Play interactive tour

Edit tour

Analysis Report systemupdate_ProtectedAUS.exe

Overview

General Information

Joe Sandbox Version:	26.0.0 Aquamarine
Analysis ID:	934785
Start date:	12.08.2019
Start time:	21:25:35
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 8m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	systemupdate_ProtectedAUS.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@5/5@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 3% (good quality ratio 2.2%) Quality average: 59.7% Quality standard deviation: 40.6%
HCA Information:	Successful, ratio: 79% Number of executed functions: 96 Number of non-executed functions: 77
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, mscorsvw.exe Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	100	0 - 100	Report FP / FN	false	njRat

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Windows Remote Management	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Software Packing22	Credential Dumping3	System Time Discovery12	Application Deployment Software	Input Capture1	Data Encrypted1	Uncommonly Used Port1
Replication Through Removable Media	Service Execution	Port Monitors	Process Injection21	Disabling Security Tools1	Input Capture1	Query Registry1	Remote Services	Data from Local System2	Exfiltration Over Other Network Medium	Standard Cryptographic Protocol2
Drive-by Compromise	Windows Management Instrumentation	Accessibility Features	Path Interception	Modify Registry1	Credentials in Registry1	Process Discovery2	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Custom Cryptographic Protocol
Exploit Public-Facing Application	Scheduled Task	System Firmware	DLL Search Order Hijacking	Access Token Manipulation1	Credentials in Files2	Application Window Discovery1	Logon Scripts	Input Capture	Data Encrypted	Multiband Communication
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Process Injection21	Account Manipulation	Security Software Discovery251	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol
Spearphishing Attachment	Graphical User Interface	Modify Existing Service	New Service	Deobfuscate/Decode Files or Information1	Brute Force	File and Directory Discovery1	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port
Spearphishing via Service	Scripting	Path Interception	Scheduled Task	Obfuscated Files or Information3	Two-Factor Authentication Interception	System Information Discovery23	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port
Supply Chain Compromise	Third-party Software	Logon Scripts	Process Injection	DLL Side-Loading1	Bash History	Network Service Scanning	Remote Desktop Protocol	Clipboard Data	Exfiltration Over Alternative Protocol	Standard Application Layer Protocol

Signature Overview

Click to jump to signature section

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\SysWOW64\taskeng.exe

virustotal: Detection: 47%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: systemupdate_ProtectedAUS.exe

virustotal: Detection: 47%

Perma Link

Antivirus or Machine Learning detection for unpacked file

Show sources

Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack	Avira: Label: TR/Dropper.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00401329 CryptAcquireContextA,GetLastError,CryptCreateHash,GetLastError,CryptHashData,CryptGetHashParam,swprintf,swprintf,CryptDestroyHash,CryptReleaseContext,	4_2_00401329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_004023A8 CLSIDFromString,CredEnumerateA,CryptUnprotectData,___from_strstr_to_strchr,_strstr,swprintf,swprintf,___from_strstr_to_strchr,GetLastError,AuditFree,GetLastError,	4_2_004023A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_004014AE CryptAcquireContextA,GetLastError,CryptCreateHash,GetLastError,CryptHashData,CryptGetHashParam,GetLastError,CryptDestroyHash,CryptReleaseContext,	4_2_004014AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00403678 CryptUnprotectData,GetLastError,	4_2_00403678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00402884 CryptUnprotectData,GetLastError,	4_2_00402884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00401CEA RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegQueryValueExA,RegCloseKey,CryptUnprotectData,swprintf,swprintf,WideCharToMultiByte,LocalFree,GetLastError,	4_2_00401CEA

Networking:

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic

TCP traffic: 192.168.1.81:49163 -> 160.116.15.134:3361

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134
Source: unknown	TCP traffic detected without corresponding DNS query: 160.116.15.134

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View

ASN Name: COGENT-174-CogentCommunicationsUS COGENT-174-CogentCommunicationsUS

Found strings which match to known social media urls

Show sources

Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	String found in binary or memory: ERR%WindowsLive:name=*%http://hotmail.com9Software\ooVoo\Settings\UserUserQhttp://www.oovoo.com/?Encrypted PasswordPass equals www.hotmail.com (Hotmail)
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14809478481.00370000.00000004.00000020.sdmp	String found in binary or memory: Microsoft.AspNet.Mvc.Facebook equals www.facebook.com (Facebook)
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	String found in binary or memory: Yahoo equals www.yahoo.com (Yahoo)
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	String found in binary or memory: http://Yahoo.com48nhH equals www.yahoo.com (Yahoo)
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	String found in binary or memory: http://hotmail.com equals www.hotmail.com (Hotmail)
Source: vbc.exe	String found in binary or memory: http://twitter.com/ equals www.twitter.com (Twitter)
Source: vbc.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp	String found in binary or memory: http://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.facebook.com (Facebook)
Source: vbc.exe, 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp	String found in binary or memory: http://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.linkedin.com (Linkedin)
Source: vbc.exe, 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp	String found in binary or memory: http://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.myspace.com (Myspace)
Source: vbc.exe, 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp	String found in binary or memory: http://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.twitter.com (Twitter)
Source: vbc.exe, 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp	String found in binary or memory: http://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.yahoo.com (Yahoo)
Source: vbc.exe	String found in binary or memory: http://www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: vbc.exe	String found in binary or memory: http://www.myspace.com equals www.myspace.com (Myspace)
Source: vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe	String found in binary or memory: https://myspace.com equals www.myspace.com (Myspace)
Source: vbc.exe	String found in binary or memory: https://twitter.com/ equals www.twitter.com (Twitter)
Source: vbc.exe	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	String found in binary or memory: pwd%http://Paltalk.com/Software\Yahoo\Profiles!http://Yahoo.com equals www.yahoo.com (Yahoo)

Urls found in memory or binary data

Show sources

Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.com
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	String found in binary or memory: http://Paltalk.com
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	String found in binary or memory: http://Paltalk.com/Software
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	String found in binary or memory: http://Yahoo.com
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	String found in binary or memory: http://Yahoo.com48nhH
Source: vbc.exe	String found in binary or memory: http://digg.com
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	String found in binary or memory: http://hotmail.com
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	String found in binary or memory: http://hotmail.com9Software
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	String found in binary or memory: http://no-ip.com
Source: systemupdate_ProtectedAUS.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: vbc.exe, vbc.exe, 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp	String found in binary or memory: http://securityxploded.com/browser-password-dump.php
Source: vbc.exe	String found in binary or memory: http://slashdot.org/bookmark.pl
Source: vbc.exe	String found in binary or memory: http://twitter.com/
Source: vbc.exe, vbc.exe, 00000004.00000002.14657959113.00321000.00000004.00000020.sdmp, 4371570.4.dr	String found in binary or memory: http://www.SecurityXploded.com
Source: vbc.exe	String found in binary or memory: http://www.linkedin.com/
Source: vbc.exe	String found in binary or memory: http://www.myspace.com
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	String found in binary or memory: http://www.noip.com/
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	String found in binary or memory: http://www.oovoo.com/?Encrypted
Source: vbc.exe	String found in binary or memory: http://www.reddit.com/login
Source: vbc.exe	String found in binary or memory: http://www.stumbleupon.com/sign_up.php
Source: vbc.exe	String found in binary or memory: https://accounts.google.com/servicelogin
Source: vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe	String found in binary or memory: https://my.screenname.aol.com/_cqr/login/login.psp
Source: vbc.exe	String found in binary or memory: https://myspace.com
Source: vbc.exe	String found in binary or memory: https://pinterest.com/login/
Source: vbc.exe	String found in binary or memory: https://signin.ebay.com/ws/ebayisapi.dll
Source: vbc.exe	String found in binary or memory: https://twitter.com/
Source: vbc.exe	String found in binary or memory: https://www.amazon.com/ap/signin/190-9059340-4656153
Source: vbc.exe	String found in binary or memory: https://www.amazon.com/gp/css/homepage.html
Source: vbc.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, j/kl.cs	.Net Code: VKCodeToUnicode
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, j/kl.cs	.Net Code: VKCodeToUnicode

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects hacktools by SecurityXploded
Source: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects hacktools by SecurityXploded
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE	Matched rule: Detects malware sample from Burning Umbrella report - Generic Winnti Rule
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE	Matched rule: Detects malware sample from Burning Umbrella report - Generic Winnti Rule
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware sample from Burning Umbrella report - Generic Winnti Rule
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware sample from Burning Umbrella report - Generic Winnti Rule
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects hacktools by SecurityXploded
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects hacktools by SecurityXploded
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects hacktools by SecurityXploded
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects hacktools by SecurityXploded

Contains functionality to call native functions

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_00551C04 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtSetContextThread,NtResumeThread,		1_2_00551C04
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_005500AD NtOpenSection,NtMapViewOfSection,		1_2_005500AD

Creates mutexes

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Mutant created: \Sessions\1\BaseNamedObjects\frenchy_shellcode_002
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Mutant created: \Sessions\1\BaseNamedObjects\Client.exe

Detected potential crypto function

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_001A6013	1_2_001A6013
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_001AC838	1_2_001AC838
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_001A8958	1_2_001A8958
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_001AB210	1_2_001AB210
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_001A7DFA	1_2_001A7DFA
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_001AD6D8	1_2_001AD6D8
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_001A97E8	1_2_001A97E8
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_001A60A3	1_2_001A60A3
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_001A60E3	1_2_001A60E3
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_001A6232	1_2_001A6232
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_001A635E	1_2_001A635E
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_006822A7	1_2_006822A7
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 2_2_003C6058	2_2_003C6058
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 2_2_003CCCD0	2_2_003CCCD0
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 2_2_003C79D8	2_2_003C79D8
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 2_2_003C5768	2_2_003C5768
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 2_2_003C1B40	2_2_003C1B40
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 2_2_003C0FEA	2_2_003C0FEA
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 2_2_003C5418	2_2_003C5418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00449182	4_2_00449182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00440CD7	4_2_00440CD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_004080C8	4_2_004080C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0045008C	4_2_0045008C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00409101	4_2_00409101
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0044A248	4_2_0044A248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00431223	4_2_00431223
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_004392D4	4_2_004392D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0042B386	4_2_0042B386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0044B3BE	4_2_0044B3BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00435460	4_2_00435460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00432513	4_2_00432513
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_004505FC	4_2_004505FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0043F640	4_2_0043F640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0042D61C	4_2_0042D61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0042170A	4_2_0042170A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0044A73C	4_2_0044A73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041C8D5	4_2_0041C8D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_004388E7	4_2_004388E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0040494F	4_2_0040494F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0044AB54	4_2_0044AB54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00451B7C	4_2_00451B7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0044FB1C	4_2_0044FB1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00404BBF	4_2_00404BBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041EC16	4_2_0041EC16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00404CCC	4_2_00404CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00450D78	4_2_00450D78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041ADF6	4_2_0041ADF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00404F44	4_2_00404F44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0044AF89	4_2_0044AF89

Found potential string decryption / allocating functions

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 00408E3D appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 00444860 appears 48 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 004097AF appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 0040970D appears 102 times

Sample file is different than original file name gathered from version info

Show sources

Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14810024483.0113C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameuTorrent.exe@ vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14809420023.00320000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemaqUVPsBdw.exe4 vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14809365509.002E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameqbPoogbjlb.dll4 vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14809777836.007A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14809478481.00370000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14809115991.000E0000.00000008.00000001.sdmp	Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamepw.dllL vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesHelper.exe< vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14813822585.00610000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14813436263.001E0000.00000008.00000001.sdmp	Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14816655264.03E20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000002.00000000.14553244545.0113C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameuTorrent.exe@ vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814024137.00800000.00000008.00000001.sdmp	Binary or memory string: OriginalFilenameAVICAP32.DLL.MUIj% vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814015368.007F0000.00000008.00000001.sdmp	Binary or memory string: OriginalFilenamemsvfw32.dll.muij% vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe	Binary or memory string: OriginalFilenameuTorrent.exe@ vs systemupdate_ProtectedAUS.exe

Sample reads its own file content

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

File read: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

Jump to behavior

Tries to load missing DLLs

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

Section loaded: ntdll.dll

Jump to behavior

Yara signature match

Show sources

Source: 00000002.00000002.14813731660.00402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000002.14810081002.01D40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000002.14811656068.04500000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000002.14810211843.01DE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = https://creativecommons.org/licenses/by-nc/4.0/, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: SecurityXploded_Producer_String_RID33B2 date = 2017-07-13 14:58:51, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000001.00000002.14809736152.00682000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000002.14810167494.01DAD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1_RID3003 date = 2018-05-04 12:21:41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Winnti_Sample_May18_1_RID3003 date = 2018-05-04 12:21:41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = https://creativecommons.org/licenses/by-nc/4.0/, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: SecurityXploded_Producer_String_RID33B2 date = 2017-07-13 14:58:51, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = https://creativecommons.org/licenses/by-nc/4.0/, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: SecurityXploded_Producer_String_RID33B2 date = 2017-07-13 14:58:51, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7

.NET source code contains many API calls related to security

Show sources

Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, BotKillers.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, BotKillers.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, BotKillers.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, BotKillers.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, BotKillers.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, BotKillers.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)

Classification label

Show sources

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@5/5@0/1

Contains functionality for error logging

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 4_2_0040AB07 GetTempPathW,GetTempPathA,_free,GetLastError,FormatMessageA,

4_2_0040AB07

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 4_2_00404399 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetEnvironmentVariableA,_wprintf,_wprintf,

4_2_00404399

Contains functionality to check free disk space

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 4_2_0040AFF0 GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free,

4_2_0040AFF0

Contains functionality to instantiate COM classes

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 4_2_00401F3D RegOpenKeyExA,RegEnumValueA,RegEnumValueA,RegCloseKey,CoInitialize,CLSIDFromString,CLSIDFromString,CLSIDFromString,CoCreateInstance,_wcschr,__wcsnicmp,__wcsnicmp,CoUninitialize,

4_2_00401F3D

Creates files inside the user directory

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

File created: C:\Users\user\SysWOW64

Jump to behavior

Creates temporary files

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

File created: C:\Users\user\AppData\Local\Temp\4371570

Jump to behavior

PE file has an executable .text section and no other executable section

Show sources

Source: systemupdate_ProtectedAUS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Reads ini files

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

SQL strings found in memory and binary data

Show sources

Source: vbc.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vbc.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM ' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe, 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exe	Binary or memory string: select * from logins where blacklisted_by_user=0;
Source: vbc.exe	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe	Binary or memory string: select * from moz_logins;
Source: vbc.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM ' \|\| quote(name) \|\| ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Sample is known by Antivirus

Show sources

Source: systemupdate_ProtectedAUS.exe

virustotal: Detection: 47%

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe 'C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe'
Source: unknown	Process created: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' -f 'C:\Users\user\AppData\Local\Temp\4371570'
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process created: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' -f 'C:\Users\user\AppData\Local\Temp\4371570'	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Uses Microsoft Silverlight

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Show sources

Source: systemupdate_ProtectedAUS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: systemupdate_ProtectedAUS.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:

Binary string: C:\Users\Super\Documents\visual studio 2013\Projects\pw plugin\WindowsApplication12\obj\Release\pw.pdb source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, j/OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, j/OK.cs	.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_0068973C push es; ret	1_2_00689818
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_00689287 push cs; ret	1_2_00689288
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_010F3A6D push 28060002h; retn 0002h	1_2_010F3A72
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 2_2_010F3A6D push 28060002h; retn 0002h	2_2_010F3A72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_004448A5 push ecx; ret	4_2_004448B8

Binary may include packed or encrypted code

Show sources

Source: initial sample	Static PE information: section name: .text entropy: 6.92696568298
Source: initial sample	Static PE information: section name: .text entropy: 6.92696568298

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

File created: C:\Users\user\SysWOW64\taskeng.exe

Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Load

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Detected FrenchyShellcode packer

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

Mutex created: \Sessions\1\BaseNamedObjects\frenchy_shellcode_002

Jump to behavior

Stores large binary data to the registry

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Client.exe 96bbeae23f13d8b402340f54c661c049

Jump to behavior

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14810081002.01D40000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14810081002.01D40000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL5SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14809420023.00320000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLKSOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\LOAD

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Window / User API: threadDelayed 5505			Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Window / User API: threadDelayed 515			Jump to behavior

Found evasive API chain (may stop execution after checking a module file name)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_4-43540

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe TID: 3012	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe TID: 3100	Thread sleep time: -780000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe TID: 3272	Thread sleep time: -60000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 4_2_0040B148 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 0040B197h

4_2_0040B148

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14810081002.01D40000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14813731660.00402000.00000040.00000001.sdmp	Binary or memory string: VBoxServiceM{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}
Source: systemupdate_ProtectedAUS.exe	Binary or memory string: VBoxService
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14809420023.00320000.00000004.00000001.sdmp	Binary or memory string: VMwareVBOX

Program exit points

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	API call chain: ExitProcess graph end node			graph_4-44485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	API call chain: ExitProcess graph end node			graph_4-43541

Queries a list of all running processes

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

Code function: 1_2_001ADC28 CheckRemoteDebuggerPresent,

1_2_001ADC28

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Checks if the current process is being debugged

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 4_2_004400AC IsDebuggerPresent,

4_2_004400AC

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 4_2_0044C259 RtlEncodePointer,RtlEncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,74ECFFF6,RtlEncodePointer,74ECFFF6,RtlEncodePointer,74ECFFF6,RtlEncodePointer,74ECFFF6,RtlEncodePointer,74ECFFF6,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

4_2_0044C259

Contains functionality to read the PEB

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_005501CB mov eax, dword ptr fs:[00000030h]	1_2_005501CB
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_005500AD mov ecx, dword ptr fs:[00000030h]	1_2_005500AD
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Code function: 1_2_005500AD mov eax, dword ptr fs:[00000030h]	1_2_005500AD

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 4_2_00443C67 GetProcessHeap,

4_2_00443C67

Enables debug privileges

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process token adjusted: Debug	Jump to behavior

Contains functionality to register its own exception handler

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00447049 SetUnhandledExceptionFilter,		4_2_00447049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0044706C SetUnhandledExceptionFilter,UnhandledExceptionFilter,		4_2_0044706C

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, j/OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, j/kl.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, j/OK.cs	Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, j/kl.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

Section loaded: unknown target pid: 3188 protection: execute and read and write

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Thread register set: target process: 3188			Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Thread register set: target process: 2440			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814935251.01D94000.00000004.00000001.sdmp	Binary or memory string: Program ManagerHDnh
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14810041551.01140000.00000002.00000001.sdmp, systemupdate_ProtectedAUS.exe, 00000002.00000002.14814827949.01140000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14810041551.01140000.00000002.00000001.sdmp, systemupdate_ProtectedAUS.exe, 00000002.00000002.14814935251.01D94000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14810041551.01140000.00000002.00000001.sdmp, systemupdate_ProtectedAUS.exe, 00000002.00000002.14814827949.01140000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14810081002.01D40000.00000004.00000001.sdmp, systemupdate_ProtectedAUS.exe, 00000002.00000002.14813731660.00402000.00000040.00000001.sdmp	Binary or memory string: Shell_traywndyHKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
Source: systemupdate_ProtectedAUS.exe, systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	Binary or memory string: Shell_traywnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 4_2_00441B9C cpuid

4_2_00441B9C

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Queries volume information: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Queries volume information: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Contains functionality to query local / system time

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 4_2_00448F27 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,RtlQueryPerformanceCounter,

4_2_00448F27

Contains functionality to query time zone information

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 4_2_004483A1 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

4_2_004483A1

Contains functionality to query windows version

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 4_2_004041A8 _memset,GetVersionExA,FreeLibrary,

4_2_004041A8

Queries the cryptographic machine GUID

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Contains functionality to steal Internet Explorer form passwords

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2		4_2_00401F3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2		4_2_00401CEA

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\22qkc0w7.default\signons3.txt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\22qkc0w7.default\signons.txt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\22qkc0w7.default\cert8.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\22qkc0w7.default\signons2.txt	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\22qkc0w7.default\key3.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\22qkc0w7.default\secmod.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Show sources

Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe

Key opened: HKEY_CURRENT_USER\Software\Paltalk

Jump to behavior

Remote Access Functionality:

Detected njRat

Show sources

Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, j/OK.cs	.Net Code: njRat config detected
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, j/OK.cs	.Net Code: njRat config detected

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
21:26:34	API Interceptor	788x Sleep call for process: systemupdate_ProtectedAUS.exe modified
21:27:32	API Interceptor	3x Sleep call for process: vbc.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source	Detection	Scanner	Label	Link
systemupdate_ProtectedAUS.exe	48%	virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\SysWOW64\taskeng.exe	48%	virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack	100%	Avira	TR/Dropper.Gen	Download File
2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack	100%	Avira	TR/Dropper.Gen	Download File
4.2.vbc.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1004669	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://no-ip.com	0%	virustotal		Browse
http://no-ip.com	0%	Avira URL Cloud	safe
http://Yahoo.com48nhH	0%	Avira URL Cloud	safe
http://hotmail.com9Software	0%	Avira URL Cloud	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.14813731660.00402000.00000040.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xac22:$reg: S\x00E\x00E\x00_\x00M\x00A\x00S\x00K\x00_\x00N\x00O\x00Z\x00O\x00N\x00E\x00C\x00H\x00E\x00C\x00K\x00S\x00 0xaa1c:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00 0xaa7c:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00 0xad5a:$ping: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00
00000001.00000002.14810081002.01D40000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x5393e:$reg: S\x00E\x00E\x00_\x00M\x00A\x00S\x00K\x00_\x00N\x00O\x00Z\x00O\x00N\x00E\x00C\x00H\x00E\x00C\x00K\x00S\x00 0x53738:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00 0x53798:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00 0x53a76:$ping: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00
00000001.00000002.14811656068.04500000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xae6a:$reg: S\x00E\x00E\x00_\x00M\x00A\x00S\x00K\x00_\x00N\x00O\x00Z\x00O\x00N\x00E\x00C\x00H\x00E\x00C\x00K\x00S\x00 0xac64:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00 0xacc4:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00 0xafa2:$ping: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00
00000001.00000002.14810211843.01DE7000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xdb3a:$reg: S\x00E\x00E\x00_\x00M\x00A\x00S\x00K\x00_\x00N\x00O\x00Z\x00O\x00N\x00E\x00C\x00H\x00E\x00C\x00K\x00S\x00 0xd934:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00 0xd994:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00 0xdc72:$ping: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00
00000004.00000002.14658008517.00400000.00000040.00000001.sdmp	SecurityXploded_Producer_String	Detects hacktools by SecurityXploded	Florian Roth	0x58ae0:$x1: http://securityxploded.com
00000004.00000002.14658008517.00400000.00000040.00000001.sdmp	SecurityXploded_Producer_String_RID33B2	Detects hacktools by SecurityXploded	Florian Roth	0x58ae0:$x1: http://securityxploded.com
00000001.00000002.14809736152.00682000.00000040.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xac22:$reg: S\x00E\x00E\x00_\x00M\x00A\x00S\x00K\x00_\x00N\x00O\x00Z\x00O\x00N\x00E\x00C\x00H\x00E\x00C\x00K\x00S\x00 0xaa1c:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00 0xaa7c:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00 0xad5a:$ping: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00
00000001.00000002.14810167494.01DAD000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x358ee:$reg: S\x00E\x00E\x00_\x00M\x00A\x00S\x00K\x00_\x00N\x00O\x00Z\x00O\x00N\x00E\x00C\x00H\x00E\x00C\x00K\x00S\x00 0x356e8:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00 0x35748:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00 0x35a26:$ping: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xaf5a:$x1: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00 \x00"\x00 0xac62:$s3: E\x00x\x00e\x00c\x00u\x00t\x00e\x00d\x00 \x00A\x00s\x00 \x00 0x90e7:$s5: Stub.exe 0xac40:$s6: D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00 \x00E\x00R\x00R\x00O\x00R\x00 0xab7e:$s7: s\x00h\x00u\x00t\x00d\x00o\x00w\x00n\x00 \x00-\x00r\x00 \x00-\x00t\x00 \x000\x000\x00
1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0x9e8e:$s1: w\x00i\x00r\x00e\x00s\x00h\x00a\x00r\x00k\x00 0x9e58:$s2: p\x00r\x00o\x00c\x00e\x00x\x00p\x00
1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack	MAL_Winnti_Sample_May18_1_RID3003	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0x9e8e:$s1: w\x00i\x00r\x00e\x00s\x00h\x00a\x00r\x00k\x00 0x9e58:$s2: p\x00r\x00o\x00c\x00e\x00x\x00p\x00
1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0xaf5a:$x1: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00 \x00"\x00 0xac62:$s3: E\x00x\x00e\x00c\x00u\x00t\x00e\x00d\x00 \x00A\x00s\x00 \x00 0x90e7:$s5: Stub.exe 0xac40:$s6: D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00 \x00E\x00R\x00R\x00O\x00R\x00 0xab7e:$s7: s\x00h\x00u\x00t\x00d\x00o\x00w\x00n\x00 \x00-\x00r\x00 \x00-\x00t\x00 \x000\x000\x00
1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xae22:$reg: S\x00E\x00E\x00_\x00M\x00A\x00S\x00K\x00_\x00N\x00O\x00Z\x00O\x00N\x00E\x00C\x00H\x00E\x00C\x00K\x00S\x00 0xac1c:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00 0xac7c:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00 0xaf5a:$ping: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00
2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xaf5a:$x1: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00 \x00"\x00 0xac62:$s3: E\x00x\x00e\x00c\x00u\x00t\x00e\x00d\x00 \x00A\x00s\x00 \x00 0x90e7:$s5: Stub.exe 0xac40:$s6: D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00 \x00E\x00R\x00R\x00O\x00R\x00 0xab7e:$s7: s\x00h\x00u\x00t\x00d\x00o\x00w\x00n\x00 \x00-\x00r\x00 \x00-\x00t\x00 \x000\x000\x00
2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack	MAL_Winnti_Sample_May18_1	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0x9e8e:$s1: w\x00i\x00r\x00e\x00s\x00h\x00a\x00r\x00k\x00 0x9e58:$s2: p\x00r\x00o\x00c\x00e\x00x\x00p\x00
2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack	MAL_Winnti_Sample_May18_1_RID3003	Detects malware sample from Burning Umbrella report - Generic Winnti Rule	Florian Roth	0x9e8e:$s1: w\x00i\x00r\x00e\x00s\x00h\x00a\x00r\x00k\x00 0x9e58:$s2: p\x00r\x00o\x00c\x00e\x00x\x00p\x00
2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack	CN_disclosed_20180208_c_RID2E71	Detects malware from disclosed CN malware set	Florian Roth	0xaf5a:$x1: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00 \x00"\x00 0xac62:$s3: E\x00x\x00e\x00c\x00u\x00t\x00e\x00d\x00 \x00A\x00s\x00 \x00 0x90e7:$s5: Stub.exe 0xac40:$s6: D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00 \x00E\x00R\x00R\x00O\x00R\x00 0xab7e:$s7: s\x00h\x00u\x00t\x00d\x00o\x00w\x00n\x00 \x00-\x00r\x00 \x00-\x00t\x00 \x000\x000\x00
2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xae22:$reg: S\x00E\x00E\x00_\x00M\x00A\x00S\x00K\x00_\x00N\x00O\x00Z\x00O\x00N\x00E\x00C\x00H\x00E\x00C\x00K\x00S\x00 0xac1c:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00 0xac7c:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00 0xaf5a:$ping: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00
4.2.vbc.exe.400000.1.raw.unpack	SecurityXploded_Producer_String	Detects hacktools by SecurityXploded	Florian Roth	0x58ae0:$x1: http://securityxploded.com
4.2.vbc.exe.400000.1.raw.unpack	SecurityXploded_Producer_String_RID33B2	Detects hacktools by SecurityXploded	Florian Roth	0x58ae0:$x1: http://securityxploded.com
4.2.vbc.exe.400000.1.unpack	SecurityXploded_Producer_String	Detects hacktools by SecurityXploded	Florian Roth	0x58ae0:$x1: http://securityxploded.com
4.2.vbc.exe.400000.1.unpack	SecurityXploded_Producer_String_RID33B2	Detects hacktools by SecurityXploded	Florian Roth	0x58ae0:$x1: http://securityxploded.com

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
COGENT-174-CogentCommunicationsUS	61redacted@threatwav.exe	Get hash	malicious	Browse	38.118.12.3
	51mai.exe	Get hash	malicious	Browse	192.246.84.2
	48Transcrip.exe	Get hash	malicious	Browse	38.118.12.3
	Mo2spc6bT8.dll	Get hash	malicious	Browse	206.3.192.64
	Quote_Pdf.vbs	Get hash	malicious	Browse	172.81.178.93
	65eqgdz.exe	Get hash	malicious	Browse	192.246.84.2
	45LETTER.EXE	Get hash	malicious	Browse	38.118.12.3
	hakai.x86_64	Get hash	malicious	Browse	38.212.25.216
	Wannacr.exe	Get hash	malicious	Browse	149.2.27.53
	7messag.exe	Get hash	malicious	Browse	192.246.84.2
	3transcript.exe	Get hash	malicious	Browse	38.118.12.3
	430#U0437.js	Get hash	malicious	Browse	76.73.17.194
	430#U0437.js	Get hash	malicious	Browse	76.73.17.194
	430#U0437.js	Get hash	malicious	Browse	76.73.17.194
	430#U0437.js	Get hash	malicious	Browse	76.73.17.194
	430#U0437.js	Get hash	malicious	Browse	76.73.17.194
	.exe	Get hash	malicious	Browse	154.61.81.54
	430#U0437.js	Get hash	malicious	Browse	76.73.17.194
	430#U0437.js	Get hash	malicious	Browse	76.73.17.194
	13Mai.exe	Get hash	malicious	Browse	149.122.186.39

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

systemupdate_ProtectedAUS.exe (PID: 2312 cmdline: 'C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe' MD5: 812D49BE271E7D49274F94CCACA83A90)

systemupdate_ProtectedAUS.exe (PID: 3188 cmdline: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe MD5: 812D49BE271E7D49274F94CCACA83A90)

vbc.exe (PID: 2440 cmdline: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' -f 'C:\Users\user\AppData\Local\Temp\4371570' MD5: A8CCD298F718423D35CFD925063F082D)

cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Temp\4371570 Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	399
Entropy (8bit):	3.2821118737659947
Encrypted:	false
MD5:	E4BF4F7ACCC657622FE419C0D62419AB
SHA1:	C2856936DD3DE05BAD0DA5CA94D6B521E40AB5A2
SHA-256:	B32FA68B79C5A7CEAA89E8E537EFE33A963C499666202611329944BD2C09318E
SHA-512:	85DC223E39A16DDEBA53A4B3D6C9EFF14D30EC67DFDA1E650DA2C9057F640EDD033A31868915A31CAAC0D325D240A7F634F62CD52FBD2ADC68BD1D9CB6281431
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.... ********************************************.. Browser Password Recovery Report.. ********************************************............_______________________________________________________________________.. Produced by BrowserPasswordDump from http://www.SecurityXploded.com......

C:\Users\user\AppData\Local\Temp\Login Data Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3010002
Size (bytes):	18432
Entropy (8bit):	0.852140055112637
Encrypted:	false
MD5:	A8621F29FD303FB5ED20DAAD3FD3A8CB
SHA1:	F536DE7809F38BC0FCD33A9FCA7A8CF4ECE6DDAC
SHA-256:	3A646CB91D47FD9345EED024714DE3AA07AFD2FA1F558D408A1A45A6D76CB572
SHA-512:	BA663CD2FAF7AC63536772BC2E6674779C285B297D8B70F783C80BCA658F405A306F5E3C3DDB9225928C1636F5CDB5D3585F7885D509F7B52CCFD75508F32C3F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .........................................................................-....6........o.....>.H................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N...%..oindexstats_originstats.CREATE INDEX stats_origin ON stats(origin_domain).@......._tablestatsstats.CREATE TABLE stats (origin_domain VARCHAR NOT NULL, username_value VARCHAR, dismissal_count INTEGER, update_time INTEGER NOT NULL, UNI

C:\Users\user\SysWOW64\taskeng.exe Download File
Process:	C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):	305152
Entropy (8bit):	6.89537174077336
Encrypted:	false
MD5:	812D49BE271E7D49274F94CCACA83A90
SHA1:	E11D287C6D0A33DA2C9C4FF13E826C0D711DDB50
SHA-256:	619281BC0A12DAA8A57C1BA3B527843066FAD2ECAB1F4B2E515E5D5B5879AFCE
SHA-512:	F02B5B4E455243AADC9FF13EF3948A77E157963CFC9DC98AFE4671A6186024719D624280FB2439B454835BE0DB58EC2707990526DC4867005D1FBF3D2FBD7A38
Malicious:	true
Antivirus:	Antivirus: virustotal, Detection: 48%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#G]................................. ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...................i...8W..............................................T%.......E.....<..,...j..2T.......n.D.%.6.N.L...L.N.....XN....t.F.G..m .5.-.>7Z.'S@cM:,.sj]...\|.yf....>..p.A.h...K.B.&4.=...=..hx0.......\|...."PV./.lZ._~.Lz[`...Q.H.v..r.'.c@.I..9..L...8x..r..^...q..r...Ee.U.@$.0......p..}...$...x.......O.......u?S..G..o..a..m......#y.A>.\.b.,.!..q.........A3.~v........_...$.8Y.y._.s.3.,....Q..g....v....c/G....Y........6...^o/.G.?...E.q4"9.t/..4p.R

C:\Users\user\SysWOW64\taskeng.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://DynDns.com	systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	false		high
http://www.reddit.com/login	vbc.exe	false		high
http://Paltalk.com/Software	systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	systemupdate_ProtectedAUS.exe	false		high
http://www.stumbleupon.com/sign_up.php	vbc.exe	false		high
http://hotmail.com	systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	false		high
https://my.screenname.aol.com/_cqr/login/login.psp	vbc.exe	false		high
https://twitter.com/	vbc.exe	false		high
http://Yahoo.com	systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	false		high
http://www.myspace.com	vbc.exe	false		high
http://www.oovoo.com/?Encrypted	systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	false		high
http://Paltalk.com	systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	false		high
http://no-ip.com	systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	false	0%, virustotal, Browse Avira URL Cloud: safe	low
http://www.noip.com/	systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	false		high
http://slashdot.org/bookmark.pl	vbc.exe	false		high
http://twitter.com/	vbc.exe	false		high
https://pinterest.com/login/	vbc.exe	false		high
https://www.amazon.com/ap/signin/190-9059340-4656153	vbc.exe	false		high
http://Yahoo.com48nhH	systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://signin.ebay.com/ws/ebayisapi.dll	vbc.exe	false		high
https://login.yahoo.com/config/login	vbc.exe	false		high
http://www.linkedin.com/	vbc.exe	false		high
http://digg.com	vbc.exe	false		high
https://www.amazon.com/gp/css/homepage.html	vbc.exe	false		high
http://hotmail.com9Software	systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://myspace.com	vbc.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
160.116.15.134	South Africa		174	COGENT-174-CogentCommunicationsUS	true

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.89537174077336
TrID:	Win32 Executable (generic) a (10002005/4) 99.23% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.73% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	systemupdate_ProtectedAUS.exe
File size:	305152
MD5:	812d49be271e7d49274f94ccaca83a90
SHA1:	e11d287c6d0a33da2c9c4ff13e826c0d711ddb50
SHA256:	619281bc0a12daa8a57c1ba3b527843066fad2ecab1f4b2e515e5d5b5879afce
SHA512:	f02b5b4e455243aadc9ff13ef3948a77e157963cfc9dc98afe4671a6186024719d624280fb2439b454835be0db58ec2707990526dc4867005d1fbf3d2fbd7a38
SSDEEP:	6144:ypzbpDZtF1JaicVykjg1072r8+oDE6sZU6jXF47zkhagF:kpDntcVykjg3Y546sZx
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#G]................................. ........@.. ....................................@................................

File Icon


Icon Hash:	cccccccccccccc00

Static PE Info

General
Entrypoint:	0x44b82e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5D4723EF [Sun Aug 4 18:29:03 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4b7dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4c000	0x8f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x49834	0x49a00	False	0.614173254457	data	6.92696568298	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x4c000	0x8f8	0xa00	False	0.378125	data	3.61215263574	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4e000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x4c0e8	0x537	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x4c620	0x14	data
RT_VERSION	0x4c634	0x2c4	data	French	France

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
LegalCopyright	2019 BitTorrent, Inc. All Rights Reserved.
FileVersion	3.5.5.45311
CompanyName	BitTorrent Inc.
ProductName	Torrent
ProductVersion	3.5.5.45311
FileDescription	Torrent
OriginalFilename	uTorrent.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
French	France

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 12, 2019 21:27:05.537683010 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:05.679543972 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:05.679740906 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:07.271159887 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:07.619154930 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:07.628520966 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:07.994111061 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:11.464479923 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:11.806581020 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:11.838212013 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:11.841814041 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:12.197005987 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:29.915882111 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:29.917114973 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:30.058619022 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:30.270744085 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:30.282128096 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:30.636322021 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:33.041297913 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:33.084368944 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:33.431937933 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:35.569077015 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:35.915757895 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:36.041058064 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:36.085531950 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:36.431539059 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:38.673293114 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:38.673326015 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:38.673607111 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:38.815311909 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:38.815376043 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:38.815407038 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:38.815428019 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:38.815692902 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:38.957562923 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:38.957592964 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:38.957612038 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:38.957628965 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:38.957689047 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:38.957722902 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:38.957770109 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:38.957815886 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:38.957906008 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:38.958055973 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.099780083 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.099824905 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.099884987 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.099931002 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.099965096 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.100008965 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.100025892 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.100039005 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.100083113 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.100117922 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.100197077 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.100296974 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.100336075 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.100368023 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.100433111 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.100466013 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.100492001 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.100578070 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.241971016 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.242072105 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.242136002 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.242197037 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.242239952 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.242265940 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.242311001 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.242347002 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.242383003 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.242393017 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.242449045 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.242510080 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.242548943 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.242577076 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.242657900 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.242686033 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.242711067 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.242733955 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.242809057 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.243086100 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.243105888 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.243144989 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.243175030 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.243204117 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.243206978 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.243338108 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.243501902 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.243527889 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.243551016 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.243575096 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.243598938 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.243626118 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.243640900 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.243750095 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.385446072 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.385483980 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.385505915 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.385525942 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.385572910 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.385637045 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.385757923 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.385781050 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.385850906 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.385854006 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.385984898 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.386029959 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.386099100 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.386176109 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.386183023 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.386241913 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.386280060 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.386329889 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.386377096 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.386467934 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.386522055 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.386552095 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.386580944 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.386625051 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.386756897 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.386847973 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.386885881 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.386920929 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.386970997 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.387006044 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.387118101 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.387144089 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.387165070 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.387212992 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.387233973 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.387305975 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.387372971 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.387424946 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.387460947 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.387587070 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.387594938 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.387789011 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.387801886 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.387825012 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.387940884 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.387950897 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.388108015 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.388143063 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.388231039 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.388262987 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.388328075 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.388364077 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.388448954 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.388489962 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.388526917 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.388569117 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.388642073 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.388766050 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.388812065 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.388853073 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.388911009 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.388916016 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.389020920 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.389100075 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.389182091 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.528424025 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.528459072 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.528487921 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.528512001 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.528533936 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.528557062 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.528579950 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.528606892 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.528764009 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.529526949 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.529565096 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.529592037 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.529628992 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.529642105 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.529679060 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.529692888 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.529720068 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.529748917 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.529748917 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.529778004 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.529804945 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.529829979 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.529937983 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.530003071 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.530031919 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.530059099 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.530085087 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.530133963 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.530162096 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.530219078 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.531028032 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531060934 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531090975 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531121016 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531152964 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.531158924 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531189919 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531234026 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531270981 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531321049 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531332016 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531351089 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531379938 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531393051 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.531409025 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531436920 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531760931 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.531887054 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531938076 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531948090 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531958103 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.531985998 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532006979 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532028913 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532052040 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532069921 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532087088 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532306910 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.532524109 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532553911 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532625914 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532639980 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.532645941 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532697916 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532741070 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532780886 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532782078 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.532831907 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532871962 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532911062 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532942057 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532970905 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.532989979 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.533008099 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.533025026 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.533185005 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.533664942 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.533685923 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.533704042 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.533720970 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.533739090 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.533765078 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.533782005 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.533808947 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.533843994 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.533891916 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.533895016 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.533961058 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.533981085 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.534018993 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.534024000 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.534069061 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.534105062 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.534156084 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.534212112 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.534216881 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.534775019 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.534812927 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.534832001 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.534868002 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.534904003 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.534957886 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.534957886 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.534979105 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.534991026 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.535041094 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.535059929 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.535079956 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.535099030 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.535115004 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.535118103 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.535146952 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.535154104 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.535190105 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.535212040 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.535231113 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.535341978 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.535377026 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.535415888 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.535446882 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.670659065 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.670737982 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.670785904 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.670928955 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.670979977 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.671005011 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.671159983 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.671216011 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.671288967 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.671322107 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.671333075 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.671363115 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.671380997 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.671411037 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.671530008 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.671576023 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.671627998 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.671674013 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.671788931 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.671895027 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.671922922 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.671960115 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.671960115 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.672107935 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.672138929 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.672159910 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.672331095 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.672427893 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.672460079 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.672530890 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.672564030 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.672590971 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.672595024 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.672616959 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.672625065 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.672662020 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.672722101 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.672755957 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.672771931 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.672782898 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.672796011 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.672806978 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.672830105 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.672832012 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.672971964 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.673002005 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.673023939 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.673047066 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.673269987 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.673332930 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.673389912 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.673401117 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.673424006 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.673429012 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.673474073 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.673552036 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.673578024 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.673583031 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.673599958 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.673612118 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.673729897 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.673760891 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.674021959 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.674086094 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.674279928 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.674338102 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.674866915 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.674943924 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.674998999 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.675033092 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.675064087 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.675092936 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.675105095 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.675142050 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.675148964 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.675174952 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.675216913 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.675266027 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.675319910 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.675343990 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.675385952 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.675419092 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.675465107 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.675509930 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.675555944 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.675590038 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.675621986 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.675653934 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.675687075 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.675884962 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.676035881 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.676081896 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.676131964 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.676182032 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.676219940 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.676264048 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.676292896 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.676342964 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.676378965 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.676422119 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.676450014 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.676491976 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.676521063 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.676548004 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.676590919 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.676625967 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.676656961 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.676708937 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.676781893 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.676923037 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.676976919 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.677011967 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.677409887 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.677484989 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.677551985 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.677650928 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.677678108 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.677726030 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.677757978 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.677814960 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.677871943 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.677932024 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.677983046 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.678024054 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.678041935 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.678055048 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.678153038 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.678244114 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.678256035 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.678284883 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.678316116 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.678373098 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.678461075 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.678534985 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.678554058 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.678592920 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.678597927 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.678608894 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.678641081 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.678649902 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.678704977 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.678879976 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.678911924 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.678914070 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.678982973 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.678992033 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.679038048 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.679049015 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.679066896 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.679095030 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.679166079 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.679276943 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.679348946 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.679404974 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.679403067 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.679421902 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.679450035 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.679457903 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.679480076 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.679498911 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.679514885 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.679569006 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.679574013 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.679644108 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.679757118 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.679828882 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.679838896 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.679874897 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.679884911 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.679915905 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.679961920 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.679992914 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.680011988 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.680073977 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.680085897 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.680105925 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.680114985 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.680136919 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.680232048 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:39.680385113 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.680440903 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.680475950 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.680510998 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.680560112 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.680600882 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.680766106 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:39.747415066 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:40.103245020 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:40.103385925 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:40.447010040 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:41.524847031 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:41.869887114 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:43.568695068 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:43.916764975 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:46.068269014 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:46.148914099 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:46.505647898 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:47.928098917 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:47.928689003 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:48.287018061 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:49.069061995 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:49.115134954 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:49.458712101 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:52.068603039 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:52.113619089 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:52.490313053 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:55.068386078 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:55.109813929 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:55.458758116 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:58.068509102 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:27:58.108050108 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:27:58.458750010 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:28:01.068474054 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:28:01.116698027 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:28:01.458957911 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:28:05.927841902 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:28:05.929538012 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:28:06.271184921 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:28:07.569901943 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:28:07.927481890 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:28:15.569175959 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:28:15.927508116 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:28:23.927828074 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:28:23.929673910 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:28:24.287122011 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:28:39.568150997 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:28:39.911861897 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:28:41.928092957 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:28:41.928818941 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:28:42.286928892 CEST	3361	49163	160.116.15.134	192.168.1.81
Aug 12, 2019 21:28:47.567831039 CEST	49163	3361	192.168.1.81	160.116.15.134
Aug 12, 2019 21:28:47.928426981 CEST	3361	49163	160.116.15.134	192.168.1.81

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: systemupdate_ProtectedAUS.exe PID: 2312 Parent PID: 3940

General

Start time:	21:26:33
Start date:	12/08/2019
Path:	C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe'
Imagebase:	0x10f0000
File size:	305152 bytes
MD5 hash:	812D49BE271E7D49274F94CCACA83A90
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000002.14810081002.01D40000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000002.14811656068.04500000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000002.14810211843.01DE7000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000002.14809736152.00682000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Njrat, Description: detect njRAT in memory, Source: 00000001.00000002.14810167494.01DAD000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: systemupdate_ProtectedAUS.exe PID: 3188 Parent PID: 2312

General

Start time:	21:26:47
Start date:	12/08/2019
Path:	C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe
Imagebase:	0x10f0000
File size:	305152 bytes
MD5 hash:	812D49BE271E7D49274F94CCACA83A90
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000002.14813731660.00402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: vbc.exe PID: 2440 Parent PID: 3188

General

Start time:	21:27:31
Start date:	12/08/2019
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' -f 'C:\Users\user\AppData\Local\Temp\4371570'
Imagebase:	0x1250000
File size:	2688144 bytes
MD5 hash:	A8CCD298F718423D35CFD925063F082D
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SecurityXploded_Producer_String, Description: Detects hacktools by SecurityXploded, Source: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Author: Florian Roth Rule: SecurityXploded_Producer_String_RID33B2, Description: Detects hacktools by SecurityXploded, Source: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: systemupdate_ProtectedAUS.exe PID: 2312 Parent PID: 3940 systemupdate_ProtectedAUS.exeUNIQUE

Execution Graph

Execution Coverage:	26%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	46.3%
Total number of Nodes:	67
Total number of Limit Nodes:	2

Executed Functions

Function 005501CB, Relevance: 517.4, Strings: 413, Instructions: 1138
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

NtCo, xrefs: 00550D1B
esTo, xrefs: 00550DCF
w64P, xrefs: 00550FE1
Clas, xrefs: 00551132
lMem, xrefs: 00551022
ad, xrefs: 00550A2C
alMe, xrefs: 00550985
Cryp, xrefs: 005506A6
ueKe, xrefs: 00550BE8
oxA, xrefs: 00550FCD
Cryp, xrefs: 0055066E
ageB, xrefs: 00550FC3
oces, xrefs: 00550350
NtCr, xrefs: 00550CED
NtOp, xrefs: 005505EC
rren, xrefs: 00550ED3
tion, xrefs: 005502AB
wcsc, xrefs: 00550C83
NtOp, xrefs: 005512DD
rent, xrefs: 00550C5B
Load, xrefs: 00550800
NtOp, xrefs: 00550BB1
ings, xrefs: 00550B03
NtGe, xrefs: 00550A3B
Post, xrefs: 00551178
\Kno, xrefs: 00550431
ddre, xrefs: 00550F64
sTok, xrefs: 00550D8E
eeVi, xrefs: 0055100E
mp, xrefs: 00550FAA
\adv, xrefs: 0055040A
Reso, xrefs: 005508C2
ecti, xrefs: 00550A90
ateK, xrefs: 00550645
ow, xrefs: 005510E7
dll, xrefs: 005504A8
Show, xrefs: 005510D3
\Kno, xrefs: 005503EC
ombs, xrefs: 00551096
en, xrefs: 00550CDE
ose, xrefs: 00551040
tVal, xrefs: 00550BDE
Crea, xrefs: 0055133D
NtCr, xrefs: 00550BFB
\Kno, xrefs: 005503AB
tePr, xrefs: 005508E6
rocA, xrefs: 00550822
ll, xrefs: 00550F91
Hash, xrefs: 00550740
cess, xrefs: 00550E56
tion, xrefs: 005509C7
KERNEL32.DLL, xrefs: 00551392, 00551398
mete, xrefs: 00550E15
Ex, xrefs: 00551215
eryI, xrefs: 00550B57
onFi, xrefs: 00550B75
wnDl, xrefs: 0055125C
NtRe, xrefs: 005507CE
text, xrefs: 00550A4F
ory, xrefs: 005502ED
ls\u, xrefs: 00550576
ePro, xrefs: 00550DF7
Rect, xrefs: 005511C4
rtua, xrefs: 005507E2
o, xrefs: 00550381
ls32, xrefs: 00550400
Key, xrefs: 00550792
ll.d, xrefs: 005503D3
tTra, xrefs: 00550EDD
tCre, xrefs: 005506B0
Mess, xrefs: 00550FB9
tDer, xrefs: 005506FF
ess, xrefs: 00551082
Reso, xrefs: 0055020E
api3, xrefs: 00550414
cess, xrefs: 00550E01
tdll, xrefs: 005504D0
age, xrefs: 00551196
NtQu, xrefs: 0055031E
otec, xrefs: 00550881
NtMa, xrefs: 00550A72
le, xrefs: 00550BC5
NtSe, xrefs: 00550BD4
ath, xrefs: 00550C79
tual, xrefs: 00550895
wnDl, xrefs: 005503B5
NtQu, xrefs: 005510A6
fSec, xrefs: 005509BD
W, xrefs: 005501FB
roce, xrefs: 0055094E
Cryp, xrefs: 00550750
ls\k, xrefs: 0055053A
wcsc, xrefs: 0055104A
kernel32.dll, xrefs: 0055137C, 0055137F
Tran, xrefs: 00550E7A
eA, xrefs: 00550B3E
ry, xrefs: 005508A9
Crea, xrefs: 005508DC
ls\a, xrefs: 005504FE
ctio, xrefs: 00550F29
eate, xrefs: 005512BA
wcst, xrefs: 0055108C
RtlC, xrefs: 00550DE3
Cryp, xrefs: 00550774
ext, xrefs: 005507C4
rmin, xrefs: 0055093A
lstr, xrefs: 0055085D
wcsc, xrefs: 00550FA0
Lock, xrefs: 00550255
tStr, xrefs: 00550AF9
tAcq, xrefs: 00550678
enKe, xrefs: 005505F6
ey, xrefs: 0055064F
rThr, xrefs: 00550D5C
nfor, xrefs: 00550B61
eryV, xrefs: 00550613
y, xrefs: 00550927
urce, xrefs: 005501F1
orma, xrefs: 005502A1
Expa, xrefs: 00550AD1
troy, xrefs: 00550788
troy, xrefs: 00550736
ss, xrefs: 00550836
tDes, xrefs: 0055072C
Sect, xrefs: 00550ABD
ory, xrefs: 005507F6
ateH, xrefs: 005506BA
ileg, xrefs: 00550DC5
umer, xrefs: 0055063B
Free, xrefs: 005508B8
NtQu, xrefs: 00550279
erne, xrefs: 00550544
s, xrefs: 00550315
on, xrefs: 00550A9A
\use, xrefs: 00550494
mati, xrefs: 00550B6B
l, xrefs: 00550428
NtQu, xrefs: 00550B4D
indo, xrefs: 00551155
rypt, xrefs: 00550764
User, xrefs: 00550C65
py, xrefs: 00550665
NtSe, xrefs: 00550A04
.dll, xrefs: 005505C5
urce, xrefs: 00550269
lMem, xrefs: 005502E3
eNam, xrefs: 00550B34
Priv, xrefs: 00550DBB
texW, xrefs: 00551351
\Ole, xrefs: 00551270
Thre, xrefs: 00550A22
sour, xrefs: 0055023C
nt, xrefs: 005512CE
y, xrefs: 00550600
rtua, xrefs: 00551018
l, xrefs: 005512A7
ad, xrefs: 005509F5
2.dl, xrefs: 00550463
llba, xrefs: 00550F0B
eate, xrefs: 0055122E
Thre, xrefs: 005509EB
etCu, xrefs: 00550EC9
Begi, xrefs: 005511D4
oces, xrefs: 0055030B
ll, xrefs: 00551284
ss, xrefs: 00550958
Regi, xrefs: 0055111E
ckTr, xrefs: 00550F15
NtRe, xrefs: 005509D7
RtlZ, xrefs: 00550909
nt, xrefs: 005511E8
ile, xrefs: 00550C33
ce, xrefs: 00550246
Quit, xrefs: 00551182
mbstowcs, xrefs: 00551371, 00551374
teMu, xrefs: 00551347
NtWr, xrefs: 00550C1F
Memo, xrefs: 0055089F
eUse, xrefs: 00550E42
NtOp, xrefs: 005502F7
ls32, xrefs: 00550445
NtRe, xrefs: 00550B8E
n, xrefs: 00550F33
ance, xrefs: 00551242
wnDl, xrefs: 005504F4
hDat, xrefs: 005506E2
iteV, xrefs: 00550971
nmen, xrefs: 00550AEF
roce, xrefs: 00550FEB
\Kno, xrefs: 0055059D
at, xrefs: 00550C8A
Cryp, xrefs: 00550722
ls\n, xrefs: 005504C6
\Kno, xrefs: 00551252
2.dl, xrefs: 0055058A
wnDl, xrefs: 00550530
tCon, xrefs: 00550A0E
layE, xrefs: 00550CB0
dll, xrefs: 00550558
lize, xrefs: 0055120B
GetS, xrefs: 00550363
NtCr, xrefs: 005512B0
ZwCr, xrefs: 00550E66
oced, xrefs: 00550F50
eFil, xrefs: 00550B2A
GetP, xrefs: 00550818
NtTe, xrefs: 00550930
yste, xrefs: 0055036D
Muta, xrefs: 005512C4
ll, xrefs: 005503DD
enMu, xrefs: 005512E7
.dll, xrefs: 005504DA
le, xrefs: 00550B7F
memc, xrefs: 0055065E
ken, xrefs: 00550DD9
NtOp, xrefs: 00550E98
wnDl, xrefs: 005505A7
NtOp, xrefs: 00550D70
ofRe, xrefs: 00550232
Ole3, xrefs: 00551293
Crea, xrefs: 005510F6
ls\O, xrefs: 005505B1
on, xrefs: 005510C4
l, xrefs: 0055046D
yste, xrefs: 0055028D
ory, xrefs: 0055102C
uire, xrefs: 00550682
ls32, xrefs: 00551266
tHas, xrefs: 005506D8
ndEn, xrefs: 00550ADB
n, xrefs: 00550EB6
CoCr, xrefs: 00551224
ey, xrefs: 00550713
etPr, xrefs: 00550F46
oces, xrefs: 005508F0
ddre, xrefs: 0055082C
Load, xrefs: 00550204
2.dl, xrefs: 0055129D
Cryp, xrefs: 0055079C
teWi, xrefs: 00551100
l32., xrefs: 0055054E
ureA, xrefs: 00550F5A
mati, xrefs: 0055033C
le, xrefs: 00550BA2
iewO, xrefs: 005509B3
extW, xrefs: 00550696
\Kno, xrefs: 00550526
lMem, xrefs: 005507EC
Libr, xrefs: 00550807
NtPr, xrefs: 00550877
eUse, xrefs: 00550D52
nfor, xrefs: 00550332
NtCr, xrefs: 0055105A
ue, xrefs: 00550D2F
adFi, xrefs: 00550B98
teVi, xrefs: 005502CF
le32, xrefs: 005505BB
Cryp, xrefs: 005506F5
mInf, xrefs: 00550377
wcsl, xrefs: 00550CD4
enPr, xrefs: 00550301
Size, xrefs: 00550228
Proc, xrefs: 00551078
RtlC, xrefs: 00550E2E
i32., xrefs: 00550512
onPr, xrefs: 00550346
\Kno, xrefs: 00550562
NtCr, xrefs: 00550AA9
ion, xrefs: 00550E8E
emor, xrefs: 0055091D
enFi, xrefs: 00550BBB
alue, xrefs: 0055061D
File, xrefs: 00550C0F
LdrL, xrefs: 00550F7D
ion, xrefs: 00550AC7
GetM, xrefs: 00550B16
tion, xrefs: 00550EF1
ctio, xrefs: 00550EAC
irtu, xrefs: 0055097B
IsWo, xrefs: 00550FD7
ZwUn, xrefs: 0055099F
nsac, xrefs: 00550EE7
Reso, xrefs: 0055025F
NtQu, xrefs: 00550609
oadD, xrefs: 00550F87
pVie, xrefs: 00550A7C
et, xrefs: 00550C9D
oces, xrefs: 00550D84
viro, xrefs: 00550AE5
eryS, xrefs: 005510B0
User, xrefs: 0055106E
ndow, xrefs: 0055110A
eate, xrefs: 00550AB3
rtua, xrefs: 005502D9
mems, xrefs: 00550C93
ss, xrefs: 00550F6E
nPai, xrefs: 005511DE
y, xrefs: 00550BF2
mapV, xrefs: 005509A9
NtFr, xrefs: 00551004
NtEn, xrefs: 00550631
dvap, xrefs: 00550508
iteF, xrefs: 00550C29
RtlC, xrefs: 00550D3E
eate, xrefs: 00551064
tion, xrefs: 00550CC4
ss, xrefs: 00550FF5
wnDl, xrefs: 005503F6
ansa, xrefs: 00550F1F
ZwRo, xrefs: 00550F01
en, xrefs: 00550D98
eate, xrefs: 00550CF7
NtAl, xrefs: 005502BB
eryI, xrefs: 00550328
2.dl, xrefs: 0055041E
aryA, xrefs: 0055080E
urce, xrefs: 005508CC
Thre, xrefs: 00550D01
ash, xrefs: 005506C4
NtAd, xrefs: 00550DA7
ls32, xrefs: 005503BF
RtlS, xrefs: 00550EBF
odul, xrefs: 00550B20
Cryp, xrefs: 005506CE
cW, xrefs: 00551169
Key, xrefs: 00550627
dll, xrefs: 0055051C
ecti, xrefs: 005510BA
text, xrefs: 00550A18
ad, xrefs: 00550A63
tRel, xrefs: 005507A6
.dll, xrefs: 00550853
tCur, xrefs: 00550C51
Inst, xrefs: 00551238
just, xrefs: 00550DB1
LdrG, xrefs: 00550F3C
eate, xrefs: 00550C05
rs, xrefs: 00550E1F
tVir, xrefs: 0055088B
tant, xrefs: 005512F1
ease, xrefs: 005507B0
\ker, xrefs: 0055044F
tDec, xrefs: 0055075A
l, xrefs: 00550594
Fill, xrefs: 005511BA
reat, xrefs: 00550D48
xecu, xrefs: 00550CBA
NtCl, xrefs: 00551036
wnDl, xrefs: 005504BC
Reso, xrefs: 005501E7
NtDe, xrefs: 00550CA6
lenW, xrefs: 00550867
ateP, xrefs: 00550944
sW, xrefs: 0055113C
Cont, xrefs: 005507BA
py, xrefs: 00551051
Cont, xrefs: 0055068C
wnDl, xrefs: 00550480
Wind, xrefs: 005510DD
orma, xrefs: 00550C47
wnDl, xrefs: 0055043B
mory, xrefs: 0055098F
ls32, xrefs: 0055048A
itia, xrefs: 00551201
enPr, xrefs: 00550D7A
wOfS, xrefs: 00550A86
reat, xrefs: 00550E38
eroM, xrefs: 00550913
mInf, xrefs: 00550297
DefW, xrefs: 0055114B
CoIn, xrefs: 005511F7
wnDl, xrefs: 0055056C
KeyP, xrefs: 00550C6F
urce, xrefs: 00550218
RtlF, xrefs: 00550C3D
Find, xrefs: 005501DD
EndP, xrefs: 005511A0
Mess, xrefs: 0055118C
sume, xrefs: 005509E1
ExW, xrefs: 00551114
nel3, xrefs: 00550459
W, xrefs: 00550B0D
Thre, xrefs: 00550A59
adVi, xrefs: 005507D8
a, xrefs: 005506EC
NtWr, xrefs: 00550967
sW, xrefs: 005508FA
wPro, xrefs: 0055115F
Para, xrefs: 00550E0B
aint, xrefs: 005511AA
sact, xrefs: 00550E84
reat, xrefs: 00550DED
s, xrefs: 0055035A
adEx, xrefs: 00550D0B
\ntd, xrefs: 005503C9
enSe, xrefs: 00550EA2
tCon, xrefs: 00550A45
loca, xrefs: 005502C5
rPro, xrefs: 00550E4C
iveK, xrefs: 00550709
32.d, xrefs: 0055127A
ntin, xrefs: 00550D25
ead, xrefs: 00550D66
r32., xrefs: 0055049E
eate, xrefs: 00550E70
\Kno, xrefs: 005504B2
ser3, xrefs: 00550580
tDes, xrefs: 0055077E
\Kno, xrefs: 00550476
strlenuser32.dlladvapi32.dll, xrefs: 00551366, 00551369
ster, xrefs: 00551128
eryS, xrefs: 00550283
\Kno, xrefs: 005504EA

Memory Dump Source

Source File: 00000001.00000002.14809707322.00550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_550000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: Section$OpenView
String ID: .dll$.dll$.dll$2.dl$2.dl$2.dl$2.dl$32.d$Begi$Clas$CoCr$CoIn$Cont$Cont$Crea$Crea$Crea$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$DefW$EndP$Ex$ExW$Expa$File$Fill$Find$Free$GetM$GetP$GetS$Hash$Inst$IsWo$KERNEL32.DLL$Key$Key$KeyP$LdrG$LdrL$Libr$Load$Load$Lock$Memo$Mess$Mess$Muta$NtAd$NtAl$NtCl$NtCo$NtCr$NtCr$NtCr$NtCr$NtCr$NtDe$NtEn$NtFr$NtGe$NtMa$NtOp$NtOp$NtOp$NtOp$NtOp$NtOp$NtPr$NtQu$NtQu$NtQu$NtQu$NtQu$NtRe$NtRe$NtRe$NtSe$NtSe$NtTe$NtWr$NtWr$Ole3$Para$Post$Priv$Proc$Quit$Rect$Regi$Reso$Reso$Reso$Reso$RtlC$RtlC$RtlC$RtlF$RtlS$RtlZ$Sect$Show$Size$Thre$Thre$Thre$Thre$Tran$User$User$W$W$Wind$ZwCr$ZwRo$ZwUn$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Ole$\adv$\ker$\ntd$\use$a$ad$ad$ad$adEx$adFi$adVi$age$ageB$aint$alMe$alue$ance$ansa$api3$aryA$ash$at$ateH$ateK$ateP$ath$cW$ce$cess$cess$ckTr$ctio$ctio$ddre$ddre$dll$dll$dll$dvap$eA$eFil$eNam$ePro$eUse$eUse$ead$ease$eate$eate$eate$eate$eate$eate$eate$ecti$ecti$eeVi$emor$en$en$enFi$enKe$enMu$enPr$enPr$enSe$erne$eroM$eryI$eryI$eryS$eryS$eryV$esTo$ess$et$etCu$etPr$ext$extW$ey$ey$fSec$hDat$i32.$iewO$ile$ileg$indo$ings$ion$ion$irtu$iteF$iteV$itia$iveK$just$ken$kernel32.dll$l$l$l$l$l32.$lMem$lMem$lMem$layE$le$le$le$le32$lenW$lize$ll$ll$ll$ll.d$llba$loca$ls32$ls32$ls32$ls32$ls32$ls\O$ls\a$ls\k$ls\n$ls\u$lstr$mInf$mInf$mapV$mati$mati$mbstowcs$memc$mems$mete$mory$mp$n$n$nPai$ndEn$ndow$nel3$nfor$nfor$nmen$nsac$nt$nt$ntin$o$oadD$oced$oces$oces$oces$oces$odul$ofRe$ombs$on$on$onFi$onPr$orma$orma$ory$ory$ory$ose$otec$ow$oxA$pVie$py$py$r32.$rPro$rThr$reat$reat$reat$rent$rmin$rocA$roce$roce$rren$rs$rtua$rtua$rtua$ry$rypt$s$s$sTok$sW$sW$sact$ser3$sour$ss$ss$ss$ss$ster$strlenuser32.dlladvapi32.dll$sume$tAcq$tCon$tCon$tCre$tCur$tDec$tDer$tDes$tDes$tHas$tRel$tStr$tTra$tVal$tVir$tant$tdll$teMu$tePr$teVi$teWi$texW$text$text$tion$tion$tion$tion$troy$troy$tual$ue$ueKe$uire$umer$urce$urce$urce$urce$ureA$viro$w64P$wOfS$wPro$wcsc$wcsc$wcsc$wcsl$wcst$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$xecu$y$y$y$yste$yste
API String ID: 2380476227-789266925
Opcode ID: 2b54cb4f4d158bb32996e790de4b615c571eca0884c916132d64e0ac5066a678
Instruction ID: 9d8bd1895739fa4f4091eef509e19eb343e8463dde3c51237e032f42233dddcc
Opcode Fuzzy Hash: 2b54cb4f4d158bb32996e790de4b615c571eca0884c916132d64e0ac5066a678
Instruction Fuzzy Hash: C2D2F0B1C0526D8ACF21DFA18D89BCEBBB8BF14301F5091DAD548AB251DB309B84CF59

Uniqueness

Uniqueness Score: 100.00%

Function 00551C04, Relevance: 13.7, APIs: 9, Instructions: 225
nativethreadprocessUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 00551CB2
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 00551CD7
NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 00551CF1
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00551D3C
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 00551D61
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 00551DA4
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 00551E31
NtSetContextThread.NTDLL(?,00010007), ref: 00551E6F
NtResumeThread.NTDLL(?,00000000), ref: 00551E81

Memory Dump Source

Source File: 00000001.00000002.14809707322.00550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_550000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: Section$CreateMemoryProcessThreadViewVirtual$ContextInformationQueryReadResumeWrite
String ID:
API String ID: 3018774213-0
Opcode ID: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction ID: 8ef2c486aadbdbbaf4303352e3a569d59a23909225fe1eb0d5e8e14cfaabe8c1
Opcode Fuzzy Hash: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
Instruction Fuzzy Hash: 8C91E271900649ABDF209FA5CC89FEEBFB8FF49705F004056FA09EA150D731AA85DB64

Uniqueness

Uniqueness Score: 100.00%

Function 005500AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92
nativeUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenSection.NTDLL(?,0000000C,?), ref: 00550199
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 005501B8

Strings

NtMapViewOfSectionNtOpenSection, xrefs: 00550128, 0055012B
wcsl, xrefs: 00550149
en, xrefs: 00550150
NtOpenSection, xrefs: 0055011D, 00550120
@, xrefs: 0055018C

Memory Dump Source

Source File: 00000001.00000002.14809707322.00550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_550000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: Section$OpenView
String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
API String ID: 2380476227-2634024955
Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction ID: ce840fd5c50cd4a4eb54f42f8eb7b26457c447e44771b5b7634e34b14596078e
Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
Instruction Fuzzy Hash: 5F3112B1D00259EBCB10CFE4C885ADEBBB8FF08750F20415AE514EB290E774AA05CBA1

Uniqueness

Uniqueness Score: 100.00%

Function 001AB210, Relevance: 3.8, Strings: 2, Instructions: 1300
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P , xrefs: 001AB240
SL, xrefs: 001AC2B9, 001AC2BE

Memory Dump Source

Source File: 00000001.00000002.14809300061.001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID: P $SL
API String ID: 0-2943038142
Opcode ID: 1ba36671000e2d6163fed2767ad98a8b9c8b851281100a81e8d5d7d7798a37be
Instruction ID: eff10b67bdeae07004ab9c222e5467d65a8050d836824f9f7378a9c96eef2c12
Opcode Fuzzy Hash: 1ba36671000e2d6163fed2767ad98a8b9c8b851281100a81e8d5d7d7798a37be
Instruction Fuzzy Hash: DFE2D8B1E0161AAFC784CF69C591A98FBF1FF4D310B50926AD419E7A40E730E9A0CF94

Uniqueness

Uniqueness Score: 100.00%

Function 001ADC28, Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 001ADC9F

Memory Dump Source

Source File: 00000001.00000002.14809300061.001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 927b5ee869e86797e6a02e207ab70f3b77a5bf8f7078fda785ea5e50adde4f5a
Instruction ID: 4f4a2c31dd246b8f11e84d2df16f309f679983bf4f2585c11f48c2c4e5c70b0e
Opcode Fuzzy Hash: 927b5ee869e86797e6a02e207ab70f3b77a5bf8f7078fda785ea5e50adde4f5a
Instruction Fuzzy Hash: 972122B59006198FCB10CF9AD480BEEFBF4FB49310F14845AE859B3250C378AA44CFA1

Uniqueness

Uniqueness Score: 6.12%

Function 001A6013, Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

T, xrefs: 001A601C

Memory Dump Source

Source File: 00000001.00000002.14809300061.001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID: T
API String ID: 0-3187964512
Opcode ID: 67cee893756e6db9596bcf7eb9437faaffecf995b41626059ce674904c667eb2
Instruction ID: 6d87859b5f3cbb2fc66c3b7f7920e7528b6d0846eb3165a437646ec2a9de6640
Opcode Fuzzy Hash: 67cee893756e6db9596bcf7eb9437faaffecf995b41626059ce674904c667eb2
Instruction Fuzzy Hash: 75A11A79E11228CFCB14CF99C584C9DB7B2BF5A301B5AC595E419AB262D331EC46CB90

Uniqueness

Uniqueness Score: 1.59%

Function 001A7DFA, Relevance: .8, Instructions: 842COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.14809300061.001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0405d109422e457600c17d40dbfb2bf465c3baf23fbf5830b9b8c5744031807c
Instruction ID: c084bf78c5313c749ab1de62e1ec9200ae2303a82bd047b800479014ac9b2b15
Opcode Fuzzy Hash: 0405d109422e457600c17d40dbfb2bf465c3baf23fbf5830b9b8c5744031807c
Instruction Fuzzy Hash: EF92E3B5E00A1AAFC754CF68C581A99FBF1FB4D310B50926AD419E7A00E730F9A1CF94

Uniqueness

Uniqueness Score: 0.00%

Function 001AC838, Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.14809300061.001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957f6762514a814c9c8b1358416b714da2608d5c637844a71b6a646d6976b3d6
Instruction ID: e4968fc60ddce4b6a5d74dbda041835642274aa2f86788727fbdc909bf24baa7
Opcode Fuzzy Hash: 957f6762514a814c9c8b1358416b714da2608d5c637844a71b6a646d6976b3d6
Instruction Fuzzy Hash: 5D428B79A00605CFCB14CF68C9949AEFBF2FF8A310B158668D456AB655D730F982CF90

Uniqueness

Uniqueness Score: 0.00%

Function 001A8958, Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.14809300061.001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27155ad09d69243a65f41deb90ebf08694e588c143f55c3980ef9ce17a512816
Instruction ID: 109798fa93658ca8b48e28a8f82a2ffee8456985767f69859b7db030fa501d63
Opcode Fuzzy Hash: 27155ad09d69243a65f41deb90ebf08694e588c143f55c3980ef9ce17a512816
Instruction Fuzzy Hash: 29426C78A00605CFCB14CF68C5949AEFBF2FF8A310B158969D456AB655DB30F982CF90

Uniqueness

Uniqueness Score: 0.00%

Function 001A97E8, Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.14809300061.001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17fa03bc5c71e04400bdf68b22659bf525cc744d3c5e99a38921b4b68368131
Instruction ID: ae4e895dd460340f45026bf92042ba79ec4ddaa0fc17e1223c2eb46b618ec928
Opcode Fuzzy Hash: d17fa03bc5c71e04400bdf68b22659bf525cc744d3c5e99a38921b4b68368131
Instruction Fuzzy Hash: 4B022879E015189FCB04DF99D5808ADBBF2FF8A310F618165E856AB766D330ED81CB90

Uniqueness

Uniqueness Score: 0.00%

Function 001AD6D8, Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.14809300061.001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e663c709c542aaeb34eebbba0f8abad24e883406253aea7e593bdcbac6c555
Instruction ID: d801e2111dca0ec95cf363829e84c12e5af4b2643258946f2e56b3b91ff552e5
Opcode Fuzzy Hash: 11e663c709c542aaeb34eebbba0f8abad24e883406253aea7e593bdcbac6c555
Instruction Fuzzy Hash: 4FF1F478E015189FDB04DF99E5808ADFBB2FF8A300F628555E856AB762D330ED41CB94

Uniqueness

Uniqueness Score: 0.00%

Function 001A635E, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.14809300061.001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb53660ec386488d1b1f0b7e70862a2d165ecdc3930202b2736179c93371619
Instruction ID: 35d7cc12c3cc3cf923a104792e52693ba8fba35bb000e661bc83ab19ce0dd50e
Opcode Fuzzy Hash: 5cb53660ec386488d1b1f0b7e70862a2d165ecdc3930202b2736179c93371619
Instruction Fuzzy Hash: 9FA1F978E11228CFCB14DF99D584CADBBF2BF5A301B5AC595E419AB222D331EC46CB50

Uniqueness

Uniqueness Score: 0.00%

Function 001A60A3, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.14809300061.001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c353e98a4b2a4899c71cd82971b96088dd8145ec85d9bca1996246e7bdf2c36
Instruction ID: 418796a2d1b3832559113b0352d1ca245b8440984392273db5f0b0c256f2f055
Opcode Fuzzy Hash: 8c353e98a4b2a4899c71cd82971b96088dd8145ec85d9bca1996246e7bdf2c36
Instruction Fuzzy Hash: B791D779E11228CFCB14CF99D584CADB7F2BF59301B5AC595E419AB222D331EC86CB90

Uniqueness

Uniqueness Score: 0.00%

Function 001A60E3, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.14809300061.001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ff5102ac47051fa952bc07a46fd9d791dd58e3d46f6c3eae47e6c8977c4967
Instruction ID: 1b3d2bec66108040ec9e45caafedff2120ac685308365a78c7615379f3ea00a7
Opcode Fuzzy Hash: 41ff5102ac47051fa952bc07a46fd9d791dd58e3d46f6c3eae47e6c8977c4967
Instruction Fuzzy Hash: CE810679E11228CFCB14CF99D584DADB7F2BF59301B5AC5A5E419AB222D331EC46CB80

Uniqueness

Uniqueness Score: 0.00%

Function 001A6232, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.14809300061.001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 786cc4153714d1aec16240f8439aa73baa703ef22d770a527b0dcd3997a40133
Instruction ID: 4927bee4889fce7329e1bf6eb99536fd56b2381e06348feba59ab1980b549304
Opcode Fuzzy Hash: 786cc4153714d1aec16240f8439aa73baa703ef22d770a527b0dcd3997a40133
Instruction Fuzzy Hash: 1E81D579E11228CFCB14CF99D584CADB7F2BF59301B5AC5A5E419AB222D331EC46CB90

Uniqueness

Uniqueness Score: 0.00%

Function 00551E97, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118
synchronizationUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32(00000000,00000000,?,?), ref: 00551F8B

Part of subcall function 00551C04: CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 00551CB2

Strings

d, xrefs: 00551FB6

Memory Dump Source

Source File: 00000001.00000002.14809707322.00550000.00000040.00000001.sdmp, Offset: 00550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_550000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: Create$MutexProcess
String ID: d
API String ID: 2089245102-2564639436
Opcode ID: 9150c0aa135747188a0f91637622f4f15ce0ed33650badeca4e6c88fbd847475
Instruction ID: 9910dbd1689ba2be41bf903d24ad9deee5a12b98d4e3676de243bf0fe8d82759
Opcode Fuzzy Hash: 9150c0aa135747188a0f91637622f4f15ce0ed33650badeca4e6c88fbd847475
Instruction Fuzzy Hash: 1F41533615C381A9E6108FA0D811B7BB7A5EFC4B21F105D1FF988CB1D0E7B28694875B

Uniqueness

Uniqueness Score: 100.00%

Function 001ADC20, Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 001ADC9F

Memory Dump Source

Source File: 00000001.00000002.14809300061.001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1a0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 42951cd954e18c28a1b038ceacf6c6b1a22db88e9f3cb7d93747f5367290256d
Instruction ID: a790fe3a5143ea1ed114b2b3b9b2cabd23f9ad1a89ed2f9bf52afb1c5ab9f8b7
Opcode Fuzzy Hash: 42951cd954e18c28a1b038ceacf6c6b1a22db88e9f3cb7d93747f5367290256d
Instruction Fuzzy Hash: 4B2132B58002198FCB10CF99D480BEEFBF4BB49320F14845AE859B3250C378AA44CFA1

Uniqueness

Uniqueness Score: 6.12%

Function 005317A0, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetProcessId.KERNEL32 ref: 005317FF

Memory Dump Source

Source File: 00000001.00000002.14809688883.00530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_530000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: Process
String ID:
API String ID: 1235230986-0
Opcode ID: e1fc10d171e5755d0444b8bb00cef6d2c5649e89b47c1f9e9aff0cc527f234b5
Instruction ID: a16cc14d981f283b0b3ee92993b1e95eb6631f23b0df5b91116bc226b979cb81
Opcode Fuzzy Hash: e1fc10d171e5755d0444b8bb00cef6d2c5649e89b47c1f9e9aff0cc527f234b5
Instruction Fuzzy Hash: 8B1133B59002088FCB10DFA9D484B9EFBF4FB89324F24886AD418A7310C778A944CFA4

Uniqueness

Uniqueness Score: 4.01%

Function 005310C0, Relevance: 1.4, APIs: 1, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 005311D8

Memory Dump Source

Source File: 00000001.00000002.14809688883.00530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_530000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e22b86f377f4eb81e588694a030cc93c07b6636ab201ef7f399feb779fd72e78
Instruction ID: 35899ea47e8b8fe0cb2fb2fd399bdd1682eb4415c4e146059f531e26d3edf684
Opcode Fuzzy Hash: e22b86f377f4eb81e588694a030cc93c07b6636ab201ef7f399feb779fd72e78
Instruction Fuzzy Hash: CD417974A006498FCB10DFA9D880AAEBFF4FF89310F15855AD558A7361C734A944CBA1

Uniqueness

Uniqueness Score: 0.00%

Function 00531168, Relevance: 1.3, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 005311D8

Memory Dump Source

Source File: 00000001.00000002.14809688883.00530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_530000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 619fcd97e8fb686f91622eca9c2019c87fb4d36566951d20f6eaac0c19e09ab8
Instruction ID: 07567752a691b1a9a3d4a3ab92f738d36d14767b245a95c484a55e9dbf880334
Opcode Fuzzy Hash: 619fcd97e8fb686f91622eca9c2019c87fb4d36566951d20f6eaac0c19e09ab8
Instruction Fuzzy Hash: A21126B59006489FCB20DFA9D884BDEBFF4FB89310F248559E558A7210C778A944CFA0

Uniqueness

Uniqueness Score: 0.00%

Function 0012D3DC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.14809166349.0012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12d000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da11a5ed6638aaa56a3d6969e01d53837e29b26a3398daa6a5233370a8da4f57
Instruction ID: 38f239c0ce056a04d26f8301ab3577829006fa90457b590e5b5fb10bf7b66344
Opcode Fuzzy Hash: da11a5ed6638aaa56a3d6969e01d53837e29b26a3398daa6a5233370a8da4f57
Instruction Fuzzy Hash: 2721F575504284DFDB15EF10F9C0B2BBF65FB98324F24C5A9E8094B646C336E866C7A2

Uniqueness

Uniqueness Score: 0.00%

Function 0012D4C8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.14809166349.0012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12d000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723cbba9aacd0813bf11378a1c0d3f51e38b3c317050e60caaaf502b4f109324
Instruction ID: 7825bb3034c2c60be3bf6b931397acc49079e3cdd5772bc9a3432ab1a08c7616
Opcode Fuzzy Hash: 723cbba9aacd0813bf11378a1c0d3f51e38b3c317050e60caaaf502b4f109324
Instruction Fuzzy Hash: 44210375504240EFDB15DF14F9C4B2ABF75FB88318F24C5A9E8094B206C376D866C7A1

Uniqueness

Uniqueness Score: 0.00%

Function 0012D3D7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.14809166349.0012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12d000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a55b3225f22547ec31cad3f10bdac74d3526d69ab7a79cc14dcc14148f0f655
Instruction ID: 2990299f68dbe4d1d41dbe09d0882dc29ce74998f0c449959ab499e2b06b093a
Opcode Fuzzy Hash: 5a55b3225f22547ec31cad3f10bdac74d3526d69ab7a79cc14dcc14148f0f655
Instruction Fuzzy Hash: 7D11E976404280DFCF11DF10E9C4B16BF72FB94314F24C6A9D8084B656C336D866CBA2

Uniqueness

Uniqueness Score: 0.00%

Function 0012D4C3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.14809166349.0012D000.00000040.00000001.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12d000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a55b3225f22547ec31cad3f10bdac74d3526d69ab7a79cc14dcc14148f0f655
Instruction ID: f0366f1b34440e2c59e658eec7a6a2bd5da2e525a77a7d865a9d1f9aeecf984e
Opcode Fuzzy Hash: 5a55b3225f22547ec31cad3f10bdac74d3526d69ab7a79cc14dcc14148f0f655
Instruction Fuzzy Hash: 1F11B676504280DFDF16CF10E9C4B1ABF71FB94314F24C6A9D8094B656C376D866CBA2

Uniqueness

Uniqueness Score: 0.00%

Non-executed Functions

Analysis Process: systemupdate_ProtectedAUS.exe PID: 3188 Parent PID: 2312 systemupdate_ProtectedAUS.exeUNIQUE

Execution Graph

Execution Coverage:	25.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	106
Total number of Limit Nodes:	2

Executed Functions

Function 003C79D8, Relevance: 46.4, Strings: 35, Instructions: 2643UNIQUE

Download Yara Rule

Strings

fC"h, xrefs: 003C9625
fC"h, xrefs: 003C8314
fC"h, xrefs: 003C8855
`D6, xrefs: 003C8699
fC"h, xrefs: 003C9B7B
fC"h, xrefs: 003CA57C
p6oh, xrefs: 003C843D
fC"h, xrefs: 003C9757
LCoh, xrefs: 003CA38B
p6oh, xrefs: 003C82C9
p6oh, xrefs: 003C880A
l{8g, xrefs: 003C85BE
p6oh, xrefs: 003C80AD
fC"h, xrefs: 003C89E8
fC"h, xrefs: 003C9566
d7oh, xrefs: 003C8408
d7oh, xrefs: 003C87EB
LCoh, xrefs: 003C900C
fC"h, xrefs: 003C95BC
fC"h, xrefs: 003CA80C
d7oh, xrefs: 003C82AA
p6oh, xrefs: 003C80C3
fC"h, xrefs: 003CA7B6
fC"h, xrefs: 003CA862
`D6, xrefs: 003C863C
fC"h, xrefs: 003C8472
p6oh, xrefs: 003C8820
fC"h, xrefs: 003C80F5
`D6, xrefs: 003C8668
p6oh, xrefs: 003C8427
`D6, xrefs: 003C8624
fC"h, xrefs: 003C96A9
d7oh, xrefs: 003C808E
fC"h, xrefs: 003C9510
p6oh, xrefs: 003C82DF

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID: LCoh$LCoh$`D6$`D6$`D6$`D6$d7oh$d7oh$d7oh$d7oh$fC"h$fC"h$fC"h$fC"h$fC"h$fC"h$fC"h$fC"h$fC"h$fC"h$fC"h$fC"h$fC"h$fC"h$fC"h$fC"h$l{8g$p6oh$p6oh$p6oh$p6oh$p6oh$p6oh$p6oh$p6oh
API String ID: 0-168179485
Opcode ID: c10762502ff66255959d49d0b1da022028b21c096fefce4d3e7e593bd4723809
Instruction ID: b4970eabb4e2c65189b7a32955bea119034d7812d434d9ec8dda33d2a814dd2c
Opcode Fuzzy Hash: c10762502ff66255959d49d0b1da022028b21c096fefce4d3e7e593bd4723809
Instruction Fuzzy Hash: E6432C74E00218CFDB66DF64C998BADB7B6AF88304F1185E9D409AB391DB359E81CF41

Uniqueness

Uniqueness Score: 100.00%

Function 003C0FEA, Relevance: 9.2, Strings: 7, Instructions: 426
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LCoh, xrefs: 003C11E5
fC"h, xrefs: 003C166C
fC"h, xrefs: 003C1793
fC"h, xrefs: 003C1747
LCoh, xrefs: 003C1040
fC"h, xrefs: 003C16B2
fC"h, xrefs: 003C1701

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID: LCoh$LCoh$fC"h$fC"h$fC"h$fC"h$fC"h
API String ID: 0-4019340232
Opcode ID: 9d24d776675b2c4194fd6aa37e2a9df9a0c04150712924d69a3b73811c591c04
Instruction ID: f800289a7deaf9017e35d84c33d4b4f0496def040f2515e33892db88486b65fb
Opcode Fuzzy Hash: 9d24d776675b2c4194fd6aa37e2a9df9a0c04150712924d69a3b73811c591c04
Instruction Fuzzy Hash: F3124C78E40218CFDB19DF64D894BADB7B2BF88304F6084A9E909AB391DB315D91DF50

Uniqueness

Uniqueness Score: 100.00%

Function 003C1B40, Relevance: 2.8, Strings: 2, Instructions: 305
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fC"h, xrefs: 003C1F2F
Sv, xrefs: 003C1E74

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID: fC"h$Sv
API String ID: 0-1303951893
Opcode ID: 3be85bdd59ca6cfe855d34229f3e73f15508c430ccaff2a9eae65b0124e5ddc9
Instruction ID: b06ddb6159539861a83f67c9188fa24893a4dab33aeb67f144b099a14440cf9b
Opcode Fuzzy Hash: 3be85bdd59ca6cfe855d34229f3e73f15508c430ccaff2a9eae65b0124e5ddc9
Instruction Fuzzy Hash: F4B19D39A002008FD759DF79C484F6D77E2AF8A324F258668E812DB3A2DB31DD41DB91

Uniqueness

Uniqueness Score: 100.00%

Function 003CCCD0, Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd9e7f4fbd2b5ea62febd044d7305204757f915ef2d86e6438a3db37b102160a
Instruction ID: 6158814930ad23bb29f46ed0d4ebc4e2deb6dbb10ffef891557a09b822f16485
Opcode Fuzzy Hash: bd9e7f4fbd2b5ea62febd044d7305204757f915ef2d86e6438a3db37b102160a
Instruction Fuzzy Hash: B9E17074B002148BDB45DBB8C898AADB7B2EF88315F55852EE406EB395DF35DC81CB81

Uniqueness

Uniqueness Score: 0.00%

Function 003C5768, Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0663815f6e9d01cff3bdc8dfaa07c5946da525dc3616c29adfd03e5ead9d24
Instruction ID: e10c38e65d9986efc7ae0a58da36bd1f81296460d87f80a811f62d1afc0a6f40
Opcode Fuzzy Hash: 3a0663815f6e9d01cff3bdc8dfaa07c5946da525dc3616c29adfd03e5ead9d24
Instruction Fuzzy Hash: 1EB14C74E00609CFDB15CFA9C885BAEBBF2AF88314F15852DD815E7254EB74AC85CB81

Uniqueness

Uniqueness Score: 0.00%

Function 003C6058, Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a100816618c2417932364236d7e900af0a65dfbabb68870c2d94efc7ab4a36ed
Instruction ID: 0696a61d5a717d7746e2fac86e5f16d7e18fb8f57867fe4dc139d62b818563da
Opcode Fuzzy Hash: a100816618c2417932364236d7e900af0a65dfbabb68870c2d94efc7ab4a36ed
Instruction Fuzzy Hash: D0B14D74E002498FDF11CFA9C886BADBBF2AF88314F19852DD815EB254DB749C45CB81

Uniqueness

Uniqueness Score: 0.00%

Function 003CB700, Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 454
memorythreadUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040,?,00000000,00000000,02D41158), ref: 003CB9B6
VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040,?,00000000,00000000,02D41158), ref: 003CBA33
ResumeThread.KERNELBASE(?,?,00000000,00000000,02D41158), ref: 003CBC6B

Strings

.@"h, xrefs: 003CB85F

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: AllocVirtual$ResumeThread
String ID: .@"h
API String ID: 3804112640-4125631899
Opcode ID: 2b5cec16153d3dc4bc4348f248400bb7657bf0c298aff1f47adae02c1f7bf77a
Instruction ID: cf96ec97c75c551cc939bc1c79d0fbb6294fbe3827f2e653e5e9288696e53c91
Opcode Fuzzy Hash: 2b5cec16153d3dc4bc4348f248400bb7657bf0c298aff1f47adae02c1f7bf77a
Instruction Fuzzy Hash: D0029034A102288FDB25DF64CC95BADB7B6AF85304F54809CD50AEB391CF749E85CB92

Uniqueness

Uniqueness Score: 100.00%

Function 003CB690, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 381
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.@"h, xrefs: 003CB85F

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID: .@"h
API String ID: 0-4125631899
Opcode ID: 0bd0ebd1bdd160caa4d65a39e591b7b84c056d5be716e24b746aaf6fa89e8b95
Instruction ID: 1c0a48593d9dfd75c74db16e45e5ecc128eaec2aa6fa0de77cd255d7c28420b5
Opcode Fuzzy Hash: 0bd0ebd1bdd160caa4d65a39e591b7b84c056d5be716e24b746aaf6fa89e8b95
Instruction Fuzzy Hash: 23F19C74A10218DFDB26CF24CC95FA9BBB6AF85305F14809CE549EB292CB709E85CF51

Uniqueness

Uniqueness Score: 100.00%

Function 003CB6F8, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 353
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.@"h, xrefs: 003CB85F

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID: .@"h
API String ID: 0-4125631899
Opcode ID: 65fee687fb23eac7a265d56bf4d93ed85b315969b1b271a5a05def1690dee358
Instruction ID: 355b980228845198cc78b4269a44aa45610220a805d47662690db87101b97adc
Opcode Fuzzy Hash: 65fee687fb23eac7a265d56bf4d93ed85b315969b1b271a5a05def1690dee358
Instruction Fuzzy Hash: C9E17874A102189FDB25CF24CC85FAABBB6AF85305F14809DE90DEB291CB709E85CF51

Uniqueness

Uniqueness Score: 100.00%

Function 003C2C48, Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNEL32(?,?,?,?,?,?,?,?), ref: 003C2D44

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: e3f203b7a2fa2657c7e16eb24588af7d3ab80d40ec18f8d06b9fb769fea77940
Instruction ID: 9057e0a596add57f444c0590f26e2f313d67727c894a8af973d5cda16c4405ca
Opcode Fuzzy Hash: e3f203b7a2fa2657c7e16eb24588af7d3ab80d40ec18f8d06b9fb769fea77940
Instruction Fuzzy Hash: 5B51DEB5D00208DFCB10DFE8C594BDEBBB5BF48304F608069E409AB251CB71A949CFA1

Uniqueness

Uniqueness Score: 0.02%

Function 003CD938, Relevance: 1.6, APIs: 1, Instructions: 71
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CredEnumerateW.ADVAPI32(00000000,?,?,?), ref: 003CD9CB

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: CredEnumerate
String ID:
API String ID: 3404281133-0
Opcode ID: e5065c9b2dff1d7b67824ba5b284e2318b43374210d7241aa7453302308830fc
Instruction ID: 090c025972e146a945821c8a631642c7a4aebfc8d40534b12c657954475d7b12
Opcode Fuzzy Hash: e5065c9b2dff1d7b67824ba5b284e2318b43374210d7241aa7453302308830fc
Instruction Fuzzy Hash: 773124B5D0121A9FCB10DF99D484BDEFBB0FF48320F10856AE858A7340D374AA54CBA1

Uniqueness

Uniqueness Score: 100.00%

Function 003CD940, Relevance: 1.6, APIs: 1, Instructions: 68
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CredEnumerateW.ADVAPI32(00000000,?,?,?), ref: 003CD9CB

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: CredEnumerate
String ID:
API String ID: 3404281133-0
Opcode ID: 54aecbd02e5bdc6cc38ac15be8fb8d2c5843cc81e1fe53098866119e7ba80a90
Instruction ID: a5d81fc1676ebd4357d0fc6e5dccec02ad4d7bc705b500435474efd8d2f90a43
Opcode Fuzzy Hash: 54aecbd02e5bdc6cc38ac15be8fb8d2c5843cc81e1fe53098866119e7ba80a90
Instruction Fuzzy Hash: 242105B5D01219AFCB10DF99D484BDEFBB4FF48324F10856AE858A7340D774AA54CBA1

Uniqueness

Uniqueness Score: 100.00%

Function 003CAF68, Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,?,00000001), ref: 003CC2A4

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3be54b72276efbbb6b9f48cf28ce448244419ce6799d7d57df580ce8a7ef58f4
Instruction ID: 8c2f1d2d172392d76cc6774b86af52602cf8cecbcf363779dab6fabd7b1970ac
Opcode Fuzzy Hash: 3be54b72276efbbb6b9f48cf28ce448244419ce6799d7d57df580ce8a7ef58f4
Instruction Fuzzy Hash: AF21E3B59102499FDF10CFD9D984BDEBBF4FB49314F10842AE918A7240D378AA44CBA5

Uniqueness

Uniqueness Score: 0.04%

Function 003CC220, Relevance: 1.6, APIs: 1, Instructions: 63
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,?,00000001), ref: 003CC2A4

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b3f1c6a2afb30c669b2443d01f13d0fcdb16a8ff9bb9bb4cdb6754c1c08d7fe3
Instruction ID: 0cd5dd2fa8a11bfeee1466c0b5da80e4ebffc50bbd0b70e68756b517603b5001
Opcode Fuzzy Hash: b3f1c6a2afb30c669b2443d01f13d0fcdb16a8ff9bb9bb4cdb6754c1c08d7fe3
Instruction Fuzzy Hash: 7421E0B5910249DFDF10CFA9D884BDEBBF4FB49314F10846AE958A7240D378AA44CF61

Uniqueness

Uniqueness Score: 0.04%

Function 003CAF5C, Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,00010002,?,?,?,?,00000004,?,?,00000000,00000000,02D41158), ref: 003CC1D1

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 435b55f1cca7143e068d5ffd1d204a82d5acf62cc93e17dc0071a00d63020d70
Instruction ID: 62aaedd0bc55959094690ef8ddbdf2f84125fed31ec114c0fd1f9d03fa8b9d78
Opcode Fuzzy Hash: 435b55f1cca7143e068d5ffd1d204a82d5acf62cc93e17dc0071a00d63020d70
Instruction Fuzzy Hash: 3C21F3B59102499FDB11CF9AD884BEEBBF4FB08314F10846EE918A7201D374AA44CBA5

Uniqueness

Uniqueness Score: 0.11%

Function 003CC158, Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,00010002,?,?,?,?,00000004,?,?,00000000,00000000,02D41158), ref: 003CC1D1

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 55ed789f053d1ba4aa5b899c37cee61095648340bc19d6db297d5048892604bf
Instruction ID: 3155a2a9e10bb4f54d17c089376003d9be7a8053319d27377af1c346fe4bde39
Opcode Fuzzy Hash: 55ed789f053d1ba4aa5b899c37cee61095648340bc19d6db297d5048892604bf
Instruction Fuzzy Hash: 9D21EDB5D102499FDB11CF9AD884BDEBBB4FB48314F14846EE858A7241D378AA44CBA1

Uniqueness

Uniqueness Score: 0.11%

Function 003CAF74, Relevance: 1.6, APIs: 1, Instructions: 59
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNEL32(?,00000000,?,?,?,?,003CB88F,?,00000000,00000000,02D41158), ref: 003CC10B

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: c0bc87f9e2e1006df5e64497302a4f74111c5852a24287867551263a0a24d533
Instruction ID: e851a466dbfcbb86a4405298e1f904c0de0deae3478d9a7fad42e3aef3ee17a9
Opcode Fuzzy Hash: c0bc87f9e2e1006df5e64497302a4f74111c5852a24287867551263a0a24d533
Instruction Fuzzy Hash: 4F2133B5D102098FDB10CF9AC844BEEBBF4EB89324F14C46ED858A3200D378A945CFA1

Uniqueness

Uniqueness Score: 0.78%

Function 003CAF50, Relevance: 1.6, APIs: 1, Instructions: 59
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNEL32(?,00000000,?,?,?,?,003CB88F,?,00000000,00000000,02D41158), ref: 003CC10B

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: f91f273effc2446467359ce6b062300afbdd51b0dbf67138211ef148ed448cb2
Instruction ID: fdf4d0130a7ced2824f0808a083939f919dd941fc73a81f335f63718f74f70c8
Opcode Fuzzy Hash: f91f273effc2446467359ce6b062300afbdd51b0dbf67138211ef148ed448cb2
Instruction Fuzzy Hash: D921F2B59102098FDB10CF9AC844BEEBBF4EB89324F14846ED858A7240D779A945CFA1

Uniqueness

Uniqueness Score: 0.78%

Function 003C3C22, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003C6E54

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 4dd42fc31cf0ab76a85beeb7fc27ffcfd43c6d5484c7211a4f4d8dfcd979d635
Instruction ID: 7ee44a8051c4fa8bb9d7b965e331835ec2a6bcf3f9a071de4ac58dbb114f6639
Opcode Fuzzy Hash: 4dd42fc31cf0ab76a85beeb7fc27ffcfd43c6d5484c7211a4f4d8dfcd979d635
Instruction Fuzzy Hash: A7219AB48043888FCB11DFA9C855BDFBFF4EF49214F14849EC469A7291C378A844CBA2

Uniqueness

Uniqueness Score: 0.32%

Function 003CC09E, Relevance: 1.6, APIs: 1, Instructions: 56threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,00000000,?,?,?,?,003CB88F,?,00000000,00000000,02D41158), ref: 003CC10B

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 83577bd2c5e74e64ecccd0349e5f72804469b6ce6b38b508ce18ca6b799f5860
Instruction ID: de7cca8d9e7064b1e2f4ca776ddee984fa8f265f066c5344153549f078f723f9
Opcode Fuzzy Hash: 83577bd2c5e74e64ecccd0349e5f72804469b6ce6b38b508ce18ca6b799f5860
Instruction Fuzzy Hash: 3F2103B5D102498FDB10CF9AD844BDEBBF4EB88314F14856ED858A3240D379A945CFA1

Uniqueness

Uniqueness Score: 0.78%

Function 003C3C40, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003C6E54

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 3796b0388347d12daa2b771eed57015d3ef8bf65cb6f8d166681d3df3d5cb4c1
Instruction ID: 7de1a77809f905682c125e50152214830a272c6a684e930db00628f69ce8a8ef
Opcode Fuzzy Hash: 3796b0388347d12daa2b771eed57015d3ef8bf65cb6f8d166681d3df3d5cb4c1
Instruction Fuzzy Hash: 3B1125B8D002098FCB10DF99C545B9EFBF4EB48314F10885AD829A7310D774A944CFA1

Uniqueness

Uniqueness Score: 0.32%

Function 003C6DF0, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003C6E54

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 9ece8c05092b560efb26dd20bffe80cc1d5109858ddb4912386e40139efe6809
Instruction ID: 2cb524351e54e868c09dba842e519e03dc211861e551cee8468e01797826d95b
Opcode Fuzzy Hash: 9ece8c05092b560efb26dd20bffe80cc1d5109858ddb4912386e40139efe6809
Instruction Fuzzy Hash: AE1104B89002498FCB10DFA9D585BDEFBF0AF48214F14895AD859A7350D378A944CFA1

Uniqueness

Uniqueness Score: 0.32%

Function 0036D2B4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.14813588602.0036D000.00000040.00000001.sdmp, Offset: 0036D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36d000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ad51d6dc95ed98ae5ef6b25cbc4438c50145f52138d8d11b2e36df89608c18
Instruction ID: 4bb1700177eaab304aeb1b2236edf0e926d2a0340dabe19bd0bcaf5766430853
Opcode Fuzzy Hash: a5ad51d6dc95ed98ae5ef6b25cbc4438c50145f52138d8d11b2e36df89608c18
Instruction Fuzzy Hash: 84210778A04244DFCB12CF10D5C0B2ABB65FB88318F34C5ADE8094B749C336D806CB62

Uniqueness

Uniqueness Score: 0.00%

Function 0036D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.14813588602.0036D000.00000040.00000001.sdmp, Offset: 0036D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36d000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7cf9f7417af184999f98e15a1e29f76a5b0059672c4d9a47b112a84831012a
Instruction ID: 1881b3cfb1151078568f1a30fb711c6bec4ecbf676afd4a9e76f38e998b52175
Opcode Fuzzy Hash: ca7cf9f7417af184999f98e15a1e29f76a5b0059672c4d9a47b112a84831012a
Instruction Fuzzy Hash: 5521F574A04244DFCB16DF10D8C4B26BB65EB84318F24C569D8094B64AC337D806CAA1

Uniqueness

Uniqueness Score: 0.00%

Function 0036D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.14813588602.0036D000.00000040.00000001.sdmp, Offset: 0036D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36d000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00cb6254f7c47b96390276d06076bfe19cf885635d13f8954bc2b2e87f2a4134
Instruction ID: 3782c243ae145d17c24081c9e9a3645e6d7a65c94bccd56f3034c7ba6a825629
Opcode Fuzzy Hash: 00cb6254f7c47b96390276d06076bfe19cf885635d13f8954bc2b2e87f2a4134
Instruction Fuzzy Hash: 63119075904280DFCB12CF14D5C4B15FB71FB85314F24C6A9D8094B65AC33AD84ACB61

Uniqueness

Uniqueness Score: 0.00%

Function 0036D2AF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.14813588602.0036D000.00000040.00000001.sdmp, Offset: 0036D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36d000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00cb6254f7c47b96390276d06076bfe19cf885635d13f8954bc2b2e87f2a4134
Instruction ID: 2a73fd3199bc8baaa9207caf2795e75fc352a2331f68610fc8f068ff5a193aa6
Opcode Fuzzy Hash: 00cb6254f7c47b96390276d06076bfe19cf885635d13f8954bc2b2e87f2a4134
Instruction Fuzzy Hash: 04119079904680DFCB12CF10D5C4B19BB61FB84314F38C6A9D8494B756C33AD85ACB62

Uniqueness

Uniqueness Score: 0.00%

Non-executed Functions

Function 003C5418, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.14813675053.003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3c0000_systemupdate_ProtectedAUS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11310b5191507a27e53b0d685f6d85d78165068b4ead5f732246794e0d638c21
Instruction ID: a8b4280e0dc6d6cf532c43352e426d627125376715668dbafc1d8233f3ac7bcc
Opcode Fuzzy Hash: 11310b5191507a27e53b0d685f6d85d78165068b4ead5f732246794e0d638c21
Instruction Fuzzy Hash: 7CA14A74E006098FDF15CFA9C981BAEBBF2AF88314F14812DD415EB254EB74AC85CB91

Uniqueness

Uniqueness Score: 0.00%

Analysis Process: vbc.exe PID: 2440 Parent PID: 3188 vbc.exeUNIQUE

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	11.8%
Signature Coverage:	6.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	188

Executed Functions

Function 00401F3D, Relevance: 33.6, APIs: 12, Strings: 7, Instructions: 346
registrycomUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32 ref: 00401F8E
RegEnumValueA.ADVAPI32(?,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00401FC1
RegEnumValueA.ADVAPI32(?,00000001,?,00000400,00000000,00000000,00000000,00000000), ref: 00402036
RegCloseKey.ADVAPI32(?), ref: 0040204F
CoInitialize.OLE32(00000000), ref: 00402101
CLSIDFromString.OLE32(?,?), ref: 0040211B
CLSIDFromString.OLE32(?,?), ref: 0040212B
CoCreateInstance.OLE32(?,00000000,00000001,?,?), ref: 00402145
_wcschr.LIBCMT ref: 004021EA
__wcsnicmp.LIBCMT ref: 00402249
__wcsnicmp.LIBCMT ref: 00402263
CoUninitialize.OLE32 ref: 0040238D

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 00401F5A
http://, xrefs: 00402243
{3C374A40-BAE4-11CF-BF7D-00AA006946EE}, xrefs: 004020D6
https://, xrefs: 0040225D
{AFA0DC11-C313-11D0-831A-00C04FD5AE38}, xrefs: 004020EF
http://www.facebook.com/, xrefs: 0040205E
/, xrefs: 00402213

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: EnumFromStringValue__wcsnicmp$CloseCreateInitializeInstanceOpenUninitialize_wcschr
String ID: /$Software\Microsoft\Internet Explorer\IntelliForms\Storage2$http://$http://www.facebook.com/$https://${3C374A40-BAE4-11CF-BF7D-00AA006946EE}${AFA0DC11-C313-11D0-831A-00C04FD5AE38}
API String ID: 3508844707-2581409083
Opcode ID: 7f87489f8755db533ae58970329c4496bff015cda9f0027fac09c0aadfecc4d1
Instruction ID: 236733ae42f18aad4e7ad052d39f46084bc98a3f7ab2ed7f63f0882270a2222f
Opcode Fuzzy Hash: 7f87489f8755db533ae58970329c4496bff015cda9f0027fac09c0aadfecc4d1
Instruction Fuzzy Hash: 69C185719002199ADF24DAA0CD48BEA7779FB44304F1045EBEA09A71C1D7B59F86CF68

Uniqueness

Uniqueness Score: 100.00%

Function 00404399, Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 131
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004015C5: GetStdHandle.KERNEL32(000000F5), ref: 004015D7
Part of subcall function 004015C5: GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 004015E2

GetCurrentProcess.KERNEL32(000F01FF,?), ref: 004043D9
OpenProcessToken.ADVAPI32(00000000), ref: 004043E0
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 004043F9
AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 00404414

Part of subcall function 00401619: _wprintf.LIBCMT ref: 00401630
Part of subcall function 00401619: _wprintf.LIBCMT ref: 00401646
Part of subcall function 00401619: _wprintf.LIBCMT ref: 00401655
Part of subcall function 00401619: _wprintf.LIBCMT ref: 00401663
Part of subcall function 00401619: _wprintf.LIBCMT ref: 0040167B
Part of subcall function 00401619: _wprintf.LIBCMT ref: 00401685
Part of subcall function 00401619: _wprintf.LIBCMT ref: 0040168F
Part of subcall function 00401619: _wprintf.LIBCMT ref: 0040169A
Part of subcall function 00401619: _wprintf.LIBCMT ref: 004016A4
Part of subcall function 00401619: _wprintf.LIBCMT ref: 004016AF
Part of subcall function 00401619: _wprintf.LIBCMT ref: 004016B9
Part of subcall function 00401619: _wprintf.LIBCMT ref: 004016C7
Part of subcall function 00401619: _wprintf.LIBCMT ref: 004016D1

CloseHandle.KERNELBASE(?), ref: 00404428
GetEnvironmentVariableA.KERNEL32(PROMPT,?,00000080), ref: 00404454
_wprintf.LIBCMT ref: 0040451C
_wprintf.LIBCMT ref: 00404528

Strings

Error: Output file name is not specified., xrefs: 004044D8
SeDebugPrivilege, xrefs: 004043F3
Press any key to exit...., xrefs: 00404521
Error: Invalid parameters specified., xrefs: 00404482
This is command-line application. Kindly Run it from the CMD Prompt, xrefs: 00404517
PROMPT, xrefs: 0040444F

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wprintf$HandleProcessToken$AdjustBufferCloseConsoleCurrentEnvironmentInfoLookupOpenPrivilegePrivilegesScreenValueVariable
String ID: Error: Invalid parameters specified.$ Error: Output file name is not specified.$ Press any key to exit....$ This is command-line application. Kindly Run it from the CMD Prompt$PROMPT$SeDebugPrivilege
API String ID: 3116118200-3402409182
Opcode ID: f3ba9d24fb922e6f1a57194ce43e474a6d1bc4482a3683ae625b8ba06c0e8581
Instruction ID: 59766ebe2bd482bcbddda0e8b6d41e0098518e87eb0848bba48e726c3f20b9ed
Opcode Fuzzy Hash: f3ba9d24fb922e6f1a57194ce43e474a6d1bc4482a3683ae625b8ba06c0e8581
Instruction Fuzzy Hash: B341A2B1504204ABDB14AF719C45AAE7768AF8070EF1444BFFA05B51D2DF3D9E488A1D

Uniqueness

Uniqueness Score: 100.00%

Function 00449182, Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c8076e0f52b7b85f682d71cd05aa8b96f7182b20a72c2dcf6ae6f99bfd7d098
Instruction ID: cd91675c22560a5d21e0ad0fa57d62ad70b5a515cc01d08771c07ebf934e8d1b
Opcode Fuzzy Hash: 5c8076e0f52b7b85f682d71cd05aa8b96f7182b20a72c2dcf6ae6f99bfd7d098
Instruction Fuzzy Hash: 16328F75A022289BDB24CF55DC80AEAB7F5FB46314F1840DAE40AE7B81D7349E81DF46

Uniqueness

Uniqueness Score: 0.00%

Function 0040AFF0, Relevance: 4.6, APIs: 3, Instructions: 84UNIQUE

Download Yara Rule

APIs

Part of subcall function 0040AF25: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000200,-00000003,?,?,?,0040B024,?,?,00000104,?,?,-00000003), ref: 0040AF45
Part of subcall function 0040AF25: _malloc.LIBCMT ref: 0040AF55
Part of subcall function 0040AF25: _free.LIBCMT ref: 0040AF62

Part of subcall function 0040A347: GetVersionExA.KERNEL32(?), ref: 0040A375

GetDiskFreeSpaceW.KERNELBASE(00000000,?,?,?,?,?,?,-00000003,?), ref: 0040B082
GetDiskFreeSpaceA.KERNEL32(00000000,?,?,?,?,?,?,-00000003,?), ref: 0040B0B6
_free.LIBCMT ref: 0040B0BF

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: DiskFreeSpace_free$FullNamePathVersion_malloc
String ID:
API String ID: 138112127-0
Opcode ID: 03a91d142b656b8a7c1163a91063fe475db5ceecb728297f49f0982ea8f6f4a1
Instruction ID: 51d722c3fd77eccce6d57187154632daab7a80a4c3c7704d5c4690b09382290e
Opcode Fuzzy Hash: 03a91d142b656b8a7c1163a91063fe475db5ceecb728297f49f0982ea8f6f4a1
Instruction Fuzzy Hash: 2A21977190021C9ED726AB658C42BEB73ACDF05704F1404BBE615E71D1EB789E848BEE

Uniqueness

Uniqueness Score: 100.00%

Function 004041A8, Relevance: 4.6, APIs: 3, Instructions: 77UNIQUE

Download Yara Rule

APIs

Part of subcall function 00401230: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00020019,?), ref: 00401278
Part of subcall function 00401230: RegQueryValueExA.KERNEL32(?,svcVersion,00000000,?,?,?), ref: 004012AE
Part of subcall function 00401230: RegQueryValueExA.ADVAPI32(?,Version,00000000,?,?,?), ref: 004012E0
Part of subcall function 00401230: RegCloseKey.KERNEL32(?), ref: 00401313

_memset.LIBCMT ref: 004041DA
GetVersionExA.KERNEL32(?), ref: 004041EB
FreeLibrary.KERNEL32(00000000), ref: 0040428A

Part of subcall function 004040B8: LoadLibraryA.KERNEL32(vaultcli.dll), ref: 004040C4
Part of subcall function 004040B8: GetLastError.KERNEL32 ref: 004040D3

Part of subcall function 004023A8: CredEnumerateA.ADVAPI32(00000000,00000000,?,?), ref: 00402400
Part of subcall function 004023A8: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 00402485
Part of subcall function 004023A8: ___from_strstr_to_strchr.LIBCMT ref: 004024A1
Part of subcall function 004023A8: _strstr.LIBCMT ref: 004024BF
Part of subcall function 004023A8: swprintf.LIBCMT ref: 004024F2

Part of subcall function 00401F3D: RegOpenKeyExA.KERNEL32 ref: 00401F8E
Part of subcall function 00401F3D: RegEnumValueA.ADVAPI32(?,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00401FC1
Part of subcall function 00401F3D: RegEnumValueA.ADVAPI32(?,00000001,?,00000400,00000000,00000000,00000000,00000000), ref: 00402036
Part of subcall function 00401F3D: RegCloseKey.ADVAPI32(?), ref: 0040204F

Part of subcall function 004025C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000100,00000000,00000000), ref: 004026C2
Part of subcall function 004025C9: _strstr.LIBCMT ref: 004026F6
Part of subcall function 004025C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000100,00000000,00000000), ref: 00402721

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Value$ByteCharCloseEnumLibraryMultiOpenQueryWide_strstr$CredCryptDataEnumerateErrorFreeLastLoadUnprotectVersion___from_strstr_to_strchr_memsetswprintf
String ID:
API String ID: 3661251238-0
Opcode ID: e674d39f9758df4f8e82d0dd90810e70705767e8847f169ce77e2ebd7a0b8721
Instruction ID: fd32af64a4bd8ed847c377ae70c93f11884c7e67fa000ae0ba9ef4fe83d88d80
Opcode Fuzzy Hash: e674d39f9758df4f8e82d0dd90810e70705767e8847f169ce77e2ebd7a0b8721
Instruction Fuzzy Hash: BA21D1716043009AD624BB72AD0BB5E33945F44719F00093FF284BA0D2DEBCC1848A9F

Uniqueness

Uniqueness Score: 100.00%

Function 00447049, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0044704F

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7c28c69a44da227d4f6a6a7b2ceac40ed25bb325f8b16ddcd9fe6da40a2bd230
Instruction ID: e8f4d733dc47490eb7cf8ae9516b4b5e02db13001603bf70689deaeb25ce38b9
Opcode Fuzzy Hash: 7c28c69a44da227d4f6a6a7b2ceac40ed25bb325f8b16ddcd9fe6da40a2bd230
Instruction Fuzzy Hash: 47A0123000020CA78A001B81EC084447F6CD6411557004024F40C04022973294904584

Uniqueness

Uniqueness Score: 0.01%

Function 0044D57E, Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 622fileUNIQUELIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 0044D7C9
___createFile.LIBCMT ref: 0044D80A
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 0044D833
__dosmaperr.LIBCMT ref: 0044D83A
GetFileType.KERNELBASE(00000000), ref: 0044D84D
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 0044D870
__dosmaperr.LIBCMT ref: 0044D879
CloseHandle.KERNEL32(00000000), ref: 0044D882
__set_osfhnd.LIBCMT ref: 0044D8B2
__lseeki64_nolock.LIBCMT ref: 0044D91C
__close_nolock.LIBCMT ref: 0044D942
__chsize_nolock.LIBCMT ref: 0044D972
__lseeki64_nolock.LIBCMT ref: 0044D984
__lseeki64_nolock.LIBCMT ref: 0044DA7C
__lseeki64_nolock.LIBCMT ref: 0044DA91
__close_nolock.LIBCMT ref: 0044DAF1

Part of subcall function 004472E5: CloseHandle.KERNELBASE(00000000), ref: 00447335
Part of subcall function 004472E5: GetLastError.KERNEL32(?,0044D947,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0044733F
Part of subcall function 004472E5: __free_osfhnd.LIBCMT ref: 0044734C
Part of subcall function 004472E5: __dosmaperr.LIBCMT ref: 0044736E

Part of subcall function 00442B74: __getptd_noexit.LIBCMT ref: 00442B74

__lseeki64_nolock.LIBCMT ref: 0044DB13
CloseHandle.KERNEL32(00000000), ref: 0044DC48
___createFile.LIBCMT ref: 0044DC67
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0044DC74
__dosmaperr.LIBCMT ref: 0044DC7B
__free_osfhnd.LIBCMT ref: 0044DC9B
__invoke_watson.LIBCMT ref: 0044DCC9
CloseHandle.KERNEL32(FFFFFFFE), ref: 0044DCDF

Strings

@, xrefs: 0044D89E

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __lseeki64_nolock$CloseErrorFileHandleLast__dosmaperr$___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd
String ID: @
API String ID: 1064426618-2766056989
Opcode ID: 3cdf5bc2911dc7f0f11f22361461cf2e50e6765ff7f52354feb2638c1a609017
Instruction ID: 8ea6f17564dfb676ff10ddab6c0d4b3c0eb05905e4ba26a90d8d423bbbda1119
Opcode Fuzzy Hash: 3cdf5bc2911dc7f0f11f22361461cf2e50e6765ff7f52354feb2638c1a609017
Instruction Fuzzy Hash: 6A221071D042059BFB289F68DC85BAE7B60EF04328F25422BE525AB3E2C73D8D41C759

Uniqueness

Uniqueness Score: 100.00%

Function 00405778, Relevance: 35.3, APIs: 10, Strings: 10, Instructions: 322
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(?,00000001,00000001,00000000,?,0040366A,?), ref: 00405803
GetLastError.KERNEL32(?,0040366A,?), ref: 00405827
GetFileAttributesA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0040366A,?), ref: 0040585A

Part of subcall function 0040541A: GetTempPathA.KERNEL32(00000410,?), ref: 0040544B
Part of subcall function 0040541A: __time64.LIBCMT ref: 00405458
Part of subcall function 0040541A: __allrem.LIBCMT ref: 00405470
Part of subcall function 0040541A: swprintf.LIBCMT ref: 00405485
Part of subcall function 0040541A: GetLastError.KERNEL32(?,?,00000000,?,?,0000022B,00000000,?,00000208,00000003,?,0040581C,?,0040366A,?), ref: 004054C0

Strings

., xrefs: 00405A2B
---, xrefs: 00405A99
\logins.json, xrefs: 004057C4
#2d, xrefs: 004059FF
/signons.txt, xrefs: 00405792
/signons2.txt, xrefs: 0040579E
/signons3.txt, xrefs: 004057AB
\signons.sqlite, xrefs: 004057B8
j6@, xrefs: 00405B7E, 0040588B, 0040580E
#2c, xrefs: 004059DC

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AttributesErrorFileLast$PathTemp__allrem__time64swprintf
String ID: #2c$#2d$---$.$/signons.txt$/signons2.txt$/signons3.txt$\logins.json$\signons.sqlite$j6@
API String ID: 1317575291-2039412583
Opcode ID: bf6b42526533325b13c9d4b9a3fa12a431bec66e2881922a2b2a6146ca432814
Instruction ID: eb684abbe1a659daf7df9d89132785e23275345fda7c5fa6c0dac7c703dc911f
Opcode Fuzzy Hash: bf6b42526533325b13c9d4b9a3fa12a431bec66e2881922a2b2a6146ca432814
Instruction Fuzzy Hash: AAB1C171901B289ACF20DB91CC49ADB7379EF15315F1041B7E804B6181EBB9AF89CF89

Uniqueness

Uniqueness Score: 100.00%

Function 004042A3, Relevance: 35.1, APIs: 6, Strings: 14, Instructions: 66
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wfopen_s.LIBCMT ref: 004042B5
_wprintf.LIBCMT ref: 0040432E
_wprintf.LIBCMT ref: 00404338
_fprintf.LIBCMT ref: 00404354
_fprintf.LIBCMT ref: 00404369
_wprintf.LIBCMT ref: 00404390

Part of subcall function 0043F2C0: _strlen.LIBCMT ref: 0043F366
Part of subcall function 0043F2C0: __lock_file.LIBCMT ref: 0043F371
Part of subcall function 0043F2C0: __stbuf.LIBCMT ref: 0043F37D
Part of subcall function 0043F2C0: __ftbuf.LIBCMT ref: 0043F395

Strings

_______________________________________________________________________, xrefs: 00404349
Username, xrefs: 0040431F
**********************************************, xrefs: 004042CC
Password, xrefs: 0040431A
**********************************************, xrefs: 004042EC
Error: Failed to create file '%s' for writing Password list. Make sure you have specified correct & full file path, xrefs: 004042F9
Produced by %s from http://www.SecurityXploded.com, xrefs: 0040435E
Website URL, xrefs: 00404315
==============================================================================================================, xrefs: 00404333
%-20s %-30s %-20s %-s, xrefs: 00404329
BrowserPasswordDump, xrefs: 00404359, 00404386
Browser Password Recovery Report, xrefs: 004042DC
Tip: For more options type %s.exe -h , xrefs: 0040438B
Browser, xrefs: 00404324

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wprintf$_fprintf$__ftbuf__lock_file__stbuf__wfopen_s_strlen
String ID: %-20s %-30s %-20s %-s$ Tip: For more options type %s.exe -h $_______________________________________________________________________$ **********************************************$ Error: Failed to create file '%s' for writing Password list. Make sure you have specified correct & full file path$ Browser Password Recovery Report$ **********************************************$ ==============================================================================================================$ Produced by %s from http://www.SecurityXploded.com$Browser$BrowserPasswordDump$Password$Username$Website URL
API String ID: 718506414-2565730701
Opcode ID: 47cfa29c0ea67c11a33e437b5fc8003e63d5b32d05c2c8d7534f195a6c6307af
Instruction ID: 630b8d98e6f98468579705620ca41fb454552b89908472decd622954546fdb52
Opcode Fuzzy Hash: 47cfa29c0ea67c11a33e437b5fc8003e63d5b32d05c2c8d7534f195a6c6307af
Instruction Fuzzy Hash: C211A072AC8710F2D91533626C63F5A26056A49B0BB2526BFFD00341E3AEAE5C1D905F

Uniqueness

Uniqueness Score: 100.00%

Function 00402C57, Relevance: 33.5, APIs: 10, Strings: 9, Instructions: 289
fileUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00402C8C
_memset.LIBCMT ref: 00402CAA
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00402D27
GetFileAttributesA.KERNELBASE(?), ref: 00402D5E
GetFileAttributesA.KERNELBASE(?), ref: 00402DED
GetTempPathA.KERNEL32(000003E8,?), ref: 00402E96
CopyFileA.KERNEL32(?,?,00000000), ref: 00402EC4
GetLastError.KERNEL32 ref: 00402ECE
DeleteFileA.KERNELBASE(?), ref: 00403000
GetLastError.KERNEL32 ref: 00403008

Part of subcall function 00402884: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004028A6
Part of subcall function 00402884: GetLastError.KERNEL32 ref: 004028B0

Strings

Web Data, xrefs: 00402C71
\Google\Chrome\User Data\Default\, xrefs: 00402D00
\Comodo\Dragon\User Data\Default\, xrefs: 00402CED
\, xrefs: 00402E3D
Login Data, xrefs: 00402C91
\Chromium\User Data\Default\, xrefs: 00402CF9
select * from logins where blacklisted_by_user=0;, xrefs: 00402CC1
\Google\Chrome SxS\User Data\Default\, xrefs: 00402CE1
\MapleStudio\ChromePlus\User Data\Default\, xrefs: 00402CD5

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$ErrorLast$AttributesPath_memset$CopyCryptDataDeleteFolderTempUnprotect
String ID: Login Data$Web Data$\$\Chromium\User Data\Default\$\Comodo\Dragon\User Data\Default\$\Google\Chrome SxS\User Data\Default\$\Google\Chrome\User Data\Default\$\MapleStudio\ChromePlus\User Data\Default\$select * from logins where blacklisted_by_user=0;
API String ID: 1402508811-4185613998
Opcode ID: 9be94a1e263b17595b1ff09a036508637bb48d1e7a244499210e42673a8470a9
Instruction ID: 475c2dbbdadf3be3901553f0f28ca0f70ac7c6f88b815937ee2b87c8547c8229
Opcode Fuzzy Hash: 9be94a1e263b17595b1ff09a036508637bb48d1e7a244499210e42673a8470a9
Instruction Fuzzy Hash: 1EA18471801219AADF20EA61DC49EDE777CAF45304F0405EBF509F21C2EB799B89CB99

Uniqueness

Uniqueness Score: 100.00%

Function 00403D44, Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 139
processsynchronizationUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00403D6F
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00403D93
swprintf.LIBCMT ref: 00403DBE
GetFileAttributesA.KERNELBASE(?), ref: 00403DD3

Part of subcall function 00403C38: _memset.LIBCMT ref: 00403C65
Part of subcall function 00403C38: SHGetFolderPathA.SHELL32(00000000,0000002A,00000000,00000000,00000000), ref: 00403C81
Part of subcall function 00403C38: GetLastError.KERNEL32 ref: 00403C8D
Part of subcall function 00403C38: SHGetFolderPathA.SHELL32(00000000,00000026,00000000,00000000,00000000), ref: 00403C9D
Part of subcall function 00403C38: GetLastError.KERNEL32 ref: 00403CA3
Part of subcall function 00403C38: swprintf.LIBCMT ref: 00403CC0
Part of subcall function 00403C38: GetFileAttributesA.KERNEL32 ref: 00403CC9

GetTempPathA.KERNEL32(00000208,?), ref: 00403E01
swprintf.LIBCMT ref: 00403E1B
swprintf.LIBCMT ref: 00403E42
_memset.LIBCMT ref: 00403E53
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00403E90
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00403EA2
CloseHandle.KERNEL32(?), ref: 00403EB4
CloseHandle.KERNEL32(?), ref: 00403EBC
GetFileAttributesA.KERNEL32(?), ref: 00403EC5

Part of subcall function 00403835: __wfopen_s.LIBCMT ref: 00403862
Part of subcall function 00403835: _fgets.LIBCMT ref: 00403893
Part of subcall function 00403835: _strstr.LIBCMT ref: 004038FA
Part of subcall function 00403835: _fgets.LIBCMT ref: 00403C00

GetLastError.KERNEL32 ref: 00403EED

Strings

"%s" -convert xml1 -s -o "%s" "%s", xrefs: 00403E35
Apple Computer\Preferences, xrefs: 00403D77
%s\%s\keychain.plist, xrefs: 00403DAC
%skeytest.tmp, xrefs: 00403E0E

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Pathswprintf$AttributesErrorFileFolderLast_memset$CloseHandle_fgets$CreateObjectProcessSingleTempWait__wfopen_s_strstr
String ID: "%s" -convert xml1 -s -o "%s" "%s"$%s\%s\keychain.plist$%skeytest.tmp$Apple Computer\Preferences
API String ID: 1339761189-2073509708
Opcode ID: 5e06d0cce004dfa5a0986d7c18c5cc25ad5765322c4bb6ba961a49ae3027e71e
Instruction ID: 41227ee00fa3c387e793d291abb7524b8f06c8f582b7bb6b8e5a3bf9e8fe634e
Opcode Fuzzy Hash: 5e06d0cce004dfa5a0986d7c18c5cc25ad5765322c4bb6ba961a49ae3027e71e
Instruction Fuzzy Hash: 30414F72901228AEDB20EB65DC44EDB7BBCEB49319F4005A6E509E6191D7349B88CF54

Uniqueness

Uniqueness Score: 100.00%

Function 00405BC5, Relevance: 29.8, APIs: 10, Strings: 7, Instructions: 69
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDllDirectoryA.KERNEL32(00000000), ref: 00405BD8

Part of subcall function 0040516F: _memset.LIBCMT ref: 0040519E
Part of subcall function 0040516F: LoadLibraryA.KERNEL32(?), ref: 004051E4

GetLastError.KERNEL32 ref: 00405BEE

Part of subcall function 004053F5: FreeLibrary.KERNELBASE(658D0000,00405CCC), ref: 00405413

SetDllDirectoryA.KERNEL32(00000000), ref: 00405BF6
74ECFFF6.KERNEL32(658D0000,NSS_Init), ref: 00405C15
74ECFFF6.KERNEL32(NSS_Shutdown), ref: 00405C27
74ECFFF6.KERNEL32(PK11_GetInternalKeySlot), ref: 00405C39
74ECFFF6.KERNEL32(PK11_FreeSlot), ref: 00405C4B
74ECFFF6.KERNEL32(PK11_Authenticate), ref: 00405C5D
74ECFFF6.KERNEL32(PK11SDR_Decrypt), ref: 00405C6F
74ECFFF6.KERNEL32(PK11_CheckUserPassword), ref: 00405C81

Strings

NSS_Shutdown, xrefs: 00405C17
PK11_FreeSlot, xrefs: 00405C3B
PK11_Authenticate, xrefs: 00405C4D
PK11SDR_Decrypt, xrefs: 00405C5F
PK11_CheckUserPassword, xrefs: 00405C71
NSS_Init, xrefs: 00405C0F
PK11_GetInternalKeySlot, xrefs: 00405C29

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: DirectoryLibrary$ErrorFreeLastLoad_memset
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot
API String ID: 278284886-407999416
Opcode ID: b5cb34ab79fa6cfaef68245d33a602da3d8fc0003e64d6a5b7f3d719eaff5285
Instruction ID: 33f9fd3df8d800ae195e91ad112411a557fb3dc968ffaa99ed7acbf39a18f2f8
Opcode Fuzzy Hash: b5cb34ab79fa6cfaef68245d33a602da3d8fc0003e64d6a5b7f3d719eaff5285
Instruction Fuzzy Hash: EA21B530955B119ADB616F75EC097573FA8FB14B0AF14453AE804A22E1E7F88C88CF4E

Uniqueness

Uniqueness Score: 100.00%

Function 004046E6, Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 207
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00404713
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040474E
GetLastError.KERNEL32 ref: 00404758
__wfopen_s.LIBCMT ref: 004047D9
_strstr.LIBCMT ref: 0040481B
_strstr.LIBCMT ref: 0040482F
_fgets.LIBCMT ref: 00404848
_strstr.LIBCMT ref: 00404873
_strstr.LIBCMT ref: 004048AF
_malloc.LIBCMT ref: 004048F2

Strings

path=, xrefs: 00404829
Mozilla\SeaMonkey, xrefs: 00404728
Mozilla\Firefox, xrefs: 0040472F
name=default, xrefs: 00404815
\profiles.ini, xrefs: 004047AE

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _strstr$ErrorFolderLastPath__wfopen_s_fgets_malloc_memset
String ID: Mozilla\Firefox$Mozilla\SeaMonkey$\profiles.ini$name=default$path=
API String ID: 445489200-2403234793
Opcode ID: bb06624a5f386399a0e46f90a4713bd5a58578662c1adb941874b5914deee0a7
Instruction ID: 5d159dd8fd3ed4980fe34b3e7b0823016142e5176c53a03b6f7e1e881f64c5d4
Opcode Fuzzy Hash: bb06624a5f386399a0e46f90a4713bd5a58578662c1adb941874b5914deee0a7
Instruction Fuzzy Hash: 485130B6800218A9CB10EA218C45ED777ACAF55314F1454BFF945E31C2EF7C9E8D8BA8

Uniqueness

Uniqueness Score: 100.00%

Function 00446488, Relevance: 26.2, APIs: 17, Instructions: 664COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 198de1bab5617eeda00c947a63fbcf17f6d6a85220c91ed19c33406133fa0118
Instruction ID: c87d0283bc661d25fb0c7cd8753e25f38135e614682ba155fc5e60357fb449ea
Opcode Fuzzy Hash: 198de1bab5617eeda00c947a63fbcf17f6d6a85220c91ed19c33406133fa0118
Instruction Fuzzy Hash: A5324A70A042919FFB218F58D840BAE7BB1EF17304F26405FE8959B392D7789842CB5B

Uniqueness

Uniqueness Score: 0.00%

Function 004028D1, Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 271
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00402905
_memset.LIBCMT ref: 00402924
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00402965
GetFileAttributesA.KERNELBASE(?), ref: 00402999
GetFileAttributesA.KERNEL32(?), ref: 00402A28
GetTempPathA.KERNEL32(000003E8,?), ref: 00402AD1
GetLastError.KERNEL32 ref: 00402B07
GetLastError.KERNEL32 ref: 00402C42

Strings

Web Data, xrefs: 004028EB
\, xrefs: 00402A78
Login Data, xrefs: 0040290A
\Flock\User Data\Default\, xrefs: 00402941
select * from logins where blacklisted_by_user=0;, xrefs: 0040292C

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AttributesErrorFileLastPath_memset$FolderTemp
String ID: Login Data$Web Data$\$\Flock\User Data\Default\$select * from logins where blacklisted_by_user=0;
API String ID: 4148099018-2542716756
Opcode ID: d69c29696ab55aa258689c83827ff8b50f1a507cc4d0bf406687d7f06f607ffb
Instruction ID: d80c0ffb2774b6a9b077eef6b7c2af799138db415b37355424118949e037b087
Opcode Fuzzy Hash: d69c29696ab55aa258689c83827ff8b50f1a507cc4d0bf406687d7f06f607ffb
Instruction Fuzzy Hash: 59919071900219AADF24DAA18C49FDF777DAB89304F5044EBF508B21C1EB78AE89CF54

Uniqueness

Uniqueness Score: 100.00%

Function 00444A55, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 219
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 00444A63

Part of subcall function 004473AF: __mtinitlocknum.LIBCMT ref: 004473C1
Part of subcall function 004473AF: RtlEnterCriticalSection.NTDLL(?), ref: 004473DA

__calloc_crt.LIBCMT ref: 00444A74

Part of subcall function 0044781B: __calloc_impl.LIBCMT ref: 0044782A
Part of subcall function 0044781B: Sleep.KERNEL32(00000000), ref: 00447841

@_EH4_CallFilterFunc@8.LIBCMT ref: 00444A8F
GetStartupInfoW.KERNEL32(?,00461D18,00000064), ref: 00444AE8
__calloc_crt.LIBCMT ref: 00444B33
GetFileType.KERNEL32(00000001), ref: 00444B7A
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00444BB3

Strings

D3, xrefs: 00444A9F, 00444ADD

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID: D3
API String ID: 1426640281-3488907147
Opcode ID: c2f5de48c772c217b84d482e1625e08e89dc079a84c036689e0a798c1df8a14a
Instruction ID: 09655ebbde56739fe122de267ee1f4dc4e653722d8d84f81803da60410ba108c
Opcode Fuzzy Hash: c2f5de48c772c217b84d482e1625e08e89dc079a84c036689e0a798c1df8a14a
Instruction Fuzzy Hash: CF81E4709057458FEB14CF68D884669BBF0AF85324B28426FD4A6AB3D1D738D843CB59

Uniqueness

Uniqueness Score: 100.00%

Function 0040454E, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 125
registryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040457A
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,?,?,?,?,?,?,00000000), ref: 004045CA
RegQueryValueExA.KERNEL32(?,00000000,00000000,?,?,00000104,?,?,?,?,?,00000000), ref: 004045F5
RegCloseKey.KERNEL32(?,75706DBE,?,?,?,?,?,00000000), ref: 00404622
_malloc.LIBCMT ref: 00404692
RegCloseKey.ADVAPI32(?,?,?,?,?,?,00000000), ref: 004046CA

Strings

SOFTWARE\Clients\StartMenuInternet\SEAMONKEY.EXE\shell\open\command, xrefs: 00404597
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command, xrefs: 0040459E
\, xrefs: 0040466D

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Close$OpenQueryValue_malloc_memset
String ID: SOFTWARE\Clients\StartMenuInternet\SEAMONKEY.EXE\shell\open\command$SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command$\
API String ID: 1742752003-2382300969
Opcode ID: 74c53a6de8fe0eb34b81f5ba6b263c74f013f6812d37a52de4e2a82ee1278ab6
Instruction ID: 9a6d5e3a7e6e8ffbdbde3c0277ad48e7b8f53f89dd90a06e13a0e1a7fa3e5c65
Opcode Fuzzy Hash: 74c53a6de8fe0eb34b81f5ba6b263c74f013f6812d37a52de4e2a82ee1278ab6
Instruction Fuzzy Hash: 7E4127708041189BDF21DB24DC54BFA777CAB56308F1005FAE689B21C2EB7A5FC98B54

Uniqueness

Uniqueness Score: 100.00%

Function 00401230, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71
registryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Internet Explorer,00000000,00020019,?), ref: 00401278
RegQueryValueExA.KERNEL32(?,svcVersion,00000000,?,?,?), ref: 004012AE
RegQueryValueExA.ADVAPI32(?,Version,00000000,?,?,?), ref: 004012E0
RegCloseKey.KERNEL32(?), ref: 00401313

Strings

11.0.9600.18537, xrefs: 00401253, 00401300
SOFTWARE\Microsoft\Internet Explorer, xrefs: 0040126E
Version, xrefs: 004012CF
6.0, xrefs: 00401248
svcVersion, xrefs: 0040129D

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID: 11.0.9600.18537$6.0$SOFTWARE\Microsoft\Internet Explorer$Version$svcVersion
API String ID: 1586453840-3926588707
Opcode ID: f4ff95292fa89edc27a7504e480f22c7ddedcbaa7efc3c1c6e566444bfea3cb5
Instruction ID: 2adeccfd58698fa0b904e5aa5ab29155b2ab8fff161f893c69811288bcb2abb9
Opcode Fuzzy Hash: f4ff95292fa89edc27a7504e480f22c7ddedcbaa7efc3c1c6e566444bfea3cb5
Instruction Fuzzy Hash: 1B2183B1A0131CAAD720DB51DC89FEA777CAB04705F1001ABBA15E51D3EA749E848F58

Uniqueness

Uniqueness Score: 100.00%

Function 0040344F, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 121
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00403483
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004034B4
GetFileAttributesA.KERNELBASE(?), ref: 00403522
GetFileAttributesA.KERNELBASE(?), ref: 00403586

Part of subcall function 0040344F: __wfopen_s.LIBCMT ref: 00403072
Part of subcall function 0040344F: _fseek.LIBCMT ref: 00403099
Part of subcall function 0040344F: _malloc.LIBCMT ref: 004030B2

Strings

Opera\Opera\profile\, xrefs: 0040349B
http, xrefs: 00403379
Opera\Opera\, xrefs: 00403488
wand.dat, xrefs: 00403508, 00403572

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AttributesFile$FolderPath__wfopen_s_fseek_malloc_memset
String ID: Opera\Opera\$Opera\Opera\profile\$http$wand.dat
API String ID: 4017050026-4065301253
Opcode ID: 4520a98e9bc4af7661d9a726659f747c8c5ef9e4a879b026e528bae71a8275bf
Instruction ID: 4b32d0477e43ea2184eb26eeb38afaacbd59df8ed37b18dd14da60408fb066a6
Opcode Fuzzy Hash: 4520a98e9bc4af7661d9a726659f747c8c5ef9e4a879b026e528bae71a8275bf
Instruction Fuzzy Hash: C631B6B28042447BC210EA619C49D9BB7ECABC8315F40193FF998D31D1E778EA08C6A6

Uniqueness

Uniqueness Score: 100.00%

Function 0040A55B, Relevance: 7.6, APIs: 5, Instructions: 57fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 0040A580
GetLastError.KERNEL32 ref: 0040A58B
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0040A5AE
GetLastError.KERNEL32 ref: 0040A5B8

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorFileLast$PointerRead
String ID:
API String ID: 2170121939-0
Opcode ID: 1d14ddda8ce5bd291bcca5792ae1bde327c2d8b4c464bd2be0447b4e7562c58b
Instruction ID: fc9d68caf02719ed72d46be2830cfabb2b6070443f826908d3de9129d98e1edf
Opcode Fuzzy Hash: 1d14ddda8ce5bd291bcca5792ae1bde327c2d8b4c464bd2be0447b4e7562c58b
Instruction Fuzzy Hash: C1118E76200305FBDF11CF64DC05B9A7BA8FB043A1F104236FA15EA2D0D774E9609B9A

Uniqueness

Uniqueness Score: 2.20%

Function 0040FFF6, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 380UNIQUE

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00410035
_memset.LIBCMT ref: 00410228

Strings

:memory:, xrefs: 0041002F
qC, xrefs: 0041000E

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _memcmp_memset
String ID: :memory:$qC
API String ID: 433756748-766443301
Opcode ID: 4effd2667b923fc56ce3f8071d1e731f70f7e75a62d76a2aa8c0bd25a59ec61e
Instruction ID: 8516dcb5444e04b1fc19a79eb32c7755c1e661864c98b508c5f09ae44880fce5
Opcode Fuzzy Hash: 4effd2667b923fc56ce3f8071d1e731f70f7e75a62d76a2aa8c0bd25a59ec61e
Instruction Fuzzy Hash: 15E1A0709042559FDB24DF65C880BAA7BB1BF15304F2480AFE849EB342DBB9D8C5CB59

Uniqueness

Uniqueness Score: 100.00%

Function 0040DD3D, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 273UNIQUE

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0040DDCF

Part of subcall function 00407E4B: _memset.LIBCMT ref: 00407E61

_memset.LIBCMT ref: 0040DF73

Strings

-journal, xrefs: 0040DEB1
:memory:, xrefs: 0040DDC7

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _memset$_memcmp
String ID: -journal$:memory:
API String ID: 538417588-354093883
Opcode ID: 013ff54ad404ca9362b7d50185d4473d3d031cffced41ac9d6e3479894822b2f
Instruction ID: 2534efebb8288e2ccd2f00699feac06f845880543929484f2ac757e5992f2742
Opcode Fuzzy Hash: 013ff54ad404ca9362b7d50185d4473d3d031cffced41ac9d6e3479894822b2f
Instruction Fuzzy Hash: 07A1B1B1E00606AFCB15CFA9C8416AABBF0BF44310F14827EE459EB381D738D955CB99

Uniqueness

Uniqueness Score: 100.00%

Function 004035AF, Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 004046E6: _memset.LIBCMT ref: 00404713
Part of subcall function 004046E6: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040474E
Part of subcall function 004046E6: GetLastError.KERNEL32 ref: 00404758

GetFileAttributesA.KERNELBASE(00000000), ref: 004035CE
SetDllDirectoryA.KERNEL32(00000000), ref: 00403627

Part of subcall function 0040454E: _memset.LIBCMT ref: 0040457A
Part of subcall function 0040454E: RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,?,?,?,?,?,?,00000000), ref: 004045CA
Part of subcall function 0040454E: RegQueryValueExA.KERNEL32(?,00000000,00000000,?,?,00000104,?,?,?,?,?,00000000), ref: 004045F5
Part of subcall function 0040454E: RegCloseKey.KERNEL32(?,75706DBE,?,?,?,?,?,00000000), ref: 00404622
Part of subcall function 0040454E: _malloc.LIBCMT ref: 00404692

GetFileAttributesA.KERNELBASE(00000000), ref: 004035E7

Part of subcall function 00405BC5: SetDllDirectoryA.KERNEL32(00000000), ref: 00405BD8
Part of subcall function 00405BC5: GetLastError.KERNEL32 ref: 00405BEE
Part of subcall function 00405BC5: SetDllDirectoryA.KERNEL32(00000000), ref: 00405BF6
Part of subcall function 00405BC5: 74ECFFF6.KERNEL32(658D0000,NSS_Init), ref: 00405C15
Part of subcall function 00405BC5: 74ECFFF6.KERNEL32(NSS_Shutdown), ref: 00405C27
Part of subcall function 00405BC5: 74ECFFF6.KERNEL32(PK11_GetInternalKeySlot), ref: 00405C39
Part of subcall function 00405BC5: 74ECFFF6.KERNEL32(PK11_FreeSlot), ref: 00405C4B
Part of subcall function 00405BC5: 74ECFFF6.KERNEL32(PK11_Authenticate), ref: 00405C5D
Part of subcall function 00405BC5: 74ECFFF6.KERNEL32(PK11SDR_Decrypt), ref: 00405C6F
Part of subcall function 00405BC5: 74ECFFF6.KERNEL32(PK11_CheckUserPassword), ref: 00405C81

SetDllDirectoryA.KERNEL32(00000000), ref: 0040360B

Part of subcall function 004053F5: FreeLibrary.KERNELBASE(658D0000,00405CCC), ref: 00405413

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Directory$AttributesErrorFileLast_memset$CloseFolderFreeLibraryOpenPathQueryValue_malloc
String ID:
API String ID: 304941828-0
Opcode ID: 8b5be48192ab019babe16f9111fd45f534da9ef9bc90811e4b7a5d08f0aee468
Instruction ID: 3215ab3e9c5db905f9bbb6642bd0b2af6c651a2c64f52b4713891b772780c8f8
Opcode Fuzzy Hash: 8b5be48192ab019babe16f9111fd45f534da9ef9bc90811e4b7a5d08f0aee468
Instruction Fuzzy Hash: 4D11E73150161467DB312F7A9C4566F7A5C9F80766B18093BE801F33D1EEBECE02469D

Uniqueness

Uniqueness Score: 12.89%

Function 0040516F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42libraryUNIQUE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040519E
LoadLibraryA.KERNEL32(?), ref: 004051E4

Strings

nss3.dll, xrefs: 004051C8

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: LibraryLoad_memset
String ID: nss3.dll
API String ID: 2997193564-2492180550
Opcode ID: 3002a9d495ae00c154f96ea5d6c766f703db8883a8c245f8663acb55f1715572
Instruction ID: 55ad9e39a55c903ff9547eb2cbc7afcffa5b63cadcfddafb3298d092d508fe3e
Opcode Fuzzy Hash: 3002a9d495ae00c154f96ea5d6c766f703db8883a8c245f8663acb55f1715572
Instruction Fuzzy Hash: 22016C7191125866D711E7568C05FCA77AC9F0C745F4004B6F745D3181E7F8AA44CA6D

Uniqueness

Uniqueness Score: 100.00%

Function 0040AC83, Relevance: 4.6, APIs: 3, Instructions: 130fileUNIQUE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,00000000,00000000), ref: 0040AD5C
_free.LIBCMT ref: 0040AD72
_free.LIBCMT ref: 0040ADE9

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free$CreateFile
String ID:
API String ID: 2252325716-0
Opcode ID: 50e2908d4ffc8971987c86f6e6fee25a3d809ac81c76cfa3da1c2adeec68ce9a
Instruction ID: 5bf5b013798ea011ef1da4973d0597665fb668a681034c64c742d07112804797
Opcode Fuzzy Hash: 50e2908d4ffc8971987c86f6e6fee25a3d809ac81c76cfa3da1c2adeec68ce9a
Instruction Fuzzy Hash: E141DE716083019FD710CF29C841B5BBBE2AF88354F10892EF999E62D1E738D9509B5B

Uniqueness

Uniqueness Score: 100.00%

Function 0043349D, Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1125UNIQUE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043351E

Strings

too many terms in compound SELECT, xrefs: 00433739

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _memset
String ID: too many terms in compound SELECT
API String ID: 2102423945-2451016212
Opcode ID: a26a3e3b268f74435526cf317d264a15cfc9dc80ff60580e113eb839d911ec31
Instruction ID: 7fae650f72c5ed6f37d394b1b1df5652df8aa4f8a7438559e46606477fda056b
Opcode Fuzzy Hash: a26a3e3b268f74435526cf317d264a15cfc9dc80ff60580e113eb839d911ec31
Instruction Fuzzy Hash: EF9265706083409FD724DF29C881A6BBBE6BFC8314F10892EF99987351DB39ED458B46

Uniqueness

Uniqueness Score: 100.00%

Function 0040AEBF, Relevance: 4.5, APIs: 3, Instructions: 47UNIQUE

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 0040AEE4
_free.LIBCMT ref: 0040AEF5

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AttributesFile_free
String ID:
API String ID: 2296893129-0
Opcode ID: cf7a8db0cb6c161e5e6d82884ae2e0edb1d2a4795ecdd8d6c391bdc4a09bd7c8
Instruction ID: aa8c4c1ce35555e095efe9f575b63939b83022f70f1487c90c945f6e07f4be7c
Opcode Fuzzy Hash: cf7a8db0cb6c161e5e6d82884ae2e0edb1d2a4795ecdd8d6c391bdc4a09bd7c8
Instruction Fuzzy Hash: 3AF0C2722557169BCB109EB598859AB3388AB843A87140537EA01E62C1CB38DC6192AB

Uniqueness

Uniqueness Score: 100.00%

Function 0044721B, Relevance: 3.1, APIs: 2, Instructions: 52UNIQUELIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00447272
__close_nolock.LIBCMT ref: 0044728B

Part of subcall function 00442B40: __getptd_noexit.LIBCMT ref: 00442B40

Part of subcall function 00442B74: __getptd_noexit.LIBCMT ref: 00442B74

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 9107af3e4ebcd2b7385f72f32ecaf719687e29c708b71c6481694f11ace22614
Instruction ID: 8c35b5a515f79a87157c6fc648992071e7a8fe07e6d51c812da3ff7dc575d3b9
Opcode Fuzzy Hash: 9107af3e4ebcd2b7385f72f32ecaf719687e29c708b71c6481694f11ace22614
Instruction Fuzzy Hash: B611C632909A904EF701BF6989423597B60AF42339F1503CBF4705B2E3C7FC994286AE

Uniqueness

Uniqueness Score: 37.75%

Function 004443F2, Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00444414
__calloc_crt.LIBCMT ref: 0044442D

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __calloc_crt
String ID:
API String ID: 3494438863-0
Opcode ID: c11f47d995f5feecc15aaec94d90b88e1f62b4cd1a14d16deecc71c12a29fc57
Instruction ID: 3d1ae830937f7de49037720bfa9ef5da238216d04d5beb573a29ef5a59ef7683
Opcode Fuzzy Hash: c11f47d995f5feecc15aaec94d90b88e1f62b4cd1a14d16deecc71c12a29fc57
Instruction Fuzzy Hash: 05F068717492128AF7249F5A7C51B716794E784B64F14C07BFA01DB291F7B8C8828A4E

Uniqueness

Uniqueness Score: 1.40%

Function 004408BF, Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00442B74: __getptd_noexit.LIBCMT ref: 00442B74

__lock_file.LIBCMT ref: 00440904

Part of subcall function 00444492: __lock.LIBCMT ref: 004444B5

__fclose_nolock.LIBCMT ref: 0044090F

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 097313f2133792eb7c08879dee758569807f38e35b29e64b48bb240b727fa647
Instruction ID: 780df067b3030213fb711f7f09a759a5780afcafe71407a5b5535614842ea881
Opcode Fuzzy Hash: 097313f2133792eb7c08879dee758569807f38e35b29e64b48bb240b727fa647
Instruction Fuzzy Hash: 29F090718013059AFB10BB76880275E77A06F81338F25820FA564AA1D2CB7C8952AB9E

Uniqueness

Uniqueness Score: 2.04%

Function 0044CAD6, Relevance: 3.0, APIs: 2, Instructions: 32UNIQUELIBRARYCODE

Download Yara Rule

APIs

___copy_path_to_wide_string.LIBCMT ref: 0044CAE5
_free.LIBCMT ref: 0044CB15

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ___copy_path_to_wide_string_free
String ID:
API String ID: 339592613-0
Opcode ID: 54d4fb7b8a88810a4ea91da8d687376565ec037ab9b255463baabbd5745462db
Instruction ID: c3291ede5c58a6fb7f24c0e8098764167dcd0a236cd0bca4cfa5ce6b2e505eb4
Opcode Fuzzy Hash: 54d4fb7b8a88810a4ea91da8d687376565ec037ab9b255463baabbd5745462db
Instruction Fuzzy Hash: FCF01C3291010DBBDF019FD5DD02DDE7F6AEF083A8F204155FA10A11A0E77ACA20EB98

Uniqueness

Uniqueness Score: 100.00%

Function 004015C5, Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5), ref: 004015D7
GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 004015E2

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: BufferConsoleHandleInfoScreen
String ID:
API String ID: 3205511803-0
Opcode ID: 52d4730f18a0b963158cf73c55395cfc960444ad3a76b8a5d9663065ac742197
Instruction ID: 45f79bbdf51d2713b6d997d0a65874159505a258f9ce29f5dc197a3e19081f42
Opcode Fuzzy Hash: 52d4730f18a0b963158cf73c55395cfc960444ad3a76b8a5d9663065ac742197
Instruction Fuzzy Hash: CAE0D83050420AEBCB00DFA58C0967E73B8AB44B15F60013DE503EA1D2FA34EA009629

Uniqueness

Uniqueness Score: 1.64%

Function 004476E1, Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004476E6

Part of subcall function 0044781B: __calloc_impl.LIBCMT ref: 0044782A
Part of subcall function 0044781B: Sleep.KERNEL32(00000000), ref: 00447841

RtlEncodePointer.NTDLL(00000000), ref: 004476F0

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: EncodePointerSleep__calloc_crt__calloc_impl
String ID:
API String ID: 2972565945-0
Opcode ID: 4ca0bbf34cffe094de8410f54bb66d336841bb1e888edb2d9a64a8b8c1e557ce
Instruction ID: ca0597da6d64427ffd4a0732ec9bbc0bed6aafa8190036c7798ecac31130154a
Opcode Fuzzy Hash: 4ca0bbf34cffe094de8410f54bb66d336841bb1e888edb2d9a64a8b8c1e557ce
Instruction Fuzzy Hash: 20D01232E487215AF7615B6578097952AD0D744B71F51452BE900DA291EB6448C24A8D

Uniqueness

Uniqueness Score: 0.05%

Function 00401601, Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,004015AD,00468230,00001000,?,?), ref: 00401606
SetConsoleTextAttribute.KERNEL32(00000000,00000004), ref: 00401611

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AttributeConsoleHandleText
String ID:
API String ID: 1363055914-0
Opcode ID: 48f6a26479a78500e7e28ffbf8dd0a9338357492c86df5e69f30df453ac946ef
Instruction ID: f42ce1dbf158a59516987d045b12306a2c50d08444eee0f0c25a47228432d6e5
Opcode Fuzzy Hash: 48f6a26479a78500e7e28ffbf8dd0a9338357492c86df5e69f30df453ac946ef
Instruction Fuzzy Hash: D3B09B31C05231E7863017797C0D8C72D18FD525773154771F425560E18A24C88085F4

Uniqueness

Uniqueness Score: 1.51%

Function 00440BE2, Relevance: 3.0, APIs: 2, Instructions: 7COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 00440BE8

Part of subcall function 00440BB0: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,00440BED,00000000,?,00447462,000000FF,0000001E,00461DD8,00000008,004473C6,00000000,?), ref: 00440BBF
Part of subcall function 00440BB0: 74ECFFF6.KERNEL32(?,CorExitProcess,?,?,00440BED,00000000,?,00447462,000000FF,0000001E,00461DD8,00000008,004473C6,00000000,?), ref: 00440BD1

ExitProcess.KERNEL32 ref: 00440BF1

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExitProcess$HandleModule___crt
String ID:
API String ID: 2165862795-0
Opcode ID: ead20bbb30560bf91836b9e84c0b57aafde4b4317b08fefec9bedbda9b557657
Instruction ID: 2a5a592825967c9192218008d3dce58eb47c168692aa0bd3b44781f21394016c
Opcode Fuzzy Hash: ead20bbb30560bf91836b9e84c0b57aafde4b4317b08fefec9bedbda9b557657
Instruction Fuzzy Hash: 22B09230000608BBDF012FA2DC0A8583F39EB01299B408025FA0408132EB72EAE19A8C

Uniqueness

Uniqueness Score: 0.24%

Function 0040A524, Relevance: 2.5, APIs: 2, Instructions: 26sleepUNIQUE

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 0040A538
CloseHandle.KERNELBASE(?), ref: 0040A541

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseHandleSleep
String ID:
API String ID: 252777609-0
Opcode ID: 30c3d04b136ce7fdbce7f8a54883a7f6d26e67f33bc6129848176246adda8728
Instruction ID: da9e8525cf1010f3dda44029fa7408f4791a384921faf391b973be77be69072e
Opcode Fuzzy Hash: 30c3d04b136ce7fdbce7f8a54883a7f6d26e67f33bc6129848176246adda8728
Instruction Fuzzy Hash: A6E02637304722BBDA08565BAC1566AF6D6FFC8762B01403AE90AE60C0C671DC9252C9

Uniqueness

Uniqueness Score: 37.75%

Function 0040E44A, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ebeaeeb2c65aa2250cae267d32c5fdfe9c5c8f7ed4df502d73640f9b764ee2
Instruction ID: 7070d662cca89854d6d574aab151d8e4435d0bfe20581f05eb9486bc86bd2ecf
Opcode Fuzzy Hash: 32ebeaeeb2c65aa2250cae267d32c5fdfe9c5c8f7ed4df502d73640f9b764ee2
Instruction Fuzzy Hash: BE31C831704700ABDB25AAA79C4172A72D1AB8075CF140D3FE851AB3D1EB78ED25879E

Uniqueness

Uniqueness Score: 0.00%

Function 00446380, Relevance: 1.6, APIs: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: b8e0c879bd5c724a38cbaf6a0298da4e60a9c59ea5fb07d05eba5f0f479f7907
Instruction ID: 43a5a67330f3cf893601cd5d96a24b861ef009b221b9976fb680c318a0d3ae25
Opcode Fuzzy Hash: b8e0c879bd5c724a38cbaf6a0298da4e60a9c59ea5fb07d05eba5f0f479f7907
Instruction Fuzzy Hash: 5F21B0728006848EFF017FA589423597760AF4332AF160647F4644B1F3CBBC99008A6F

Uniqueness

Uniqueness Score: 0.00%

Function 004490A0, Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 004490FF

Part of subcall function 00442B40: __getptd_noexit.LIBCMT ref: 00442B40

Part of subcall function 00442B74: __getptd_noexit.LIBCMT ref: 00442B74

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 6f430ed9d869dd818a84008589be428a8df7642c1e615d92e38ebd6eab54d909
Instruction ID: 5c99317c251ab30e1e21b300a1054f25d69e06adebce8282fdbbdae5412e7eee
Opcode Fuzzy Hash: 6f430ed9d869dd818a84008589be428a8df7642c1e615d92e38ebd6eab54d909
Instruction Fuzzy Hash: C511D032800A819FFB01BF65884675A7760AF4233AF15064BF4201B2E2C7BC9D00A76E

Uniqueness

Uniqueness Score: 6.84%

Function 0040E166, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040E187

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 9908b66d25165cf7dee5869cf505fee7955ef3bf29ebde0d3ace7f0327b27b77
Instruction ID: f3d2a09e0c1d708c59f8b1b8d632568edf2ebbe734d55bbe74330fc40781f47e
Opcode Fuzzy Hash: 9908b66d25165cf7dee5869cf505fee7955ef3bf29ebde0d3ace7f0327b27b77
Instruction Fuzzy Hash: 8C01DF72600204AFDB05DF15CC81E56B36AFF89314F20047AFD11AB262D776ED20CBA4

Uniqueness

Uniqueness Score: 0.18%

Function 0040753C, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040754C

Part of subcall function 0043EA05: __FF_MSGBANNER.LIBCMT ref: 0043EA1C
Part of subcall function 0043EA05: __NMSG_WRITE.LIBCMT ref: 0043EA23
Part of subcall function 0043EA05: RtlAllocateHeap.NTDLL(002F0000,00000000,00000001), ref: 0043EA48

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 59ace83676deaf8ae9f8d3b11852e367053aa8d4cdc38c82212bd447351387e3
Instruction ID: 166153e1229066254b2c72415f02c68fda7f952a3ce69bf316473fb0af3f9a97
Opcode Fuzzy Hash: 59ace83676deaf8ae9f8d3b11852e367053aa8d4cdc38c82212bd447351387e3
Instruction Fuzzy Hash: 19D0C2B2A1661127CB089A29DC1019536949E45224305413EE91DD77C0D626DC0287C4

Uniqueness

Uniqueness Score: 0.36%

Function 00447710, Relevance: 1.5, APIs: 1, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00440D4D: __lock.LIBCMT ref: 00440D4F

__onexit_nolock.LIBCMT ref: 00447728

Part of subcall function 00447750: RtlDecodePointer.NTDLL ref: 00447763
Part of subcall function 00447750: RtlDecodePointer.NTDLL ref: 0044776E
Part of subcall function 00447750: __realloc_crt.LIBCMT ref: 004477AF
Part of subcall function 00447750: __realloc_crt.LIBCMT ref: 004477C3
Part of subcall function 00447750: RtlEncodePointer.NTDLL(00000000), ref: 004477D5
Part of subcall function 00447750: RtlEncodePointer.NTDLL(?), ref: 004477E3
Part of subcall function 00447750: RtlEncodePointer.NTDLL(00000000), ref: 004477EF

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: c77d1fcbe3abf195842cb2b30927d10eba5c5d599d3a0cc062d89d0b5e9101ff
Instruction ID: 2f26d7e420ce8e2b1d9f1725148c551d4cab0dc07d7b84f94fae0eae8af157b0
Opcode Fuzzy Hash: c77d1fcbe3abf195842cb2b30927d10eba5c5d599d3a0cc062d89d0b5e9101ff
Instruction Fuzzy Hash: 7CD05E76D00204E6FB51BBBA880374C76A06F80728F60424FF014A61D2CBBC5A429B8E

Uniqueness

Uniqueness Score: 0.02%

Function 004053F5, Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(658D0000,00405CCC), ref: 00405413

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 79396209d0e606064249b1dfd22f584d708d711e99d1142a20b84122f6da9ba7
Instruction ID: 3fa4118f876ba73b30e6859f9d35ee23579d7930474dbf3ffc05fee691e7d10c
Opcode Fuzzy Hash: 79396209d0e606064249b1dfd22f584d708d711e99d1142a20b84122f6da9ba7
Instruction Fuzzy Hash: 43D0E9706017018ADA509BA5ED887973398A754746B185435D404D72A2E6B8DCC1DA6E

Uniqueness

Uniqueness Score: 0.03%

Function 00440E8E, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 00440E98

Part of subcall function 00440D5F: __lock.LIBCMT ref: 00440D6D
Part of subcall function 00440D5F: RtlDecodePointer.NTDLL(00461B70), ref: 00440DAC
Part of subcall function 00440D5F: RtlDecodePointer.NTDLL ref: 00440DBD
Part of subcall function 00440D5F: RtlEncodePointer.NTDLL(00000000), ref: 00440DD6
Part of subcall function 00440D5F: RtlDecodePointer.NTDLL(-00000004), ref: 00440DE6
Part of subcall function 00440D5F: RtlEncodePointer.NTDLL(00000000), ref: 00440DEC
Part of subcall function 00440D5F: RtlDecodePointer.NTDLL ref: 00440E02
Part of subcall function 00440D5F: RtlDecodePointer.NTDLL ref: 00440E0D

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: 61b85877a92619bbd4e33a8b3c08217683325d07f34c7a63d4c82275bcda1e2a
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: 90B0127198030C33EA112582EC03F053B0C4740B54F100021FF0C1C1F2A5A3B57450CD

Uniqueness

Uniqueness Score: 0.23%

Function 004479E8, Relevance: 1.5, APIs: 1, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(Function_000479A1), ref: 004479ED

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 42812844f6c171ad48f3977a81d391d22dc983dc4dc7f1e626e690bd97260c11
Instruction ID: d996bea3c0167c2c0b64df2b3f46977e52767c3ed9542ea0d1a1c50dca518100
Opcode Fuzzy Hash: 42812844f6c171ad48f3977a81d391d22dc983dc4dc7f1e626e690bd97260c11
Instruction Fuzzy Hash: 91A002F459F740CBAB045F70BE4DA243AB0A79872B76012B6E44185266EBB54081AADF

Uniqueness

Uniqueness Score: 0.01%

Function 00441B92, Relevance: 1.5, APIs: 1, Instructions: 2COMMON

Download Yara Rule

APIs

___security_init_cookie.LIBCMT ref: 00441B92

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ___security_init_cookie
String ID:
API String ID: 3657697845-0
Opcode ID: 7807fdc9ee4f8d9b98bb1b4b2a83c0c975fbfbc5d4660e87755ed80148822623
Instruction ID: 90015fca355c4142a72ca6cf9ef9ba233b35445bbb7c3de05d2dc16a793b3cd3
Opcode Fuzzy Hash: 7807fdc9ee4f8d9b98bb1b4b2a83c0c975fbfbc5d4660e87755ed80148822623
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: 0.77%

Non-executed Functions

Function 0042D61C, Relevance: 66.2, Strings: 51, Instructions: 2446UNIQUE

Download Yara Rule

Strings

cid, xrefs: 0042E0EB, 0042E31B
-%T, xrefs: 0042D6AD
NONE, xrefs: 0042E928
case_sensitive_like, xrefs: 0042E97F
collation_list, xrefs: 0042E62D
normal, xrefs: 0042DA0A, 0042DAB9
index_list, xrefs: 0042E3CD
synchronous, xrefs: 0042E026, 0042E04D
table_info, xrefs: 0042E099
user_version, xrefs: 0042EAFB
on_update, xrefs: 0042E7BF
unsupported encoding: %s, xrefs: 0042EAD5
auto_vacuum, xrefs: 0042DCC1, 0042DD03
temp_store_directory, xrefs: 0042DF1E, 0042DF4D
integrity_check, xrefs: 0042E9B1, 0042EC21
Safety level may not be changed inside a transaction, xrefs: 0042E060
table, xrefs: 0042E783
dflt_value, xrefs: 0042E14B
quick_check, xrefs: 0042E9C6
seq, xrefs: 0042E43F, 0042E529, 0042E656, 0042E76F
*** in database %s ***, xrefs: 0042ED6B
rowid , xrefs: 0042EED9
max_page_count, xrefs: 0042D902, 0042D974
type, xrefs: 0042E11F
seqno, xrefs: 0042E306
journal_size_limit, xrefs: 0042DC48, 0042DCAE
missing from index , xrefs: 0042EEEA
locking_mode, xrefs: 0042D9F8, 0042DAD5
from, xrefs: 0042E797
index_info, xrefs: 0042E2AA
wrong # of entries in index , xrefs: 0042F017
page_size, xrefs: 0042D893, 0042D8BF
freelist_count, xrefs: 0042EB0B
encoding, xrefs: 0042E9DB, 0042EA0B
temp_store, xrefs: 0042DEE7, 0042DF05
database_list, xrefs: 0042E4F4
incremental_vacuum, xrefs: 0042DDB4
page_count, xrefs: 0042D981, 0042D9DE
foreign_key_list, xrefs: 0042E6E5
name, xrefs: 0042E109, 0042E32F, 0042E454, 0042E53E, 0042E66B
notnull, xrefs: 0042E135
on_delete, xrefs: 0042E7D3
default_cache_size, xrefs: 0042D703
cache_size, xrefs: 0042D73D, 0042DE83, 0042DEAF
unique, xrefs: 0042E468
schema_version, xrefs: 0042EAEB
match, xrefs: 0042E7E7
journal_mode, xrefs: 0042DB24, 0042DBF1
not a writable directory, xrefs: 0042DFB9
exclusive, xrefs: 0042DA13, 0042DABE
file, xrefs: 0042E552

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: missing from index $*** in database %s ***$-%T$NONE$Safety level may not be changed inside a transaction$auto_vacuum$cache_size$case_sensitive_like$cid$collation_list$database_list$default_cache_size$dflt_value$encoding$exclusive$file$foreign_key_list$freelist_count$from$incremental_vacuum$index_info$index_list$integrity_check$journal_mode$journal_size_limit$locking_mode$match$max_page_count$name$normal$not a writable directory$notnull$on_delete$on_update$page_count$page_size$quick_check$rowid $schema_version$seq$seqno$synchronous$table$table_info$temp_store$temp_store_directory$type$unique$unsupported encoding: %s$user_version$wrong # of entries in index
API String ID: 0-323641776
Opcode ID: 58271de9a1989dac655a8276db525814fa10e13f5afba50255a51191059babe7
Instruction ID: c09b388076a19a1e0da802c6d7521f71440fa41b7f5b83358a84040147d543a7
Opcode Fuzzy Hash: 58271de9a1989dac655a8276db525814fa10e13f5afba50255a51191059babe7
Instruction Fuzzy Hash: CE03C831F00214ABDB14EB66DD42BAE77A2AF84714F15803FF905AB3C2EA78DD418759

Uniqueness

Uniqueness Score: 100.00%

Function 004023A8, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 162encryptionUNIQUE

Download Yara Rule

APIs

CredEnumerateA.ADVAPI32(00000000,00000000,?,?), ref: 00402400
CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 00402485
___from_strstr_to_strchr.LIBCMT ref: 004024A1
_strstr.LIBCMT ref: 004024BF
swprintf.LIBCMT ref: 004024F2
swprintf.LIBCMT ref: 0040250D
___from_strstr_to_strchr.LIBCMT ref: 0040251B
GetLastError.KERNEL32 ref: 00402593
AuditFree.ADVAPI32(?), ref: 004025AC
GetLastError.KERNEL32 ref: 004025B4

Strings

J, xrefs: 004023F6
http://%s, xrefs: 004024E5
https://%s, xrefs: 004024DA
:443, xrefs: 004024B4
Microsoft_WinInet_, xrefs: 00402436

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLast___from_strstr_to_strchrswprintf$AuditCredCryptDataEnumerateFreeUnprotect_strstr
String ID: :443$J$Microsoft_WinInet_$http://%s$https://%s
API String ID: 4108919291-3660155129
Opcode ID: f52ec16731683933d6720cd65942bd6af1e71c8197f558edc1d6c318c894bb48
Instruction ID: 216f5718e81ab50cfbcef51ac4c62f28be2b762c44ac00821a8d5ac9a0e0124e
Opcode Fuzzy Hash: f52ec16731683933d6720cd65942bd6af1e71c8197f558edc1d6c318c894bb48
Instruction Fuzzy Hash: 58519071900258EBDB20DB95CD45EDA73BCAB08304F5400AAF548E7292DB74EEC5CF28

Uniqueness

Uniqueness Score: 100.00%

Function 004080C8, Relevance: 23.5, APIs: 5, Strings: 8, Instructions: 765UNIQUE

Download Yara Rule

Strings

Inf, xrefs: 0040879A
d, xrefs: 00408134
-Inf, xrefs: 0040878E
0123456789ABCDEF0123456789abcdef, xrefs: 004084CC
-x0, xrefs: 00408556
+Inf, xrefs: 00408795
NaN, xrefs: 0040869C
+, xrefs: 00408634

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: +$+Inf$-Inf$-x0$0123456789ABCDEF0123456789abcdef$Inf$NaN$d
API String ID: 0-415213533
Opcode ID: 096323e5eae6d96faf6abef743b50f5eec50cff56d3b89a2615a42c137803a4d
Instruction ID: e7187d520ebc50dac35f798e2e7e764f0a81b0265649f9154479cab55ccbc3b3
Opcode Fuzzy Hash: 096323e5eae6d96faf6abef743b50f5eec50cff56d3b89a2615a42c137803a4d
Instruction Fuzzy Hash: E252D23190C7918ED725CF29865022BBBE1AFD6344F18496FE8C5B7392DB38C946C74A

Uniqueness

Uniqueness Score: 100.00%

Function 00401CEA, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 182registryencryptionUNIQUE

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00401D58
RegCloseKey.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00401D64
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,00000001,?,00000000,?,00000000,?), ref: 00401DA4
RegCloseKey.ADVAPI32(?,?,00000000,?,00000000,00000001,?,00000000,?,00000000,?), ref: 00401DAE
CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000000,?), ref: 00401E2D
swprintf.LIBCMT ref: 00401E9F
swprintf.LIBCMT ref: 00401EB6

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 00401D05

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseQueryValueswprintf$CryptDataUnprotect
String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 784427415-680441574
Opcode ID: a8b70ad00bcd2c34fc0f3c59ee7ba357d2e70291f2cff45d33a335eedaa3632e
Instruction ID: bd1dd0ddbf1b60b248f488494012cfc9b4ba8420bb3a3c7113e21bd07c7a0e16
Opcode Fuzzy Hash: a8b70ad00bcd2c34fc0f3c59ee7ba357d2e70291f2cff45d33a335eedaa3632e
Instruction Fuzzy Hash: FD6173719002189FEB24DB64DC84FEE77B8EB48314F1442EAE609A7291DF35AE85CF54

Uniqueness

Uniqueness Score: 100.00%

Function 00401329, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 122encryptionUNIQUE

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0040136B
GetLastError.KERNEL32 ref: 00401375
CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?), ref: 00401398
GetLastError.KERNEL32 ref: 004013A2
CryptReleaseContext.ADVAPI32(?,00000000,?,00000000,00000000), ref: 00401497

Strings

%s%2.2X, xrefs: 0040141E, 00401454

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Crypt$ContextErrorLast$AcquireCreateHashRelease
String ID: %s%2.2X
API String ID: 4104741015-1682948137
Opcode ID: 6850ef86fb4076c0b7dc8c4acebd046bee77553286abbc5ec8fdca19b540f2c1
Instruction ID: e640cd6cd8cac83edaeb27620b346a54ece7981c423c4c8694d6f0465735f5d9
Opcode Fuzzy Hash: 6850ef86fb4076c0b7dc8c4acebd046bee77553286abbc5ec8fdca19b540f2c1
Instruction Fuzzy Hash: 044168B1600218AFEB209B65DC45FFB77BCEB48705F5040BABB05E6191E6348E858B68

Uniqueness

Uniqueness Score: 100.00%

Function 0041EC16, Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 390UNIQUE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041EC69

Strings

cannot open value of type %s, xrefs: 0041EF34
no such column: "%s", xrefs: 0041EFF9
cannot open indexed column for writing, xrefs: 0041EEDA
integer, xrefs: 0041EF1C
real, xrefs: 0041EF21
cannot open virtual table: %s, xrefs: 0041ECA0
cannot open view: %s, xrefs: 0041ECC4
no such rowid: %lld, xrefs: 0041EFD9
null, xrefs: 0041EF2B, 0041EF33

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _memset
String ID: cannot open indexed column for writing$cannot open value of type %s$cannot open view: %s$cannot open virtual table: %s$integer$no such column: "%s"$no such rowid: %lld$null$real
API String ID: 2102423945-3895736865
Opcode ID: f19eb400f3c41d13b4b4adb641b36c7561a1bd7158cf6593a71066a539921850
Instruction ID: 1c39d258b606269677df8366a9a9b37e657cd3d020fb47e65ab0c728d684064c
Opcode Fuzzy Hash: f19eb400f3c41d13b4b4adb641b36c7561a1bd7158cf6593a71066a539921850
Instruction Fuzzy Hash: 58D1D275A043009FDB14DF26C981A6B77E1BF88314F14456EFC469B382D738EC859B9A

Uniqueness

Uniqueness Score: 100.00%

Function 004392D4, Relevance: 14.8, Strings: 11, Instructions: 1003UNIQUE

Download Yara Rule

Strings

m, xrefs: 00439845
{, xrefs: 00439837
), xrefs: 00439861
7, xrefs: 0043984C
{7Fm, xrefs: 00439695
1, xrefs: 0043976C
6, xrefs: 00439830
?, xrefs: 0043985A
z, xrefs: 00439829
F, xrefs: 0043983E
@, xrefs: 00439358

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: )$1$6$7$?$@$F$m$z${${7Fm
API String ID: 0-3350488062
Opcode ID: ab22884605708cacbf87638a16f2b24ad69a0498c3ce37b007d2e7a4d264f689
Instruction ID: abc2ea1c28d9af5ec1e8d3d20012650d70f5329abdd167f77e90dae66f534301
Opcode Fuzzy Hash: ab22884605708cacbf87638a16f2b24ad69a0498c3ce37b007d2e7a4d264f689
Instruction Fuzzy Hash: 2B921B71E002189FDB24DF95C881BAEBBB2BF88314F14815EE859AB391D774AD81CF44

Uniqueness

Uniqueness Score: 100.00%

Function 00403678, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 96encryptionUNIQUE

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 004037F6
GetLastError.KERNEL32 ref: 00403800

Strings

com., xrefs: 0040378B
I, xrefs: 004036FD
e.Sa, xrefs: 00403799
appl, xrefs: 00403792
fari, xrefs: 004037A0
H}>, xrefs: 004036AE

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CryptDataErrorLastUnprotect
String ID: H}>$I$appl$com.$e.Sa$fari
API String ID: 2338517654-3462864509
Opcode ID: 94a7040397679afb0da2cfae656555b9312754760937709b9bff47d08068d2f1
Instruction ID: 112c83f1d6b321e5d779c1ba887b5631f319be0a502ba95ed125041437fd58d1
Opcode Fuzzy Hash: 94a7040397679afb0da2cfae656555b9312754760937709b9bff47d08068d2f1
Instruction Fuzzy Hash: 0A4124B1C043189FDB21DFA6D9946DEBBB8FF04308F20419EE059AB206D7344A858FA5

Uniqueness

Uniqueness Score: 100.00%

Function 004014AE, Relevance: 13.6, APIs: 9, Instructions: 78encryptionUNIQUE

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 004014E0
GetLastError.KERNEL32 ref: 004014EA
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00401502
GetLastError.KERNEL32 ref: 0040150C
CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000000), ref: 0040156B

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Crypt$ContextErrorLast$AcquireCreateHashRelease
String ID:
API String ID: 4104741015-0
Opcode ID: cb05d4a9a8b8c3cfb9550d350d9a92a4cfd5376c2814b7609c45730aaef85564
Instruction ID: 13da4c9eb335e9b0161705412a548af386c45a7e3d318d12b2a33f42dfa186b3
Opcode Fuzzy Hash: cb05d4a9a8b8c3cfb9550d350d9a92a4cfd5376c2814b7609c45730aaef85564
Instruction Fuzzy Hash: 8B21EB71A00209AFDF109FA5EC49FAF7BB8EB48705F104036F602FA1E1D77499459B69

Uniqueness

Uniqueness Score: 100.00%

Function 0040AB07, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 138windowUNIQUE

Download Yara Rule

APIs

GetTempPathW.KERNEL32(000000E6,?), ref: 0040AB5A
GetTempPathA.KERNEL32(000000E6,?), ref: 0040AB8B
_free.LIBCMT ref: 0040ABB2
GetLastError.KERNEL32(00000000,000000E6), ref: 0040AC49
FormatMessageA.KERNEL32(00001000,00000000,00000000,00000000,?,?,00000000), ref: 0040AC5F

Strings

%s\etilqs_, xrefs: 0040ABE9
OsError 0x%x (%u), xrefs: 0040AC6B

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PathTemp$ErrorFormatLastMessage_free
String ID: %s\etilqs_$OsError 0x%x (%u)
API String ID: 257238391-953182593
Opcode ID: 16943fa6115931c8d725ff94af29ed07b3479ecbca6071eab1db20e76ea755a9
Instruction ID: 048ffe273a1deeaf6115c4458aa2f8582d6da36ed0614943e47704e738e1a82c
Opcode Fuzzy Hash: 16943fa6115931c8d725ff94af29ed07b3479ecbca6071eab1db20e76ea755a9
Instruction Fuzzy Hash: E9417A315003486BE7119766CC46FFF36ACDB54748F1004BFFA05E61C2EE789E85866A

Uniqueness

Uniqueness Score: 100.00%

Function 0042B386, Relevance: 7.4, Strings: 5, Instructions: 1199UNIQUE

Download Yara Rule

Strings

table %S has no column named %s, xrefs: 0042B9D6
%d values for %d columns, xrefs: 0042B8F4
table %S has %d columns but %d values were supplied, xrefs: 0042B800
rows inserted, xrefs: 0042C121
PQC, xrefs: 0042BFEC, 0042BF5B, 0042BC56, 0042B4FC

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: %d values for %d columns$PQC$rows inserted$table %S has %d columns but %d values were supplied$table %S has no column named %s
API String ID: 0-3933732821
Opcode ID: bfa28d55098c353a8d688e384a322c76cf40cc56afa9e66ae6ce6e320f876ab4
Instruction ID: 80051d1740749a808c0c5e75704f5f90acfb60860884c3a17a1ce1490c759cc0
Opcode Fuzzy Hash: bfa28d55098c353a8d688e384a322c76cf40cc56afa9e66ae6ce6e320f876ab4
Instruction Fuzzy Hash: D9928D707043019BDB24DE25D881B6BBBE2EFC4314F54892EF9899B391D779D841CB8A

Uniqueness

Uniqueness Score: 100.00%

Function 00431223, Relevance: 6.8, Strings: 5, Instructions: 578UNIQUE

Download Yara Rule

Strings

X7C, xrefs: 00431817
LIMIT clause should come after %s not before, xrefs: 00431294
X7C, xrefs: 0043123E
ORDER BY clause should come after %s not before, xrefs: 0043126E
SELECTs to the left and right of %s do not have the same number of result columns, xrefs: 004312E2

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _memset
String ID: LIMIT clause should come after %s not before$ORDER BY clause should come after %s not before$SELECTs to the left and right of %s do not have the same number of result columns$X7C$X7C
API String ID: 2102423945-551544611
Opcode ID: 0b380d768b6e293677172490d8d6e983447e731701675c14bed95a8c4dcff366
Instruction ID: 06507366ad9bb645f16cef60264797060e35baf9a56a7de25e8e74fb357399c2
Opcode Fuzzy Hash: 0b380d768b6e293677172490d8d6e983447e731701675c14bed95a8c4dcff366
Instruction Fuzzy Hash: 39225271E002149FCF14DFA5D891AAEBBB5AF8C314F24916EE805AB355DB38EC42CB54

Uniqueness

Uniqueness Score: 100.00%

Function 0040B148, Relevance: 6.1, APIs: 4, Instructions: 60timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 0040B16F
GetCurrentProcessId.KERNEL32 ref: 0040B18B
GetTickCount.KERNEL32 ref: 0040B1A0
QueryPerformanceCounter.KERNEL32(?), ref: 0040B1B7

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CountCounterCurrentPerformanceProcessQuerySystemTickTime
String ID:
API String ID: 4122616988-0
Opcode ID: 4d717b62ccedae848c66fecf42440c0f91cf3a6b7ae322fe5b531e543040420f
Instruction ID: 5573ff8d0779eb9e970b08bbd5f5d3e778c41fe2405c7178ce7c20baa5cee598
Opcode Fuzzy Hash: 4d717b62ccedae848c66fecf42440c0f91cf3a6b7ae322fe5b531e543040420f
Instruction Fuzzy Hash: 7B11A776A0061ADBCB00CFA8DD8849EFBB5FF49755B50003AE906E7281C775F94187E8

Uniqueness

Uniqueness Score: 1.34%

Function 00435460, Relevance: 3.6, Strings: 2, Instructions: 1057COMMON

Download Yara Rule

Strings

no such column: %s, xrefs: 00435741
rows updated, xrefs: 00435F95

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: no such column: %s$rows updated
API String ID: 0-885832449
Opcode ID: e203a31a506f2057730e560754275b65403bd6c4c760271b5fa5c7d26cfb4e65
Instruction ID: b4ce00cad43e15cd2f025ff4e09c4d130f6588f425d016b15a420459969a495b
Opcode Fuzzy Hash: e203a31a506f2057730e560754275b65403bd6c4c760271b5fa5c7d26cfb4e65
Instruction Fuzzy Hash: CC825D75F00608AFDF24DF55D881BAEBBB2EF88314F24802EE805AB391D7799951DB44

Uniqueness

Uniqueness Score: 8.94%

Function 00402884, Relevance: 3.0, APIs: 2, Instructions: 37encryptionUNIQUE

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004028A6
GetLastError.KERNEL32 ref: 004028B0

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CryptDataErrorLastUnprotect
String ID:
API String ID: 2338517654-0
Opcode ID: 04b8d0630e7645b7ef90869d6005f6aa84b7ccc7cac2b962110de36102875b66
Instruction ID: b635409500d68d1f47125f04b53cfe1906871641c4550d985b56995902c84602
Opcode Fuzzy Hash: 04b8d0630e7645b7ef90869d6005f6aa84b7ccc7cac2b962110de36102875b66
Instruction Fuzzy Hash: E5F08276900219FBCB01ABEDAC448EFBFBCEE88215B14447AE501E3142E274954487A5

Uniqueness

Uniqueness Score: 100.00%

Function 0044706C, Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00447071
UnhandledExceptionFilter.KERNEL32(004401E0), ref: 0044707A

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 23ac448b40df33725da15c11452ecc075401f9ec2ed433e575d6cbcb18c878f7
Instruction ID: 431b5b6d55591f59a67da81c5ddb3cf07809f4b4185e530316c8010aac57b188
Opcode Fuzzy Hash: 23ac448b40df33725da15c11452ecc075401f9ec2ed433e575d6cbcb18c878f7
Instruction Fuzzy Hash: 6CB09231044708ABCA802BD1EC0DB883FA8EB95A6BF044024F60D480629B6294D08A99

Uniqueness

Uniqueness Score: 0.02%

Function 00404F44, Relevance: 2.7, Strings: 2, Instructions: 187UNIQUE

Download Yara Rule

Strings

u2@, xrefs: 00405134
UUUU, xrefs: 00404FD0

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: UUUU$u2@
API String ID: 0-1132444183
Opcode ID: 9a34f9b9761bd84daece0e3a20f84ddd8ded304b861b43637c9569a22b7614fc
Instruction ID: 14790c8c6396b702bbad005063c0d6e3ac1ee14afceafae076eb958ebc85837e
Opcode Fuzzy Hash: 9a34f9b9761bd84daece0e3a20f84ddd8ded304b861b43637c9569a22b7614fc
Instruction Fuzzy Hash: 0F51D523F109610BE75CCABD8C5636D6AD2D7C8301B49823DE962D33C2D8BCDA16D794

Uniqueness

Uniqueness Score: 100.00%

Function 00432513, Relevance: 2.0, APIs: 1, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013a97ef4ca6fd37885ddaecd38749e153caa4932e06c0ca3050e05fd65b0ee3
Instruction ID: 220339bd0c54e9a8b81c7b04430dd88d7c9ab7668bf576977675982e13af3a04
Opcode Fuzzy Hash: 013a97ef4ca6fd37885ddaecd38749e153caa4932e06c0ca3050e05fd65b0ee3
Instruction Fuzzy Hash: 45126D71A083019FDB14CF28C580A2BB7E1BF9C314F14A96EE8899B356D778DD41CB96

Uniqueness

Uniqueness Score: 0.00%

Function 0041ADF6, Relevance: 1.6, Strings: 1, Instructions: 400UNIQUE

Download Yara Rule

Strings

string or blob too big, xrefs: 0041E9A3

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: c18cf89abaa838a81220c64af99c856be56ad49fb16a17007ff9ba817d069cba
Instruction ID: 864758d9b87c1f80d4271ac03387e4c77c4c371fb259379b19c5813abbf02dd7
Opcode Fuzzy Hash: c18cf89abaa838a81220c64af99c856be56ad49fb16a17007ff9ba817d069cba
Instruction Fuzzy Hash: EB02E775E04219DFDB24DF65C890BADB7B2BB88304F2481AED449A7342DB34AD86CF45

Uniqueness

Uniqueness Score: 100.00%

Function 00443C67, Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000001,00000000), ref: 00443C67

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: cad097290e12b1b4f6b4af668c122442a5fbade9ec49fa03d932c48df6e6b355
Instruction ID: 9c87fba3d9f4e25d9d5505986f67a57b972fe4df9d792ea3022934618778e6ea
Opcode Fuzzy Hash: cad097290e12b1b4f6b4af668c122442a5fbade9ec49fa03d932c48df6e6b355
Instruction Fuzzy Hash: 7AB012F03016034B870C4B39AC1810939D46748316301403DF003C6660EF20C4D09F04

Uniqueness

Uniqueness Score: 0.04%

Function 004388E7, Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba8c0a27a624732005806bacda7eca9c24c1c90c62841d3e8b34e9a80acb7ffd
Instruction ID: 1bde675d7cb36a4dfc236672df8b399ac4285bb6791fc2477a4d09314199fdd8
Opcode Fuzzy Hash: ba8c0a27a624732005806bacda7eca9c24c1c90c62841d3e8b34e9a80acb7ffd
Instruction Fuzzy Hash: 0922CE71D00B09DFDB12CF64C8916AAF7B6EF59380F14A31AF8167B251EB34A842CB54

Uniqueness

Uniqueness Score: 0.00%

Function 00409101, Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45bc4f280c4f43f9b34f3b7e14573a1adb0df6110127e6b4d982452ea7f777ad
Instruction ID: 0303ccd593202b298946c15832e9dad50c71af7ea2cd5666f6de60dd6283fd17
Opcode Fuzzy Hash: 45bc4f280c4f43f9b34f3b7e14573a1adb0df6110127e6b4d982452ea7f777ad
Instruction Fuzzy Hash: B4C15B739192828ADB154D3884412AA7B63DBB6300F1889BFC4E69B7C7D13CDE47C755

Uniqueness

Uniqueness Score: 0.00%

Function 0044AF89, Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 947c8c80846cd5ef9b79afa1489b92ae01a8c007dd4fd7a42249d79b9a971375
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: F7C1643224519309FF2E463A847503FFAA19AA27B131A075FD9B3CB2D4EF18D534D668

Uniqueness

Uniqueness Score: 0.00%

Function 0044B3BE, Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 82206f98a64442fab1d9e6d250ead7e3fc54b3ffe1589196ab6bcb09d267fd00
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 8AC1753220519309FF2E4639C47503FFAA19AA27B131A075FD5B2CB2D5EF28D534D668

Uniqueness

Uniqueness Score: 0.00%

Function 0044AB54, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 0a87ff71265b5533d886972f838e712b874229f1e94b48d7fc1039efa0819dc6
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 9AC1C8722851930AFF2E4639C47503FFAA29A927B131A076FD5B3CB2C4EE18D534D619

Uniqueness

Uniqueness Score: 0.00%

Function 0044A73C, Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 964a182c8b463d7b8dc4f94027c52cbbbd804eb579ffd4cb39d8dad8079028e9
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 85C1823224519309FF2E4639843503FFBA19AA2BB131A175FD5B3CB2C4EE28D534D629

Uniqueness

Uniqueness Score: 0.00%

Function 0042170A, Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f0dcef36a83bfe4b1d2abcd5f71e0b761cc08f6b5e0902d1dc2980e3d3d9ad
Instruction ID: c45748679917e11f656f14e3c0ff5ed0403404945de07b0f7a2762cd0b474aaa
Opcode Fuzzy Hash: 21f0dcef36a83bfe4b1d2abcd5f71e0b761cc08f6b5e0902d1dc2980e3d3d9ad
Instruction Fuzzy Hash: 25A18F75F002149FCF18DFA9D491AAEBBB1EF88314F6440AAE905AB352D634DD81CB94

Uniqueness

Uniqueness Score: 0.00%

Function 0041C8D5, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a1f4fc1f7770ecf54f30701b9110e107b6e7f01cace5a40b767f9815dabab6
Instruction ID: fde7858b9745702015d4641007b9973432358b79b4ace49d13ee0d11f70987c6
Opcode Fuzzy Hash: f9a1f4fc1f7770ecf54f30701b9110e107b6e7f01cace5a40b767f9815dabab6
Instruction Fuzzy Hash: DEA13C75E44328CFDB28CB15CC80BAAB3B2AF95314F1581DAD949A7391D734AEC18F46

Uniqueness

Uniqueness Score: 0.00%

Function 00404CCC, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da0a6755cc4fb0cde715dc2969c72d1d33f0a0ed93c740cf1cb9ca20dda6d82
Instruction ID: e9166c92d23ea881a7f391818d3d0e8853d1512bb3726e96ce969474da023ca4
Opcode Fuzzy Hash: 8da0a6755cc4fb0cde715dc2969c72d1d33f0a0ed93c740cf1cb9ca20dda6d82
Instruction Fuzzy Hash: CD81AC319091959FDB19CF6D88904ADFFF1EE99240758819EE895EB383C638D606CBF0

Uniqueness

Uniqueness Score: 0.00%

Function 0040494F, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8372c4356d596b28eeceba545d7fe4d27a2ae28253c89b92fb3154f3acc86d5
Instruction ID: 6085f1343506ba1194b1e2bbbe16cbd3898391059da68f07d5652f4e731f9ace
Opcode Fuzzy Hash: c8372c4356d596b28eeceba545d7fe4d27a2ae28253c89b92fb3154f3acc86d5
Instruction Fuzzy Hash: 82615477A20614CBC708DF19FC52596B761FB5D301B4A822EE502DB392DA39EE13DB84

Uniqueness

Uniqueness Score: 0.00%

Function 00404BBF, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c10a98b26791f37a2dcd5c5a604c30aa1fabb3f6e17e78f1eb4068557c228d
Instruction ID: e0499c6cb47041c6478430642dc5da84ff6b4007533e07d4534a5b8869239d75
Opcode Fuzzy Hash: 32c10a98b26791f37a2dcd5c5a604c30aa1fabb3f6e17e78f1eb4068557c228d
Instruction Fuzzy Hash: 1F316D7372042507E398E53D8C0676BA2C3DBC86A0719C63AE696D73C2ED68ED1282C4

Uniqueness

Uniqueness Score: 0.00%

Function 0043F640, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 3943e006dad30c2b35a75684744f4ed9506d338c73f28b1d61306e06602dfd69
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: DA112E77A0004143D6148A3DC5BA5B79395EBDD321F2D637FE0424BB78D22B995F9508

Uniqueness

Uniqueness Score: 0.00%

Function 0040173D, Relevance: 68.7, APIs: 30, Strings: 9, Instructions: 476stringlibraryUNIQUE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(pstorec.dll), ref: 0040177F
GetLastError.KERNEL32(?,?,?,?,0045317F,000000FF), ref: 0040178B
74ECFFF6.KERNEL32(00000000,PStoreCreateInstance,?,?,?,?,0045317F,000000FF), ref: 004017C5
GetLastError.KERNEL32(?,?,?,?,0045317F,000000FF), ref: 004017D1
FreeLibrary.KERNEL32(00000000,?,?,?,?,0045317F,000000FF), ref: 004017D8
_com_issue_errorex.COMSUPP ref: 00401842
FreeLibrary.KERNEL32(?,00000000,00000400,004596A8), ref: 00401848
swprintf.LIBCMT ref: 0040189F
_com_issue_errorex.COMSUPP ref: 004018E0
_com_issue_errorex.COMSUPP ref: 0040196E
_memset.LIBCMT ref: 004019B9
_memset.LIBCMT ref: 004019C7
_memset.LIBCMT ref: 004019D5
_memset.LIBCMT ref: 004019E3
swprintf.LIBCMT ref: 004019FB
_com_issue_errorex.COMSUPP ref: 00401A77

Part of subcall function 0044E8C0: GetErrorInfo.OLEAUT32(00000000,004596A8,?,00401847,00000000,00000400,004596A8), ref: 0044E905

lstrlen.KERNEL32(?), ref: 00401A87
swprintf.LIBCMT ref: 00401AF1
lstrcmp.KERNEL32(?,5e7e8100), ref: 00401B05
_strstr.LIBCMT ref: 00401B21
lstrcmp.KERNEL32(?,e161255a), ref: 00401B82
_strstr.LIBCMT ref: 00401B9C
_strstr.LIBCMT ref: 00401BB8
_strstr.LIBCMT ref: 00401BCB
lstrcpyn.KERNEL32(?,?,00000008), ref: 00401BE1
_strstr.LIBCMT ref: 00401BF0
_strstr.LIBCMT ref: 00401C04
___from_strstr_to_strchr.LIBCMT ref: 00401C20
___from_strstr_to_strchr.LIBCMT ref: 00401C4D
___from_strstr_to_strchr.LIBCMT ref: 00401C92

Strings

e161255a, xrefs: 00401B76
:String, xrefs: 00401BAB, 00401BB6
5e7e8100, xrefs: 00401AF9
pstorec.dll, xrefs: 00401777
http:/, xrefs: 00401BEA
https:/, xrefs: 00401BFE
StringIndex, xrefs: 00401B96
PStoreCreateInstance, xrefs: 004017BF
%ws, xrefs: 004019F4

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _strstr$_com_issue_errorex_memset$ErrorLibrary___from_strstr_to_strchrswprintf$FreeLastlstrcmp$InfoLoadlstrcpynlstrlen
String ID: %ws$5e7e8100$:String$PStoreCreateInstance$StringIndex$e161255a$http:/$https:/$pstorec.dll
API String ID: 2006584277-1781466581
Opcode ID: c9291dc0df9edbff115d6eba607c207e8f2f94f17579559f2a12fb11536a3f8b
Instruction ID: ebdffb0fa715aad9c91bb8fedda387324a36028152473a51467efa50d7050c54
Opcode Fuzzy Hash: c9291dc0df9edbff115d6eba607c207e8f2f94f17579559f2a12fb11536a3f8b
Instruction Fuzzy Hash: B1F1B372900619ABDB20EBA5CC45EEB77BCBF44705F1444AEF505E7181EE38EE448B68

Uniqueness

Uniqueness Score: 100.00%

Function 00406651, Relevance: 54.7, APIs: 19, Strings: 12, Instructions: 465UNIQUE

Download Yara Rule

APIs

_memset.LIBCMT ref: 004066EC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00406726
_memcmp.LIBCMT ref: 004067CA
_memcmp.LIBCMT ref: 0040680A
_memcmp.LIBCMT ref: 0040683A
_memcmp.LIBCMT ref: 004068C3
_memcmp.LIBCMT ref: 004068F3
_memcmp.LIBCMT ref: 00406930
_memcmp.LIBCMT ref: 004069EA
_strncmp.LIBCMT ref: 00406A41
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00406ACD
__allrem.LIBCMT ref: 00406AD8
_memcmp.LIBCMT ref: 00406B1E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00406B46
_memcmp.LIBCMT ref: 00406B65
_strncmp.LIBCMT ref: 00406BB5
_memcmp.LIBCMT ref: 00406BF0
_memcmp.LIBCMT ref: 00406C10
_memcmp.LIBCMT ref: 00406C3B

Strings

hour, xrefs: 00406804
-, xrefs: 0040673D
localtime, xrefs: 004069E4
unixepoch, xrefs: 00406B18
utc, xrefs: 00406B5F
month, xrefs: 0040692A, 00406BDF
start of , xrefs: 00406BAF
weekday , xrefs: 00406A3B
year, xrefs: 00406834, 00406C0A
minute, xrefs: 004068BD
day, xrefs: 004067C4, 00406C35
second, xrefs: 004068ED

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _memcmp$Unothrow_t@std@@@__ehfuncinfo$??2@$_strncmp$__allrem_memset
String ID: -$day$hour$localtime$minute$month$second$start of $unixepoch$utc$weekday $year
API String ID: 152601959-3507268942
Opcode ID: f3b4cdd88590e9127c702cc987a97a04c5244d473823942857760fdba5ed30d2
Instruction ID: 1ee899da5132e623605963c04245b994d3b192b5fad381cfb57372e20079d785
Opcode Fuzzy Hash: f3b4cdd88590e9127c702cc987a97a04c5244d473823942857760fdba5ed30d2
Instruction Fuzzy Hash: 15F133B1E046089AEB15EF70CC517AE77B4AF05348F16427BEC07BB2C6EB7888558749

Uniqueness

Uniqueness Score: 100.00%

Function 00401619, Relevance: 49.1, APIs: 13, Strings: 15, Instructions: 54UNIQUE

Download Yara Rule

APIs

Part of subcall function 004015C5: GetStdHandle.KERNEL32(000000F5), ref: 004015D7
Part of subcall function 004015C5: GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 004015E2

Part of subcall function 00401601: GetStdHandle.KERNEL32(000000F5,00000000,004015AD,00468230,00001000,?,?), ref: 00401606
Part of subcall function 00401601: SetConsoleTextAttribute.KERNEL32(00000000,00000004), ref: 00401611

_wprintf.LIBCMT ref: 00401630
_wprintf.LIBCMT ref: 00401646

Part of subcall function 0043FC61: __stbuf.LIBCMT ref: 0043FCAD
Part of subcall function 0043FC61: __ftbuf.LIBCMT ref: 0043FCDB

_wprintf.LIBCMT ref: 00401655
_wprintf.LIBCMT ref: 00401663
_wprintf.LIBCMT ref: 0040167B
_wprintf.LIBCMT ref: 00401685
_wprintf.LIBCMT ref: 0040168F
_wprintf.LIBCMT ref: 0040169A
_wprintf.LIBCMT ref: 004016A4
_wprintf.LIBCMT ref: 004016AF
_wprintf.LIBCMT ref: 004016B9
_wprintf.LIBCMT ref: 004016C7
_wprintf.LIBCMT ref: 004016D1

Strings

//Show this help screen, xrefs: 004016B4
****************************************************************, xrefs: 0040162A, 0040162F, 00401662
%s.exe -h, xrefs: 004016C2
%s.exe -f "c:\passlist.txt", xrefs: 004016AA
Examples:, xrefs: 00401680
%s.exe, xrefs: 00401695
//Dump login passwords from all the Browsers to a file 'c:\passlist.txt', xrefs: 0040169F
Usage: %s.exe [-h | -f <output_file_name>], xrefs: 00401676
%s, xrefs: 00401650
http://securityxploded.com/browser-password-dump.php, xrefs: 0040164B
BrowserPasswordDump, xrefs: 00401670, 00401675, 00401694, 004016A9, 004016C1
3.6, xrefs: 00401635
Browser Password Dump, xrefs: 0040163C
//Dump login passwords from all the Browsers to console, xrefs: 0040168A
%s v%s by SecurityXploded, xrefs: 00401641

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wprintf$ConsoleHandle$AttributeBufferInfoScreenText__ftbuf__stbuf
String ID: %s.exe$ %s.exe -f "c:\passlist.txt"$ %s.exe -h$ //Dump login passwords from all the Browsers to console$ //Dump login passwords from all the Browsers to a file 'c:\passlist.txt'$ //Show this help screen$ Examples:$ Usage: %s.exe [-h | -f <output_file_name>]$ %s$ %s v%s by SecurityXploded$****************************************************************$3.6$Browser Password Dump$BrowserPasswordDump$http://securityxploded.com/browser-password-dump.php
API String ID: 3262292661-2879426120
Opcode ID: b8967ce6b5c21fd085886abd8ed04e0add64bf56fa950f7457a9ab34d94c2a93
Instruction ID: fe1aa10abee3bf08f288e37f315ef5a5e4f4d2e05d157f2ccf7ad07784bd116c
Opcode Fuzzy Hash: b8967ce6b5c21fd085886abd8ed04e0add64bf56fa950f7457a9ab34d94c2a93
Instruction Fuzzy Hash: 0E01D291FC820866E81132A71DCBF1E14186ACAF5BF28343FBCC5351C39DAEA40D616E

Uniqueness

Uniqueness Score: 100.00%

Function 00403835, Relevance: 47.6, APIs: 16, Strings: 11, Instructions: 310UNIQUE

Download Yara Rule

APIs

__wfopen_s.LIBCMT ref: 00403862
_fgets.LIBCMT ref: 00403893
_strstr.LIBCMT ref: 004038FA
_strstr.LIBCMT ref: 0040396F
_strstr.LIBCMT ref: 004039CE
_strstr.LIBCMT ref: 004039EB
_strstr.LIBCMT ref: 00403A6D
_fgets.LIBCMT ref: 00403C00

Strings

</data>, xrefs: 00403A8A, 00403AC6
saved, xrefs: 00403B61
<key>server</key>, xrefs: 00403A67
passwords, xrefs: 00403B4A
</string>, xrefs: 004039E5, 00403B7C
<string>, xrefs: 004039C8, 00403B2D
<dict>, xrefs: 00403969
<data>, xrefs: 00403AE3
<key>account</key>, xrefs: 00403BD9
</dict>, xrefs: 004038F4
<key>data</key>, xrefs: 00403B0B

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _strstr$_fgets$__wfopen_s
String ID: </data>$</dict>$</string>$<data>$<dict>$<key>account</key>$<key>data</key>$<key>server</key>$<string>$passwords$saved
API String ID: 1711266154-3867735639
Opcode ID: 681c0a052362e01a15367481536b37113e9fdb792b2438bbce2637949f4acb08
Instruction ID: a8b929ab4c36e7d8c28f90fd3812f70ed44f558aec73399850f8e4bd73332667
Opcode Fuzzy Hash: 681c0a052362e01a15367481536b37113e9fdb792b2438bbce2637949f4acb08
Instruction Fuzzy Hash: ACA1127690830959DF24DE659C45EDA7BBC9B08315F1000FBE508F71C2EE79EB488A2C

Uniqueness

Uniqueness Score: 100.00%

Function 0040541A, Relevance: 45.8, APIs: 20, Strings: 6, Instructions: 301fileUNIQUE

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000410,?), ref: 0040544B
__time64.LIBCMT ref: 00405458

Part of subcall function 0044105C: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,0040545D,?,?,00000208,00000003,?,0040581C,?,0040366A,?), ref: 00441065
Part of subcall function 0044105C: __aulldiv.LIBCMT ref: 00441085

__allrem.LIBCMT ref: 00405470
swprintf.LIBCMT ref: 00405485
GetLastError.KERNEL32(?,?,00000000,?,?,0000022B,00000000,?,00000208,00000003,?,0040581C,?,0040366A,?), ref: 004054C0
CreateFileMappingA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 004054D4
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?,00000000,?,?,0000022B,00000000,?,00000208,00000003), ref: 004054EC
GetLastError.KERNEL32(?,?,00000000,?,?,0000022B,00000000,?,00000208,00000003,?,0040581C,?,0040366A,?), ref: 004054FE
CloseHandle.KERNEL32(00000000), ref: 00405505
_strstr.LIBCMT ref: 0040556D
_strstr.LIBCMT ref: 004055B8
___from_strstr_to_strchr.LIBCMT ref: 004055DE
_strstr.LIBCMT ref: 00405611
___from_strstr_to_strchr.LIBCMT ref: 00405638
_strstr.LIBCMT ref: 0040566B
___from_strstr_to_strchr.LIBCMT ref: 00405692
___from_strstr_to_strchr.LIBCMT ref: 0040571F
UnmapViewOfFile.KERNEL32(?,?,?,00000000,?,?,0000022B,00000000,?,00000208,00000003,?,0040581C,?,0040366A,?), ref: 00405739
CloseHandle.KERNEL32(?), ref: 0040574B
CloseHandle.KERNEL32(?), ref: 00405758

Strings

"encryptedUsername":, xrefs: 0040558A
"logins":, xrefs: 0040551A
%sfirefox_tmp_%d.bin, xrefs: 0040547E
{"nextId":, xrefs: 0040550D
"encryptedPassword":, xrefs: 00405598
"hostname":, xrefs: 0040557C

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File___from_strstr_to_strchr_strstr$CloseHandle$ErrorLastTimeView$CreateMappingPathSystemTempUnmap__allrem__aulldiv__time64swprintf
String ID: "encryptedPassword":$"encryptedUsername":$"hostname":$"logins":$%sfirefox_tmp_%d.bin${"nextId":
API String ID: 3109789586-1293949256
Opcode ID: 009ac6dedd8aab54d5fca007712f9dc09d8284ea3e8c81bc8375826e8de7057e
Instruction ID: 413e8bf016511b79fdcbff6a3f51ae92c6d297fc5b988d0893402a2093297d67
Opcode Fuzzy Hash: 009ac6dedd8aab54d5fca007712f9dc09d8284ea3e8c81bc8375826e8de7057e
Instruction Fuzzy Hash: 08A16772C04619AADB20DF648C44AEF777DEF45304F1041AAF944B7181DBB9AE86CF68

Uniqueness

Uniqueness Score: 100.00%

Function 00403F04, Relevance: 35.1, APIs: 3, Strings: 17, Instructions: 113UNIQUE

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 00404008
_fprintf.LIBCMT ref: 0040401F
_fprintf.LIBCMT ref: 00404035

Strings

Apple Safari, xrefs: 00403FA8
CoolNovo, xrefs: 00403FBD
Flock Browser, xrefs: 00403FAF
Browser: %s, xrefs: 00404019
---------------------------------------------------------------------------, xrefs: 00404062
Chrome SXS, xrefs: 00403FB6
Opera Browser, xrefs: 00403F9A
Firefox, xrefs: 00403FA1
Username: %s, xrefs: 0040403B
Comodo Dragon, xrefs: 00403FCB
Website: %s, xrefs: 0040402A
SeaMonkey, xrefs: 00403FC4
Password: %s, xrefs: 0040404C
SRWare Iron Browser, xrefs: 00403FD2
Internet Explorer, xrefs: 00403F8C
%-20s %-30s %-20s %-s, xrefs: 00404003
Google Chrome, xrefs: 00403F93

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _fprintf$_wprintf
String ID: %-20s %-30s %-20s %-s$ Browser: %s$ Password: %s$ Username: %s$ Website: %s$---------------------------------------------------------------------------$ Apple Safari$ Chrome SXS$ Comodo Dragon$ CoolNovo$ Firefox$ Flock Browser$ Google Chrome$ Internet Explorer$ Opera Browser$ SRWare Iron Browser$ SeaMonkey
API String ID: 3790670098-356740883
Opcode ID: fee75209e23558730d431846efe706d9540b720cd66d1370b104eb6f3501f6b9
Instruction ID: 265d2060f09d743dde03ff209318892b02eccaa8761687ec2db3a3ef2b46b27c
Opcode Fuzzy Hash: fee75209e23558730d431846efe706d9540b720cd66d1370b104eb6f3501f6b9
Instruction Fuzzy Hash: D6318A30A44217EADF00AE249C59EB43B3AAB46709F2001FBFE42B21D3D57D5E0D5A1E

Uniqueness

Uniqueness Score: 100.00%

Function 004040B8, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 65libraryUNIQUE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(vaultcli.dll), ref: 004040C4
GetLastError.KERNEL32 ref: 004040D3
74ECFFF6.KERNEL32(00000000,VaultOpenVault,00000094), ref: 004040E9
74ECFFF6.KERNEL32(VaultCloseVault), ref: 004040FB
74ECFFF6.KERNEL32(VaultEnumerateItems), ref: 0040410D
74ECFFF6.KERNEL32(VaultFree), ref: 0040411F
74ECFFF6.KERNEL32(VaultGetItem), ref: 0040413A
74ECFFF6.KERNEL32(VaultGetItem), ref: 00404143
GetLastError.KERNEL32 ref: 00404188
FreeLibrary.KERNEL32 ref: 00404194

Strings

VaultOpenVault, xrefs: 004040E3
VaultEnumerateItems, xrefs: 004040FD
VaultFree, xrefs: 0040410F
VaultGetItem, xrefs: 00404128
vaultcli.dll, xrefs: 004040BF
VaultCloseVault, xrefs: 004040EB

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLastLibrary$FreeLoad
String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 1452865118-3967309459
Opcode ID: 11fedaefcdef3ba3a4abce74a4c7efbeaeec23cff243f706bdf952807379a7e8
Instruction ID: ea94518270bb1219c060c3e2d70ca51e1a3de07b19f07da174c8a5d294ca2ebd
Opcode Fuzzy Hash: 11fedaefcdef3ba3a4abce74a4c7efbeaeec23cff243f706bdf952807379a7e8
Instruction Fuzzy Hash: 132147B1951302EBCB14AF70FD292453EE5A758342B144A7BE502D21B1FBF88884CE1E

Uniqueness

Uniqueness Score: 100.00%

Function 00403C38, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 103UNIQUE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00403C65
SHGetFolderPathA.SHELL32(00000000,0000002A,00000000,00000000,00000000), ref: 00403C81
GetLastError.KERNEL32 ref: 00403C8D
SHGetFolderPathA.SHELL32(00000000,00000026,00000000,00000000,00000000), ref: 00403C9D
GetLastError.KERNEL32 ref: 00403CA3
swprintf.LIBCMT ref: 00403CC0
GetFileAttributesA.KERNEL32 ref: 00403CC9
SHGetFolderPathA.SHELL32(00000000,0000002C,00000000,00000000,00000000), ref: 00403CEB
GetLastError.KERNEL32 ref: 00403CF1
SHGetFolderPathA.SHELL32(00000000,0000002B,00000000,00000000,00000000), ref: 00403D01
swprintf.LIBCMT ref: 00403D19
GetFileAttributesA.KERNEL32 ref: 00403D22
GetLastError.KERNEL32 ref: 00403D31

Strings

%s\Safari\Apple Application Support\plutil.exe, xrefs: 00403CB5
%s\Apple\Apple Application Support\plutil.exe, xrefs: 00403D0E

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorFolderLastPath$AttributesFileswprintf$_memset
String ID: %s\Apple\Apple Application Support\plutil.exe$%s\Safari\Apple Application Support\plutil.exe
API String ID: 949164352-935006301
Opcode ID: 016c55747f874587dc8f608766473fcea1f6235d7759d7fc5f8072f81977262b
Instruction ID: eae8423ff20c08bf8165e5609fdd02d8b20e7054d1c077a8afec4fd0d5f5fe2c
Opcode Fuzzy Hash: 016c55747f874587dc8f608766473fcea1f6235d7759d7fc5f8072f81977262b
Instruction Fuzzy Hash: D1219BB1A042587AF710EA759C49FFB7A9CDF54705F000876F995F20C2E678EE844664

Uniqueness

Uniqueness Score: 100.00%

Function 00406F43, Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 351UNIQUE

Download Yara Rule

APIs

Part of subcall function 00406C5B: _memset.LIBCMT ref: 00406C70

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004071B7
__allrem.LIBCMT ref: 004071C2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004071E3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407255
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040727C
__allrem.LIBCMT ref: 00407288

Strings

%02d, xrefs: 00407111, 0040729A
%06.3f, xrefs: 004072FB
%.16g, xrefs: 00407159
W, xrefs: 0040725A
%04d, xrefs: 004070F5
%lld, xrefs: 004071F2
%03d, xrefs: 004072BE

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem$_memset
String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
API String ID: 3997530026-1989508764
Opcode ID: 3f1e657990530f03e9014b28b7d9bd78ec47f89b71bbb894e2587a3cd39b06fd
Instruction ID: 9a2760adfa7bf91d56c92e027d888165973dd773369e549a9856a653455803fe
Opcode Fuzzy Hash: 3f1e657990530f03e9014b28b7d9bd78ec47f89b71bbb894e2587a3cd39b06fd
Instruction Fuzzy Hash: EDB12972D0C3415AE7249E248C45B3BBB95EB91344F14063FF886BA3D2DA3DED41929B

Uniqueness

Uniqueness Score: 23.02%

Function 00414908, Relevance: 21.4, APIs: 2, Strings: 10, Instructions: 445UNIQUE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00414C7D
_memset.LIBCMT ref: 00414C90

Strings

Fragmented space is %d byte reported as %d on page %d, xrefs: 00414E74
Page %d: , xrefs: 0041492A
unable to get the page. error code=%d, xrefs: 0041499E
On tree page %d cell %d: , xrefs: 00414A10
Corruption detected in cell %d on page %d, xrefs: 00414D3D, 00414DE1
Corruption detected in header on page %d, xrefs: 00414C5F
Multiple uses for byte %d of page %d, xrefs: 00414EB1
Child page depth differs, xrefs: 00414B6C
On page %d at right child: , xrefs: 00414BB8
sqlite3BtreeInitPage() returns error code %d, xrefs: 004149C4

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _memset
String ID: Child page depth differs$Corruption detected in cell %d on page %d$Corruption detected in header on page %d$Fragmented space is %d byte reported as %d on page %d$Multiple uses for byte %d of page %d$On page %d at right child: $On tree page %d cell %d: $Page %d: $sqlite3BtreeInitPage() returns error code %d$unable to get the page. error code=%d
API String ID: 2102423945-2138277338
Opcode ID: 3196661aed55c5ffea0dc3aee103eef4122dc409f22395be158dfaf83aa85216
Instruction ID: 4449f1c52aeb1e1102fb1056699099e87c13c55ebea4d73bb25e23df297cbc3e
Opcode Fuzzy Hash: 3196661aed55c5ffea0dc3aee103eef4122dc409f22395be158dfaf83aa85216
Instruction Fuzzy Hash: DE028570E041289FDB24DB65CC81BEDBBB5AF45308F1440AEE949E7282DB389D85CF59

Uniqueness

Uniqueness Score: 100.00%

Function 00426788, Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 255UNIQUE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00426802

Part of subcall function 00425590: _memset.LIBCMT ref: 004255DC

Strings

table, xrefs: 0042688C
CREATE %s %.*s, xrefs: 00426966
sqlite_temp_master, xrefs: 00426999
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d, xrefs: 004269B2
CREATE TABLE %Q.sqlite_sequence(name,seq), xrefs: 004269EA
sqlite_master, xrefs: 0042698F
tbl_name='%q', xrefs: 004269FB
4E, xrefs: 0042699E, 004269DC, 004269A8, 004269E8
view, xrefs: 0042689A
VIEW, xrefs: 004268A1, 00426965
TABLE, xrefs: 00426893

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _memset
String ID: 4E$CREATE %s %.*s$CREATE TABLE %Q.sqlite_sequence(name,seq)$TABLE$UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d$VIEW$sqlite_master$sqlite_temp_master$table$tbl_name='%q'$view
API String ID: 2102423945-1343417507
Opcode ID: 1690e64908b1bb3e41d3d037fb1efe289a11af7b74d6702b34930be8566f5574
Instruction ID: dadc51f84a76b84ae01c2745e32f2931c0738617d3af410ecc4e060824c9b33f
Opcode Fuzzy Hash: 1690e64908b1bb3e41d3d037fb1efe289a11af7b74d6702b34930be8566f5574
Instruction Fuzzy Hash: F5A1A370E002149FDB14DFA5D881BAEB7B1FF44304F10812EE815AB386DB79A985CF88

Uniqueness

Uniqueness Score: 100.00%

Function 004016E2, Relevance: 17.5, APIs: 4, Strings: 6, Instructions: 27UNIQUE

Download Yara Rule

APIs

Part of subcall function 004015C5: GetStdHandle.KERNEL32(000000F5), ref: 004015D7
Part of subcall function 004015C5: GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 004015E2

Part of subcall function 00401601: GetStdHandle.KERNEL32(000000F5,00000000,004015AD,00468230,00001000,?,?), ref: 00401606
Part of subcall function 00401601: SetConsoleTextAttribute.KERNEL32(00000000,00000004), ref: 00401611

_wprintf.LIBCMT ref: 004016F9
_wprintf.LIBCMT ref: 0040170F

Part of subcall function 0043FC61: __stbuf.LIBCMT ref: 0043FCAD
Part of subcall function 0043FC61: __ftbuf.LIBCMT ref: 0043FCDB

_wprintf.LIBCMT ref: 0040171E
_wprintf.LIBCMT ref: 0040172C

Strings

%s, xrefs: 00401719
****************************************************************, xrefs: 004016F3, 004016F8, 0040172B
http://securityxploded.com/browser-password-dump.php, xrefs: 00401714
3.6, xrefs: 004016FE
Browser Password Dump, xrefs: 00401705
%s v%s by SecurityXploded, xrefs: 0040170A

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wprintf$ConsoleHandle$AttributeBufferInfoScreenText__ftbuf__stbuf
String ID: %s$ %s v%s by SecurityXploded$****************************************************************$3.6$Browser Password Dump$http://securityxploded.com/browser-password-dump.php
API String ID: 3262292661-2707220801
Opcode ID: 5447e342bb2f0d0d2bd48b39043acf3e802c0da38949aaefccc19599d071dbf8
Instruction ID: a409156368bf1bcbdcae675f3f8ab299bc7e4653fc204e6ee928556ec92c6265
Opcode Fuzzy Hash: 5447e342bb2f0d0d2bd48b39043acf3e802c0da38949aaefccc19599d071dbf8
Instruction Fuzzy Hash: D9E04F21FC820467D51132665C87B2E05441B86F1BF28243FFC857A1C3DEBEA809225E

Uniqueness

Uniqueness Score: 100.00%

Function 004416F4, Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0044172D

Part of subcall function 00442B74: __getptd_noexit.LIBCMT ref: 00442B74

__gmtime64_s.LIBCMT ref: 004417C6
__gmtime64_s.LIBCMT ref: 004417FC
__gmtime64_s.LIBCMT ref: 00441819
__allrem.LIBCMT ref: 0044186F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044188B
__allrem.LIBCMT ref: 004418A2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004418C0
__allrem.LIBCMT ref: 004418D7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004418F5
__invoke_watson.LIBCMT ref: 00441966

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: ae82f0fd8c9ff6e8a7891d6cb4873f4c4660e46dfe4aa069f5c3141344118efc
Instruction ID: 1c2e9f3b440315e897b9ff87a854a8ffd95e2cb4517053983eaf464a08567440
Opcode Fuzzy Hash: ae82f0fd8c9ff6e8a7891d6cb4873f4c4660e46dfe4aa069f5c3141344118efc
Instruction Fuzzy Hash: DE71B5B2A00716ABF714AE79CC41B6BB3A8AF50364F14422FF514D7791EB78DD808798

Uniqueness

Uniqueness Score: 0.50%

Function 0040AF25, Relevance: 16.6, APIs: 11, Instructions: 85UNIQUE

Download Yara Rule

APIs

Part of subcall function 0040A347: GetVersionExA.KERNEL32(?), ref: 0040A375

GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000200,-00000003,?,?,?,0040B024,?,?,00000104,?,?,-00000003), ref: 0040AF45
_free.LIBCMT ref: 0040AF62

Part of subcall function 0043EE47: HeapFree.KERNEL32(00000000,00000000), ref: 0043EE5B
Part of subcall function 0043EE47: GetLastError.KERNEL32(00000000,?,00443875,00000000,004011BE,?), ref: 0043EE6D

GetFullPathNameW.KERNEL32(00000000,?,00000000,00000000,?,0040B024,?,?,00000104,?,?,-00000003,?), ref: 0040AF76
_free.LIBCMT ref: 0040AF7D
_malloc.LIBCMT ref: 0040AF55

Part of subcall function 0043EA05: __FF_MSGBANNER.LIBCMT ref: 0043EA1C
Part of subcall function 0043EA05: __NMSG_WRITE.LIBCMT ref: 0043EA23
Part of subcall function 0043EA05: RtlAllocateHeap.NTDLL(002F0000,00000000,00000001), ref: 0043EA48

GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000200,-00000003,?,?,?,0040B024,?,?,00000104,?,?,-00000003), ref: 0040AF8D
_malloc.LIBCMT ref: 0040AF97
GetFullPathNameA.KERNEL32(00000000,00000003,00000000,00000000,?,0040B024,?,?,00000104,?,?,-00000003,?), ref: 0040AFA8
_free.LIBCMT ref: 0040AFAF
_free.LIBCMT ref: 0040AFC2
_free.LIBCMT ref: 0040AFE1

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free$FullNamePath$Heap_malloc$AllocateErrorFreeLastVersion
String ID:
API String ID: 645363056-0
Opcode ID: 6da4d3a8b43ce5b528262e305468534b56f73ae5207b229ec103a782ae74f653
Instruction ID: d742aad1ca6b0d95ee89a1469e0c604fbe1e913a3baf9d69510f4047d6236f8c
Opcode Fuzzy Hash: 6da4d3a8b43ce5b528262e305468534b56f73ae5207b229ec103a782ae74f653
Instruction Fuzzy Hash: 3A11D172502201BACA117BB39C4AD9F3A6C9E89758724002EF501A61C2CF388941D6BE

Uniqueness

Uniqueness Score: 100.00%

Function 004025C9, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 212UNIQUE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000100,00000000,00000000), ref: 004026C2
_strstr.LIBCMT ref: 004026F6
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000100,00000000,00000000), ref: 00402721
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000100,00000000,00000000), ref: 00402742
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000100,00000000,00000000,?,?,?,00000000,00000000,00000000,?), ref: 004027AF
_wprintf.LIBCMT ref: 00402870

Strings

internet explorer, xrefs: 004026F0
Cannot close vault. Error (%d), xrefs: 0040286B

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$_strstr_wprintf
String ID: Cannot close vault. Error (%d)$internet explorer
API String ID: 3592056907-3867191668
Opcode ID: e0d95461d60af1d80551beaa2207679d3590da8dd3dfda26e7310912d5bead65
Instruction ID: 4d1387c0489efbbed01cc8ecebd86d00daa755a9ff9f5732f260aac85b03a66a
Opcode Fuzzy Hash: e0d95461d60af1d80551beaa2207679d3590da8dd3dfda26e7310912d5bead65
Instruction Fuzzy Hash: 958164B59002189FDB249F14DD89BEA7778EB04304F0442FEE655B21D1EAB5AEC5CF28

Uniqueness

Uniqueness Score: 100.00%

Function 0040A838, Relevance: 13.6, APIs: 9, Instructions: 136filesleepCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32(?,00000000,00000001,00000000), ref: 0040A88A
Sleep.KERNEL32(00000001), ref: 0040A898
GetLastError.KERNEL32 ref: 0040A8AC
UnlockFile.KERNEL32(?,00000000,00000001,00000000), ref: 0040A97C

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$ErrorLastLockSleepUnlock
String ID:
API String ID: 3015003838-0
Opcode ID: 62345021a42c811d69a35d635617d63fc90c33a13fe622fac9dbd771e8aa61d1
Instruction ID: 5200b90f86f007a39e823dd3879f571a5de07d9b63de6ea6e7cd21047070f3ad
Opcode Fuzzy Hash: 62345021a42c811d69a35d635617d63fc90c33a13fe622fac9dbd771e8aa61d1
Instruction Fuzzy Hash: E241D372600300EFDB119F658844AAB7BB5EF84765F25C43BE905EB381D674C990CB5A

Uniqueness

Uniqueness Score: 10.55%

Function 00408A67, Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 382UNIQUE

Download Yara Rule

Strings

0123456789ABCDEF0123456789abcdef, xrefs: 004084CC
-x0, xrefs: 00408556
-, xrefs: 00408626
NaN, xrefs: 0040869C

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: -$-x0$0123456789ABCDEF0123456789abcdef$NaN
API String ID: 0-2453531638
Opcode ID: 55b2cc0ee3bd0f046373cec794fd564e6419ef9d905cce7ada30a437b01eef5e
Instruction ID: fc2e395650303f2015b8f21f557fa234a39a92dafd7fa64f784ae61352e62576
Opcode Fuzzy Hash: 55b2cc0ee3bd0f046373cec794fd564e6419ef9d905cce7ada30a437b01eef5e
Instruction Fuzzy Hash: C0E1D53090C7918ED725CF29865022BBBE1AFDA744F18496FE8C5B7381DA38CD45CB5A

Uniqueness

Uniqueness Score: 100.00%

Function 0040838B, Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 358COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0040847B
__aullrem.LIBCMT ref: 00408491
__aulldvrm.LIBCMT ref: 004084ED

Strings

0123456789ABCDEF0123456789abcdef, xrefs: 004084CC
-x0, xrefs: 00408556
-, xrefs: 00408626
NaN, xrefs: 0040869C

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __aulldvrm$__aullrem
String ID: -$-x0$0123456789ABCDEF0123456789abcdef$NaN
API String ID: 643879872-2453531638
Opcode ID: 0d1f107aeaa83dd19ef11860727706a088e957c550ea1df9cf5d2528cf25f715
Instruction ID: 9c5d48a71091faf85c448d0ca60df465a89945800782f15cd516962cc0f64dce
Opcode Fuzzy Hash: 0d1f107aeaa83dd19ef11860727706a088e957c550ea1df9cf5d2528cf25f715
Instruction Fuzzy Hash: 03D1C13090C7918ED725CF29865022BBBE1AFDA744F18496FE8C5B7381DA38CD45CB5A

Uniqueness

Uniqueness Score: 1.01%

Function 00425CB6, Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 353UNIQUE

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00425E7F

Strings

table %T already exists, xrefs: 00425DEA
there is already an index named %s, xrefs: 00425E23
sqlite_sequence, xrefs: 00425E79
sqlite_temp_master, xrefs: 00425D65, 00425D6F
sqlite_master, xrefs: 00425D60
temporary table name must be unqualified, xrefs: 00425CEB

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _memcmp
String ID: sqlite_master$sqlite_sequence$sqlite_temp_master$table %T already exists$temporary table name must be unqualified$there is already an index named %s
API String ID: 2931989736-1813104722
Opcode ID: 3b76c39e5e3c594712d3fc83f5cb47401b625eb702156300072680cd920b053c
Instruction ID: 58ef7e257e15ed6154c117595b1478aa7c678a9611e551a17e3b9a2697547543
Opcode Fuzzy Hash: 3b76c39e5e3c594712d3fc83f5cb47401b625eb702156300072680cd920b053c
Instruction Fuzzy Hash: 24B1C371B00615ABDB14DF25EC82BAE7BA5EF44314F14802EF905EB382E7789E41C788

Uniqueness

Uniqueness Score: 23.02%

Function 0044C5EF, Relevance: 12.1, APIs: 8, Instructions: 118UNIQUELIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0044C607

Part of subcall function 00447437: __FF_MSGBANNER.LIBCMT ref: 0044744C
Part of subcall function 00447437: __NMSG_WRITE.LIBCMT ref: 00447453
Part of subcall function 00447437: __malloc_crt.LIBCMT ref: 00447473

__lock.LIBCMT ref: 0044C61A
__lock.LIBCMT ref: 0044C666
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00461F38,00000018,0044D781,?,00000000,00000109), ref: 0044C682
RtlEnterCriticalSection.NTDLL(8000000C), ref: 0044C69F
RtlLeaveCriticalSection.NTDLL(8000000C), ref: 0044C6AF

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 2777f9be84accda15934c1206faa3214c9007091238da4775ee96c70499a5d45
Instruction ID: f15da3cdad859abfb39d24ddf1a27fbb9ce526781c42851f8fedebdd7e6f4bc9
Opcode Fuzzy Hash: 2777f9be84accda15934c1206faa3214c9007091238da4775ee96c70499a5d45
Instruction Fuzzy Hash: 034144719026068BFB509F68D8C4798B7A0AF01329F29C32FE424A72D0D7BC9941CF8D

Uniqueness

Uniqueness Score: 100.00%

Function 0040AE06, Relevance: 10.6, APIs: 7, Instructions: 71sleepUNIQUE

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 0040AE3C
GetLastError.KERNEL32 ref: 0040AE4A
Sleep.KERNEL32(00000064), ref: 0040AE60
GetFileAttributesA.KERNEL32(00000000), ref: 0040AE70
GetLastError.KERNEL32 ref: 0040AE7E
Sleep.KERNEL32(00000064), ref: 0040AE96
_free.LIBCMT ref: 0040AEA1

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AttributesErrorFileLastSleep$_free
String ID:
API String ID: 2444173395-0
Opcode ID: 434892edc9e8e9016767f646181a2222951ca68531e8e9fe41f251948c378ceb
Instruction ID: 3936e97007680c8efaf154f7c210fee210911028383bae2b4257a56c3e796688
Opcode Fuzzy Hash: 434892edc9e8e9016767f646181a2222951ca68531e8e9fe41f251948c378ceb
Instruction Fuzzy Hash: 3811DA35940310AFCB1067B5E88C56F7A74EB9576AF30013AF512F62D1C7388991D69B

Uniqueness

Uniqueness Score: 100.00%

Function 0040A4AC, Relevance: 9.1, APIs: 6, Instructions: 59UNIQUE

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 0040A4B8
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0040A4CE
_malloc.LIBCMT ref: 0040A4DC

Part of subcall function 0043EA05: __FF_MSGBANNER.LIBCMT ref: 0043EA1C
Part of subcall function 0043EA05: __NMSG_WRITE.LIBCMT ref: 0043EA23
Part of subcall function 0043EA05: RtlAllocateHeap.NTDLL(002F0000,00000000,00000001), ref: 0043EA48

MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,?,000000FF,00000000,00000000), ref: 0040A4F2
_free.LIBCMT ref: 0040A4FD

Part of subcall function 0043EE47: HeapFree.KERNEL32(00000000,00000000), ref: 0043EE5B
Part of subcall function 0043EE47: GetLastError.KERNEL32(00000000,?,00443875,00000000,004011BE,?), ref: 0043EE6D

_free.LIBCMT ref: 0040A513

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharHeapMultiWide_free$AllocateApisErrorFileFreeLast_malloc
String ID:
API String ID: 2311203463-0
Opcode ID: e2344d725279bcfee8c9885f1dbe1695dc80f9ca08c32807d532c5bda50249e6
Instruction ID: 5e09f4cc21b6fbf2d72a9be2d85707ca8ebcca328da7e8c4d71a804bd67823ec
Opcode Fuzzy Hash: e2344d725279bcfee8c9885f1dbe1695dc80f9ca08c32807d532c5bda50249e6
Instruction Fuzzy Hash: 0301A2722042217BD7112ABA5C49E7B61ADDAC5B78720023FF922E62C1EE788D0105A9

Uniqueness

Uniqueness Score: 100.00%

Function 00443937, Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00443937

Part of subcall function 00440CD7: RtlEncodePointer.NTDLL(00000000), ref: 00440CDA
Part of subcall function 00440CD7: __initp_misc_winsig.LIBCMT ref: 00440CFB
Part of subcall function 00440CD7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00446E11
Part of subcall function 00440CD7: 74ECFFF6.KERNEL32(00000000,FlsAlloc), ref: 00446E25
Part of subcall function 00440CD7: 74ECFFF6.KERNEL32(00000000,FlsFree), ref: 00446E38
Part of subcall function 00440CD7: 74ECFFF6.KERNEL32(00000000,FlsGetValue), ref: 00446E4B
Part of subcall function 00440CD7: 74ECFFF6.KERNEL32(00000000,FlsSetValue), ref: 00446E5E
Part of subcall function 00440CD7: 74ECFFF6.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00446E71
Part of subcall function 00440CD7: 74ECFFF6.KERNEL32(00000000,CreateSemaphoreExW), ref: 00446E84
Part of subcall function 00440CD7: 74ECFFF6.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00446E97
Part of subcall function 00440CD7: 74ECFFF6.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00446EAA
Part of subcall function 00440CD7: 74ECFFF6.KERNEL32(00000000,SetThreadpoolTimer), ref: 00446EBD
Part of subcall function 00440CD7: 74ECFFF6.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00446ED0
Part of subcall function 00440CD7: 74ECFFF6.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00446EE3
Part of subcall function 00440CD7: 74ECFFF6.KERNEL32(00000000,CreateThreadpoolWait), ref: 00446EF6
Part of subcall function 00440CD7: 74ECFFF6.KERNEL32(00000000,SetThreadpoolWait), ref: 00446F09
Part of subcall function 00440CD7: 74ECFFF6.KERNEL32(00000000,CloseThreadpoolWait), ref: 00446F1C
Part of subcall function 00440CD7: 74ECFFF6.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00446F2F

__mtinitlocks.LIBCMT ref: 0044393C

Part of subcall function 004474DE: InitializeCriticalSectionAndSpinCount.KERNEL32(}F,00000FA0,?,?,00443941,00441A89,00461BE0,00000014), ref: 004474FC

__mtterm.LIBCMT ref: 00443945

Part of subcall function 004439AD: RtlDeleteCriticalSection.NTDLL(00000000), ref: 004473FA
Part of subcall function 004439AD: _free.LIBCMT ref: 00447401
Part of subcall function 004439AD: RtlDeleteCriticalSection.NTDLL(}F), ref: 00447423

__calloc_crt.LIBCMT ref: 0044396A
GetCurrentThreadId.KERNEL32(00441A89,00461BE0,00000014), ref: 00443993

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CriticalSection$Delete$CountCurrentEncodeHandleInitializeModulePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 1640740328-0
Opcode ID: 682a72679f917df7788b48916ace1b64c28311ed5db4ff6a133ca202e315478c
Instruction ID: 324614e7229c1b0d08bf1577ff6068a6d1ea23f21144333d3afb6da943eea44f
Opcode Fuzzy Hash: 682a72679f917df7788b48916ace1b64c28311ed5db4ff6a133ca202e315478c
Instruction Fuzzy Hash: 96F0C27250D65169F2243E757C0765A26808F41F3AB35472FF050D52D2FA998A41805E

Uniqueness

Uniqueness Score: 6.84%

Function 0043FD0D, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 162UNIQUELIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043FD69
_memcpy_s.LIBCMT ref: 0043FDDB
__filbuf.LIBCMT ref: 0043FE5C
_memset.LIBCMT ref: 0043FEA0

Part of subcall function 00442B74: __getptd_noexit.LIBCMT ref: 00442B74

Strings

0@, xrefs: 0043FD1E

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID: 0@
API String ID: 3877424927-1303110655
Opcode ID: 974b2240a8778556eb8bfb83a1063411a92062d948c6a0cd6447012eeb183e3f
Instruction ID: 47077695e67a6d1deb0ed2f2d0f6edbfec31a68f68ca7c2fcb65173594fd1430
Opcode Fuzzy Hash: 974b2240a8778556eb8bfb83a1063411a92062d948c6a0cd6447012eeb183e3f
Instruction Fuzzy Hash: 60510330E002059BDB249EA9C88566F77A1AF08320F24973FF826863E1D7789D198B09

Uniqueness

Uniqueness Score: 100.00%

Function 004431CF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47UNIQUELIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004437FD: __getptd_noexit.LIBCMT ref: 004437FE

__lock.LIBCMT ref: 0044320C
InterlockedDecrement.KERNEL32(?), ref: 00443229
_free.LIBCMT ref: 0044323C
InterlockedIncrement.KERNEL32(00335B38), ref: 00443254

Strings

8[3, xrefs: 00443242, 0044324A

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID: 8[3
API String ID: 2704283638-866551987
Opcode ID: 7658854817e16d360e3f04eee0476675de7bac337b83fa46574b2a0fbc31edba
Instruction ID: b37f171f3e9423567e4c15a1ccdb6262562a9be69ab22a96f3c25e9a030f6c4b
Opcode Fuzzy Hash: 7658854817e16d360e3f04eee0476675de7bac337b83fa46574b2a0fbc31edba
Instruction Fuzzy Hash: 5401AD31901711ABE711AF66944675AB770BF44F26F14405BE810A7290CBBCAF81CBDE

Uniqueness

Uniqueness Score: 100.00%

Function 00440EC8, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43UNIQUE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00440EE0

Part of subcall function 0043EA05: __FF_MSGBANNER.LIBCMT ref: 0043EA1C
Part of subcall function 0043EA05: __NMSG_WRITE.LIBCMT ref: 0043EA23
Part of subcall function 0043EA05: RtlAllocateHeap.NTDLL(002F0000,00000000,00000001), ref: 0043EA48

std::exception::exception.LIBCMT ref: 00440EFC
__CxxThrowException@8.LIBCMT ref: 00440F11

Part of subcall function 00447D5A: RaiseException.KERNEL32(?,?,00000000,00461B8C,?,?,?,00440F16,00000000,00461B8C,?,00000001), ref: 00447DAB

Strings

EE, xrefs: 00440F06, 00440EF2
bad allocation, xrefs: 00440EF5

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: bad allocation$EE
API String ID: 3074076210-2916647398
Opcode ID: b9add2d23ce35b457b4b2296b37a8905af98f4d3aa5a4dd94b75821cdf912b2e
Instruction ID: 753e73b0023236463bdd8c6ba06f248c96c286899966e3d6f28493a62ba92273
Opcode Fuzzy Hash: b9add2d23ce35b457b4b2296b37a8905af98f4d3aa5a4dd94b75821cdf912b2e
Instruction Fuzzy Hash: C1F0F9B500411E67EB10FA96D801ADF7BAC9F40358F10445BFA00A5182EBB8CA6586AD

Uniqueness

Uniqueness Score: 100.00%

Function 00443884, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41UNIQUELIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 004438C8

Part of subcall function 004473AF: __mtinitlocknum.LIBCMT ref: 004473C1
Part of subcall function 004473AF: RtlEnterCriticalSection.NTDLL(?), ref: 004473DA

InterlockedIncrement.KERNEL32(004634C8), ref: 004438D5
__lock.LIBCMT ref: 004438E9
___addlocaleref.LIBCMT ref: 00443907

Strings

X8F, xrefs: 004438FC

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: X8F
API String ID: 1687444384-365887044
Opcode ID: d564fb8d7663738c43d1c97814a621c8e5a9dbff5f4e0ece6ba0d566a6727f31
Instruction ID: 2ac9016c9b851ad33c972360cd3abb7141d85e7ece6f5e6dd5110e595e1c1b1d
Opcode Fuzzy Hash: d564fb8d7663738c43d1c97814a621c8e5a9dbff5f4e0ece6ba0d566a6727f31
Instruction Fuzzy Hash: 78016171440B00DFE760EF66D406749F7F0EF94726F20890FE495972A1DBB8A644DB19

Uniqueness

Uniqueness Score: 100.00%

Function 0044196C, Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00441978

Part of subcall function 0043EA05: __FF_MSGBANNER.LIBCMT ref: 0043EA1C
Part of subcall function 0043EA05: __NMSG_WRITE.LIBCMT ref: 0043EA23
Part of subcall function 0043EA05: RtlAllocateHeap.NTDLL(002F0000,00000000,00000001), ref: 0043EA48

_free.LIBCMT ref: 0044198B

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: fca934afab83a1f194cde9f8ce719e0efcda170d473eae208c081763a0ff9e36
Instruction ID: 81d7bc9bfd6f4ee9c775d61b02ec3d6213037e86203d7a5af57264b4cb52a870
Opcode Fuzzy Hash: fca934afab83a1f194cde9f8ce719e0efcda170d473eae208c081763a0ff9e36
Instruction Fuzzy Hash: 2211C4B24046516BFF212F75AC5565B3BA4AB0436AF24012BF8489A2B1DB7C8CC0C69C

Uniqueness

Uniqueness Score: 1.64%

Function 0040A44E, Relevance: 7.6, APIs: 5, Instructions: 51UNIQUE

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 0040A457
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040A46F
_malloc.LIBCMT ref: 0040A479

Part of subcall function 0043EA05: __FF_MSGBANNER.LIBCMT ref: 0043EA1C
Part of subcall function 0043EA05: __NMSG_WRITE.LIBCMT ref: 0043EA23
Part of subcall function 0043EA05: RtlAllocateHeap.NTDLL(002F0000,00000000,00000001), ref: 0043EA48

WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040A492
_free.LIBCMT ref: 0040A49D

Part of subcall function 0043EE47: HeapFree.KERNEL32(00000000,00000000), ref: 0043EE5B
Part of subcall function 0043EE47: GetLastError.KERNEL32(00000000,?,00443875,00000000,004011BE,?), ref: 0043EE6D

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharHeapMultiWide$AllocateApisErrorFileFreeLast_free_malloc
String ID:
API String ID: 3450208898-0
Opcode ID: 26d368211799babaaa1df4f6b0fdc6858b39187c5768f29f02cf7ccaa58f38db
Instruction ID: e3564b5bd3916b5ec3d0e311abe6178587b1c2baf4c90fbd95f5c8bfc5521a71
Opcode Fuzzy Hash: 26d368211799babaaa1df4f6b0fdc6858b39187c5768f29f02cf7ccaa58f38db
Instruction Fuzzy Hash: 5FF0E9B76052247FA7215BBA9C4CC7B769CCA956B93214336FD11E62C0DE74CC4042B4

Uniqueness

Uniqueness Score: 100.00%

Function 00405CD0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90UNIQUE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405CFD

Part of subcall function 0043EA05: __FF_MSGBANNER.LIBCMT ref: 0043EA1C
Part of subcall function 0043EA05: __NMSG_WRITE.LIBCMT ref: 0043EA23
Part of subcall function 0043EA05: RtlAllocateHeap.NTDLL(002F0000,00000000,00000001), ref: 0043EA48

_malloc.LIBCMT ref: 00405D58

Strings

K[@, xrefs: 00405DAC

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: K[@
API String ID: 680241177-2887614012
Opcode ID: dfe42dd5c556dfe2899b8400e5fe01cf4c65390bd986653fef575c0e01115fa3
Instruction ID: d2c23e731e3d18e7d6378810e15b13245ad9c54a5dc6b02591702e77cc2beb71
Opcode Fuzzy Hash: dfe42dd5c556dfe2899b8400e5fe01cf4c65390bd986653fef575c0e01115fa3
Instruction Fuzzy Hash: CC21D8B15046469ACB249F799C45A97B7B8EF49304F1044BFE245F31C1EE389D468F6C

Uniqueness

Uniqueness Score: 100.00%

Function 00452D26, Relevance: 6.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00452DAA
_memmove.LIBCMT ref: 00452DF1
___AdjustPointer.LIBCMT ref: 00452E3F
_memmove.LIBCMT ref: 00452E48

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AdjustPointer_memmove
String ID:
API String ID: 1721217611-0
Opcode ID: c5dd6a81d570133c8434133ccbae59f89956973b6ba090889aa11d516027c3e7
Instruction ID: d2d43a392bec41ee59afa6625f52eb2343bd6451e3243071019d1fa4c9e54f77
Opcode Fuzzy Hash: c5dd6a81d570133c8434133ccbae59f89956973b6ba090889aa11d516027c3e7
Instruction Fuzzy Hash: 6A41A6362046039BEB289F26DA42B6737A49F02356F24001FFC80576D3DBB9DD89D66D

Uniqueness

Uniqueness Score: 1.09%

Function 0044D090, Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0044D0C4
__isleadbyte_l.LIBCMT ref: 0044D0F2
MultiByteToWideChar.KERNEL32(00000080,00000009,0043FA5D,00000001,00000000,00000000,?,00000000,00000000,?,?,0043FA5D,00000000), ref: 0044D120
MultiByteToWideChar.KERNEL32(00000080,00000009,0043FA5D,00000001,00000000,00000000,?,00000000,00000000,?,?,0043FA5D,00000000), ref: 0044D156

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2e1e42b74cb0f4f6fe44602032de51f19b833009c06114fa1bc3e03e930a0392
Instruction ID: 0c0a4ca05fdc97972ddae4bb5c79401a2cc82774fad1c0a341a07d729254720b
Opcode Fuzzy Hash: 2e1e42b74cb0f4f6fe44602032de51f19b833009c06114fa1bc3e03e930a0392
Instruction Fuzzy Hash: 0F31CD31A04246AFEB218F75CC44BAB7BB5BF41354F15812AE8608B2A0D739DC42DB99

Uniqueness

Uniqueness Score: 0.05%

Function 0043F2C0, Relevance: 6.1, APIs: 4, Instructions: 81UNIQUE

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0043F366
__lock_file.LIBCMT ref: 0043F371
__stbuf.LIBCMT ref: 0043F37D
__ftbuf.LIBCMT ref: 0043F395

Part of subcall function 00442B74: __getptd_noexit.LIBCMT ref: 00442B74

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __ftbuf__getptd_noexit__lock_file__stbuf_strlen
String ID:
API String ID: 583463211-0
Opcode ID: 924ebcb99d2e2c1fe40824c93e137d82a49660eed7528509fd54d2fc9e87068e
Instruction ID: e863883cdbc37b4db647ca640b1791f232eb42fa9c56ec45f5ae143b723a231c
Opcode Fuzzy Hash: 924ebcb99d2e2c1fe40824c93e137d82a49660eed7528509fd54d2fc9e87068e
Instruction Fuzzy Hash: 7F213671D102049AFB14AA758D4176E25A1AFC9338F28937BFC348A2E1EB7C9946920D

Uniqueness

Uniqueness Score: 100.00%

Function 0040A5ED, Relevance: 6.1, APIs: 4, Instructions: 70fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 0040A618
GetLastError.KERNEL32 ref: 0040A625
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040A64D
GetLastError.KERNEL32 ref: 0040A67F

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorFileLast$PointerWrite
String ID:
API String ID: 2977825765-0
Opcode ID: 0e76cd403cda56406276baf378ce353a06a0dbc1a532f0714945516e26367326
Instruction ID: ab56a3a6b8db541f4ad2b644c59f43e432565aea499976e5542928b036b78eca
Opcode Fuzzy Hash: 0e76cd403cda56406276baf378ce353a06a0dbc1a532f0714945516e26367326
Instruction Fuzzy Hash: 1D21A132610705AFDB10CFA4D845BAE77B8EB04360F14463AE951EB3D0D775DD208BAA

Uniqueness

Uniqueness Score: 2.28%

Function 00452670, Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 00452687

Part of subcall function 00452C98: ___AdjustPointer.LIBCMT ref: 00452CE1

_UnwindNestedFrames.LIBCMT ref: 0045269E
___FrameUnwindToState.LIBCMT ref: 004526B0
CallCatchBlock.LIBCMT ref: 004526D4

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: d7491e60be52cc593744b93dc873b8f5dd604558d8cc2ceb373249e21f43cfd9
Instruction ID: cbc161f39998ff51ad422183370e2dbb31bc21c8eeaf10ada42e737c64de8c8c
Opcode Fuzzy Hash: d7491e60be52cc593744b93dc873b8f5dd604558d8cc2ceb373249e21f43cfd9
Instruction Fuzzy Hash: 22011B32000109BBCF129F55CD01EDB3BA6AF4A755F05411BFE1865122D7B9E465DB98

Uniqueness

Uniqueness Score: 0.50%

Function 0044EAC4, Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0044EAE8

Part of subcall function 0044F1C7: __fltout2.LIBCMT ref: 0044F1F0

__cftog_l.LIBCMT ref: 0044EB0E
__cftoe_l.LIBCMT ref: 0044EB40

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 5c6a6e0db2d2d7a5e360b0d374596c526a184512da7cf426753b003541fdca59
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: B8014B3640018ABBDF129E86CC06CEE7F66FF18354B588416FA1958131D23BD9B1AB85

Uniqueness

Uniqueness Score: 1.25%

Function 0040A3F7, Relevance: 6.0, APIs: 4, Instructions: 44UNIQUE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040A40E
_malloc.LIBCMT ref: 0040A418

Part of subcall function 0043EA05: __FF_MSGBANNER.LIBCMT ref: 0043EA1C
Part of subcall function 0043EA05: __NMSG_WRITE.LIBCMT ref: 0043EA23
Part of subcall function 0043EA05: RtlAllocateHeap.NTDLL(002F0000,00000000,00000001), ref: 0043EA48

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040A435
_free.LIBCMT ref: 0040A440

Part of subcall function 0043EE47: HeapFree.KERNEL32(00000000,00000000), ref: 0043EE5B
Part of subcall function 0043EE47: GetLastError.KERNEL32(00000000,?,00443875,00000000,004011BE,?), ref: 0043EE6D

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharHeapMultiWide$AllocateErrorFreeLast_free_malloc
String ID:
API String ID: 1203951092-0
Opcode ID: 0a85c7e7e04f15a682d03fa05d59ab5083902d2d1fba9964cbb0f527b4b73926
Instruction ID: 4f1cc2b5fb2ebe02b0e67dc9d84ca2db366ad293a624be42d6e6af037c41268e
Opcode Fuzzy Hash: 0a85c7e7e04f15a682d03fa05d59ab5083902d2d1fba9964cbb0f527b4b73926
Instruction Fuzzy Hash: 02F0ECB66052313F77207AB75C0DC7B395DDB91B75715033ABD10E61C0D9608C4052B5

Uniqueness

Uniqueness Score: 100.00%

Function 0040A3A2, Relevance: 6.0, APIs: 4, Instructions: 40UNIQUE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 0040A3B7
_malloc.LIBCMT ref: 0040A3C4

Part of subcall function 0043EA05: __FF_MSGBANNER.LIBCMT ref: 0043EA1C
Part of subcall function 0043EA05: __NMSG_WRITE.LIBCMT ref: 0043EA23
Part of subcall function 0043EA05: RtlAllocateHeap.NTDLL(002F0000,00000000,00000001), ref: 0043EA48

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,?,000000FF,00000000,00000000), ref: 0040A3DE
_free.LIBCMT ref: 0040A3E9

Part of subcall function 0043EE47: HeapFree.KERNEL32(00000000,00000000), ref: 0043EE5B
Part of subcall function 0043EE47: GetLastError.KERNEL32(00000000,?,00443875,00000000,004011BE,?), ref: 0043EE6D

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharHeapMultiWide$AllocateErrorFreeLast_free_malloc
String ID:
API String ID: 1203951092-0
Opcode ID: 9bf91e39d4ad0661454959528e6e8edaa16dbcbac0baa8982baf8c8e9f6543a2
Instruction ID: d5b62849417cbbbbe7359716c716e97c555ee2382e019e5e7ea4aa00c23b97bd
Opcode Fuzzy Hash: 9bf91e39d4ad0661454959528e6e8edaa16dbcbac0baa8982baf8c8e9f6543a2
Instruction Fuzzy Hash: EFF0AE716052217BDB3467A79C09D7B356DDB81B74B20033EB910EA1C0DD648D0051B9

Uniqueness

Uniqueness Score: 100.00%

Function 0040A690, Relevance: 6.0, APIs: 4, Instructions: 34fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040A6B5
GetLastError.KERNEL32 ref: 0040A6C0
SetEndOfFile.KERNEL32(?), ref: 0040A6D7
GetLastError.KERNEL32 ref: 0040A6E1

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorFileLast$Pointer
String ID:
API String ID: 1697706070-0
Opcode ID: be482bdb4162838b08e6ca29971cf82f7cbf63ef4f969177271a8e810d79a483
Instruction ID: 7d3559ee53e86c5fad19e01413ea1c169b2bae278669d1bf55926ae640a5af08
Opcode Fuzzy Hash: be482bdb4162838b08e6ca29971cf82f7cbf63ef4f969177271a8e810d79a483
Instruction Fuzzy Hash: 02F0F631100304DFCF008F74DC08A6A3BF8EB00361B184939F562E62D0DB35DD50AB0A

Uniqueness

Uniqueness Score: 2.48%

Function 00420B9F, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00420C62

Strings

variable number must be between ?1 and ?%d, xrefs: 00420BF2
too many SQL variables, xrefs: 00420C22

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _memcmp
String ID: too many SQL variables$variable number must be between ?1 and ?%d
API String ID: 2931989736-515162456
Opcode ID: 1e4c99f0d457a2a18e7da22031c377f8cbadab9f221a63cffc69b587344cf166
Instruction ID: b8e1cab4ee2ef3025f6cc72435d5da50e720821c0fe5fe7e45c4151712a4079e
Opcode Fuzzy Hash: 1e4c99f0d457a2a18e7da22031c377f8cbadab9f221a63cffc69b587344cf166
Instruction Fuzzy Hash: B441BBB0B01605EFD724DF6AD480A9AB7F1FF49304F60096ED496D7302D738AA41CB45

Uniqueness

Uniqueness Score: 6.12%

Function 004077FE, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 90UNIQUE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00407822

Strings

;u@, xrefs: 00407807
;u@, xrefs: 004077FE

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _memset
String ID: ;u@$;u@
API String ID: 2102423945-401478870
Opcode ID: 888ecfc6f08aeeef4c903cddae758c41831f822a52f155f03454d6d4ae90e8fe
Instruction ID: 57798531a01efb49ef524f9d88143a5e370fed2c46581d2a62ec24beb8522097
Opcode Fuzzy Hash: 888ecfc6f08aeeef4c903cddae758c41831f822a52f155f03454d6d4ae90e8fe
Instruction Fuzzy Hash: E631B5B2E0C2108FC7149F29ED556113B66E782728724827FF421A72E0F7B9A401DB8F

Uniqueness

Uniqueness Score: 100.00%

Function 0043FEEB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42UNIQUELIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043FF1A
__lock_file.LIBCMT ref: 0043FF3B

Strings

0@, xrefs: 0043FF06, 0043FF3A, 0043FF44

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __lock_file_memset
String ID: 0@
API String ID: 26237723-1303110655
Opcode ID: 0c5c9ef0f79784355d4f15974e78ba8ced4abd1d3fde05c7eefab2108ba1be1b
Instruction ID: 1047a9ebd3267a4a28e4d80f4a8b7c036847242b4eebb9ce82398d22af7e2fb0
Opcode Fuzzy Hash: 0c5c9ef0f79784355d4f15974e78ba8ced4abd1d3fde05c7eefab2108ba1be1b
Instruction Fuzzy Hash: 3201F731C01249EBDF11AFA68C0198F7B71BF86364F14822FFC1416161D7798A52DF59

Uniqueness

Uniqueness Score: 100.00%

Function 0044C474, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32UNIQUELIBRARYCODE

Download Yara Rule

Strings

yzu, xrefs: 0044C474
2\E, xrefs: 0044C497

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: 2\E$yzu
API String ID: 0-3135533648
Opcode ID: e5f38ec28093de967b8fdf2f557bbd928adccfa690546e5b5d7c31691cbd1f73
Instruction ID: 0360f099c9a4d9b9737682e5d2bcb6f9b779057197e748090c08a307d495fee5
Opcode Fuzzy Hash: e5f38ec28093de967b8fdf2f557bbd928adccfa690546e5b5d7c31691cbd1f73
Instruction Fuzzy Hash: 11F0A735210109AADB149F51C951AF933E8D744705F404026FD96CB5C0E6BCCAC1A769

Uniqueness

Uniqueness Score: 100.00%

Function 004439CA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20UNIQUE

Download Yara Rule

APIs

__lock.LIBCMT ref: 004439E5

Part of subcall function 004473AF: __mtinitlocknum.LIBCMT ref: 004473C1
Part of subcall function 004473AF: RtlEnterCriticalSection.NTDLL(?), ref: 004473DA

__updatetlocinfoEx_nolock.LIBCMT ref: 004439F5

Part of subcall function 00442EC9: ___addlocaleref.LIBCMT ref: 00442EE5
Part of subcall function 00442EC9: ___removelocaleref.LIBCMT ref: 00442EF0
Part of subcall function 00442EC9: ___freetlocinfo.LIBCMT ref: 00442F04

Strings

X8F, xrefs: 004439DB, 004439F0, 004439FC

Memory Dump Source

Source File: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.14658105826.0046F000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: X8F
API String ID: 547918592-365887044
Opcode ID: d46bb1a1468582485d50cee933ae37bf58127898f3c9fe648a25f317d8c66698
Instruction ID: d178646ee48e186078be5d7728db2bbed76cf51608b1dc0a374a1d4da700d7c2
Opcode Fuzzy Hash: d46bb1a1468582485d50cee933ae37bf58127898f3c9fe648a25f317d8c66698
Instruction Fuzzy Hash: E0E08621581381A9FB90BFA26903B8D76E09B80B37F24411FF044770D1DAAC0A44915F

Uniqueness

Uniqueness Score: 100.00%

Description:	Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command `runas` . Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
Tactics:	Defense Evasion
Data Sources:	API monitoring, Anti-virus, File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting , PowerShell , or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception.
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Kernel drivers, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report systemupdate_ProtectedAUS.exe

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Cryptography:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus and Machine Learning Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Code Manipulations

Statistics

Function 005501CB, Relevance: 517.4, Strings: 413, Instructions: 1138
UNIQUE

Function 00551C04, Relevance: 13.7, APIs: 9, Instructions: 225
nativethreadprocessUNIQUE

Function 005500AD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 92
nativeUNIQUE

Function 001AB210, Relevance: 3.8, Strings: 2, Instructions: 1300
UNIQUE

Function 001ADC28, Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Function 00551E97, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 118
synchronizationUNIQUE

Function 001ADC20, Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Function 003C0FEA, Relevance: 9.2, Strings: 7, Instructions: 426
UNIQUE

Function 003C1B40, Relevance: 2.8, Strings: 2, Instructions: 305
UNIQUE

Function 003CB700, Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 454
memorythreadUNIQUE

Function 003CB690, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 381
UNIQUE

Function 003CB6F8, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 353
UNIQUE

Description:	Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre