNhTR/dMq6AO0a7vVlT
MD5:	349B2B47FEF50FA6A1FC19D0EE4B2DB8
SHA1:	077F4328B3F060A9F010B1A63D9E127D24DDAFD4
SHA-256:	5CD41F164DE6F783B7DA82B5F6DBD49413ECCD87CC7470F2004D58CA081FB0E0
SHA-512:	83FD58BE4C0051ED05B7A03443D256D52F09206D2F433BD302C9E9E3780B9D472E823AED1DB01B5052DC8FDC63A4352BEAC9E399858A8252C057F11CF2BD1773
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, Author: Joe Security Rule: INDICATOR_TOOL_PWS_Amady, Description: Detects password stealer DLL. Dropped by Amadey, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................X......x.............@..........................@..........................................O.......&.... ..............................................................................................................CODE................................ ..`DATA................................@...BSS......................................idata..&...........................@....edata..O...........................@..P.reloc..............................@..P.rsrc........ ......................@..P.............@......................@..P................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\853321935212

Download File

Process:	C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	95068
Entropy (8bit):	7.918851174293143
Encrypted:	false
SSDEEP:	1536:CmbM4iTkYMKsGHObkbXmBRn052EGdH/LaAD5Y9xe4dHEdI2uhiVxp669M6bpt:hiI5GubLR+GhWr7bddpKhN
MD5:	6F8C496BA629E10E2BBF21C5BB00EA7B
SHA1:	3C6C25B7C07632F85DF4E651F68FB849852D354A
SHA-256:	00012D0BE6FC61DFF5851A32B162F2FDBBD13E1289213DEF91DCD25AF1C57B4B
SHA-512:	58F718FCB6A4D3B53024B9CC00502641259825705562472FDA199C8856C9EB5C258072AC616C06F5849BDA077B0F5B88F4EBDD2638AF179627D4AC623F7AEE06
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.\|..).?.H.'.\|....).?m.....h.t......\|4.%...d....

C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	430592
Entropy (8bit):	6.163540154379331
Encrypted:	false
SSDEEP:	6144:YecLXGqxxoij2Fjzp5/bCgXhh6K9W9n6ded89kTt:Y1LGq3NA5/bvIK9W9nbac
MD5:	2396925CC38BE4F07BD426CF080256CE
SHA1:	8884E5383B3601E59089F0D287ACAD1EFF20C676
SHA-256:	E91BB1F7C2B2FFD094D3915F1FFFBFE929EFD49E1D732B51D60E8A378A8A066B
SHA-512:	D0622E928CAD41C185244CED7E0AC587B256B9A773F85D8ADEC807B4CDCBB73E55AB03AF3C8A8EA4A67BA347F9FE21A30515CB9A5AC871189B4AADC9442432A9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.m....C...C...C...C(..C...C...C...C...C$%xC...C...C}..C...C...C...C...C...C...CRich...C........PE..L.....a.................n...P.......p............@.................................;e.......................................s..<.... ..............................................................0I..@............................................text...Vm.......n.................. ..`.data...${.......L...r..............@....wuve...............................@..@.bedicarp...........................@..@.rsrc........ ......................@..@.reloc..l............t..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.163540154379331
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	430592
MD5:	2396925cc38be4f07bd426cf080256ce
SHA1:	8884e5383b3601e59089f0d287acad1eff20c676
SHA256:	e91bb1f7c2b2ffd094d3915f1fffbfe929efd49e1d732b51d60e8a378a8a066b
SHA512:	d0622e928cad41c185244ced7e0ac587b256b9a773f85d8adec807b4cdcbb73e55ab03af3c8a8ea4a67ba347f9fe21a30515cb9a5ac871189b4aadc9442432a9
SSDEEP:	6144:YecLXGqxxoij2Fjzp5/bCgXhh6K9W9n6ded89kTt:Y1LGq3NA5/bvIK9W9nbac
TLSH:	F194D0003299C6F1E3A21D375819DBE1E93BB82BF7245537F3582B6F6E3328157A2215
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.m....C...C...C...C(..C...C...C...C...C$%xC...C...C}..C...C...C...C...C...C...CRich...C........PE..L......a.................n.

File Icon


Icon Hash:	8286dccea68c9ca4

Static PE Info

General

Entrypoint:	0x407096
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6190B3DA [Sun Nov 14 06:59:38 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	eeffe9860bc9c6507e24465b9b5239be

Entrypoint Preview

Instruction
call 00007FD0B4BE489Ch
jmp 00007FD0B4BDEBFEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 28h
xor eax, eax
push ebx
mov ebx, dword ptr [ebp+0Ch]
push esi
mov esi, dword ptr [ebp+10h]
push edi
mov edi, dword ptr [ebp+08h]
mov byte ptr [ebp-08h], al
mov byte ptr [ebp-07h], al
mov byte ptr [ebp-06h], al
mov byte ptr [ebp-05h], al
mov byte ptr [ebp-04h], al
mov byte ptr [ebp-03h], al
mov byte ptr [ebp-02h], al
mov byte ptr [ebp-01h], al
cmp dword ptr [0044CB64h], eax
je 00007FD0B4BDED90h
push dword ptr [0044FB08h]
call 00007FD0B4BE37C8h
pop ecx
jmp 00007FD0B4BDED87h
mov eax, 0040CC48h
mov ecx, dword ptr [ebp+14h]
mov edx, 000000A6h
cmp ecx, edx
jg 00007FD0B4BDEEFAh
je 00007FD0B4BDEEE1h
cmp ecx, 19h
jg 00007FD0B4BDEE7Eh
je 00007FD0B4BDEE6Fh
mov edx, ecx
push 00000002h
pop ecx
sub edx, ecx
je 00007FD0B4BDEE53h
dec edx
je 00007FD0B4BDEE43h
sub edx, 05h
je 00007FD0B4BDEE2Bh
dec edx
je 00007FD0B4BDEE0Ch
sub edx, 05h
je 00007FD0B4BDEDF3h
dec edx
je 00007FD0B4BDEDC7h
sub edx, 09h
jne 00007FD0B4BDEF5Ah
mov dword ptr [ebp-28h], 00000003h
mov dword ptr [ebp-24h], 00401348h
fld qword ptr [edi]
lea ecx, dword ptr [ebp-28h]
fstp qword ptr [ebp-20h]
push ecx
fld qword ptr [ebx]
fstp qword ptr [ebp+00h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x173c4	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x1a510	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6d000	0xda4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11f0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4930	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x19c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16d56	0x16e00	False	0.5955110143442623	data	6.70284422084366	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x18000	0x37b24	0x34c00	False	0.5779074718601895	data	5.56923108020657	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wuve	0x50000	0xbb8	0xc00	False	0.008138020833333334	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bedicar	0x51000	0x270	0x400	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0x1a510	0x1a600	False	0.6376073755924171	data	6.234348410854522	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6d000	0x1c6c	0x1e00	False	0.38958333333333334	data	3.8825877184339204	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x6a450	0x2	data	Slovak	Slovakia
AFX_DIALOG_LAYOUT	0x6a438	0x2	data	Slovak	Slovakia
AFX_DIALOG_LAYOUT	0x6a440	0xc	data	Slovak	Slovakia
SUXUMOWUDAKOLA	0x682d0	0x2107	ASCII text, with very long lines (8455), with no line terminators	Slovak	Slovakia
RT_CURSOR	0x6a458	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Slovak	Slovakia
RT_CURSOR	0x6b300	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Slovak	Slovakia
RT_CURSOR	0x6bbd0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	Slovak	Slovakia
RT_CURSOR	0x6bd00	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0	Slovak	Slovakia
RT_ICON	0x52990	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x53058	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x55600	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x55a98	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x56940	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x571e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x57750	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x59cf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x5ada0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x5b728	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x5bbf8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x5caa0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x5d348	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x5da10	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x5df78	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x60520	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x615c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x61a98	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Slovak	Slovakia
RT_ICON	0x62940	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Slovak	Slovakia
RT_ICON	0x631e8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Slovak	Slovakia
RT_ICON	0x638b0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Slovak	Slovakia
RT_ICON	0x63e18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Slovak	Slovakia
RT_ICON	0x663c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Slovak	Slovakia
RT_ICON	0x67468	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Slovak	Slovakia
RT_ICON	0x67df0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Slovak	Slovakia
RT_STRING	0x6bfc8	0x546	data	Slovak	Slovakia
RT_ACCELERATOR	0x6a3d8	0x40	data	Slovak	Slovakia
RT_GROUP_CURSOR	0x6bba8	0x22	data	Slovak	Slovakia
RT_GROUP_CURSOR	0x6bdb0	0x22	data	Slovak	Slovakia
RT_GROUP_ICON	0x61a30	0x68	data	Slovak	Slovakia
RT_GROUP_ICON	0x55a68	0x30	data	Slovak	Slovakia
RT_GROUP_ICON	0x5bb90	0x68	data	Slovak	Slovakia
RT_GROUP_ICON	0x68258	0x76	data	Slovak	Slovakia
RT_VERSION	0x6bdd8	0x1f0	MS Windows COFF PowerPC object file	Slovak	Slovakia
None	0x6a418	0xa	data	Slovak	Slovakia
None	0x6a428	0xa	data	Slovak	Slovakia

Imports

DLL

Import

KERNEL32.dll

FillConsoleOutputCharacterA, GetCPInfo, GetProfileIntW, GetSystemDefaultLCID, GetModuleHandleW, WaitNamedPipeW, TlsSetValue, GetPriorityClass, GetVolumeInformationA, LoadLibraryW, IsProcessInJob, AssignProcessToJobObject, GetCalendarInfoW, GetFileAttributesA, TransactNamedPipe, WriteConsoleW, GetVolumePathNameA, CreateJobObjectA, GetVolumeNameForVolumeMountPointA, FillConsoleOutputCharacterW, GetLastError, GetProcAddress, VirtualAlloc, EnumSystemCodePagesW, SetFileAttributesA, LoadLibraryA, WriteConsoleA, GetProcessWorkingSetSize, LocalAlloc, OpenJobObjectW, FoldStringW, FoldStringA, FindFirstChangeNotificationA, GetFileInformationByHandle, FindActCtxSectionStringW, LCMapStringW, GetConsoleAliasesW, GetFullPathNameW, HeapFree, HeapAlloc, Sleep, ExitProcess, GetStartupInfoW, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapReAlloc, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlUnwind, SetHandleCount, GetFileType, GetStartupInfoA, SetFilePointer, TlsGetValue, TlsAlloc, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RaiseException, GetConsoleOutputCP, MultiByteToWideChar, SetStdHandle, GetACP, GetOEMCP, IsValidCodePage, CloseHandle, CreateFileA, GetModuleHandleA, HeapSize, GetLocaleInfoA, LCMapStringA, GetStringTypeA, GetStringTypeW, SetEndOfFile, GetProcessHeap, ReadFile

ADVAPI32.dll

BackupEventLogW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Slovak	Slovakia

Target ID:	0
Start time:	10:31:56
Start date:	09/12/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	430592 bytes
MD5 hash:	2396925CC38BE4F07BD426CF080256CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.259666135.00000000005D3000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.256458471.0000000000940000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	10:32:03
Start date:	09/12/2022
Path:	C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe"
Imagebase:	0x400000
File size:	430592 bytes
MD5 hash:	2396925CC38BE4F07BD426CF080256CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.293480849.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.271178795.0000000000680000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey, Description: Yara detected Amadey bot, Source: 00000001.00000003.293433328.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Target ID:	2
Start time:	10:32:10
Start date:	09/12/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe" /F
Imagebase:	0x1050000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	10:32:10
Start date:	09/12/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	10:32:12
Start date:	09/12/2022
Path:	C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe
Imagebase:	0x400000
File size:	430592 bytes
MD5 hash:	2396925CC38BE4F07BD426CF080256CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000004.00000003.312159954.0000000000940000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000004.00000002.313317695.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.313317695.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.313412358.0000000000745000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	6.2%
Signature Coverage:	5.5%
Total number of Nodes:	307
Total number of Limit Nodes:	7

Executed Functions

Function 0040CBD0 Relevance: 30.0, APIs: 10, Strings: 5, Instructions: 3727COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 0040CD3E
SetCurrentDirectoryA.KERNEL32(00000000,?,?), ref: 0040CD9C

Part of subcall function 00416A90: Concurrency::cancel_current_task.LIBCPMT ref: 00416B49

Part of subcall function 00402C70: RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,FBA00511,FBA00511), ref: 00402E1C
Part of subcall function 00402C70: RegQueryValueExA.ADVAPI32(FBA00511,?,00000000,00000000,?,00000400,?,?,00000000,00000001,FBA00511,FBA00511), ref: 00402E4A
Part of subcall function 00402C70: RegCloseKey.ADVAPI32(FBA00511,?,?,00000000,00000001,FBA00511,FBA00511), ref: 00402E56

Part of subcall function 00402C70: RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 00402F63
Part of subcall function 00402C70: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00402F91
Part of subcall function 00402C70: RegCloseKey.ADVAPI32(80000001), ref: 00402F9A

Part of subcall function 004048C0: Sleep.KERNEL32(000003E8), ref: 004049A9

GetFileAttributesA.KERNEL32(00000000), ref: 0040E4F1
CreateDirectoryA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E623
GetFileAttributesA.KERNEL32(00000000), ref: 0040E738
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 0040ED75
std::_Xinvalid_argument.LIBCPMT ref: 0040F9E5

Part of subcall function 00402C70: GdiplusStartup.GDIPLUS(?,?,00000000,FBA00511), ref: 004030CA

Part of subcall function 0040CBD0: SetCurrentDirectoryA.KERNEL32(00000000), ref: 0040EF9C

Strings

%, xrefs: 00410047
invalid stoi argument, xrefs: 0040F9E0, 00410314, 00410323
", xrefs: 0040FE0B
stoi argument out of range, xrefs: 0040F9F4, 0041032D
", xrefs: 0040EEF2

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: DirectoryFile$AttributesCloseCurrentNameOpenValue$Concurrency::cancel_current_taskCreateGdiplusModuleQuerySleepStartupUserXinvalid_argumentstd::_
String ID: "$"$%$invalid stoi argument$stoi argument out of range
API String ID: 1674928435-2043294232
Opcode ID: d58a70c0b947218ce40ea755a6b85afed98bfd464afc2cec89cffcacd805f77e
Instruction ID: ca7d88425734236cf169f520bb3e28de2df1445630f25be11c52c40f1bbbcbb8
Opcode Fuzzy Hash: d58a70c0b947218ce40ea755a6b85afed98bfd464afc2cec89cffcacd805f77e
Instruction Fuzzy Hash: 07632A71A001489BEB18DB38CD897DD7B729F86304F5082ADE409A73D6DB3D9EC48B59

Uniqueness

Uniqueness Score: -1.00%

Function 0041B901 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0041B900,0041BE86,?,NA,0041BE86,0041EF4E), ref: 0041B923
TerminateProcess.KERNEL32(00000000,?,0041B900,0041BE86,?,NA,0041BE86,0041EF4E), ref: 0041B92A
ExitProcess.KERNEL32 ref: 0041B93C

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
Instruction ID: c3524ad3d233ec0a3a19b1bf7aedcb75de5af13a6c7a41cb1465cf438659ca8f
Opcode Fuzzy Hash: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
Instruction Fuzzy Hash: 63E0B671120208EFCB216F65DD49AA97B79FB44751BC44439FA0586231CB39EE93CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0090092B Relevance: 3.8, Strings: 3, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

GetProcAddress., xrefs: 009009DC, 009009DF, 009009E4
., xrefs: 0090095F
l, xrefs: 00900966

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 520dc34f5cb0e4c7ffaa731f1686fc0a207e8b75648b6858ea7761a596e9eef0
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: F7316AB6900609DFDB10CF99C880BAEBBF9FF88324F25404AD841A7351D775EA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00404350 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteA.SHELL32(00000000,00429838,?,?,00000000,00000000), ref: 004043F2

Strings

runas, xrefs: 004043B4

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: runas
API String ID: 587946157-4000483414
Opcode ID: d80de1ca38c1f9366a18ecaf0721887ea901d7ba4e133c8412f7233846fa743a
Instruction ID: 0d432a24b2a6eecf06ea0bc45d18f5c5656229febad52b915354dd5f9442050f
Opcode Fuzzy Hash: d80de1ca38c1f9366a18ecaf0721887ea901d7ba4e133c8412f7233846fa743a
Instruction Fuzzy Hash: 56411370600208EBDB04DF69C981BDE7BB9EB45344FA0822AFC15972C0C779E984CB85

Uniqueness

Uniqueness Score: -1.00%

Function 004235FD Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004232B6: CreateFileW.KERNELBASE(00000000,00000000,?,004236A6,?,?,00000000,?,004236A6,00000000,0000000C), ref: 004232D3

GetLastError.KERNEL32 ref: 00423711
__dosmaperr.LIBCMT ref: 00423718
GetFileType.KERNELBASE(00000000), ref: 00423724
GetLastError.KERNEL32 ref: 0042372E
__dosmaperr.LIBCMT ref: 00423737
CloseHandle.KERNEL32(00000000), ref: 00423757
CloseHandle.KERNEL32(?), ref: 004238A4
GetLastError.KERNEL32 ref: 004238D6
__dosmaperr.LIBCMT ref: 004238DD

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 0d649afaf30192c5c19431845a951fd0479d0f23fa76b0b367cd72335b8b290c
Instruction ID: c7b97c56f1a0d1b911df166da15c54d720095dd6c25035754b532be6d98a6b0c
Opcode Fuzzy Hash: 0d649afaf30192c5c19431845a951fd0479d0f23fa76b0b367cd72335b8b290c
Instruction Fuzzy Hash: 7CA15872A041149FCF19DF68EC917AE3BB1AB06325F54016EF811AB391CB7C8952CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0090003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0090024D

Strings

kernel32.dll, xrefs: 0090008F, 00900095
cess, xrefs: 0090018D

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: a333e6a411b48fa1e3fcca5256e1b4aee84f3571d1e6abc263e030b453690c43
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 70527974A01229DFDB64CF58C984BACBBB1BF49304F1480D9E94DAB291DB34AE85DF14

Uniqueness

Uniqueness Score: -1.00%

Function 0042356F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 004235D2

Strings

>A, xrefs: 00423571

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free
String ID: >A
API String ID: 269201875-3365779530
Opcode ID: 6d7cabbe3305cb9b6d011bf0e9d56addc9b4860a8407226052aa3c61f76cc774
Instruction ID: 30ff9b9e87434c0f379a7433cd06ee0227cf71fd1282e2cff9dc0eafdffef8ec
Opcode Fuzzy Hash: 6d7cabbe3305cb9b6d011bf0e9d56addc9b4860a8407226052aa3c61f76cc774
Instruction Fuzzy Hash: A8017172D00159BFCF01AFA89C01ADE7FF5AF08304F14016AB918E2151E7398B609BC4

Uniqueness

Uniqueness Score: -1.00%

Function 0041D1BB Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 0041D203

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9f5dec638c6018a6b24b976b0791b773a56ee0672529c52ab4d44372aafa3d49
Instruction ID: f1d333090dd57bfd17dfe39ecb9b07313f9b1ca465b706eabb36e918cd1afe6e
Opcode Fuzzy Hash: 9f5dec638c6018a6b24b976b0791b773a56ee0672529c52ab4d44372aafa3d49
Instruction Fuzzy Hash: 4FE0E5B6E0242022E211623F7C46AEB11856BD133AB15022FF860861E0DF7C88C2D19E

Uniqueness

Uniqueness Score: -1.00%

Function 00900E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00900223,?,?), ref: 00900E19
SetErrorMode.KERNELBASE(00000000,?,?,00900223,?,?), ref: 00900E1E

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: a9ae9ecf61987860a9aad7c84a8effda743ffebd388c1edcb4f9afcbabe7c4d7
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 01D0123114512877D7002A94DC09BCD7B1CDF05B62F008411FB0DE9080C770994046E5

Uniqueness

Uniqueness Score: -1.00%

Function 0041E3FF Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 0041E439

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 0d6bf0a7e9f29163ed6caaa22d8f5b82bf3e75d92930a2ecd6c24ab71e07ee1e
Instruction ID: 322a9cb7d115cba5ea2c99f456cc5fe6d3c651e69e51ada78d95c10651760d14
Opcode Fuzzy Hash: 0d6bf0a7e9f29163ed6caaa22d8f5b82bf3e75d92930a2ecd6c24ab71e07ee1e
Instruction Fuzzy Hash: 14115775A0020AAFCF05DF59E9459DB7BF4EF48304F0040AAF808EB311D630EA21CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00416830 Relevance: 1.5, APIs: 1, Instructions: 36
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040CBD0: GetTempPathA.KERNEL32(00000104,?), ref: 0040B2FE

Part of subcall function 0040CBD0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,FBA00511), ref: 0040A7BC

Part of subcall function 00406510: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406540

Part of subcall function 0040CBD0: GetUserNameA.ADVAPI32(?,?), ref: 0040B96E

Part of subcall function 004138B0: IsUserAnAdmin.SHELL32 ref: 0041390D
Part of subcall function 004138B0: GetUserNameA.ADVAPI32(?,?), ref: 004139B7
Part of subcall function 004138B0: GetComputerNameExW.KERNEL32(00000002,?,?,?,?), ref: 00413A20

Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 004167F6
Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 00416807
Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 00416818
Part of subcall function 004167E0: Sleep.KERNEL32(00007530,?,00416873), ref: 00416825

InternetCloseHandle.WININET(00000000), ref: 00416887

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Name$CreateThreadUser$FileModule$AdminCloseComputerHandleInternetPathSleepTemp
String ID:
API String ID: 1411138196-0
Opcode ID: 681845bb7bdad3a9b280c05efa4f412a3339f2d7827d3117315032cc1d5ff116
Instruction ID: fcb51b4180ac2c01cd311fc2696d032aed602c74c46a29392a881be8b31f0bff
Opcode Fuzzy Hash: 681845bb7bdad3a9b280c05efa4f412a3339f2d7827d3117315032cc1d5ff116
Instruction Fuzzy Hash: 21E08671A0050407DA043BBA5D0B64E31184F8134CF94027FB815665D7EE6DD56441FF

Uniqueness

Uniqueness Score: -1.00%

Function 004232B6 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,004236A6,?,?,00000000,?,004236A6,00000000,0000000C), ref: 004232D3

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5f6f20da4e93aca7bdcb0ea2359822fb329caed46e02a9c52ac097750241beb4
Instruction ID: cd0ee65043cc83d888fb6f456493c6bde9bec702db69a9442c4f6e90f97d0004
Opcode Fuzzy Hash: 5f6f20da4e93aca7bdcb0ea2359822fb329caed46e02a9c52ac097750241beb4
Instruction Fuzzy Hash: 77D06C3210010DFFDF128F84DC06EDA3BAAFB48724F414120BA1856020C732E872EB94

Uniqueness

Uniqueness Score: -1.00%

Function 00900920 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00900929

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: a81f69529bcf2872433a6626b6dddab0307a3207cad9c1e7665d850a07e5ea8b
Instruction ID: f1a77b98683cafb1fb7459b4dcf7902f75ab8b99c0f73db378513641b05b932d
Opcode Fuzzy Hash: a81f69529bcf2872433a6626b6dddab0307a3207cad9c1e7665d850a07e5ea8b
Instruction Fuzzy Hash: 1190026038415011D820259C4C02B0510021751634F3047107170B91D4D84496144126

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402C70 Relevance: 53.4, APIs: 28, Strings: 2, Instructions: 910registrywindowfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,FBA00511,FBA00511), ref: 00402E1C
RegQueryValueExA.ADVAPI32(FBA00511,?,00000000,00000000,?,00000400,?,?,00000000,00000001,FBA00511,FBA00511), ref: 00402E4A
RegCloseKey.ADVAPI32(FBA00511,?,?,00000000,00000001,FBA00511,FBA00511), ref: 00402E56
RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 00402F63
RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00402F91
RegCloseKey.ADVAPI32(80000001), ref: 00402F9A
GdiplusStartup.GDIPLUS(?,?,00000000,FBA00511), ref: 004030CA
GetDC.USER32(00000000), ref: 004031C2
RegGetValueA.ADVAPI32(80000002,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00403449
GetSystemMetrics.USER32 ref: 004034A2
GetSystemMetrics.USER32 ref: 004034AB
RegGetValueA.ADVAPI32(80000002,?,00000000), ref: 004034F3
GetSystemMetrics.USER32 ref: 00403546
GetSystemMetrics.USER32 ref: 0040354F
CreateCompatibleDC.GDI32(?), ref: 0040355B
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00403570
SelectObject.GDI32(00000000,00000000), ref: 00403580
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004035A6
GdipCreateBitmapFromHBITMAP.GDIPLUS(00000000,00000000,?), ref: 004035BA
GdipGetImageEncodersSize.GDIPLUS(00000000,?), ref: 004035D6
GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 00403603
GdipSaveImageToFile.GDIPLUS(00000000,?,?,00000000), ref: 00403687
SelectObject.GDI32(00000000,?), ref: 00403694
DeleteObject.GDI32(00000000), ref: 004036A1
DeleteObject.GDI32(?), ref: 004036A9
ReleaseDC.USER32 ref: 004036B3
GdipDisposeImage.GDIPLUS(00000000), ref: 004036BA
GdiplusShutdown.GDIPLUS(?), ref: 0040375C

Strings

Pr<p, xrefs: 00403687
image/jpeg, xrefs: 00403615

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Gdip$ImageMetricsObjectSystemValue$Create$BitmapCloseCompatibleDeleteEncodersGdiplusOpenSelect$DisposeFileFromQueryReleaseSaveShutdownSizeStartup
String ID: Pr<p$image/jpeg
API String ID: 406439762-3751219293
Opcode ID: 625a111996d65bc9ed0ed905ec51ae3e3c4fd81772ab0eac13281042dc8f5b47
Instruction ID: ef3e356fa5e9885fc08513456cc6264c1fb040e0d3da28046e10bcebe11668ea
Opcode Fuzzy Hash: 625a111996d65bc9ed0ed905ec51ae3e3c4fd81772ab0eac13281042dc8f5b47
Instruction Fuzzy Hash: A362F471A00108ABEB18DF28CD85BDDBB76EF45304F50826EE805B72D1DB799A85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00403F40 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 162injectionthreadmemoryCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403F66
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00403FCB
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00403FE4
GetThreadContext.KERNEL32(?,00000000), ref: 00403FFF
ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00404023
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040403E
GetProcAddress.KERNEL32(00000000), ref: 00404045
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040406D
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 0040408E
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000), ref: 004040D2
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000), ref: 0040410E
SetThreadContext.KERNEL32(?,00000000,?,?,00000000), ref: 0040412A
ResumeThread.KERNEL32(?,?,?,00000000), ref: 00404136
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000), ref: 00404144
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00404165

Strings

ntdll.dll, xrefs: 00404039
, xrefs: 00404018
NtUnmapViewOfSection, xrefs: 00404034

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Process$MemoryVirtual$ThreadWrite$AllocContextFreeModule$AddressCreateFileHandleNameProcReadResume
String ID: $NtUnmapViewOfSection$ntdll.dll
API String ID: 4033543172-1522589568
Opcode ID: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
Instruction ID: 7185e54e9f5f5e6bc342fc5ffd2bfcf32a837d4cfdcfbf42461452ed81247528
Opcode Fuzzy Hash: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
Instruction Fuzzy Hash: 66518971600218EBDB209F54DC49FEAB7B8FF48701F9040B6F708AA291D7B1A995CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004037D0 Relevance: 27.2, APIs: 18, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00403822
GetProcessHeap.KERNEL32(00000008,?), ref: 00403837
HeapAlloc.KERNEL32(00000000), ref: 0040383A
GetUserNameW.ADVAPI32(00000000,?), ref: 00403848
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 0040386B
GetProcessHeap.KERNEL32(00000008,?), ref: 00403876
HeapAlloc.KERNEL32(00000000), ref: 00403879
GetProcessHeap.KERNEL32(00000008,?), ref: 00403889
HeapAlloc.KERNEL32(00000000), ref: 0040388C
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004038B6
ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 004038C9
GetProcessHeap.KERNEL32(00000000,?), ref: 004039C5
HeapFree.KERNEL32(00000000), ref: 004039CE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004039D3
HeapFree.KERNEL32(00000000), ref: 004039D6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004039DD
HeapFree.KERNEL32(00000000), ref: 004039E0
LocalFree.KERNEL32(00000000), ref: 004039E5

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeName$Alloc$AccountLookupUser$ConvertLocalString
String ID:
API String ID: 3326663573-0
Opcode ID: 93a4281d13f0704140c6beef434c464d6d8b3a4c89b9e3582a668aa3840330e6
Instruction ID: 167f534f4a5bc3f8c65bdd595c5ec8e1d54d44385eb9c59962b1969d814595bf
Opcode Fuzzy Hash: 93a4281d13f0704140c6beef434c464d6d8b3a4c89b9e3582a668aa3840330e6
Instruction Fuzzy Hash: EA716DB1E00209ABDB14DFA5DC85BEFBBBCEB48300F40453AE905A7281DB749905CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 009041A7 Relevance: 22.7, APIs: 15, Instructions: 162injectionthreadmemoryCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 009041CD
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00904232
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0090424B
GetThreadContext.KERNEL32(?,00000000), ref: 00904266
ReadProcessMemory.KERNEL32(?,00434ECC,?,00000004,00000000), ref: 0090428A
GetModuleHandleA.KERNEL32(00434EE8,00434ED0), ref: 009042A5
GetProcAddress.KERNEL32(00000000), ref: 009042AC
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 009042D4
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 009042F5
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000), ref: 00904339
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000), ref: 00904375
SetThreadContext.KERNEL32(?,00000000,?,?,00000000), ref: 00904391
ResumeThread.KERNEL32(?,?,?,00000000), ref: 0090439D
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000), ref: 009043AB
VirtualFree.KERNEL32(?,00000000,00008000), ref: 009043CC

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: Process$MemoryVirtual$ThreadWrite$AllocContextFreeModule$AddressCreateFileHandleNameProcReadResume
String ID:
API String ID: 4033543172-0
Opcode ID: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
Instruction ID: 47865855c339fcac2aa575af8c197fa55696cef6e415eee374fa9b57d342aedf
Opcode Fuzzy Hash: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
Instruction Fuzzy Hash: 1B516871A40218AFDB219B54DD45FEAB7B8FF08701F9000B5FA08EA2D1D7B1A995CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404180 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 166networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00434EF4,00000000,00000000,00000000,00000000), ref: 0040425C
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040426E
InternetReadFile.WININET(00000000,?,03E80000,03E80000), ref: 00404281
InternetCloseHandle.WININET(00000000), ref: 00404292
InternetCloseHandle.WININET(00000000), ref: 00404295
InternetCloseHandle.WININET(00000000), ref: 004042A3
InternetCloseHandle.WININET(00000000), ref: 004042A6

Strings

runas, xrefs: 004043B4

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$Open$FileRead
String ID: runas
API String ID: 4294395943-4000483414
Opcode ID: a0e62042591dcd607715080cbff65227e67b358108453fe37a7e00f2974e3f0f
Instruction ID: ba1dc25ec83469701d4c7edc2e7ba4793e46b241d410edfdecdbeb0a0fce58bd
Opcode Fuzzy Hash: a0e62042591dcd607715080cbff65227e67b358108453fe37a7e00f2974e3f0f
Instruction Fuzzy Hash: 4951D571E00108ABDB14DFA4DC41BEEBB75EF85300F60816EF915B7291D7389945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00424BC4 Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00424C46
_free.LIBCMT ref: 00424C6A
_free.LIBCMT ref: 00424DF7
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004335D8), ref: 00424E09
_free.LIBCMT ref: 00424FC3

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 0fe61e17206dce54771a5055940e70056e7a200eab18ece9396fc025dad7d191
Instruction ID: 2c4f844ee906d1c5b8a05b7d4d89c1c9074c071bb98950a21f89e01ce9d05ddf
Opcode Fuzzy Hash: 0fe61e17206dce54771a5055940e70056e7a200eab18ece9396fc025dad7d191
Instruction Fuzzy Hash: 1FC17835B00128ABDB209F69EC41BAB7BA9EFC5354F94416FE550D7381E7388E01CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00405400 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,FBA00511,00000000), ref: 00405479
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004054E0
GetProcAddress.KERNEL32(00000000), ref: 004054E7

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: 025e2cf7a5914327391402419fbf5478b425843cba7f01ef3a6bcbe6256d18f7
Instruction ID: 1307c1e28f23caf99c3cad6e9d6b2b61846357279e254348caa37701d54b456e
Opcode Fuzzy Hash: 025e2cf7a5914327391402419fbf5478b425843cba7f01ef3a6bcbe6256d18f7
Instruction Fuzzy Hash: B8513971900608ABDB14DB24DD497DE7B76EB46314F5042BAE805B73C1DB389EC48F99

Uniqueness

Uniqueness Score: -1.00%

Function 0041CA80 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0041CB78
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0041CB82
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0041CB8F

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d01e7f133785e3bb0beafcf269aef2531f9dd5a62572b740f5956f5575e894ef
Instruction ID: ff4d1174fdddd5ebc348feb1509e890b27b9c9d6be8b5b558b14357fec343526
Opcode Fuzzy Hash: d01e7f133785e3bb0beafcf269aef2531f9dd5a62572b740f5956f5575e894ef
Instruction Fuzzy Hash: 8C31A275901228ABCB21DF65D989BD9BBB8AF08310F5041EAE40CA6251EB749F858F58

Uniqueness

Uniqueness Score: -1.00%

Function 0091CCE7 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0091CDDF
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0091CDE9
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0091CDF6

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d01e7f133785e3bb0beafcf269aef2531f9dd5a62572b740f5956f5575e894ef
Instruction ID: 28e3415dce9daf1f57a745cb9ca0de07979e7e8adc76e651560d475a155874d3
Opcode Fuzzy Hash: d01e7f133785e3bb0beafcf269aef2531f9dd5a62572b740f5956f5575e894ef
Instruction Fuzzy Hash: E331C674A0121C9BCB21DF68D9897DDBBB8BF48710F5041EAE41CA6251E7709FD58F44

Uniqueness

Uniqueness Score: -1.00%

Function 0091BB68 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0091F1B5,?,0091BB67,0091C0ED,?,0091F1B5,0091C0ED,0091F1B5), ref: 0091BB8A
TerminateProcess.KERNEL32(00000000,?,0091BB67,0091C0ED,?,0091F1B5,0091C0ED,0091F1B5), ref: 0091BB91
ExitProcess.KERNEL32 ref: 0091BBA3

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
Instruction ID: 3eb00b9f77b235fbc77a4c09d7a139db7d8923c227bd3391f1ace5b6a3fdf95a
Opcode Fuzzy Hash: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
Instruction Fuzzy Hash: F2E09231244248EBCB216B65D809AA93BAAFB84741BC44434F80986525CB35DD92CA54

Uniqueness

Uniqueness Score: -1.00%

Function 0042848D Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00428488,?,?,00000008,?,?,00428120,00000000), ref: 004286BA

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5ef4d00b5429483db4ee21fa4326bc925bf0c13a1e125d06c7f23f728c6050ca
Instruction ID: 4a71125e6f4c823a3763720cf76552cabfd479d0aa9e4c8b08dce5cb0b77843e
Opcode Fuzzy Hash: 5ef4d00b5429483db4ee21fa4326bc925bf0c13a1e125d06c7f23f728c6050ca
Instruction Fuzzy Hash: 39B17B31211618DFD714CF28D48AB697BA0FF44364F65865DE89ACF3A1CB39E982CB44

Uniqueness

Uniqueness Score: -1.00%

Function 009286F4 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,009286EF,?,?,00000008,?,?,00928387,00000000), ref: 00928921

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5ef4d00b5429483db4ee21fa4326bc925bf0c13a1e125d06c7f23f728c6050ca
Instruction ID: 6642dd05f8316dd916a896d817974448012b7bf92e168c18eae29257f1b4440a
Opcode Fuzzy Hash: 5ef4d00b5429483db4ee21fa4326bc925bf0c13a1e125d06c7f23f728c6050ca
Instruction Fuzzy Hash: 7AB18C35611618CFD718CF28D486B667BE0FF45364F298658E8EACF2A5C735E982CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00418887 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0041889D

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: d55505ce439c0c625bb69c877a6f4797faed7c5d0db0f84db7aa582d50e4da23
Instruction ID: 42c5aa6f6f7fc7f776cec8504a7906bb6cf0d019190ab3c9283af4763153d71d
Opcode Fuzzy Hash: d55505ce439c0c625bb69c877a6f4797faed7c5d0db0f84db7aa582d50e4da23
Instruction Fuzzy Hash: 92516AB2A10215CBDB18CF65D9817AEBBF4FB48314F24942BD445EB350D7789980CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 00420BA6 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97f7f4797c3a364c903861215189f8d8653831c5c514b3b47f127515a30102c
Instruction ID: 995ca3f643b73f20b77409ea83fcee654ff77a15ad0f1f03090dea471df43cee
Opcode Fuzzy Hash: d97f7f4797c3a364c903861215189f8d8653831c5c514b3b47f127515a30102c
Instruction Fuzzy Hash: FE41C4B5904228AEDB24DF69DC89AEABBB8EF45304F5442DEE40DD3211DA349E848F54

Uniqueness

Uniqueness Score: -1.00%

Function 00920E0D Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97f7f4797c3a364c903861215189f8d8653831c5c514b3b47f127515a30102c
Instruction ID: f17ed17631185613e0974f3c68eefd0de4fcdf86dcdbe6e40fdb7fcadbc9e040
Opcode Fuzzy Hash: d97f7f4797c3a364c903861215189f8d8653831c5c514b3b47f127515a30102c
Instruction Fuzzy Hash: 1541A4B180422CAEDF20DF69DC89AEABBBDEF85300F1442D9E41DE3205D6319E858F50

Uniqueness

Uniqueness Score: -1.00%

Function 00418BCC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00018BD8,004186D1), ref: 00418BD1

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5b644bd4298714589124608af917b149a8cdb7aa3ad9eb7150b270449828aa51
Instruction ID: fb13876baf3060654c4d3ec658a032312c050c0c5ceb920d56ad85ce90fc2474
Opcode Fuzzy Hash: 5b644bd4298714589124608af917b149a8cdb7aa3ad9eb7150b270449828aa51
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00432890 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3a9157b277817cb60641082f1e4f8ca4ec7dff310ffa31a6fd9bf35832d5c1
Instruction ID: 2ed8bcd71233cdd26d40d40588c8b3db03f02c46a7ead0be40a967f157380f8c
Opcode Fuzzy Hash: 5a3a9157b277817cb60641082f1e4f8ca4ec7dff310ffa31a6fd9bf35832d5c1
Instruction Fuzzy Hash: F3E1875548E3C15FD7138B3449B5681BF70AE23114B1E96DBCCDA8E4A7D24CAA0EE732

Uniqueness

Uniqueness Score: -1.00%

Function 00429470 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 836b6cb189818071d5d152d6c3d8cd1a25b1ac1f9bf822a59482dcdb2b2a5351
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 3B115B7730407157D605DA3DF8B46BBA395EFC9320FAC437BC0424B748D22A9C839508

Uniqueness

Uniqueness Score: -1.00%

Function 009296D7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: cd2d6def0ea168070ea203d4fa9fa44f0e799964e925fd5460bd45be1438a453
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: BC11EB7B2611B143D6148E2DF9F41F7A7DDEBD5320F2D427AD0428F75CD122EA459A04

Uniqueness

Uniqueness Score: -1.00%

Function 00900D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 567c10109addfba5efa79a0d59ea0cc09ae68345949f4a779214ad3919a58e14
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 7401A276A006048FDF21CF64C804BAA33E9EBC6316F4544A5D90AAB2C2E774A9818F90

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF02 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ad719187851a61f309ddbb2cee80a5110ae42387cecf94a10a94091515ac20
Instruction ID: 75fb159916dc4249806a39f04cce895c1ac82e6549e7b4276809d1188ffe9861
Opcode Fuzzy Hash: e0ad719187851a61f309ddbb2cee80a5110ae42387cecf94a10a94091515ac20
Instruction Fuzzy Hash: 70E046B2921228EBCB24DF8999049CAF3ECEB49B04B2100AAB502D3200C274DF41C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 0091E169 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ad719187851a61f309ddbb2cee80a5110ae42387cecf94a10a94091515ac20
Instruction ID: fe313f8a4db0f48ac5a15f3858cabba5eaf4b6548c08782c35345d5cf3c5b403
Opcode Fuzzy Hash: e0ad719187851a61f309ddbb2cee80a5110ae42387cecf94a10a94091515ac20
Instruction Fuzzy Hash: F5E08C32A1522CEBCB14DB8CD904ACAF7FCEB84F00B1144A6B901E3111C270DE40CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0042260F Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00422653

Part of subcall function 004221EC: _free.LIBCMT ref: 00422209
Part of subcall function 004221EC: _free.LIBCMT ref: 0042221B
Part of subcall function 004221EC: _free.LIBCMT ref: 0042222D
Part of subcall function 004221EC: _free.LIBCMT ref: 0042223F
Part of subcall function 004221EC: _free.LIBCMT ref: 00422251
Part of subcall function 004221EC: _free.LIBCMT ref: 00422263
Part of subcall function 004221EC: _free.LIBCMT ref: 00422275
Part of subcall function 004221EC: _free.LIBCMT ref: 00422287
Part of subcall function 004221EC: _free.LIBCMT ref: 00422299
Part of subcall function 004221EC: _free.LIBCMT ref: 004222AB
Part of subcall function 004221EC: _free.LIBCMT ref: 004222BD
Part of subcall function 004221EC: _free.LIBCMT ref: 004222CF
Part of subcall function 004221EC: _free.LIBCMT ref: 004222E1

_free.LIBCMT ref: 00422648

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 0042266A
_free.LIBCMT ref: 0042267F
_free.LIBCMT ref: 0042268A
_free.LIBCMT ref: 004226AC
_free.LIBCMT ref: 004226BF
_free.LIBCMT ref: 004226CD
_free.LIBCMT ref: 004226D8
_free.LIBCMT ref: 00422710
_free.LIBCMT ref: 00422717
_free.LIBCMT ref: 00422734
_free.LIBCMT ref: 0042274C

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2ebc8ac26202a0620aa625b36a1d2a8fe7bc692bad1c871fd446d657effbc3a9
Instruction ID: 87a383156b0838ac626f9c2c6038cf6ce1f5ffd7cd3d592d57855f9c4539c293
Opcode Fuzzy Hash: 2ebc8ac26202a0620aa625b36a1d2a8fe7bc692bad1c871fd446d657effbc3a9
Instruction Fuzzy Hash: B6319272604211BFEB205A76EA45B9B73E5AF80358F50441FE849D7251DFBCED80DB18

Uniqueness

Uniqueness Score: -1.00%

Function 00922876 Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 009228BA

Part of subcall function 00922453: _free.LIBCMT ref: 00922470
Part of subcall function 00922453: _free.LIBCMT ref: 00922482
Part of subcall function 00922453: _free.LIBCMT ref: 00922494
Part of subcall function 00922453: _free.LIBCMT ref: 009224A6
Part of subcall function 00922453: _free.LIBCMT ref: 009224B8
Part of subcall function 00922453: _free.LIBCMT ref: 009224CA
Part of subcall function 00922453: _free.LIBCMT ref: 009224DC
Part of subcall function 00922453: _free.LIBCMT ref: 009224EE
Part of subcall function 00922453: _free.LIBCMT ref: 00922500
Part of subcall function 00922453: _free.LIBCMT ref: 00922512
Part of subcall function 00922453: _free.LIBCMT ref: 00922524
Part of subcall function 00922453: _free.LIBCMT ref: 00922536
Part of subcall function 00922453: _free.LIBCMT ref: 00922548

_free.LIBCMT ref: 009228AF

Part of subcall function 0091E808: HeapFree.KERNEL32(00000000,00000000,?,009225E4,?,00000000,?,?,?,0092260B,?,00000007,?,?,00922A0D,?), ref: 0091E81E
Part of subcall function 0091E808: GetLastError.KERNEL32(?,?,009225E4,?,00000000,?,?,?,0092260B,?,00000007,?,?,00922A0D,?,?), ref: 0091E830

_free.LIBCMT ref: 009228D1
_free.LIBCMT ref: 009228E6
_free.LIBCMT ref: 009228F1
_free.LIBCMT ref: 00922913
_free.LIBCMT ref: 00922926
_free.LIBCMT ref: 00922934
_free.LIBCMT ref: 0092293F
_free.LIBCMT ref: 00922977
_free.LIBCMT ref: 0092297E
_free.LIBCMT ref: 0092299B
_free.LIBCMT ref: 009229B3

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2ebc8ac26202a0620aa625b36a1d2a8fe7bc692bad1c871fd446d657effbc3a9
Instruction ID: 73f32a29da1eb0e49a3805a95da45d433cbf92b183cb5faa6d51f008893ba708
Opcode Fuzzy Hash: 2ebc8ac26202a0620aa625b36a1d2a8fe7bc692bad1c871fd446d657effbc3a9
Instruction Fuzzy Hash: 0D316D31610319AFEB20AB38E949B9AB7EDEF40310F644469F859D71A5DB71ECC0CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00919D8E Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00919E89
type_info::operator==.LIBVCRUNTIME ref: 00919EB0
___TypeMatch.LIBVCRUNTIME ref: 00919FBC
CatchIt.LIBVCRUNTIME ref: 0091A011
IsInExceptionSpec.LIBVCRUNTIME ref: 0091A097
_UnwindNestedFrames.LIBCMT ref: 0091A11E
CallUnexpected.LIBVCRUNTIME ref: 0091A139

Strings

csm, xrefs: 00919EE7
csm, xrefs: 00919E36
csm, xrefs: 00919DC9

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: 7c1fb931e7428280153d6c09b5a5c630754522480dfed903c9c8a59691bc5c1e
Instruction ID: b03b8247f1cd3639bc2aa2c2de5c4b6c4fdb27be9687167bc702bb4c8b25e417
Opcode Fuzzy Hash: 7c1fb931e7428280153d6c09b5a5c630754522480dfed903c9c8a59691bc5c1e
Instruction Fuzzy Hash: 29C19A71A0120DEFCF25DFA4C891AEEBBB9BF59310F04415AE8116B252D335DE91CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00419B27 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00419C22
type_info::operator==.LIBVCRUNTIME ref: 00419C49
___TypeMatch.LIBVCRUNTIME ref: 00419D55
IsInExceptionSpec.LIBVCRUNTIME ref: 00419E30
_UnwindNestedFrames.LIBCMT ref: 00419EB7
CallUnexpected.LIBVCRUNTIME ref: 00419ED2

Strings

csm, xrefs: 00419C80
csm, xrefs: 00419B62
csm, xrefs: 00419BCF

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 7c1fb931e7428280153d6c09b5a5c630754522480dfed903c9c8a59691bc5c1e
Instruction ID: d03aefa22aee8cf5aa416bea0a170c685dbf4c7cd79984a2e6415da9b3a38480
Opcode Fuzzy Hash: 7c1fb931e7428280153d6c09b5a5c630754522480dfed903c9c8a59691bc5c1e
Instruction Fuzzy Hash: 49C18871900209EFCF29DFA5D8A19EEBBB5BF04314F14405BE8516B242D339DE91CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408B5C Relevance: 15.2, APIs: 10, Instructions: 219networkfileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00408BAC
InternetOpenA.WININET(0043432B,00000000,00000000,00000000,00000000), ref: 00408BC2
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00408BE2
InternetReadFile.WININET(00000000,00000000,?,?), ref: 00408BF3
WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00408C15
InternetReadFile.WININET(00000000,00000000,?,?), ref: 00408C20
CloseHandle.KERNEL32(?), ref: 00408C32
InternetCloseHandle.WININET(?), ref: 00408C41
InternetCloseHandle.WININET(00000000), ref: 00408C44
RemoveDirectoryA.KERNEL32(00000000,?,?,?), ref: 00408CFD

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateDirectoryRemoveWrite
String ID:
API String ID: 1496009958-0
Opcode ID: d6c720663f9b5b78fa5f1015a3dfa6bc7eec9ceecaca795ede3bf18aecdef0c6
Instruction ID: e39da941a42be4000a8416f9d2a6f8c848e32a180712f45a109694aa4e2734ce
Opcode Fuzzy Hash: d6c720663f9b5b78fa5f1015a3dfa6bc7eec9ceecaca795ede3bf18aecdef0c6
Instruction Fuzzy Hash: 6E71EF71600208ABEB14DF64DD85BEE7735EF44304F50423EF945AB2D1DB38A980CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED7A Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041ED90

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 0041ED9C
_free.LIBCMT ref: 0041EDA7
_free.LIBCMT ref: 0041EDB2
_free.LIBCMT ref: 0041EDBD
_free.LIBCMT ref: 0041EDC8
_free.LIBCMT ref: 0041EDD3
_free.LIBCMT ref: 0041EDDE
_free.LIBCMT ref: 0041EDE9
_free.LIBCMT ref: 0041EDF7

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b518f20b764996853f57fbd2a3fdc4e7bf3deb810a08f9cd0b2a52dd965201da
Instruction ID: e610bd300bd5c2f85586062e27af9f16ff799e012d6f089a2169b26ee7872c24
Opcode Fuzzy Hash: b518f20b764996853f57fbd2a3fdc4e7bf3deb810a08f9cd0b2a52dd965201da
Instruction Fuzzy Hash: ED219CBA910108BFCB41EF96C941DDD7BF6BF88344F00416AF9199B121EB35DA84DB84

Uniqueness

Uniqueness Score: -1.00%

Function 00426582 Relevance: 13.8, APIs: 9, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ce67aa41b5f7f4889b1a1a20be5028291e55dfd00ef2a2d6d7ad31bcea8bed
Instruction ID: 5128a0cef717139e7719faf6ed0b9fe75c650819d7ce78bb109199c1610a9dbc
Opcode Fuzzy Hash: f5ce67aa41b5f7f4889b1a1a20be5028291e55dfd00ef2a2d6d7ad31bcea8bed
Instruction Fuzzy Hash: D3C114B4B002159FDF11DF99E880BAEBBB0BF49304F51406AE914A7382C7789D81CF69

Uniqueness

Uniqueness Score: -1.00%

Function 009267E9 Relevance: 13.8, APIs: 9, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ce67aa41b5f7f4889b1a1a20be5028291e55dfd00ef2a2d6d7ad31bcea8bed
Instruction ID: a312a967e7d33081e48440c1b11a92d6a8e24dc1c6a4e4ba106a157e7a3c58f2
Opcode Fuzzy Hash: f5ce67aa41b5f7f4889b1a1a20be5028291e55dfd00ef2a2d6d7ad31bcea8bed
Instruction Fuzzy Hash: 23C116B1E04259AFDF11DF98EC80BADBBB4BF89300F148069E541A779AC7349D81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00421A27 Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00421A51
_free.LIBCMT ref: 00421B2A
_free.LIBCMT ref: 00421B57

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 17a2c5d05d88992eb6c4295c13d4ba7d46687f58b453e92c494b9aad345095be
Instruction ID: f188bb2de727b7b751c2d84351da10a70f250225146cef8743706f99745805fe
Opcode Fuzzy Hash: 17a2c5d05d88992eb6c4295c13d4ba7d46687f58b453e92c494b9aad345095be
Instruction Fuzzy Hash: 0E518C74F44324AFDB24AFB7A881A6E7BB4AF11314F54416FE410972A1EA3D8940CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00921C8E Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00921CB8
_free.LIBCMT ref: 00921D91
_free.LIBCMT ref: 00921DBE

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 17a2c5d05d88992eb6c4295c13d4ba7d46687f58b453e92c494b9aad345095be
Instruction ID: 79603d8c938d4cb5cc3053aea00248fd5033e236be0824de408aa7eb2306cab8
Opcode Fuzzy Hash: 17a2c5d05d88992eb6c4295c13d4ba7d46687f58b453e92c494b9aad345095be
Instruction Fuzzy Hash: 18515B70E04325AFEB20AF74BC85BAE7BB8FF61310F154169ED1097289DB3199A0CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00903A37 Relevance: 10.7, APIs: 7, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000), ref: 00903AA1
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 00903AD2
RtlAllocateHeap.NTDLL(00000000), ref: 00903AE0
RtlAllocateHeap.NTDLL(00000000), ref: 00903AF3
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 00903B1D
ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 00903B30
LocalFree.KERNEL32(00000000), ref: 00903C4C

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeap$AccountLookupName$ConvertFreeLocalString
String ID:
API String ID: 856199767-0
Opcode ID: a21390300934cd29b774af7455bbd4a5da11480314e204e02bb9cb101a81b481
Instruction ID: 43f14e2c16035f7adb5b0d9711097b4a937949b4b5869a25f3ef3557981b297a
Opcode Fuzzy Hash: a21390300934cd29b774af7455bbd4a5da11480314e204e02bb9cb101a81b481
Instruction Fuzzy Hash: 0D716DB1E00219AFEB149FA5DC85BFFBBBCEF48300F408529E905A3281DB349945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 004194D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00419507
___except_validate_context_record.LIBVCRUNTIME ref: 0041950F
_ValidateLocalCookies.LIBCMT ref: 00419598
__IsNonwritableInCurrentImage.LIBCMT ref: 004195C3
_ValidateLocalCookies.LIBCMT ref: 00419618

Strings

csm, xrefs: 004195AD

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 170db4f13a52bbc04fbb15fe7ab42c90d24a7c19ae8ceb0e3c19913b98646896
Instruction ID: cf6a3be1c1e6f4323defd25786acadca5afaa418f9c93884064ec3a043526e94
Opcode Fuzzy Hash: 170db4f13a52bbc04fbb15fe7ab42c90d24a7c19ae8ceb0e3c19913b98646896
Instruction Fuzzy Hash: 09411A31A00214AFCF11DF69C890ADEBBB1BF45318F54806BE8146B352D739DE96CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041F14C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 0041F1A3
ext-ms-, xrefs: 0041F1B7

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: d346eea9aafd959945e16ecfc9ebbe047e966c499b5e8e0d3b3e0bbc48b51e8c
Instruction ID: 8946f5363388c355846af12649c4142b4e9cf4c5f65ba016e67a922269825e5f
Opcode Fuzzy Hash: d346eea9aafd959945e16ecfc9ebbe047e966c499b5e8e0d3b3e0bbc48b51e8c
Instruction Fuzzy Hash: 3521C672A41221FBCB318A24DC45A9B3778AB017A0F650532ED15A7391D638ED4BC5DC

Uniqueness

Uniqueness Score: -1.00%

Function 0042238B Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00422353: _free.LIBCMT ref: 00422378

_free.LIBCMT ref: 004223D9

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 004223E4
_free.LIBCMT ref: 004223EF
_free.LIBCMT ref: 00422443
_free.LIBCMT ref: 0042244E
_free.LIBCMT ref: 00422459
_free.LIBCMT ref: 00422464

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 745ba4c7df38b0c8b3501d58b22aa89868de86b005191e755d783c3d27d16807
Instruction ID: 3666b1e76cecdb1a9706d82e7bd79ae187b091a1e89744abee2c0a3d449e73e2
Opcode Fuzzy Hash: 745ba4c7df38b0c8b3501d58b22aa89868de86b005191e755d783c3d27d16807
Instruction Fuzzy Hash: C611E471601714BAD921F7B2DD47FCB77DD5F0834CF84881EBACD6A052D6ACB6514604

Uniqueness

Uniqueness Score: -1.00%

Function 009225F2 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009225BA: _free.LIBCMT ref: 009225DF

_free.LIBCMT ref: 00922640

Part of subcall function 0091E808: HeapFree.KERNEL32(00000000,00000000,?,009225E4,?,00000000,?,?,?,0092260B,?,00000007,?,?,00922A0D,?), ref: 0091E81E
Part of subcall function 0091E808: GetLastError.KERNEL32(?,?,009225E4,?,00000000,?,?,?,0092260B,?,00000007,?,?,00922A0D,?,?), ref: 0091E830

_free.LIBCMT ref: 0092264B
_free.LIBCMT ref: 00922656
_free.LIBCMT ref: 009226AA
_free.LIBCMT ref: 009226B5
_free.LIBCMT ref: 009226C0
_free.LIBCMT ref: 009226CB

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 745ba4c7df38b0c8b3501d58b22aa89868de86b005191e755d783c3d27d16807
Instruction ID: f0502966c2378b057e8740c9db177374b2e74779ca55fe5d4de3eb5456d6738a
Opcode Fuzzy Hash: 745ba4c7df38b0c8b3501d58b22aa89868de86b005191e755d783c3d27d16807
Instruction Fuzzy Hash: DD115B72540718B6E730F7B0DC07FCBB79DAF84700F404C25FA9966056D679B9844750

Uniqueness

Uniqueness Score: -1.00%

Function 00423A46 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00405880,00000000), ref: 00423A8E
__fassign.LIBCMT ref: 00423C6D
__fassign.LIBCMT ref: 00423C8A
WriteFile.KERNEL32(?,00405880,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00423CD2
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00423D12
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00423DBE

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 5a0c35df1f21bdc5310913443ad541efee69954072d07ce9ea6e444a121a2afd
Instruction ID: 55294dd1ed643e62d688e25fe7fc8b93d32e6dca02253c809cdcf0ede3e7f937
Opcode Fuzzy Hash: 5a0c35df1f21bdc5310913443ad541efee69954072d07ce9ea6e444a121a2afd
Instruction Fuzzy Hash: 21D1A075E002689FCF15CFA8D8809EDBBB5BF48314F64016AE455FB342D738AA46CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00923CAD Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00905AE7,00000000), ref: 00923CF5
__fassign.LIBCMT ref: 00923ED4
__fassign.LIBCMT ref: 00923EF1
WriteFile.KERNEL32(?,00905AE7,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00923F39
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00923F79
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00924025

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: e542d5d4a89b9a95555eca30389ef7d2b429d4e8e228d9549bf9bdf1a88ffcb9
Instruction ID: 04569f86539a572a6ac5cdf8ead83c52c697729a0b311242235c68ee31b3ae89
Opcode Fuzzy Hash: e542d5d4a89b9a95555eca30389ef7d2b429d4e8e228d9549bf9bdf1a88ffcb9
Instruction Fuzzy Hash: 8CD1CD75D002689FCF15CFA8E8809EDBBB5BF48304F28416AE855FB246D731AE46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 004197F0 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004197E7,004193D7,00418C1C), ref: 004197FE
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0041980C
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00419825
SetLastError.KERNEL32(00000000,004197E7,004193D7,00418C1C), ref: 00419877

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction ID: 71a7697fc03e6214697c45e1a132a8316019e6706060db725442c6d2a3e753c8
Opcode Fuzzy Hash: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction Fuzzy Hash: F101D8326293115EE62C3B76AE959D72774EF067B8720023FF120441F1EF594C95D58D

Uniqueness

Uniqueness Score: -1.00%

Function 00919A57 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00919A4E,0091963E,00918E83), ref: 00919A65
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00919A73
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00919A8C
SetLastError.KERNEL32(00000000,00919A4E,0091963E,00918E83), ref: 00919ADE

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction ID: 060a2e9a3b9426c4a15cc78a40e65c73be1c0a35bf15f1ea94e4f3df0660fd6d
Opcode Fuzzy Hash: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction Fuzzy Hash: C801F73270971A5FE72C27757E95AE62AB8EF957707240239F550400F1EF524C899184

Uniqueness

Uniqueness Score: -1.00%

Function 009043E7 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 166networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00434EF4,00000000,00000000,00000000,00000000), ref: 009044C3
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 009044D5
InternetReadFile.WININET(00000000,?,03E80000,03E80000), ref: 009044E8

Strings

runas, xrefs: 0090461B
+CC, xrefs: 00904621

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: Internet$Open$FileRead
String ID: +CC$runas
API String ID: 72386350-2150734417
Opcode ID: f629ccd115f1b0a5505da88cd8cf5212883000edcb5ff7f417580e889bd18442
Instruction ID: 363ad39e5e83cdf653ccb377388059af00715928be177eaead52f5875a2cc99f
Opcode Fuzzy Hash: f629ccd115f1b0a5505da88cd8cf5212883000edcb5ff7f417580e889bd18442
Instruction Fuzzy Hash: 0551D5B2E00109AFDB14DFA4CC81FEEBBB5EF88700F608529F511A7291DB359945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00420F7C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00420F81

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe
API String ID: 0-2502435711
Opcode ID: d9fd3d3f386e086f16d5e96c86dfc6c05a3e177acafcacdda8c025444d2164cb
Instruction ID: f2c65a4c72dcbe00dc32dc221c8eb50b3435d1ebdf66b1fbb5bbc6e11338d05a
Opcode Fuzzy Hash: d9fd3d3f386e086f16d5e96c86dfc6c05a3e177acafcacdda8c025444d2164cb
Instruction Fuzzy Hash: CB210A713001257F97206F71ED81D6BB7ADAF103A8750462BF828D7691D778DC818799

Uniqueness

Uniqueness Score: -1.00%

Function 009211E3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 009211E8

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe
API String ID: 0-2502435711
Opcode ID: 58ea943009bd374bebf7ec5987a08b3fa813e305a807f4d2fcbf4f6ae6d6cbf6
Instruction ID: fb3bdd2e992c82ed8c61de5ea0adbb332b60dc9894b1cb72e774db80c0f7ffeb
Opcode Fuzzy Hash: 58ea943009bd374bebf7ec5987a08b3fa813e305a807f4d2fcbf4f6ae6d6cbf6
Instruction Fuzzy Hash: 9721A4B2B04229BF9B20AF75EC81E6B776DEF603647104624F934D7259E730EC6087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3D6 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0041C418

Strings

.com, xrefs: 0041C458
.bat, xrefs: 0041C447
.exe, xrefs: 0041C425
.cmd, xrefs: 0041C436

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 19671788b65354572937ca0f5259cacd468799deb2890a42aa5f1fe1ebfecd1d
Instruction ID: baa428b651ab7fadd2aefce0a8d8cefe58070258f098f4f191bca89b56dcb2ea
Opcode Fuzzy Hash: 19671788b65354572937ca0f5259cacd468799deb2890a42aa5f1fe1ebfecd1d
Instruction Fuzzy Hash: 7E012B3BA8C635212624101AEC62BF717988B96FB8B25412FF854F72C1ED9DEC8205DC

Uniqueness

Uniqueness Score: -1.00%

Function 0041A897 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 0041A8E7

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: d7b12ed5c3c764c8b82cc7f1cf76b5788b814adb9963f19d14a8505e8bb0b4a8
Instruction ID: 8addbc20e8b4f1572ca5f78bff053ba989236767de5a1c4d832f47c373f0c560
Opcode Fuzzy Hash: d7b12ed5c3c764c8b82cc7f1cf76b5788b814adb9963f19d14a8505e8bb0b4a8
Instruction Fuzzy Hash: 2B112C71A12221EBC7314B249D44AAB37689F017B4B624933ED45AB390D738DDE1C5DE

Uniqueness

Uniqueness Score: -1.00%

Function 0041B943 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0041B938,?,?,0041B900,0041BE86,?,NA), ref: 0041B958
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041B96B
FreeLibrary.KERNEL32(00000000,?,?,0041B938,?,?,0041B900,0041BE86,?,NA), ref: 0041B98E

Strings

mscoree.dll, xrefs: 0041B951
CorExitProcess, xrefs: 0041B963

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: af14fd2dde53d7be7e540de01eeb28501674720f1683c90e0ca13ac16e635f3d
Instruction ID: 6ab08718997dcf592451d77b1cbf540418157bbc441c253cf8170436862d5d78
Opcode Fuzzy Hash: af14fd2dde53d7be7e540de01eeb28501674720f1683c90e0ca13ac16e635f3d
Instruction Fuzzy Hash: 52F08230651218FBDB259B50DD0ABEEBA78DF44759F900175A504A1260CB788E46DA98

Uniqueness

Uniqueness Score: -1.00%

Function 00924E2B Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00924EAD
_free.LIBCMT ref: 00924ED1
_free.LIBCMT ref: 0092505E
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004335D8), ref: 00925070
_free.LIBCMT ref: 0092522A

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: cd66b27a8385d4536588664ec460c84106157103f67aa985b2529d6009eaf611
Instruction ID: 7d188cf609a94e6c9df1e9dc4e354c7e6be68a112f5a74adf856f43055e31604
Opcode Fuzzy Hash: cd66b27a8385d4536588664ec460c84106157103f67aa985b2529d6009eaf611
Instruction Fuzzy Hash: 6FC13971A00269AFDB20DF68EC45BEE7BBDEF85310F15416AE851D728AE7308D41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00426FA9 Relevance: 7.7, APIs: 5, Instructions: 244COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(005F1E48,005F1E48,?,7FFFFFFF,?,?,00427265,005F1E48,005F1E48,?,005F1E48,?,?,?,?,005F1E48), ref: 0042704C
__alloca_probe_16.LIBCMT ref: 00427102
__alloca_probe_16.LIBCMT ref: 00427198
__freea.LIBCMT ref: 00427203
__freea.LIBCMT ref: 0042720F

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: c559a93f2d06cee59e46b38ea2fc726286989e451536d90b3fb509578e86aae3
Instruction ID: f6d9b8f12c634194a1b411eace1e19527ea88e01b30f60a4b5a6e0b516c13e2d
Opcode Fuzzy Hash: c559a93f2d06cee59e46b38ea2fc726286989e451536d90b3fb509578e86aae3
Instruction Fuzzy Hash: 4481E472B082259BDF219EA5AC41EEF7BB5EF09354F98005BF804A7341D62DCC458BB9

Uniqueness

Uniqueness Score: -1.00%

Function 004258D4 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00425958
__alloca_probe_16.LIBCMT ref: 00425A1E
__freea.LIBCMT ref: 00425A8A

Part of subcall function 0041EA8A: HeapAlloc.KERNEL32(00000000,?,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EABC

__freea.LIBCMT ref: 00425A93
__freea.LIBCMT ref: 00425AB6

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 801bfc73f5307c034d341afffc150cc0786828de70bde5b9b10ebb0cec96e4eb
Instruction ID: 7e0d7c363e2f027523b7077ca53f82abc72318da18e9cc0c3b19bc4bba63112a
Opcode Fuzzy Hash: 801bfc73f5307c034d341afffc150cc0786828de70bde5b9b10ebb0cec96e4eb
Instruction Fuzzy Hash: 8351E672700626AFDB209F95EC86EBF37A9EF44764F95422AFC04D7240E778DC418698

Uniqueness

Uniqueness Score: -1.00%

Function 0041C10E Relevance: 7.6, APIs: 5, Instructions: 141pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0041C040), ref: 0041C130
GetFileInformationByHandle.KERNEL32(?,?), ref: 0041C18A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0041C040,?,000000FF,00000000,00000000), ref: 0041C218
__dosmaperr.LIBCMT ref: 0041C21F
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0041C25C

Part of subcall function 0041C484: __dosmaperr.LIBCMT ref: 0041C4B9

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
Instruction ID: 0071a9752275d4edb8b9c21b1954eb469a97b67ce05b4548820d0adabff3a4d5
Opcode Fuzzy Hash: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
Instruction Fuzzy Hash: B7413C75940204AFDB249FA5DC859EFBBF9EF89700B00452EF856D3610E7389885CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0091C375 Relevance: 7.6, APIs: 5, Instructions: 141pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0091C2A7), ref: 0091C397
GetFileInformationByHandle.KERNEL32(?,?), ref: 0091C3F1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0091C2A7,?,000000FF,00000000,00000000), ref: 0091C47F
__dosmaperr.LIBCMT ref: 0091C486
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0091C4C3

Part of subcall function 0091C6EB: __dosmaperr.LIBCMT ref: 0091C720

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
Instruction ID: 6579284268bfa244cde56fe647c1d75bc5d31675bc3e0e1d32d1c4959c82b46c
Opcode Fuzzy Hash: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
Instruction Fuzzy Hash: 15416FB5A44208ABCB24DFA5DC559FFBBF9EF887007004529F956D3660E6349885CB20

Uniqueness

Uniqueness Score: -1.00%

Function 004222EA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00422302

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 00422314
_free.LIBCMT ref: 00422326
_free.LIBCMT ref: 00422338
_free.LIBCMT ref: 0042234A

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a090e3dca2e19da394a01cead958df991e42452585b2f6658ee12e14c4d52992
Instruction ID: 8eed935d1f0a41e2b9dbe60b1656bd2ba3e28f3ae1fefd92f9cbf16fd4f54630
Opcode Fuzzy Hash: a090e3dca2e19da394a01cead958df991e42452585b2f6658ee12e14c4d52992
Instruction Fuzzy Hash: 04F04472501210B78520DBA6F6C2C4B73DAAB94355794180AF809D7641C77CFD81866C

Uniqueness

Uniqueness Score: -1.00%

Function 00922551 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00922569

Part of subcall function 0091E808: HeapFree.KERNEL32(00000000,00000000,?,009225E4,?,00000000,?,?,?,0092260B,?,00000007,?,?,00922A0D,?), ref: 0091E81E
Part of subcall function 0091E808: GetLastError.KERNEL32(?,?,009225E4,?,00000000,?,?,?,0092260B,?,00000007,?,?,00922A0D,?,?), ref: 0091E830

_free.LIBCMT ref: 0092257B
_free.LIBCMT ref: 0092258D
_free.LIBCMT ref: 0092259F
_free.LIBCMT ref: 009225B1

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a090e3dca2e19da394a01cead958df991e42452585b2f6658ee12e14c4d52992
Instruction ID: 69062e6505738a0dce4d37ff36018a6291cdce049293f16c4a9724d559ed95a7
Opcode Fuzzy Hash: a090e3dca2e19da394a01cead958df991e42452585b2f6658ee12e14c4d52992
Instruction Fuzzy Hash: 9DF09632925218BBD720DF54F4C6C9AB3DDEB403107A45865F404D7544CB70FCC08694

Uniqueness

Uniqueness Score: -1.00%

Function 0090E207 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

#, xrefs: 0090F9BB

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: #
API String ID: 3677997916-1885708031
Opcode ID: 4d26a9903dbf7e4ba4290750e16a9ab8299c95c43a50e3bd25ecedede5d2791d
Instruction ID: f95b3bddd0445c9e7feb3aa2a76d36977b64df9762eeb795983c213a40bf9cd4
Opcode Fuzzy Hash: 4d26a9903dbf7e4ba4290750e16a9ab8299c95c43a50e3bd25ecedede5d2791d
Instruction Fuzzy Hash: D712CF70A0428CDFEF14DF68C949BDDBFB5AB45304F508598E844673C2D7B95A88CB92

Uniqueness

Uniqueness Score: -1.00%

Function 004209B7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00420B51

Strings

*?, xrefs: 004209FA

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 4349432449d004c56f1fbb459abf86acb5202655a551f523de74eb3488688e5f
Instruction ID: 7415b14c5d0124b7c9719d17695bca9e12f23279d28e73ebbb8fdbf8e8460f59
Opcode Fuzzy Hash: 4349432449d004c56f1fbb459abf86acb5202655a551f523de74eb3488688e5f
Instruction Fuzzy Hash: 5661A1B5E002299FCB14CFA9D8815EEFBF5EF48314B54816AE805F7301E735AE418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00920C1E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00920DB8

Strings

*?, xrefs: 00920C61

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 4349432449d004c56f1fbb459abf86acb5202655a551f523de74eb3488688e5f
Instruction ID: 5e24d6aea41164e299f37363c8c26bebfae06dd71b3b42dc8050ed8619166b58
Opcode Fuzzy Hash: 4349432449d004c56f1fbb459abf86acb5202655a551f523de74eb3488688e5f
Instruction Fuzzy Hash: 01615CB5E002299FCF14CFA8D8815EDFBF9EF88310B24816AE855F7345D631AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0091A144 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0091A169
CatchIt.LIBVCRUNTIME ref: 0091A24F

Strings

MOC, xrefs: 0091A17B
RCC, xrefs: 0091A183

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 56cf5a80f9e67a63b3ea8228320d3624bd09d448c8f94bbe6aa890cfa768ed17
Instruction ID: db8ba5d18e9e06ebe78755ba27463113a3f5c2890177742f2a3466321595d572
Opcode Fuzzy Hash: 56cf5a80f9e67a63b3ea8228320d3624bd09d448c8f94bbe6aa890cfa768ed17
Instruction Fuzzy Hash: AE415871A0120DAFDF15DF98CD81AEE7BB9BF88300F188159F914A7261D3369D90DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0090B507 Relevance: 6.4, APIs: 4, Instructions: 351fileCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 0090B565
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0090B784
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?), ref: 0090B8A4
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0090B9F0

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: File$CopyCreateDirectoryModuleNamePathTemp
String ID:
API String ID: 2256340497-0
Opcode ID: 69506e0b47fdf4355df82a24afce3d41012599873781e6f53ce1b916386e2bff
Instruction ID: 3dc78a10a5c927721ce32143a8bffdf154cbe6c5b39fa9b5bd17e841b8073315
Opcode Fuzzy Hash: 69506e0b47fdf4355df82a24afce3d41012599873781e6f53ce1b916386e2bff
Instruction Fuzzy Hash: B8D1E2B1A001188FEB24DB28CC85BDDB779AF85304F5041E8E659A32C2DB755FC48F6A

Uniqueness

Uniqueness Score: -1.00%

Function 004198D0 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00419997
___AdjustPointer.LIBCMT ref: 004199BA
___AdjustPointer.LIBCMT ref: 00419A56

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 7e8d2a906245dc524fe8c50e746b229fe3151c293ccc1eab8f3b2c5d31764d92
Instruction ID: a8cd01a110c9a5ba9b93cdf8b6ca506de852c713b8af7688bfec1274bd28d331
Opcode Fuzzy Hash: 7e8d2a906245dc524fe8c50e746b229fe3151c293ccc1eab8f3b2c5d31764d92
Instruction Fuzzy Hash: 3251D0B2601286AFDB298F15D861BEA77A4EF04314F24012FE84646391E739ECC1C799

Uniqueness

Uniqueness Score: -1.00%

Function 00919B37 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00919BFE
___AdjustPointer.LIBCMT ref: 00919C21
___AdjustPointer.LIBCMT ref: 00919CBD

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 7e8d2a906245dc524fe8c50e746b229fe3151c293ccc1eab8f3b2c5d31764d92
Instruction ID: d5710e9617424eb533ca73fd58ee0188d22a8f6a6e78ee97a7e6c775ad63b798
Opcode Fuzzy Hash: 7e8d2a906245dc524fe8c50e746b229fe3151c293ccc1eab8f3b2c5d31764d92
Instruction Fuzzy Hash: E751BF72B0560AAFDB298F14D8A1BEA77E9EF50710F144529E88A47290E731EDC0D790

Uniqueness

Uniqueness Score: -1.00%

Function 00905667 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,00439008,00000000), ref: 009056E0
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00905747
GetProcAddress.KERNEL32(00000000), ref: 0090574E

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: ddc787008df3d19dcf6ff3ff6324906e599249e81a3a5c2a1838fed2653284d0
Instruction ID: 2e748ae2982acb9a126e7053dc0f3ded4ad058f2cfb0f0f358c1a8b6a4794faf
Opcode Fuzzy Hash: ddc787008df3d19dcf6ff3ff6324906e599249e81a3a5c2a1838fed2653284d0
Instruction Fuzzy Hash: A951D571E00608DFDB24DB68DD497DEB779EB45310F9082A8E815A72C1EB359EC48F91

Uniqueness

Uniqueness Score: -1.00%

Function 00425F0E Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00425FDE
_free.LIBCMT ref: 00426007
SetEndOfFile.KERNEL32(00000000,0042354B,00000000,?,?,?,?,?,?,?,?,0042354B,?,00000000), ref: 00426039
GetLastError.KERNEL32(?,?,?,?,?,?,?,0042354B,?,00000000,?,?,?,?,?), ref: 00426055

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 005ab2c57f032726cdaaa7f9df82d6b6984aac1401b59b4031c376f8f621a61a
Instruction ID: 61c1fed18fa2e053e229d2c366b1320fca6b3d495f3fb51fd3c042a4ee27fee9
Opcode Fuzzy Hash: 005ab2c57f032726cdaaa7f9df82d6b6984aac1401b59b4031c376f8f621a61a
Instruction Fuzzy Hash: 6C413E72B006115BDB11ABB5ED41B8E37B6AF44364F560017F424E72D2EB7CC840576D

Uniqueness

Uniqueness Score: -1.00%

Function 00926175 Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00926245
_free.LIBCMT ref: 0092626E
SetEndOfFile.KERNEL32(00000000,009237B2,00000000,0091E6A5,?,?,?,?,?,?,?,009237B2,0091E6A5,00000000), ref: 009262A0
GetLastError.KERNEL32(?,?,?,?,?,?,?,009237B2,0091E6A5,00000000,?,?,?,?,00000000), ref: 009262BC

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 005ab2c57f032726cdaaa7f9df82d6b6984aac1401b59b4031c376f8f621a61a
Instruction ID: 22ddc026a44be9e00aedc3bb04043ddbed80a9c0ba4a04aa8cdeb63bc3f15244
Opcode Fuzzy Hash: 005ab2c57f032726cdaaa7f9df82d6b6984aac1401b59b4031c376f8f621a61a
Instruction Fuzzy Hash: 13410772A00265EBDF11ABB8EC06B9E7779EFC4360F250510F424E769AEA34D8848761

Uniqueness

Uniqueness Score: -1.00%

Function 004208E8 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0041BD6F: _free.LIBCMT ref: 0041BD7D

Part of subcall function 004218BF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00425A80,?,00000000,00000000), ref: 00421961

GetLastError.KERNEL32 ref: 00420950
__dosmaperr.LIBCMT ref: 00420957
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00420996
__dosmaperr.LIBCMT ref: 0042099D

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 2cc476a48764411ac7d7f7841f806bb526956e32d48153aac2d156f6a7af72d6
Instruction ID: 91911ec1de34df9e01eb008ea9a24e12f878ac442d2ad626700c96a69c790fc9
Opcode Fuzzy Hash: 2cc476a48764411ac7d7f7841f806bb526956e32d48153aac2d156f6a7af72d6
Instruction Fuzzy Hash: 2721F0B1700225AFA710AF62ACC196B77EDEF00374790851AF86697253D738DCC08B94

Uniqueness

Uniqueness Score: -1.00%

Function 00920B4F Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0091BFD6: _free.LIBCMT ref: 0091BFE4

Part of subcall function 00921B26: WideCharToMultiByte.KERNEL32(00905AE7,00000000,00437A28,00000000,00905AE7,00905AE7,0092463D,?,00437A28,?,00000000,?,009243AC,0000FDE9,00000000,?), ref: 00921BC8

GetLastError.KERNEL32 ref: 00920BB7
__dosmaperr.LIBCMT ref: 00920BBE
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00920BFD
__dosmaperr.LIBCMT ref: 00920C04

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: bcfca7c6e04eeb74265432f959e909c47042bfb9664e3c7dfc54a64be2794b21
Instruction ID: ea27ebbcb6d346a4543f4fbf81d5043c582e5534b15a31edde0ca2ebcbec2497
Opcode Fuzzy Hash: bcfca7c6e04eeb74265432f959e909c47042bfb9664e3c7dfc54a64be2794b21
Instruction Fuzzy Hash: 7C2137B160422DBFDF20AF75AC80E6BF7ACEF943687108624F85493246D730EC9187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0091F3B3 Relevance: 6.1, APIs: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d346eea9aafd959945e16ecfc9ebbe047e966c499b5e8e0d3b3e0bbc48b51e8c
Instruction ID: a07e7d37ff819b2103b44b399196b800014933503ad63946d036be058c4dabbc
Opcode Fuzzy Hash: d346eea9aafd959945e16ecfc9ebbe047e966c499b5e8e0d3b3e0bbc48b51e8c
Instruction Fuzzy Hash: 3D210231B0122CEBCB219B24DCA8BAB376C9F41774FA40531EE55A72E1D630EC8585E4

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE92 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,0041BCED,00000000,?,?,?,0041BE86,?), ref: 0041EE97
_free.LIBCMT ref: 0041EEF4
_free.LIBCMT ref: 0041EF2A
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,0041BE86,?), ref: 0041EF35

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 120db594496689011f9c139fa4ddd92dcfd12b70a1cc6502b103967e01bc71cb
Instruction ID: 26790fddcd24ef136aadc0cc0bf27d5f777129a8301660e6568487d79e7ca8b5
Opcode Fuzzy Hash: 120db594496689011f9c139fa4ddd92dcfd12b70a1cc6502b103967e01bc71cb
Instruction Fuzzy Hash: 2411CA3A6002017AD61427B79CC59EB256997C1779B25013BFD39832D2FE6D8CDB811D

Uniqueness

Uniqueness Score: -1.00%

Function 0091F0F9 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,0091BF54,00000000,?,?,?,0091C0ED,?), ref: 0091F0FE
_free.LIBCMT ref: 0091F15B
_free.LIBCMT ref: 0091F191
SetLastError.KERNEL32(00000000,004390F8,000000FF,?,?,?,0091C0ED,?), ref: 0091F19C

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 120db594496689011f9c139fa4ddd92dcfd12b70a1cc6502b103967e01bc71cb
Instruction ID: 25ee56c6cb9ed96c3e2a58b0c60ae59391cea25ad2bfb276dea95c0bf0169093
Opcode Fuzzy Hash: 120db594496689011f9c139fa4ddd92dcfd12b70a1cc6502b103967e01bc71cb
Instruction Fuzzy Hash: D4114C7230850EFADB142BB4DCE5EEB226DDBC03B4B750234F926821E1EF658CD64150

Uniqueness

Uniqueness Score: -1.00%

Function 0041EFE9 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0041C755,0041EACD,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EFEE
_free.LIBCMT ref: 0041F04B
_free.LIBCMT ref: 0041F081
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041F08C

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 048b735e334959feaa5e4ce77df0ba5808e7239d9d4b1868442944ab324b2044
Instruction ID: d1a755533480a66cbcbdd6da6f61a8fcfdc6096e1f08231a3cc2ec091d2cf52b
Opcode Fuzzy Hash: 048b735e334959feaa5e4ce77df0ba5808e7239d9d4b1868442944ab324b2044
Instruction Fuzzy Hash: FB114C322045016AC7102B76ACC1DEB2969DBC8778765023BF92A822E3EF6CCCDF511C

Uniqueness

Uniqueness Score: -1.00%

Function 0091F250 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0091C9BC,0091ED34,?,?,0091943A,?,?,?,?,?,0090235A,?,?), ref: 0091F255
_free.LIBCMT ref: 0091F2B2
_free.LIBCMT ref: 0091F2E8
SetLastError.KERNEL32(00000000,004390F8,000000FF,?,?,0091943A,?,?,?,?,?,0090235A,?,?), ref: 0091F2F3

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 048b735e334959feaa5e4ce77df0ba5808e7239d9d4b1868442944ab324b2044
Instruction ID: 76efa30bc93519a542e5802fac46b6e6c786442a3fe726d0d99e8862e98481dc
Opcode Fuzzy Hash: 048b735e334959feaa5e4ce77df0ba5808e7239d9d4b1868442944ab324b2044
Instruction Fuzzy Hash: 1F11257630020D6ADA112B789CE5EEA216DDBC13B1B610734F93A821E1EE718CD64114

Uniqueness

Uniqueness Score: -1.00%

Function 0091AAFE Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b12ed5c3c764c8b82cc7f1cf76b5788b814adb9963f19d14a8505e8bb0b4a8
Instruction ID: ffd1c387d67692d3660134526af65b859cb0b1eb60e18652d775ba60ed75ccfe
Opcode Fuzzy Hash: d7b12ed5c3c764c8b82cc7f1cf76b5788b814adb9963f19d14a8505e8bb0b4a8
Instruction Fuzzy Hash: 4111E931B8B26DEBC7324B249C40EAA776E9B017B0B910531ED46A7290D630EC84C5D6

Uniqueness

Uniqueness Score: -1.00%

Function 0041F7CB Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041F930,00000000,?,00424658,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0041F7E1
GetLastError.KERNEL32(?,00424658,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0041F930,00000000,00000104,?), ref: 0041F7EB
__dosmaperr.LIBCMT ref: 0041F7F2

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 05d28394caa5e79c84551c055246600de674f2baba94b68408dd47ae0dfcca9d
Instruction ID: 3e1febbc0a8defaca1089d50814ae8bcfad4f789bcb8220d5dd2739c2ed7ebaf
Opcode Fuzzy Hash: 05d28394caa5e79c84551c055246600de674f2baba94b68408dd47ae0dfcca9d
Instruction Fuzzy Hash: 1DF06D36600115BB8B202FA2DD08C9BBFA9FF443A03444136F52DC7561DB35E8A6CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F834 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041F930,00000000,?,004245E3,00000000,00000000,0041F930,?,?,00000000,00000000,00000001), ref: 0041F84A
GetLastError.KERNEL32(?,004245E3,00000000,00000000,0041F930,?,?,00000000,00000000,00000001,00000000,00000000,?,0041F930,00000000,00000104), ref: 0041F854
__dosmaperr.LIBCMT ref: 0041F85B

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: e95b58acd20ff03b7de0604d3f95648f78153c488b68a8cfe7999cd59df17e1a
Instruction ID: 5356ccb821a571137923583999cca56af5607f561d8780d9d137012589ba4a16
Opcode Fuzzy Hash: e95b58acd20ff03b7de0604d3f95648f78153c488b68a8cfe7999cd59df17e1a
Instruction Fuzzy Hash: FBF01231600115BB8B207BA6DC0499BBFA9FF443A03404536F52DC6521C735E8A6DBD4

Uniqueness

Uniqueness Score: -1.00%

Function 0091FA9B Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0091FB97,00000000,?,0092484A,00000000,00000000,0091FB97,?,?,00000000,00000000,00000001), ref: 0091FAB1
GetLastError.KERNEL32(?,0092484A,00000000,00000000,0091FB97,?,?,00000000,00000000,00000001,00000000,00000000,?,0091FB97,00000000,00000104), ref: 0091FABB
__dosmaperr.LIBCMT ref: 0091FAC2

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: e95b58acd20ff03b7de0604d3f95648f78153c488b68a8cfe7999cd59df17e1a
Instruction ID: 7969d3eebbfd896d8338124d590afec1e60a00553728a14d819b4b661b4e4f75
Opcode Fuzzy Hash: e95b58acd20ff03b7de0604d3f95648f78153c488b68a8cfe7999cd59df17e1a
Instruction Fuzzy Hash: F4F06D3230011DBB9B205BA2DD18D9ABFADEF443A03548531F51DC6921DB35E8A1C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0091FA32 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0091FB97,00000000,?,009248BF,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0091FA48
GetLastError.KERNEL32(?,009248BF,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0091FB97,00000000,00000104,?), ref: 0091FA52
__dosmaperr.LIBCMT ref: 0091FA59

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 05d28394caa5e79c84551c055246600de674f2baba94b68408dd47ae0dfcca9d
Instruction ID: 12d4c64dc32f944dadaa7044007fa08e64e008abddfa5dbbb9e0127a3bf72869
Opcode Fuzzy Hash: 05d28394caa5e79c84551c055246600de674f2baba94b68408dd47ae0dfcca9d
Instruction Fuzzy Hash: 47F01D7270011EBB8F205BA6DC19D9ABFADFF843A03444531B55DC6521EB35E8A1D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 004272CF Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00405880,00000000,00437A28,00000000,00405880,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880), ref: 004272E6
GetLastError.KERNEL32(?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000,00405880,?,0042436F,00405880), ref: 004272F2

Part of subcall function 004272B8: CloseHandle.KERNEL32(FFFFFFFE,00427302,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000,00405880), ref: 004272C8

___initconout.LIBCMT ref: 00427302

Part of subcall function 0042727A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004272A9,004269D4,00405880,?,00423E1B,00000000,?,00405880,00000000), ref: 0042728D

WriteConsoleW.KERNEL32(00405880,00000000,00437A28,00000000,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000), ref: 00427317

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction ID: 5b8baa1da4bb66d128bbbdf819d740daca6d0282673a7c9b135cb97f91750bdc
Opcode Fuzzy Hash: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction Fuzzy Hash: 46F01C36201129FBCF221F95EC04A8A3F66FF093A1B814075FE1C86231D6328820EB98

Uniqueness

Uniqueness Score: -1.00%

Function 00927536 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00905AE7,00000000,00437A28,00000000,00905AE7,?,00926C4E,00905AE7,00000001,00905AE7,00905AE7,?,00924082,00000000,?,00905AE7), ref: 0092754D
GetLastError.KERNEL32(?,00926C4E,00905AE7,00000001,00905AE7,00905AE7,?,00924082,00000000,?,00905AE7,00000000,00905AE7,?,009245D6,00905AE7), ref: 00927559

Part of subcall function 0092751F: CloseHandle.KERNEL32(00439900,00927569,?,00926C4E,00905AE7,00000001,00905AE7,00905AE7,?,00924082,00000000,?,00905AE7,00000000,00905AE7), ref: 0092752F

___initconout.LIBCMT ref: 00927569

Part of subcall function 009274E1: CreateFileW.KERNEL32(004336B8,40000000,00000003,00000000,00000003,00000000,00000000,00927510,00926C3B,00905AE7,?,00924082,00000000,?,00905AE7,00000000), ref: 009274F4

WriteConsoleW.KERNEL32(00905AE7,00000000,00437A28,00000000,?,00926C4E,00905AE7,00000001,00905AE7,00905AE7,?,00924082,00000000,?,00905AE7,00000000), ref: 0092757E

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction ID: 06ed2e5b98884c0e1488f0a028fbccff0d9f1da680ea2d4d915a5dee27478679
Opcode Fuzzy Hash: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction Fuzzy Hash: C0F01C36101128BBCF222FD1EC08E89BF66EF483B1B814030FA1895231D6328860DB94

Uniqueness

Uniqueness Score: -1.00%

Function 004167E0 Relevance: 6.0, APIs: 4, Instructions: 27threadsleepCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 004167F6
CreateThread.KERNEL32 ref: 00416807
CreateThread.KERNEL32 ref: 00416818
Sleep.KERNEL32(00007530,?,00416873), ref: 00416825

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: CreateThread$Sleep
String ID:
API String ID: 422425972-0
Opcode ID: c7ec29c90368d79a70c95a5ee9845132da8938ab2cedaa7c12f416f09ab0d9a8
Instruction ID: 3e58bb4c01d1f945cb402fb00719d76fe511b7683de936d62f19d1048555ce50
Opcode Fuzzy Hash: c7ec29c90368d79a70c95a5ee9845132da8938ab2cedaa7c12f416f09ab0d9a8
Instruction Fuzzy Hash: 69E09231BE8334B6F47126A45C03F891E545B08F95FB20023B70CBE4D084C87485CAEE

Uniqueness

Uniqueness Score: -1.00%

Function 0041D819 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041D822

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 0041D835
_free.LIBCMT ref: 0041D846
_free.LIBCMT ref: 0041D857

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5b4b832eec97106c71e74c3abf3533cea5e390173416251ec6b9798646083543
Instruction ID: 2f128d3171f244c94fc48b8332bc88089a284fec835ab8af747093701a289460
Opcode Fuzzy Hash: 5b4b832eec97106c71e74c3abf3533cea5e390173416251ec6b9798646083543
Instruction Fuzzy Hash: C3E04FB4801520AFCE012F53FE055953BA2FB947EC340302AF81406232DB390261EFCE

Uniqueness

Uniqueness Score: -1.00%

Function 004122F0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 374COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00412FEF

Part of subcall function 00416F50: Concurrency::cancel_current_task.LIBCPMT ref: 00417083

Strings

invalid stoi argument, xrefs: 00412FEA
stoi argument out of range, xrefs: 00412FF9

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_taskXinvalid_argumentstd::_
String ID: invalid stoi argument$stoi argument out of range
API String ID: 3646673767-1606216832
Opcode ID: b85171a2f2d5f1a5290fdfb8afa1959db864ff036c3f01053f7b11ad4a7871fd
Instruction ID: 6d18bec53ddcbea06decae191a6eae5fb5e1180c669e5708db714ed38e612d95
Opcode Fuzzy Hash: b85171a2f2d5f1a5290fdfb8afa1959db864ff036c3f01053f7b11ad4a7871fd
Instruction Fuzzy Hash: 60E1D171A001189BEF28DF28CE857DDBB72EB46304F50819EE419972C1DB799AD1CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041CE88 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 0041CECB, 0041CED2, 0041CF08

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe
API String ID: 0-2502435711
Opcode ID: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
Instruction ID: 3e019bb9f1f37e8f56b3af26f626c64f14fa1fa210d5d8f79d997b38734a4c96
Opcode Fuzzy Hash: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
Instruction Fuzzy Hash: 9A41A271A80214AFDB11DF9A9CC19EFBBB9EB85710F10006BF40497251D7788E82CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0091D0EF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 0091D132, 0091D139, 0091D16F

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe
API String ID: 0-2502435711
Opcode ID: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
Instruction ID: 4f231fffb86a680d51bedf5e790736b47d0ea77421014d5cf4a2b5b39103e85e
Opcode Fuzzy Hash: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
Instruction Fuzzy Hash: EB41AD71F4521CBFDB26DB999C81AEEBBBCEB85310B10046AF41597211D7709E80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00919737 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00919776
__IsNonwritableInCurrentImage.LIBCMT ref: 0091982A

Strings

csm, xrefs: 00919814

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 170db4f13a52bbc04fbb15fe7ab42c90d24a7c19ae8ceb0e3c19913b98646896
Instruction ID: a45f4f602d3739a49e4f864c1b903fefe76c19f3ba4ac43411a0f6e220169fb4
Opcode Fuzzy Hash: 170db4f13a52bbc04fbb15fe7ab42c90d24a7c19ae8ceb0e3c19913b98646896
Instruction Fuzzy Hash: 5641A134B0021DABCF10DF68C894AEEBBB5BF45314F1480A5E8199B392D735EE85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009045B7 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,00429838,?,?,00000000,00000000), ref: 00904659

Strings

runas, xrefs: 0090461B
+CC, xrefs: 00904621

Memory Dump Source

Source File: 00000000.00000002.259872011.0000000000900000.00000040.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_900000_file.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: +CC$runas
API String ID: 587946157-2150734417
Opcode ID: 275e86e7e836fdb05351418f23eea9cc16955723fba3a8d83db6570cd9dbdf7c
Instruction ID: e86c604c89b455090ba24c0eb587b12a05faec799004e6b367dd6e925a625a22
Opcode Fuzzy Hash: 275e86e7e836fdb05351418f23eea9cc16955723fba3a8d83db6570cd9dbdf7c
Instruction Fuzzy Hash: B141D371600209EFEB04DF68C985BDE7BB9EB46700F908229FD15876C1D779D9848B91

Uniqueness

Uniqueness Score: -1.00%

Function 00419EDD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00419F02

Strings

MOC, xrefs: 00419F14
RCC, xrefs: 00419F1C

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 56cf5a80f9e67a63b3ea8228320d3624bd09d448c8f94bbe6aa890cfa768ed17
Instruction ID: ef4240616421f5d170a5d1c4fd7b0d446090a164c11462a96303fe54a6744129
Opcode Fuzzy Hash: 56cf5a80f9e67a63b3ea8228320d3624bd09d448c8f94bbe6aa890cfa768ed17
Instruction Fuzzy Hash: 5C414872900209EFCF16DF98C981AEEBBB5FF48304F18819AF904A7251D3399DA1DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00412CFF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00412D18

Strings

., xrefs: 00412DCB
5120, xrefs: 00412D5F

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: .$5120
API String ID: 514040917-2446372808
Opcode ID: d5977a1847af3593c6d2360099aed04a1f4c529663bf82042b77ea6028604958
Instruction ID: 9696d8c15566c1d42fadb68592e21f39738dfdc301de5d2260ec8dd83da14f2d
Opcode Fuzzy Hash: d5977a1847af3593c6d2360099aed04a1f4c529663bf82042b77ea6028604958
Instruction Fuzzy Hash: D421E2B09002489BDB14EF69C90A7DD7FB49F06348F5001CEE44567282D7B99A498BE7

Uniqueness

Uniqueness Score: -1.00%

Function 00423927 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041FDF2: EnterCriticalSection.KERNEL32(00405880,?,00424223,00405880,00437D48,00000010,0041EA11,00000000,C032C301,00000000,00000000,00405880,?,0041BB1A,00405880,00000000), ref: 0041FE0D

FlushFileBuffers.KERNEL32(00000000,00437D28,0000000C,00423A2E,nA,?,00000001,?,0041E96E,?), ref: 00423970
GetLastError.KERNEL32 ref: 00423981

Strings

nA, xrefs: 004239A8

Memory Dump Source

Source File: 00000000.00000002.259530025.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.259563361.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: BuffersCriticalEnterErrorFileFlushLastSection
String ID: nA
API String ID: 4109680722-4035868545
Opcode ID: f003fc8eaf19488ae7f9339aa40c70496bc05c9f4a2d22a8ae3e610d030b7c35
Instruction ID: 0418fce989e2f534913a4f38d2ce8aa3e5464a19317c2ea272403c313fbf0c0e
Opcode Fuzzy Hash: f003fc8eaf19488ae7f9339aa40c70496bc05c9f4a2d22a8ae3e610d030b7c35
Instruction Fuzzy Hash: 45018076B002108FC714AF69E90569D7BB5AF49724F50412FF4219B3D2DBBC9982CB98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: gntuud.exePID: 5292, Parent PID: 1080COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	15.8%
Signature Coverage:	0.5%
Total number of Nodes:	1230
Total number of Limit Nodes:	13

Executed Functions

Function 0041B901 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0041B900,0041BE86,?,NA,0041BE86,0041EF4E), ref: 0041B923
TerminateProcess.KERNEL32(00000000,?,0041B900,0041BE86,?,NA,0041BE86,0041EF4E), ref: 0041B92A
ExitProcess.KERNEL32 ref: 0041B93C

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
Instruction ID: c3524ad3d233ec0a3a19b1bf7aedcb75de5af13a6c7a41cb1465cf438659ca8f
Opcode Fuzzy Hash: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
Instruction Fuzzy Hash: 63E0B671120208EFCB216F65DD49AA97B79FB44751BC44439FA0586231CB39EE93CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00746356 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0074637E
Module32First.KERNEL32(00000000,00000224), ref: 0074639E

Memory Dump Source

Source File: 00000004.00000002.313412358.0000000000745000.00000040.00000020.00020000.00000000.sdmp, Offset: 00745000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_745000_gntuud.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 800ca910bae1827fd7d2c7323629eea0331a8709acb35b0f0cef728f55581133
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: B3F09636200710AFE7303FF5988DB6E76F8EF4B725F100528E642910C0DB74EC458A62

Uniqueness

Uniqueness Score: -1.00%

Function 00408650 Relevance: 4.9, APIs: 3, Instructions: 374
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(00000000,00000000,?,0043A194,E3B8478F,?,00000000,00000000), ref: 004086B1
GetLastError.KERNEL32(?,00000000,00000000), ref: 004086B7

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID:
API String ID: 1925916568-0
Opcode ID: f1f2071e9a285aa1a3a2cb53637d1cd3f182b2e936a90f1bb04a7aa8ed66fc7e
Instruction ID: d5025c2257f1853fae8f1be1934c88d0cd5ba35f682ee7a5a0e711edb3be859e
Opcode Fuzzy Hash: f1f2071e9a285aa1a3a2cb53637d1cd3f182b2e936a90f1bb04a7aa8ed66fc7e
Instruction Fuzzy Hash: 57D15C71A001089BEB18DB28CE85BDDB772EF85314F60817EE445B73D6DF395A808B59

Uniqueness

Uniqueness Score: -1.00%

Function 004219A3 Relevance: 4.6, APIs: 3, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004219AC
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00421A1A

Part of subcall function 004218BF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00425A80,?,00000000,00000000), ref: 00421961

Part of subcall function 0041EA8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EABC

_free.LIBCMT ref: 00421A0B

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: 9bbd66b76b4a34ca0bab716a56d9e69b7f3100a2bd4ca48c1cc341373bda4218
Instruction ID: 29b21772b9320c3fddc08945695e8111c5dc75795407a2b0146b8edf9caf2341
Opcode Fuzzy Hash: 9bbd66b76b4a34ca0bab716a56d9e69b7f3100a2bd4ca48c1cc341373bda4218
Instruction Fuzzy Hash: DA01FCB2B022753B273125B73CC9DBF696DCED2BA5394013AFD04D7211EE588D0282B8

Uniqueness

Uniqueness Score: -1.00%

Function 0041D1BB Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 0041D203

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9f5dec638c6018a6b24b976b0791b773a56ee0672529c52ab4d44372aafa3d49
Instruction ID: f1d333090dd57bfd17dfe39ecb9b07313f9b1ca465b706eabb36e918cd1afe6e
Opcode Fuzzy Hash: 9f5dec638c6018a6b24b976b0791b773a56ee0672529c52ab4d44372aafa3d49
Instruction Fuzzy Hash: 4FE0E5B6E0242022E211623F7C46AEB11856BD133AB15022FF860861E0DF7C88C2D19E

Uniqueness

Uniqueness Score: -1.00%

Function 00408770 Relevance: 1.7, APIs: 1, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00408770: GetModuleFileNameA.KERNEL32(00000000,?,00000104,E3B8478F), ref: 00406BFF

Part of subcall function 00406590: GetModuleFileNameA.KERNEL32(00000000,?,00000104,E3B8478F,?,00000000), ref: 004065F3

SetCurrentDirectoryA.KERNEL32(00000000,E3B8478F,00000000), ref: 004087BC

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: FileModuleName$CurrentDirectory
String ID:
API String ID: 1135421992-0
Opcode ID: d15d28231d876320d4a374a6555e1b741faa2093d9bfaf1a5f49efdbc005a14e
Instruction ID: d0dae173410c9e4e1febe3177f2c9113cc4b317fee0fa56548834116e9d8ebca
Opcode Fuzzy Hash: d15d28231d876320d4a374a6555e1b741faa2093d9bfaf1a5f49efdbc005a14e
Instruction Fuzzy Hash: 4B51FA70E002489BEF14EB64CA45BDDBB72AF42308F6041AED445773C7DB781A84CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00416830 Relevance: 1.5, APIs: 1, Instructions: 36
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040CBD0: GetTempPathA.KERNEL32(00000104,?), ref: 0040B2FE

Part of subcall function 0040CBD0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,E3B8478F), ref: 0040A7BC

Part of subcall function 00406510: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406540

Part of subcall function 0040CBD0: GetUserNameA.ADVAPI32(?,?), ref: 0040B96E

Part of subcall function 004138B0: IsUserAnAdmin.SHELL32 ref: 0041390D
Part of subcall function 004138B0: GetUserNameA.ADVAPI32(?,?), ref: 004139B7
Part of subcall function 004138B0: GetComputerNameExW.KERNEL32(00000002,?,?,?,?), ref: 00413A20

Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 004167F6
Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 00416807
Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 00416818
Part of subcall function 004167E0: Sleep.KERNEL32(00007530,?,00416873), ref: 00416825

InternetCloseHandle.WININET(00000000), ref: 00416887

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: Name$CreateThreadUser$FileModule$AdminCloseComputerHandleInternetPathSleepTemp
String ID:
API String ID: 1411138196-0
Opcode ID: 681845bb7bdad3a9b280c05efa4f412a3339f2d7827d3117315032cc1d5ff116
Instruction ID: fcb51b4180ac2c01cd311fc2696d032aed602c74c46a29392a881be8b31f0bff
Opcode Fuzzy Hash: 681845bb7bdad3a9b280c05efa4f412a3339f2d7827d3117315032cc1d5ff116
Instruction Fuzzy Hash: 21E08671A0050407DA043BBA5D0B64E31184F8134CF94027FB815665D7EE6DD56441FF

Uniqueness

Uniqueness Score: -1.00%

Function 0041EA8A Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EABC

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dfa22ebf96d117e5e2d1e15a0c463ff833afb46ba7fb8ad48bf3f6a11dcdaed7
Instruction ID: 5e5b785a8da04b63c94067ca99906f02eb36a9a31bcd46b4234264a7978573d4
Opcode Fuzzy Hash: dfa22ebf96d117e5e2d1e15a0c463ff833afb46ba7fb8ad48bf3f6a11dcdaed7
Instruction Fuzzy Hash: A5E0E53954012266E62126634C007DB7A48BF813F0F050037EC18962C0DB98DCC182ED

Uniqueness

Uniqueness Score: -1.00%

Function 00746015 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00746066

Memory Dump Source

Source File: 00000004.00000002.313412358.0000000000745000.00000040.00000020.00020000.00000000.sdmp, Offset: 00745000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_745000_gntuud.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 28e6f838be98979790bbef2cba6f041e401689a40e4813e40c5d73970d9929d1
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 27113C79A00208EFDB01DF98C985E98BFF5AF09350F1580A4F9489B362D375EA50DF91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00403F40 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 162
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403F66
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00403FCB
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00403FE4
GetThreadContext.KERNEL32(?,00000000), ref: 00403FFF
ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00404023
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040403E
GetProcAddress.KERNEL32(00000000), ref: 00404045
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040406D
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 0040408E
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000), ref: 004040D2
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000), ref: 0040410E
SetThreadContext.KERNEL32(?,00000000,?,?,00000000), ref: 0040412A
ResumeThread.KERNEL32(?,?,?,00000000), ref: 00404136
VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000), ref: 00404144
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00404165

Strings

ntdll.dll, xrefs: 00404039
, xrefs: 00404018
NtUnmapViewOfSection, xrefs: 00404034

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: Process$MemoryVirtual$ThreadWrite$AllocContextFreeModule$AddressCreateFileHandleNameProcReadResume
String ID: $NtUnmapViewOfSection$ntdll.dll
API String ID: 4033543172-1522589568
Opcode ID: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
Instruction ID: 7185e54e9f5f5e6bc342fc5ffd2bfcf32a837d4cfdcfbf42461452ed81247528
Opcode Fuzzy Hash: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
Instruction Fuzzy Hash: 66518971600218EBDB209F54DC49FEAB7B8FF48701F9040B6F708AA291D7B1A995CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004037D0 Relevance: 27.2, APIs: 18, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 00403822
GetProcessHeap.KERNEL32(00000008,?), ref: 00403837
HeapAlloc.KERNEL32(00000000), ref: 0040383A
GetUserNameW.ADVAPI32(00000000,?), ref: 00403848
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 0040386B
GetProcessHeap.KERNEL32(00000008,?), ref: 00403876
HeapAlloc.KERNEL32(00000000), ref: 00403879
GetProcessHeap.KERNEL32(00000008,?), ref: 00403889
HeapAlloc.KERNEL32(00000000), ref: 0040388C
LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004038B6
ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 004038C9
GetProcessHeap.KERNEL32(00000000,?), ref: 004039C5
HeapFree.KERNEL32(00000000), ref: 004039CE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004039D3
HeapFree.KERNEL32(00000000), ref: 004039D6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004039DD
HeapFree.KERNEL32(00000000), ref: 004039E0
LocalFree.KERNEL32(00000000), ref: 004039E5

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeName$Alloc$AccountLookupUser$ConvertLocalString
String ID:
API String ID: 3326663573-0
Opcode ID: 24deddb8270008d93cf80c25edeb7c65e048e87636c7ba757fb88ba172af2b56
Instruction ID: 167f534f4a5bc3f8c65bdd595c5ec8e1d54d44385eb9c59962b1969d814595bf
Opcode Fuzzy Hash: 24deddb8270008d93cf80c25edeb7c65e048e87636c7ba757fb88ba172af2b56
Instruction Fuzzy Hash: EA716DB1E00209ABDB14DFA5DC85BEFBBBCEB48300F40453AE905A7281DB749905CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042260F Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00422653

Part of subcall function 004221EC: _free.LIBCMT ref: 00422209
Part of subcall function 004221EC: _free.LIBCMT ref: 0042221B
Part of subcall function 004221EC: _free.LIBCMT ref: 0042222D
Part of subcall function 004221EC: _free.LIBCMT ref: 0042223F
Part of subcall function 004221EC: _free.LIBCMT ref: 00422251
Part of subcall function 004221EC: _free.LIBCMT ref: 00422263
Part of subcall function 004221EC: _free.LIBCMT ref: 00422275
Part of subcall function 004221EC: _free.LIBCMT ref: 00422287
Part of subcall function 004221EC: _free.LIBCMT ref: 00422299
Part of subcall function 004221EC: _free.LIBCMT ref: 004222AB
Part of subcall function 004221EC: _free.LIBCMT ref: 004222BD
Part of subcall function 004221EC: _free.LIBCMT ref: 004222CF
Part of subcall function 004221EC: _free.LIBCMT ref: 004222E1

_free.LIBCMT ref: 00422648

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 0042266A
_free.LIBCMT ref: 0042267F
_free.LIBCMT ref: 0042268A
_free.LIBCMT ref: 004226AC
_free.LIBCMT ref: 004226BF
_free.LIBCMT ref: 004226CD
_free.LIBCMT ref: 004226D8
_free.LIBCMT ref: 00422710
_free.LIBCMT ref: 00422717
_free.LIBCMT ref: 00422734
_free.LIBCMT ref: 0042274C

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2ebc8ac26202a0620aa625b36a1d2a8fe7bc692bad1c871fd446d657effbc3a9
Instruction ID: 87a383156b0838ac626f9c2c6038cf6ce1f5ffd7cd3d592d57855f9c4539c293
Opcode Fuzzy Hash: 2ebc8ac26202a0620aa625b36a1d2a8fe7bc692bad1c871fd446d657effbc3a9
Instruction Fuzzy Hash: B6319272604211BFEB205A76EA45B9B73E5AF80358F50441FE849D7251DFBCED80DB18

Uniqueness

Uniqueness Score: -1.00%

Function 00419B27 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00419C22
type_info::operator==.LIBVCRUNTIME ref: 00419C49
___TypeMatch.LIBVCRUNTIME ref: 00419D55
IsInExceptionSpec.LIBVCRUNTIME ref: 00419E30
_UnwindNestedFrames.LIBCMT ref: 00419EB7
CallUnexpected.LIBVCRUNTIME ref: 00419ED2

Strings

csm, xrefs: 00419C80
csm, xrefs: 00419BCF
csm, xrefs: 00419B62

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 7c1fb931e7428280153d6c09b5a5c630754522480dfed903c9c8a59691bc5c1e
Instruction ID: d03aefa22aee8cf5aa416bea0a170c685dbf4c7cd79984a2e6415da9b3a38480
Opcode Fuzzy Hash: 7c1fb931e7428280153d6c09b5a5c630754522480dfed903c9c8a59691bc5c1e
Instruction Fuzzy Hash: 49C18871900209EFCF29DFA5D8A19EEBBB5BF04314F14405BE8516B242D339DE91CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408B5C Relevance: 15.2, APIs: 10, Instructions: 219networkfileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00408BAC
InternetOpenA.WININET(0043432B,00000000,00000000,00000000,00000000), ref: 00408BC2
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00408BE2
InternetReadFile.WININET(00000000,00000000,?,?), ref: 00408BF3
WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00408C15
InternetReadFile.WININET(00000000,00000000,?,?), ref: 00408C20
CloseHandle.KERNEL32(?), ref: 00408C32
InternetCloseHandle.WININET(?), ref: 00408C41
InternetCloseHandle.WININET(00000000), ref: 00408C44
RemoveDirectoryA.KERNEL32(00000000,?,?,?), ref: 00408CFD

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: Internet$File$CloseHandle$OpenRead$CreateDirectoryRemoveWrite
String ID:
API String ID: 1496009958-0
Opcode ID: f0e68a228d38e1b1568164ddce2365734541be2ccb1222d6eed42596258d13e1
Instruction ID: e39da941a42be4000a8416f9d2a6f8c848e32a180712f45a109694aa4e2734ce
Opcode Fuzzy Hash: f0e68a228d38e1b1568164ddce2365734541be2ccb1222d6eed42596258d13e1
Instruction Fuzzy Hash: 6E71EF71600208ABEB14DF64DD85BEE7735EF44304F50423EF945AB2D1DB38A980CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED7A Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041ED90

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 0041ED9C
_free.LIBCMT ref: 0041EDA7
_free.LIBCMT ref: 0041EDB2
_free.LIBCMT ref: 0041EDBD
_free.LIBCMT ref: 0041EDC8
_free.LIBCMT ref: 0041EDD3
_free.LIBCMT ref: 0041EDDE
_free.LIBCMT ref: 0041EDE9
_free.LIBCMT ref: 0041EDF7

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b518f20b764996853f57fbd2a3fdc4e7bf3deb810a08f9cd0b2a52dd965201da
Instruction ID: e610bd300bd5c2f85586062e27af9f16ff799e012d6f089a2169b26ee7872c24
Opcode Fuzzy Hash: b518f20b764996853f57fbd2a3fdc4e7bf3deb810a08f9cd0b2a52dd965201da
Instruction Fuzzy Hash: ED219CBA910108BFCB41EF96C941DDD7BF6BF88344F00416AF9199B121EB35DA84DB84

Uniqueness

Uniqueness Score: -1.00%

Function 00404180 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 166networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00434EF4,00000000,00000000,00000000,00000000), ref: 0040425C
InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040426E
InternetReadFile.WININET(00000000,?,03E80000,03E80000), ref: 00404281
InternetCloseHandle.WININET(00000000), ref: 00404292
InternetCloseHandle.WININET(00000000), ref: 00404295
InternetCloseHandle.WININET(00000000), ref: 004042A3
InternetCloseHandle.WININET(00000000), ref: 004042A6

Strings

runas, xrefs: 004043B4

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$Open$FileRead
String ID: runas
API String ID: 4294395943-4000483414
Opcode ID: 28ad086152bd7b8e8c5954caccd98e56c6d06132053c0a63dc99d43c85a75fa5
Instruction ID: ba1dc25ec83469701d4c7edc2e7ba4793e46b241d410edfdecdbeb0a0fce58bd
Opcode Fuzzy Hash: 28ad086152bd7b8e8c5954caccd98e56c6d06132053c0a63dc99d43c85a75fa5
Instruction Fuzzy Hash: 4951D571E00108ABDB14DFA4DC41BEEBB75EF85300F60816EF915B7291D7389945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00426582 Relevance: 13.8, APIs: 9, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a78892049de11e46c50fbd2fa855718c5aabf05d02eef10ffa1756f3991459e
Instruction ID: 5128a0cef717139e7719faf6ed0b9fe75c650819d7ce78bb109199c1610a9dbc
Opcode Fuzzy Hash: 1a78892049de11e46c50fbd2fa855718c5aabf05d02eef10ffa1756f3991459e
Instruction Fuzzy Hash: D3C114B4B002159FDF11DF99E880BAEBBB0BF49304F51406AE914A7382C7789D81CF69

Uniqueness

Uniqueness Score: -1.00%

Function 004235FD Relevance: 13.8, APIs: 9, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004232B6: CreateFileW.KERNEL32(00000000,00000000,?,004236A6,?,?,00000000,?,004236A6,00000000,0000000C), ref: 004232D3

GetLastError.KERNEL32 ref: 00423711
__dosmaperr.LIBCMT ref: 00423718
GetFileType.KERNEL32(00000000), ref: 00423724
GetLastError.KERNEL32 ref: 0042372E
__dosmaperr.LIBCMT ref: 00423737
CloseHandle.KERNEL32(00000000), ref: 00423757
CloseHandle.KERNEL32(?), ref: 004238A4
GetLastError.KERNEL32 ref: 004238D6
__dosmaperr.LIBCMT ref: 004238DD

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 0d649afaf30192c5c19431845a951fd0479d0f23fa76b0b367cd72335b8b290c
Instruction ID: c7b97c56f1a0d1b911df166da15c54d720095dd6c25035754b532be6d98a6b0c
Opcode Fuzzy Hash: 0d649afaf30192c5c19431845a951fd0479d0f23fa76b0b367cd72335b8b290c
Instruction Fuzzy Hash: 7CA15872A041149FCF19DF68EC917AE3BB1AB06325F54016EF811AB391CB7C8952CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00421A27 Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00421A51
_free.LIBCMT ref: 00421B2A
_free.LIBCMT ref: 00421B57

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 17a2c5d05d88992eb6c4295c13d4ba7d46687f58b453e92c494b9aad345095be
Instruction ID: f188bb2de727b7b751c2d84351da10a70f250225146cef8743706f99745805fe
Opcode Fuzzy Hash: 17a2c5d05d88992eb6c4295c13d4ba7d46687f58b453e92c494b9aad345095be
Instruction Fuzzy Hash: 0E518C74F44324AFDB24AFB7A881A6E7BB4AF11314F54416FE410972A1EA3D8940CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004194D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00419507
___except_validate_context_record.LIBVCRUNTIME ref: 0041950F
_ValidateLocalCookies.LIBCMT ref: 00419598
__IsNonwritableInCurrentImage.LIBCMT ref: 004195C3
_ValidateLocalCookies.LIBCMT ref: 00419618

Strings

csm, xrefs: 004195AD

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 170db4f13a52bbc04fbb15fe7ab42c90d24a7c19ae8ceb0e3c19913b98646896
Instruction ID: cf6a3be1c1e6f4323defd25786acadca5afaa418f9c93884064ec3a043526e94
Opcode Fuzzy Hash: 170db4f13a52bbc04fbb15fe7ab42c90d24a7c19ae8ceb0e3c19913b98646896
Instruction Fuzzy Hash: 09411A31A00214AFCF11DF69C890ADEBBB1BF45318F54806BE8146B352D739DE96CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041F14C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 0041F1B7
api-ms-, xrefs: 0041F1A3

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: d346eea9aafd959945e16ecfc9ebbe047e966c499b5e8e0d3b3e0bbc48b51e8c
Instruction ID: 8946f5363388c355846af12649c4142b4e9cf4c5f65ba016e67a922269825e5f
Opcode Fuzzy Hash: d346eea9aafd959945e16ecfc9ebbe047e966c499b5e8e0d3b3e0bbc48b51e8c
Instruction Fuzzy Hash: 3521C672A41221FBCB318A24DC45A9B3778AB017A0F650532ED15A7391D638ED4BC5DC

Uniqueness

Uniqueness Score: -1.00%

Function 0042238B Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00422353: _free.LIBCMT ref: 00422378

_free.LIBCMT ref: 004223D9

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 004223E4
_free.LIBCMT ref: 004223EF
_free.LIBCMT ref: 00422443
_free.LIBCMT ref: 0042244E
_free.LIBCMT ref: 00422459
_free.LIBCMT ref: 00422464

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 745ba4c7df38b0c8b3501d58b22aa89868de86b005191e755d783c3d27d16807
Instruction ID: 3666b1e76cecdb1a9706d82e7bd79ae187b091a1e89744abee2c0a3d449e73e2
Opcode Fuzzy Hash: 745ba4c7df38b0c8b3501d58b22aa89868de86b005191e755d783c3d27d16807
Instruction Fuzzy Hash: C611E471601714BAD921F7B2DD47FCB77DD5F0834CF84881EBACD6A052D6ACB6514604

Uniqueness

Uniqueness Score: -1.00%

Function 00423A46 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00405880,00000000), ref: 00423A8E
__fassign.LIBCMT ref: 00423C6D
__fassign.LIBCMT ref: 00423C8A
WriteFile.KERNEL32(?,00405880,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00423CD2
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00423D12
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00423DBE

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 5a0c35df1f21bdc5310913443ad541efee69954072d07ce9ea6e444a121a2afd
Instruction ID: 55294dd1ed643e62d688e25fe7fc8b93d32e6dca02253c809cdcf0ede3e7f937
Opcode Fuzzy Hash: 5a0c35df1f21bdc5310913443ad541efee69954072d07ce9ea6e444a121a2afd
Instruction Fuzzy Hash: 21D1A075E002689FCF15CFA8D8809EDBBB5BF48314F64016AE455FB342D738AA46CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004197F0 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004197E7,004193D7,00418C1C), ref: 004197FE
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0041980C
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00419825
SetLastError.KERNEL32(00000000,004197E7,004193D7,00418C1C), ref: 00419877

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction ID: 71a7697fc03e6214697c45e1a132a8316019e6706060db725442c6d2a3e753c8
Opcode Fuzzy Hash: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
Instruction Fuzzy Hash: F101D8326293115EE62C3B76AE959D72774EF067B8720023FF120441F1EF594C95D58D

Uniqueness

Uniqueness Score: -1.00%

Function 00420F7C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe, xrefs: 00420F81

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe
API String ID: 0-2701828164
Opcode ID: d9fd3d3f386e086f16d5e96c86dfc6c05a3e177acafcacdda8c025444d2164cb
Instruction ID: f2c65a4c72dcbe00dc32dc221c8eb50b3435d1ebdf66b1fbb5bbc6e11338d05a
Opcode Fuzzy Hash: d9fd3d3f386e086f16d5e96c86dfc6c05a3e177acafcacdda8c025444d2164cb
Instruction Fuzzy Hash: CB210A713001257F97206F71ED81D6BB7ADAF103A8750462BF828D7691D778DC818799

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3D6 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0041C418

Strings

.bat, xrefs: 0041C447
.com, xrefs: 0041C458
.exe, xrefs: 0041C425
.cmd, xrefs: 0041C436

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 19671788b65354572937ca0f5259cacd468799deb2890a42aa5f1fe1ebfecd1d
Instruction ID: baa428b651ab7fadd2aefce0a8d8cefe58070258f098f4f191bca89b56dcb2ea
Opcode Fuzzy Hash: 19671788b65354572937ca0f5259cacd468799deb2890a42aa5f1fe1ebfecd1d
Instruction Fuzzy Hash: 7E012B3BA8C635212624101AEC62BF717988B96FB8B25412FF854F72C1ED9DEC8205DC

Uniqueness

Uniqueness Score: -1.00%

Function 0041A897 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 0041A8E7

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: d7b12ed5c3c764c8b82cc7f1cf76b5788b814adb9963f19d14a8505e8bb0b4a8
Instruction ID: 8addbc20e8b4f1572ca5f78bff053ba989236767de5a1c4d832f47c373f0c560
Opcode Fuzzy Hash: d7b12ed5c3c764c8b82cc7f1cf76b5788b814adb9963f19d14a8505e8bb0b4a8
Instruction Fuzzy Hash: 2B112C71A12221EBC7314B249D44AAB37689F017B4B624933ED45AB390D738DDE1C5DE

Uniqueness

Uniqueness Score: -1.00%

Function 0041B943 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0041B938,?,?,0041B900,0041BE86,?,NA), ref: 0041B958
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041B96B
FreeLibrary.KERNEL32(00000000,?,?,0041B938,?,?,0041B900,0041BE86,?,NA), ref: 0041B98E

Strings

mscoree.dll, xrefs: 0041B951
CorExitProcess, xrefs: 0041B963

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: af14fd2dde53d7be7e540de01eeb28501674720f1683c90e0ca13ac16e635f3d
Instruction ID: 6ab08718997dcf592451d77b1cbf540418157bbc441c253cf8170436862d5d78
Opcode Fuzzy Hash: af14fd2dde53d7be7e540de01eeb28501674720f1683c90e0ca13ac16e635f3d
Instruction Fuzzy Hash: 52F08230651218FBDB259B50DD0ABEEBA78DF44759F900175A504A1260CB788E46DA98

Uniqueness

Uniqueness Score: -1.00%

Function 00424BC4 Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00424C46
_free.LIBCMT ref: 00424C6A
_free.LIBCMT ref: 00424DF7
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004335D8), ref: 00424E09
_free.LIBCMT ref: 00424FC3

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 8c2b88b9d242ee917946bc58aad9aca9963a64eab752d66957554f7044879769
Instruction ID: 2c4f844ee906d1c5b8a05b7d4d89c1c9074c071bb98950a21f89e01ce9d05ddf
Opcode Fuzzy Hash: 8c2b88b9d242ee917946bc58aad9aca9963a64eab752d66957554f7044879769
Instruction Fuzzy Hash: 1FC17835B00128ABDB209F69EC41BAB7BA9EFC5354F94416FE550D7381E7388E01CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00426FA9 Relevance: 7.7, APIs: 5, Instructions: 244COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00763A80,00763A80,?,7FFFFFFF,?,?,00427265,00763A80,00763A80,?,00763A80,?,?,?,?,00763A80), ref: 0042704C
__alloca_probe_16.LIBCMT ref: 00427102
__alloca_probe_16.LIBCMT ref: 00427198
__freea.LIBCMT ref: 00427203
__freea.LIBCMT ref: 0042720F

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: 5f2a50e45296c4ab9ea81c751da5de9d4fb401d4688c96eb67b443e93606af8c
Instruction ID: f6d9b8f12c634194a1b411eace1e19527ea88e01b30f60a4b5a6e0b516c13e2d
Opcode Fuzzy Hash: 5f2a50e45296c4ab9ea81c751da5de9d4fb401d4688c96eb67b443e93606af8c
Instruction Fuzzy Hash: 4481E472B082259BDF219EA5AC41EEF7BB5EF09354F98005BF804A7341D62DCC458BB9

Uniqueness

Uniqueness Score: -1.00%

Function 004258D4 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00425958
__alloca_probe_16.LIBCMT ref: 00425A1E
__freea.LIBCMT ref: 00425A8A

Part of subcall function 0041EA8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EABC

__freea.LIBCMT ref: 00425A93
__freea.LIBCMT ref: 00425AB6

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: c74094a0c6d5729c86e1c932978b4c2ceda6b25e6d516f0e0492038c5d5f24b8
Instruction ID: 7e0d7c363e2f027523b7077ca53f82abc72318da18e9cc0c3b19bc4bba63112a
Opcode Fuzzy Hash: c74094a0c6d5729c86e1c932978b4c2ceda6b25e6d516f0e0492038c5d5f24b8
Instruction Fuzzy Hash: 8351E672700626AFDB209F95EC86EBF37A9EF44764F95422AFC04D7240E778DC418698

Uniqueness

Uniqueness Score: -1.00%

Function 0041C10E Relevance: 7.6, APIs: 5, Instructions: 141pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0041C040), ref: 0041C130
GetFileInformationByHandle.KERNEL32(?,?), ref: 0041C18A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0041C040,?,000000FF,00000000,00000000), ref: 0041C218
__dosmaperr.LIBCMT ref: 0041C21F
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0041C25C

Part of subcall function 0041C484: __dosmaperr.LIBCMT ref: 0041C4B9

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
Instruction ID: 0071a9752275d4edb8b9c21b1954eb469a97b67ce05b4548820d0adabff3a4d5
Opcode Fuzzy Hash: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
Instruction Fuzzy Hash: B7413C75940204AFDB249FA5DC859EFBBF9EF89700B00452EF856D3610E7389885CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004222EA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00422302

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 00422314
_free.LIBCMT ref: 00422326
_free.LIBCMT ref: 00422338
_free.LIBCMT ref: 0042234A

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a090e3dca2e19da394a01cead958df991e42452585b2f6658ee12e14c4d52992
Instruction ID: 8eed935d1f0a41e2b9dbe60b1656bd2ba3e28f3ae1fefd92f9cbf16fd4f54630
Opcode Fuzzy Hash: a090e3dca2e19da394a01cead958df991e42452585b2f6658ee12e14c4d52992
Instruction Fuzzy Hash: 04F04472501210B78520DBA6F6C2C4B73DAAB94355794180AF809D7641C77CFD81866C

Uniqueness

Uniqueness Score: -1.00%

Function 004209B7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00420B51

Strings

*?, xrefs: 004209FA

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 4349432449d004c56f1fbb459abf86acb5202655a551f523de74eb3488688e5f
Instruction ID: 7415b14c5d0124b7c9719d17695bca9e12f23279d28e73ebbb8fdbf8e8460f59
Opcode Fuzzy Hash: 4349432449d004c56f1fbb459abf86acb5202655a551f523de74eb3488688e5f
Instruction Fuzzy Hash: 5661A1B5E002299FCB14CFA9D8815EEFBF5EF48314B54816AE805F7301E735AE418B94

Uniqueness

Uniqueness Score: -1.00%

Function 004198D0 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00419997
___AdjustPointer.LIBCMT ref: 004199BA
___AdjustPointer.LIBCMT ref: 00419A56

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 7e8d2a906245dc524fe8c50e746b229fe3151c293ccc1eab8f3b2c5d31764d92
Instruction ID: a8cd01a110c9a5ba9b93cdf8b6ca506de852c713b8af7688bfec1274bd28d331
Opcode Fuzzy Hash: 7e8d2a906245dc524fe8c50e746b229fe3151c293ccc1eab8f3b2c5d31764d92
Instruction Fuzzy Hash: 3251D0B2601286AFDB298F15D861BEA77A4EF04314F24012FE84646391E739ECC1C799

Uniqueness

Uniqueness Score: -1.00%

Function 00405400 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,E3B8478F,00000000), ref: 00405479
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004054E0
GetProcAddress.KERNEL32(00000000), ref: 004054E7

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: 5f7b47061abc6791dac321b9274febf74b70e5b52455e87435bb2734be5b4ea5
Instruction ID: 1307c1e28f23caf99c3cad6e9d6b2b61846357279e254348caa37701d54b456e
Opcode Fuzzy Hash: 5f7b47061abc6791dac321b9274febf74b70e5b52455e87435bb2734be5b4ea5
Instruction Fuzzy Hash: B8513971900608ABDB14DB24DD497DE7B76EB46314F5042BAE805B73C1DB389EC48F99

Uniqueness

Uniqueness Score: -1.00%

Function 00425F0E Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00425FDE
_free.LIBCMT ref: 00426007
SetEndOfFile.KERNEL32(00000000,0042354B,00000000,?,?,?,?,?,?,?,?,0042354B,?,00000000), ref: 00426039
GetLastError.KERNEL32(?,?,?,?,?,?,?,0042354B,?,00000000,?,?,?,?,?), ref: 00426055

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 005ab2c57f032726cdaaa7f9df82d6b6984aac1401b59b4031c376f8f621a61a
Instruction ID: 61c1fed18fa2e053e229d2c366b1320fca6b3d495f3fb51fd3c042a4ee27fee9
Opcode Fuzzy Hash: 005ab2c57f032726cdaaa7f9df82d6b6984aac1401b59b4031c376f8f621a61a
Instruction Fuzzy Hash: 6C413E72B006115BDB11ABB5ED41B8E37B6AF44364F560017F424E72D2EB7CC840576D

Uniqueness

Uniqueness Score: -1.00%

Function 004208E8 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0041BD6F: _free.LIBCMT ref: 0041BD7D

Part of subcall function 004218BF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00425A80,?,00000000,00000000), ref: 00421961

GetLastError.KERNEL32 ref: 00420950
__dosmaperr.LIBCMT ref: 00420957
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00420996
__dosmaperr.LIBCMT ref: 0042099D

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 2cc476a48764411ac7d7f7841f806bb526956e32d48153aac2d156f6a7af72d6
Instruction ID: 91911ec1de34df9e01eb008ea9a24e12f878ac442d2ad626700c96a69c790fc9
Opcode Fuzzy Hash: 2cc476a48764411ac7d7f7841f806bb526956e32d48153aac2d156f6a7af72d6
Instruction Fuzzy Hash: 2721F0B1700225AFA710AF62ACC196B77EDEF00374790851AF86697253D738DCC08B94

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE92 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,0041BCED,00000000,?,?,?,0041BE86,?), ref: 0041EE97
_free.LIBCMT ref: 0041EEF4
_free.LIBCMT ref: 0041EF2A
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,0041BE86,?), ref: 0041EF35

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 120db594496689011f9c139fa4ddd92dcfd12b70a1cc6502b103967e01bc71cb
Instruction ID: 26790fddcd24ef136aadc0cc0bf27d5f777129a8301660e6568487d79e7ca8b5
Opcode Fuzzy Hash: 120db594496689011f9c139fa4ddd92dcfd12b70a1cc6502b103967e01bc71cb
Instruction Fuzzy Hash: 2411CA3A6002017AD61427B79CC59EB256997C1779B25013BFD39832D2FE6D8CDB811D

Uniqueness

Uniqueness Score: -1.00%

Function 0041EFE9 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0041C755,0041EACD,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EFEE
_free.LIBCMT ref: 0041F04B
_free.LIBCMT ref: 0041F081
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041F08C

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 048b735e334959feaa5e4ce77df0ba5808e7239d9d4b1868442944ab324b2044
Instruction ID: d1a755533480a66cbcbdd6da6f61a8fcfdc6096e1f08231a3cc2ec091d2cf52b
Opcode Fuzzy Hash: 048b735e334959feaa5e4ce77df0ba5808e7239d9d4b1868442944ab324b2044
Instruction Fuzzy Hash: FB114C322045016AC7102B76ACC1DEB2969DBC8778765023BF92A822E3EF6CCCDF511C

Uniqueness

Uniqueness Score: -1.00%

Function 0041F7CB Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041F930,00000000,?,00424658,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0041F7E1
GetLastError.KERNEL32(?,00424658,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0041F930,00000000,00000104,?), ref: 0041F7EB
__dosmaperr.LIBCMT ref: 0041F7F2

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 05d28394caa5e79c84551c055246600de674f2baba94b68408dd47ae0dfcca9d
Instruction ID: 3e1febbc0a8defaca1089d50814ae8bcfad4f789bcb8220d5dd2739c2ed7ebaf
Opcode Fuzzy Hash: 05d28394caa5e79c84551c055246600de674f2baba94b68408dd47ae0dfcca9d
Instruction Fuzzy Hash: 1DF06D36600115BB8B202FA2DD08C9BBFA9FF443A03444136F52DC7561DB35E8A6CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F834 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041F930,00000000,?,004245E3,00000000,00000000,0041F930,?,?,00000000,00000000,00000001), ref: 0041F84A
GetLastError.KERNEL32(?,004245E3,00000000,00000000,0041F930,?,?,00000000,00000000,00000001,00000000,00000000,?,0041F930,00000000,00000104), ref: 0041F854
__dosmaperr.LIBCMT ref: 0041F85B

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: e95b58acd20ff03b7de0604d3f95648f78153c488b68a8cfe7999cd59df17e1a
Instruction ID: 5356ccb821a571137923583999cca56af5607f561d8780d9d137012589ba4a16
Opcode Fuzzy Hash: e95b58acd20ff03b7de0604d3f95648f78153c488b68a8cfe7999cd59df17e1a
Instruction Fuzzy Hash: FBF01231600115BB8B207BA6DC0499BBFA9FF443A03404536F52DC6521C735E8A6DBD4

Uniqueness

Uniqueness Score: -1.00%

Function 004272CF Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00405880,00000000,00437A28,00000000,00405880,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880), ref: 004272E6
GetLastError.KERNEL32(?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000,00405880,?,0042436F,00405880), ref: 004272F2

Part of subcall function 004272B8: CloseHandle.KERNEL32(FFFFFFFE,00427302,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000,00405880), ref: 004272C8

___initconout.LIBCMT ref: 00427302

Part of subcall function 0042727A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004272A9,004269D4,00405880,?,00423E1B,00000000,?,00405880,00000000), ref: 0042728D

WriteConsoleW.KERNEL32(00405880,00000000,00437A28,00000000,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000), ref: 00427317

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction ID: 5b8baa1da4bb66d128bbbdf819d740daca6d0282673a7c9b135cb97f91750bdc
Opcode Fuzzy Hash: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
Instruction Fuzzy Hash: 46F01C36201129FBCF221F95EC04A8A3F66FF093A1B814075FE1C86231D6328820EB98

Uniqueness

Uniqueness Score: -1.00%

Function 004167E0 Relevance: 6.0, APIs: 4, Instructions: 27threadsleepCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 004167F6
CreateThread.KERNEL32 ref: 00416807
CreateThread.KERNEL32 ref: 00416818
Sleep.KERNEL32(00007530,?,00416873), ref: 00416825

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: CreateThread$Sleep
String ID:
API String ID: 422425972-0
Opcode ID: c7ec29c90368d79a70c95a5ee9845132da8938ab2cedaa7c12f416f09ab0d9a8
Instruction ID: 3e58bb4c01d1f945cb402fb00719d76fe511b7683de936d62f19d1048555ce50
Opcode Fuzzy Hash: c7ec29c90368d79a70c95a5ee9845132da8938ab2cedaa7c12f416f09ab0d9a8
Instruction Fuzzy Hash: 69E09231BE8334B6F47126A45C03F891E545B08F95FB20023B70CBE4D084C87485CAEE

Uniqueness

Uniqueness Score: -1.00%

Function 0041D819 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041D822

Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9

_free.LIBCMT ref: 0041D835
_free.LIBCMT ref: 0041D846
_free.LIBCMT ref: 0041D857

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5b4b832eec97106c71e74c3abf3533cea5e390173416251ec6b9798646083543
Instruction ID: 2f128d3171f244c94fc48b8332bc88089a284fec835ab8af747093701a289460
Opcode Fuzzy Hash: 5b4b832eec97106c71e74c3abf3533cea5e390173416251ec6b9798646083543
Instruction Fuzzy Hash: C3E04FB4801520AFCE012F53FE055953BA2FB947EC340302AF81406232DB390261EFCE

Uniqueness

Uniqueness Score: -1.00%

Function 004122F0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 374COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00412FEF

Part of subcall function 00416F50: Concurrency::cancel_current_task.LIBCPMT ref: 00417083

Strings

invalid stoi argument, xrefs: 00412FEA
stoi argument out of range, xrefs: 00412FF9

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_taskXinvalid_argumentstd::_
String ID: invalid stoi argument$stoi argument out of range
API String ID: 3646673767-1606216832
Opcode ID: 8144e7b91affbd64eda4419a9c47eec50b32785b06bb4bebaeb4e700ccc872c7
Instruction ID: 6d18bec53ddcbea06decae191a6eae5fb5e1180c669e5708db714ed38e612d95
Opcode Fuzzy Hash: 8144e7b91affbd64eda4419a9c47eec50b32785b06bb4bebaeb4e700ccc872c7
Instruction Fuzzy Hash: 60E1D171A001189BEF28DF28CE857DDBB72EB46304F50819EE419972C1DB799AD1CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041CE88 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe, xrefs: 0041CECB, 0041CED2, 0041CF08

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe
API String ID: 0-2701828164
Opcode ID: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
Instruction ID: 3e019bb9f1f37e8f56b3af26f626c64f14fa1fa210d5d8f79d997b38734a4c96
Opcode Fuzzy Hash: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
Instruction Fuzzy Hash: 9A41A271A80214AFDB11DF9A9CC19EFBBB9EB85710F10006BF40497251D7788E82CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00419EDD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00419F02

Strings

RCC, xrefs: 00419F1C
MOC, xrefs: 00419F14

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 56cf5a80f9e67a63b3ea8228320d3624bd09d448c8f94bbe6aa890cfa768ed17
Instruction ID: ef4240616421f5d170a5d1c4fd7b0d446090a164c11462a96303fe54a6744129
Opcode Fuzzy Hash: 56cf5a80f9e67a63b3ea8228320d3624bd09d448c8f94bbe6aa890cfa768ed17
Instruction Fuzzy Hash: 5C414872900209EFCF16DF98C981AEEBBB5FF48304F18819AF904A7251D3399DA1DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00412CFF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00412D18

Strings

., xrefs: 00412DCB
5120, xrefs: 00412D5F

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: .$5120
API String ID: 514040917-2446372808
Opcode ID: d5977a1847af3593c6d2360099aed04a1f4c529663bf82042b77ea6028604958
Instruction ID: 9696d8c15566c1d42fadb68592e21f39738dfdc301de5d2260ec8dd83da14f2d
Opcode Fuzzy Hash: d5977a1847af3593c6d2360099aed04a1f4c529663bf82042b77ea6028604958
Instruction Fuzzy Hash: D421E2B09002489BDB14EF69C90A7DD7FB49F06348F5001CEE44567282D7B99A498BE7

Uniqueness

Uniqueness Score: -1.00%

Function 00423927 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041FDF2: EnterCriticalSection.KERNEL32(00405880,?,00424223,00405880,00437D48,00000010,0041EA11,00000000,C032C301,00000000,00000000,00405880,?,0041BB1A,00405880,00000000), ref: 0041FE0D

FlushFileBuffers.KERNEL32(00000000,00437D28,0000000C,00423A2E,nA,?,00000001,?,0041E96E,?), ref: 00423970
GetLastError.KERNEL32 ref: 00423981

Strings

nA, xrefs: 004239A8

Memory Dump Source

Source File: 00000004.00000002.312844293.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.312933356.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gntuud.jbxd

Yara matches

Similarity

API ID: BuffersCriticalEnterErrorFileFlushLastSection
String ID: nA
API String ID: 4109680722-4035868545
Opcode ID: f003fc8eaf19488ae7f9339aa40c70496bc05c9f4a2d22a8ae3e610d030b7c35
Instruction ID: 0418fce989e2f534913a4f38d2ce8aa3e5464a19317c2ea272403c313fbf0c0e
Opcode Fuzzy Hash: f003fc8eaf19488ae7f9339aa40c70496bc05c9f4a2d22a8ae3e610d030b7c35
Instruction Fuzzy Hash: 45018076B002108FC714AF69E90569D7BB5AF49724F50412FF4219B3D2DBBC9982CB98

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Amadey

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll

C:\Users\user\AppData\Local\Temp\853321935212

C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe

C:\Users\user\AppData\Local\Temp\ecaac49691\gntuud.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
file.exe

Function 0041B901 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Function 0090092B Relevance: 3.8, Strings: 3, Instructions: 90
COMMON

Function 00404350 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121
COMMON

Function 004235FD Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Function 0090003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 0042356F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Function 0041D1BB Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Function 00900E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 0041E3FF Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Function 00416830 Relevance: 1.5, APIs: 1, Instructions: 36
networkCOMMON

Function 004232B6 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Function 00900920 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON