Edit tour

Windows Analysis Report
YnsEArPlqx.exe

Overview

General Information

Sample name:	YnsEArPlqx.exe renamed because original name is a hash value
Original sample name:	ab8e88bff0b907fc49b949d704490018.exe
Analysis ID:	1460294
MD5:	ab8e88bff0b907fc49b949d704490018
SHA1:	559f2f2b61bd344293f7cbc78b72d8e368910ae3
SHA256:	921c5314fc334bac928a8398da1c8341b1021cf92ae83bf8b872d422f2e7ef8f
Tags:	exeRiseProStealer
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject threads in other processes

Found stalling execution ending in API Sleep call

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

YnsEArPlqx.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\YnsEArPlqx.exe" MD5: AB8E88BFF0B907FC49B949D704490018)

schtasks.exe (PID: 7528 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7576 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MPGPH131.exe (PID: 7632 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: AB8E88BFF0B907FC49B949D704490018)

MPGPH131.exe (PID: 7640 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: AB8E88BFF0B907FC49B949D704490018)

RageMP131.exe (PID: 7852 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: AB8E88BFF0B907FC49B949D704490018)

RageMP131.exe (PID: 8008 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: AB8E88BFF0B907FC49B949D704490018)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: YnsEArPlqx.exe PID: 7408	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 7632	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 7640	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7852	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 8008	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\YnsEArPlqx.exe, ProcessId: 7408, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/20/24-18:59:13.624078
SID:	2046269
Source Port:	49741
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/20/24-18:58:58.560662
SID:	2046269
Source Port:	49732
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/20/24-18:58:52.840391
SID:	2046269
Source Port:	49731
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/20/24-18:57:14.894991
SID:	2049060
Source Port:	49731
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/20/24-18:59:07.355875
SID:	2046269
Source Port:	49739
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/20/24-18:57:18.828226
SID:	2046266
Source Port:	58709
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/20/24-18:58:03.049093
SID:	2046267
Source Port:	58709
Destination Port:	49741
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/20/24-18:57:35.040865
SID:	2046266
Source Port:	58709
Destination Port:	49741
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/20/24-18:57:15.478080
SID:	2046266
Source Port:	58709
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/20/24-18:57:18.837910
SID:	2046266
Source Port:	58709
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/20/24-18:58:58.606045
SID:	2046269
Source Port:	49733
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/20/24-18:57:40.684951
SID:	2046267
Source Port:	58709
Destination Port:	49739
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/20/24-18:57:26.019896
SID:	2046266
Source Port:	58709
Destination Port:	49739
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/20/24-18:57:40.086663
SID:	2046267
Source Port:	58709
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/20/24-18:57:40.210568
SID:	2046267
Source Port:	58709
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/20/24-18:57:40.261626
SID:	2046267
Source Port:	58709
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://77.91.77.81/mine/amadka.exeisepro_bot	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe3377b	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe.1	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe0.1	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.e	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exeB	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exeT3EU	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exeisepro_botA%	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exek.com	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exew9u	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe/risepro	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe0.1	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exeOP	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: YnsEArPlqx.exe

Joe Sandbox ML: detected

Source: YnsEArPlqx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49752 version: TLS 1.2

Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	0_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	6_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	7_2_00431F9C

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49733 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49739
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49739 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49741
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49741 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49739
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49741

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 77.91.77.66:58709

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 172.67.75.166 172.67.75.166
Source: Joe Sandbox View	IP Address: 77.91.77.66 77.91.77.66

Source: Joe Sandbox View

ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66

Source: C:\Users\user\Desktop\YnsEArPlqx.exe

Code function: 0_2_00409280 recv,GetProcAddress,GetModuleHandleA,GetProcAddress,WSASend,

0_2_00409280

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: RageMP131.exe, 0000000C.00000002.3056865794.0000000000F59000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/go.exeOP
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/go.exeT3EU
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/go.exew9u
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/lenin.e
Source: RageMP131.exe, 0000000C.00000002.3056865794.0000000000F59000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/lenin.exe
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/lenin.exe/risepro
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/lenin.exe0.1
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/lenin.exek.com
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/mine/amadka.exe.1
Source: RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/mine/amadka.exe0.1
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/mine/amadka.exe3377b
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/mine/amadka.exeB
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/mine/amadka.exeisepro_bot
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/mine/amadka.exeisepro_botA%
Source: YnsEArPlqx.exe, 00000000.00000003.1815516370.0000000002980000.00000004.00001000.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1854273690.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1854619896.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000B.00000003.1930519219.0000000002740000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3053466368.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3053447329.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2009098412.0000000002840000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/L
Source: RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/V
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.333
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33f7
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33k
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33w
Source: RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/h
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/oV
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
Source: RageMP131.exe, 0000000B.00000002.3055498202.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.338
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33H
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33M
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: YnsEArPlqx.exe, 00000000.00000003.1815516370.0000000002980000.00000004.00001000.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1854273690.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1854619896.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000B.00000003.1930519219.0000000002740000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3053466368.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3053447329.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2009098412.0000000002840000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/s
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33NA
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33P.tmp
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933668257.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056302312.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.%9
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.h
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000E67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTf
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTt
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000E67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTv
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot3ABbfQUY
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot8
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botClyf(U3
Source: RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botK:
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botlater
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botrisep
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot~
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49752 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: YnsEArPlqx.exe	Static PE information: section name:
Source: YnsEArPlqx.exe	Static PE information: section name:
Source: YnsEArPlqx.exe	Static PE information: section name:
Source: YnsEArPlqx.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_0043C960	0_2_0043C960
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_0043A928	0_2_0043A928
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_004371A0	0_2_004371A0
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_0044DA86	0_2_0044DA86
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_0044036F	0_2_0044036F
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_00458BB0	0_2_00458BB0
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_004EFC40	0_2_004EFC40
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_0042F580	0_2_0042F580
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_00452610	0_2_00452610
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_004F2FD0	0_2_004F2FD0
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_004547BF	0_2_004547BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0043C960	6_2_0043C960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0043A928	6_2_0043A928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_004371A0	6_2_004371A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0044DA86	6_2_0044DA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0044036F	6_2_0044036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00458BB0	6_2_00458BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_004EFC40	6_2_004EFC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0042F580	6_2_0042F580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00452610	6_2_00452610
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_004F2FD0	6_2_004F2FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_004547BF	6_2_004547BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0043C960	7_2_0043C960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0043A928	7_2_0043A928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_004371A0	7_2_004371A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0044DA86	7_2_0044DA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0044036F	7_2_0044036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00458BB0	7_2_00458BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_004EFC40	7_2_004EFC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0042F580	7_2_0042F580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00452610	7_2_00452610
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_004F2FD0	7_2_004F2FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_004547BF	7_2_004547BF

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Code function: String function: 00434380 appears 48 times

Source: YnsEArPlqx.exe	Binary or memory string: OriginalFilename vs YnsEArPlqx.exe
Source: YnsEArPlqx.exe, 00000000.00000000.1811623951.000000000058A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs YnsEArPlqx.exe
Source: YnsEArPlqx.exe, 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs YnsEArPlqx.exe
Source: YnsEArPlqx.exe	Binary or memory string: OriginalFilenamedotnet.exe6 vs YnsEArPlqx.exe

Source: YnsEArPlqx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: YnsEArPlqx.exe	Static PE information: Section: ZLIB complexity 0.9987973597852029
Source: YnsEArPlqx.exe	Static PE information: Section: ZLIB complexity 0.994140625
Source: YnsEArPlqx.exe	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9987973597852029
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.994140625
Source: RageMP131.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9987973597852029
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.994140625
Source: MPGPH131.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/5@3/3

Source: C:\Users\user\Desktop\YnsEArPlqx.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03

Source: C:\Users\user\Desktop\YnsEArPlqx.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\YnsEArPlqx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: YnsEArPlqx.exe, 00000000.00000003.1815516370.0000000002980000.00000004.00001000.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1854273690.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1854619896.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000B.00000003.1930519219.0000000002740000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3053466368.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3053447329.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2009098412.0000000002840000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: YnsEArPlqx.exe, 00000000.00000003.1815516370.0000000002980000.00000004.00001000.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1854273690.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1854619896.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000B.00000003.1930519219.0000000002740000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3053466368.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3053447329.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2009098412.0000000002840000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: YnsEArPlqx.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\YnsEArPlqx.exe

File read: C:\Users\user\Desktop\YnsEArPlqx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\YnsEArPlqx.exe "C:\Users\user\Desktop\YnsEArPlqx.exe"
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll	Jump to behavior

Source: YnsEArPlqx.exe

Static file information: File size 3270672 > 1048576

Source: YnsEArPlqx.exe

Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x267000

Source: C:\Users\user\Desktop\YnsEArPlqx.exe

Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

0_2_004CF280

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: YnsEArPlqx.exe	Static PE information: section name:
Source: YnsEArPlqx.exe	Static PE information: section name:
Source: YnsEArPlqx.exe	Static PE information: section name:
Source: YnsEArPlqx.exe	Static PE information: section name:
Source: YnsEArPlqx.exe	Static PE information: section name: .themida
Source: YnsEArPlqx.exe	Static PE information: section name: .boot
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .themida
Source: RageMP131.exe.0.dr	Static PE information: section name: .boot
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .themida
Source: MPGPH131.exe.0.dr	Static PE information: section name: .boot

Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_0058901C push eax; iretd	0_2_0058901D
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_006E1593 push ecx; mov dword ptr [esp], ebp	0_2_00822BC8
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_006E1593 push 57F325EEh; mov dword ptr [esp], eax	0_2_00822C06
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_006E1593 push edi; mov dword ptr [esp], ebp	0_2_00822C19
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_006E1593 push eax; mov dword ptr [esp], ecx	0_2_00822C1D
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_006E1593 push 0F00E9F4h; mov dword ptr [esp], eax	0_2_00822C7A
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_00433F59 push ecx; ret	0_2_00433F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_006E1593 push ecx; mov dword ptr [esp], ebp	6_2_00822BC8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_006E1593 push 57F325EEh; mov dword ptr [esp], eax	6_2_00822C06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_006E1593 push edi; mov dword ptr [esp], ebp	6_2_00822C19
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_006E1593 push eax; mov dword ptr [esp], ecx	6_2_00822C1D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_006E1593 push 0F00E9F4h; mov dword ptr [esp], eax	6_2_00822C7A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00433F59 push ecx; ret	6_2_00433F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_006E1593 push ecx; mov dword ptr [esp], ebp	7_2_00822BC8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_006E1593 push 57F325EEh; mov dword ptr [esp], eax	7_2_00822C06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_006E1593 push edi; mov dword ptr [esp], ebp	7_2_00822C19
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_006E1593 push eax; mov dword ptr [esp], ecx	7_2_00822C1D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_006E1593 push 0F00E9F4h; mov dword ptr [esp], eax	7_2_00822C7A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00433F59 push ecx; ret	7_2_00433F6C

Source: YnsEArPlqx.exe	Static PE information: section name: entropy: 7.981638520890903
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.981638520890903
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.981638520890903

Source: C:\Users\user\Desktop\YnsEArPlqx.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file

Source: C:\Users\user\Desktop\YnsEArPlqx.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\YnsEArPlqx.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Stalling execution: Execution stalls by calling Sleep			graph_0-13672
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Stalling execution: Execution stalls by calling Sleep			graph_6-14101

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\YnsEArPlqx.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	System information queried: FirmwareTableInformation	Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\YnsEArPlqx.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)			graph_0-13677
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)			graph_6-14116

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_6-16081
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-16274

Source: C:\Users\user\Desktop\YnsEArPlqx.exe TID: 7412	Thread sleep count: 212 > 30	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe TID: 7624	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe TID: 7412	Thread sleep count: 313 > 30	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe TID: 7412	Thread sleep time: -31613s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe TID: 7412	Thread sleep count: 146 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7636	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7636	Thread sleep count: 185 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7676	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7636	Thread sleep count: 313 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7636	Thread sleep time: -31613s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7636	Thread sleep count: 143 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7644	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7644	Thread sleep count: 184 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7672	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7644	Thread sleep count: 311 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7644	Thread sleep time: -31411s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7644	Thread sleep count: 145 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7856	Thread sleep count: 127 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7952	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7856	Thread sleep count: 317 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7856	Thread sleep time: -32017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7856	Thread sleep count: 144 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012	Thread sleep count: 244 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8028	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012	Thread sleep count: 284 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012	Thread sleep count: 144 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012	Thread sleep count: 121 > 30	Jump to behavior

Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	0_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	6_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	7_2_00431F9C

Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}E
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000E60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&s
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: RageMP131.exe, 0000000C.00000003.2035826187.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: YnsEArPlqx.exe, 00000000.00000003.1840354529.0000000000D44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Cz
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: RageMP131.exe, 0000000B.00000003.1945525195.0000000000C61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000C.00000003.2035826187.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Q
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: RageMP131.exe, 0000000B.00000002.3055498202.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&9

Source: C:\Users\user\Desktop\YnsEArPlqx.exe

Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00438A64

Source: C:\Users\user\Desktop\YnsEArPlqx.exe

0_2_004CF280

Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00438A64
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0043451D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00438A64
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0043451D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00438A64
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0043451D

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,	0_2_004CF280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,	6_2_004CF280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,	7_2_004CF280

Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: GetLocaleInfoW,	0_2_004531CA
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: EnumSystemLocalesW,	0_2_0044B1B1
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_004532F3
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00452B5A
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: GetLocaleInfoW,	0_2_004533F9
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_004534CF
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: GetLocaleInfoW,	0_2_00452D5F
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: EnumSystemLocalesW,	0_2_00452E51
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: EnumSystemLocalesW,	0_2_00452E06
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: EnumSystemLocalesW,	0_2_00452EEC
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00452F77
Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Code function: GetLocaleInfoW,	0_2_0044B734
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	6_2_004531CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	6_2_0044B1B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_004532F3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	6_2_00452B5A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	6_2_004533F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_004534CF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	6_2_00452D5F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	6_2_00452E51
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	6_2_00452E06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	6_2_00452EEC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_00452F77
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	6_2_0044B734
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	7_2_004531CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	7_2_0044B1B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_004532F3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	7_2_00452B5A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	7_2_004533F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_004534CF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	7_2_00452D5F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	7_2_00452E51
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	7_2_00452E06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	7_2_00452EEC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_00452F77
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	7_2_0044B734

Source: C:\Users\user\Desktop\YnsEArPlqx.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\YnsEArPlqx.exe

Code function: 0_2_0043361D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_0043361D

Source: C:\Users\user\Desktop\YnsEArPlqx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: YnsEArPlqx.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 8008, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: YnsEArPlqx.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 8008, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	12 Virtualization/Sandbox Evasion	LSASS Memory	321 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Native API	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	11 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
YnsEArPlqx.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	55%	ReversingLabs	Win32.Trojan.RiseProStealer
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	55%	ReversingLabs	Win32.Trojan.RiseProStealer

Source	Detection	Scanner	Label
https://ipinfo.io/	0%	URL Reputation	safe
https://t.me/RiseProSUPPORTv	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORTt	0%	Avira URL Cloud	safe
http://77.91.77.81/mine/amadka.exeisepro_bot	100%	Avira URL Cloud	phishing
http://77.91.77.81/mine/amadka.exe	100%	Avira URL Cloud	phishing
http://77.91.77.81/cost/go.exe	100%	Avira URL Cloud	phishing
https://ipinfo.io:443/widget/demo/8.46.123.33	0%	Avira URL Cloud	safe
https://db-ip.com:443/demo/home.php?s=8.46.123.33H	0%	Avira URL Cloud	safe
http://77.91.77.81/mine/amadka.exe3377b	100%	Avira URL Cloud	phishing
http://77.91.77.81/mine/amadka.exe.1	100%	Avira URL Cloud	phishing
https://db-ip.com:443/demo/home.php?s=8.46.123.33M	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORTf	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33NA	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33P.tmp	0%	Avira URL Cloud	safe
http://77.91.77.81/cost/lenin.exe0.1	100%	Avira URL Cloud	phishing
https://ipinfo.io/s	0%	Avira URL Cloud	safe
https://db-ip.com/	0%	Avira URL Cloud	safe
https://db-ip.com/oV	0%	Avira URL Cloud	safe
https://t.me/risepro	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.33f7	0%	Avira URL Cloud	safe
http://77.91.77.81/cost/lenin.e	100%	Avira URL Cloud	phishing
https://db-ip.com:443/demo/home.php?s=8.46.123.33	0%	Avira URL Cloud	safe
http://77.91.77.81/mine/amadka.exeB	100%	Avira URL Cloud	phishing
https://db-ip.com/demo/home.php?s=8.46.123.333	0%	Avira URL Cloud	safe
http://77.91.77.81/cost/go.exeT3EU	100%	Avira URL Cloud	phishing
https://db-ip.com/L	0%	Avira URL Cloud	safe
https://t.me/risepro_bot8	0%	Avira URL Cloud	safe
http://77.91.77.81/mine/amadka.exeisepro_botA%	100%	Avira URL Cloud	phishing
https://t.me/risepro_botrisep	0%	Avira URL Cloud	safe
https://db-ip.com/V	0%	Avira URL Cloud	safe
https://t.me/risepro_bot~	0%	Avira URL Cloud	safe
https://t.me/risepro_botClyf(U3	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://t.me/risepro_botK:	0%	Avira URL Cloud	safe
https://t.me/risepro_bot3ABbfQUY	0%	Avira URL Cloud	safe
https://ipinfo.io/Mozilla/5.0	0%	Avira URL Cloud	safe
http://77.91.77.81/cost/lenin.exek.com	100%	Avira URL Cloud	phishing
http://77.91.77.81/cost/go.exew9u	100%	Avira URL Cloud	phishing
http://77.91.77.81/cost/lenin.exe/risepro	100%	Avira URL Cloud	phishing
https://db-ip.com/h	0%	Avira URL Cloud	safe
https://t.me/risepro_botlater	0%	Avira URL Cloud	safe
https://t.me/risepro_bot	0%	Avira URL Cloud	safe
https://t.%9	0%	Avira URL Cloud	safe
http://77.91.77.81/mine/amadka.exe0.1	100%	Avira URL Cloud	phishing
http://77.91.77.81/cost/go.exeOP	100%	Avira URL Cloud	phishing
https://www.maxmind.com/en/locate-my-ip-address	0%	Avira URL Cloud	safe
http://www.winimage.com/zLibDll	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.33w	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.33	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.33k	0%	Avira URL Cloud	safe
http://77.91.77.81/cost/lenin.exe	100%	Avira URL Cloud	malware
https://db-ip.com:443/demo/home.php?s=8.46.123.338	0%	Avira URL Cloud	safe
https://t.h	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	false		unknown
db-ip.com	172.67.75.166	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/widget/demo/8.46.123.33	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/	false	URL Reputation: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://77.91.77.81/mine/amadka.exe	RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://77.91.77.81/mine/amadka.exeisepro_bot	MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://ipinfo.io:443/widget/demo/8.46.123.33	YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933668257.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056302312.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.33M	MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORTv	RageMP131.exe, 0000000C.00000002.3055648642.0000000000E67000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/cost/go.exe	RageMP131.exe, 0000000C.00000002.3056865794.0000000000F59000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://t.me/RiseProSUPPORTt	MPGPH131.exe, 00000006.00000002.3055816885.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/mine/amadka.exe.1	MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://77.91.77.81/mine/amadka.exe3377b	MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.33H	YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/	YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/oV	MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33NA	MPGPH131.exe, 00000006.00000002.3055816885.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORTf	YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/cost/lenin.exe0.1	RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://t.me/risepro	MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33P.tmp	YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/s	MPGPH131.exe, 00000006.00000002.3055816885.0000000000E01000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.33f7	MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/cost/lenin.e	MPGPH131.exe, 00000006.00000002.3055816885.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.33	MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/mine/amadka.exeB	YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://db-ip.com/demo/home.php?s=8.46.123.333	RageMP131.exe, 0000000C.00000002.3055648642.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_bot8	YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/L	RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/mine/amadka.exeisepro_botA%	RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://77.91.77.81/cost/go.exeT3EU	MPGPH131.exe, 00000006.00000002.3055816885.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://t.me/risepro_botrisep	RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/V	RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botClyf(U3	MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_bot~	YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	YnsEArPlqx.exe, 00000000.00000003.1815516370.0000000002980000.00000004.00001000.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1854273690.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1854619896.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000B.00000003.1930519219.0000000002740000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3053466368.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3053447329.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2009098412.0000000002840000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botK:	RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT	YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000E67000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_bot3ABbfQUY	MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/cost/lenin.exek.com	MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://ipinfo.io/Mozilla/5.0	YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/cost/go.exew9u	YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://77.91.77.81/cost/lenin.exe/risepro	YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://db-ip.com/h	RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_bot	RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botlater	MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.%9	YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/mine/amadka.exe0.1	RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://www.maxmind.com/en/locate-my-ip-address	MPGPH131.exe	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/cost/go.exeOP	RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.winimage.com/zLibDll	YnsEArPlqx.exe, 00000000.00000003.1815516370.0000000002980000.00000004.00001000.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1854273690.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1854619896.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000B.00000003.1930519219.0000000002740000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3053466368.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3053447329.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2009098412.0000000002840000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.33w	YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.h	MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.33k	RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/cost/lenin.exe	RageMP131.exe, 0000000C.00000002.3056865794.0000000000F59000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.338	RageMP131.exe, 0000000B.00000002.3055498202.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
172.67.75.166	db-ip.com	United States	13335	CLOUDFLARENETUS	false
77.91.77.66	unknown	Russian Federation	42861	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1460294
Start date and time:	2024-06-20 18:56:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	YnsEArPlqx.exe renamed because original name is a hash value
Original Sample Name:	ab8e88bff0b907fc49b949d704490018.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/5@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: YnsEArPlqx.exe

Simulations

Behavior and APIs

Time	Type	Description
12:58:13	API Interceptor	56x Sleep call for process: RageMP131.exe modified
12:58:13	API Interceptor	87x Sleep call for process: MPGPH131.exe modified
12:58:13	API Interceptor	42x Sleep call for process: YnsEArPlqx.exe modified
17:57:14	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
17:57:14	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
17:57:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
17:57:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
172.67.75.166	T17sbXrL3i.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	https://curious-kringle-id4964-024b3b3.netlify.app/form.html	Get hash	malicious	Unknown	Browse
	4Ip0IVHqJ3.exe	Get hash	malicious	RisePro Stealer	Browse
	https://gacw-no-reply-restriction-appeal-case.netlify.app/feedback_id_38258467296/	Get hash	malicious	Unknown	Browse
	http://rules-prohibiting-violative-advertisi.netlify.app/appeal_case_ID_78234127826/	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	jv9lMYVHh0.exe	Get hash	malicious	RisePro Stealer	Browse
	5i5Cl02eCU.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
77.91.77.66	AlCsIOd0pd.exe	Get hash	malicious	RisePro Stealer	Browse
	setup.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	D44CPdpkNk.exe	Get hash	malicious	RisePro Stealer	Browse
	WGEfBWbWQI.exe	Get hash	malicious	RisePro Stealer	Browse
	2bT2lTwRku.exe	Get hash	malicious	RisePro Stealer	Browse
	T17sbXrL3i.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	setup.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.117.186.192
	D44CPdpkNk.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	1kBeqS7E3z.exe	Get hash	malicious	LummaC, RisePro Stealer, Vidar	Browse	34.117.186.192
	WGEfBWbWQI.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	2bT2lTwRku.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	T17sbXrL3i.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	http://telegliam.icu/	Get hash	malicious	Unknown	Browse	34.117.186.192
	https://ingresar-365-msn.glitch.me/	Get hash	malicious	Unknown	Browse	34.117.186.192
	Jr7B1jZMaT.exe	Get hash	malicious	NovaSentinel	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
db-ip.com	setup.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	104.26.5.15
	D44CPdpkNk.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	1kBeqS7E3z.exe	Get hash	malicious	LummaC, RisePro Stealer, Vidar	Browse	104.26.4.15
	WGEfBWbWQI.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	2bT2lTwRku.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	T17sbXrL3i.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	file.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	https://curious-kringle-id4964-024b3b3.netlify.app/form.html	Get hash	malicious	Unknown	Browse	104.26.5.15
	https://glist43-dase23-ac9ae33.netlify.app/dev.html/	Get hash	malicious	Unknown	Browse	104.26.5.15
	4Ip0IVHqJ3.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	AlCsIOd0pd.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	setup.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	77.91.77.81
	setup.exe	Get hash	malicious	Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	77.91.77.81
	FN MultiHack v2.exe	Get hash	malicious	RedLine	Browse	77.91.77.6
	D44CPdpkNk.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	https://drive.google.com/file/d/1SCCeBL3Md8Sct7wQF5bfbtLysFqXCW6y/view?ts=667387ac	Get hash	malicious	Unknown	Browse	77.91.77.5
	https://drive.google.com/file/d/1SCCeBL3Md8Sct7wQF5bfbtLysFqXCW6y/view?ts=667387ac	Get hash	malicious	Unknown	Browse	77.91.77.5
	WGEfBWbWQI.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	2bT2lTwRku.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	T17sbXrL3i.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	https://www.barstoolsports.com/blog/3517288/i-would-fucking-kill-you-right-now-if-i-could-kelly-and-tate-finally-met-in-chicago-and-boy-oh-boy-was-it-fireworks#story-comments	Get hash	malicious	Unknown	Browse	34.117.239.71
	https://my.visme.co/v/pvmd79je-dj6mqv	Get hash	malicious	Unknown	Browse	34.117.77.79
	setup.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.117.186.192
	D44CPdpkNk.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	1kBeqS7E3z.exe	Get hash	malicious	LummaC, RisePro Stealer, Vidar	Browse	34.117.186.192
	WGEfBWbWQI.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	2bT2lTwRku.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	T17sbXrL3i.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	http://h3200457.wixsite.com/my-site-1/	Get hash	malicious	Unknown	Browse	34.117.60.144
	http://telegliam.icu/	Get hash	malicious	Unknown	Browse	34.117.186.192
CLOUDFLARENETUS	https://www.barstoolsports.com/blog/3517288/i-would-fucking-kill-you-right-now-if-i-could-kelly-and-tate-finally-met-in-chicago-and-boy-oh-boy-was-it-fireworks#story-comments	Get hash	malicious	Unknown	Browse	172.64.151.101
	FAX_202405_136088.xhtml	Get hash	malicious	Unknown	Browse	104.18.11.207
	SecuriteInfo.com.Trojan.PackedNET.2926.9666.23696.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ATT001_PlayVM.html	Get hash	malicious	Unknown	Browse	172.64.151.101
	Products volume.exe	Get hash	malicious	FormBook	Browse	104.21.84.156
	aaaaa.shtml.html	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://airtable.com/appLxB5sOmdo2GJo9/shrh1CoBQsbhadVcV	Get hash	malicious	HTMLPhisher	Browse	172.64.155.119
	OFS Fitel, LLC In-Service Agreement.doc	Get hash	malicious	Unknown	Browse	104.18.2.35
	ACH Receipt.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://docs.google.com/drawings/d/1qLrBv5e6nFXfFVtMDNkicLQy_velV_hePF-fb4qRTSc/preview	Get hash	malicious	Unknown	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Invoice.docm	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, zgRAT	Browse	34.117.186.192 172.67.75.166
	Setup.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	34.117.186.192 172.67.75.166
	setup.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.117.186.192 172.67.75.166
	setup.exe	Get hash	malicious	LummaC	Browse	34.117.186.192 172.67.75.166
	setup.exe	Get hash	malicious	LummaC	Browse	34.117.186.192 172.67.75.166
	Galaxy Swapper v2.0.3.exe	Get hash	malicious	LummaC, Xmrig	Browse	34.117.186.192 172.67.75.166
	setup.exe	Get hash	malicious	LummaC	Browse	34.117.186.192 172.67.75.166
	setup.exe	Get hash	malicious	LummaC	Browse	34.117.186.192 172.67.75.166
	file.exe	Get hash	malicious	LummaC	Browse	34.117.186.192 172.67.75.166

Process:	C:\Users\user\Desktop\YnsEArPlqx.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3270672
Entropy (8bit):	7.967404431164332
Encrypted:	false
SSDEEP:	98304:e5tF1/fIhf2JK5KtqWaUMrXYQjC4fbEaSNthtA:Ib4haKUt1aUWI4xfbnSHhu
MD5:	AB8E88BFF0B907FC49B949D704490018
SHA1:	559F2F2B61BD344293F7CBC78B72D8E368910AE3
SHA-256:	921C5314FC334BAC928A8398DA1C8341B1021CF92AE83BF8B872D422F2E7EF8F
SHA-512:	C2388EDC661CBAAECCF2FF9A2C153B5D201CF7A2C605570EB992AFA3878A0F24C96E1443713E9330833001A4D2BE245E6F49F281C663118ADEB76ECF7D2E41B5
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....\|......X.X...........@...........................~.......2......................................a..........8....................p~..............................p...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@....rsrc...8...........................@..@ X........r..................@..B.idata.......`.......r..............@....tls.........p.......v...................themida..>..........x..............`....boot....p&...X..p&..x..............`..`.reloc.......p~.......1................@................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\YnsEArPlqx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\YnsEArPlqx.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3270672
Entropy (8bit):	7.967404431164332
Encrypted:	false
SSDEEP:	98304:e5tF1/fIhf2JK5KtqWaUMrXYQjC4fbEaSNthtA:Ib4haKUt1aUWI4xfbnSHhu
MD5:	AB8E88BFF0B907FC49B949D704490018
SHA1:	559F2F2B61BD344293F7CBC78B72D8E368910AE3
SHA-256:	921C5314FC334BAC928A8398DA1C8341B1021CF92AE83BF8B872D422F2E7EF8F
SHA-512:	C2388EDC661CBAAECCF2FF9A2C153B5D201CF7A2C605570EB992AFA3878A0F24C96E1443713E9330833001A4D2BE245E6F49F281C663118ADEB76ECF7D2E41B5
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....\|......X.X...........@...........................~.......2......................................a..........8....................p~..............................p...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@....rsrc...8...........................@..@ X........r..................@..B.idata.......`.......r..............@....tls.........p.......v...................themida..>..........x..............`....boot....p&...X..p&..x..............`..`.reloc.......p~.......1................@................................................................

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\YnsEArPlqx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\YnsEArPlqx.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	13
Entropy (8bit):	2.8731406795131336
Encrypted:	false
SSDEEP:	3:L1VcuRn:TRRn
MD5:	D2322FA1329556D66DDD87C7F6D2456D
SHA1:	FEFE77CAE67D8ADEECAC37F97DA6B7BB3CF2CA4F
SHA-256:	382F74819EB312810D9DC06212DFCACFE2AB3B3585DB98DFA83BB35EF0396E70
SHA-512:	BD20A13F63A556FF645BC9FE1E5CC59E7B160C106207B2999881F8B4D661A597850A2BE1FA24A9E8FB6F6E4DCCB109EDF327A5E313F80054EC296F5715551970
Malicious:	false
Reputation:	low
Preview:	1718909364668

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.967404431164332
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	YnsEArPlqx.exe
File size:	3'270'672 bytes
MD5:	ab8e88bff0b907fc49b949d704490018
SHA1:	559f2f2b61bd344293f7cbc78b72d8e368910ae3
SHA256:	921c5314fc334bac928a8398da1c8341b1021cf92ae83bf8b872d422f2e7ef8f
SHA512:	c2388edc661cbaaeccf2ff9a2c153b5d201cf7a2c605570eb992afa3878a0f24c96e1443713e9330833001a4d2be245e6f49f281c663118adeb76ecf7d2e41b5
SSDEEP:	98304:e5tF1/fIhf2JK5KtqWaUMrXYQjC4fbEaSNthtA:Ib4haKUt1aUWI4xfbnSHhu
TLSH:	C0E53367CC66D2E5F27D54332B36890CA63A91A26E2355B5782F133068F2C4D87E1DCE
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s

File Icon


Icon Hash:	8596a1a0a1a1b171

Static PE Info

General

Entrypoint:	0x980058
Entrypoint Section:	.boot
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x664C6914 [Tue May 21 09:27:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	63814aaf116ba6abb6496ce4bcad24c6

Entrypoint Preview

Instruction
call 00007FE248B82EC0h
push ebx
mov ebx, esp
push ebx
mov esi, dword ptr [ebx+08h]
mov edi, dword ptr [ebx+10h]
cld
mov dl, 80h
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
mov ebx, 00000002h
add dl, dl
jne 00007FE248B82D77h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FE248B82D5Ch
add dl, dl
jne 00007FE248B82D77h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FE248B82DC3h
xor eax, eax
add dl, dl
jne 00007FE248B82D77h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FE248B82E57h
add dl, dl
jne 00007FE248B82D77h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FE248B82D77h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FE248B82D77h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FE248B82D77h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
je 00007FE248B82D7Ah
push edi
mov eax, eax
sub edi, eax
mov al, byte ptr [edi]
pop edi
mov byte ptr [edi], al
inc edi
mov ebx, 00000002h
jmp 00007FE248B82D0Bh
mov eax, 00000001h
add dl, dl
jne 00007FE248B82D77h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FE248B82D77h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jc 00007FE248B82D5Ch
sub eax, ebx
mov ebx, 00000001h
jne 00007FE248B82D9Ah
mov ecx, 00000001h
add dl, dl
jne 00007FE248B82D77h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc ecx, ecx
add dl, dl
jne 00007FE248B82D77h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jc 00007FE248B82D5Ch
push esi
mov esi, edi
sub esi, ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19618b	0x184	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18a000	0x1638	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7e7000	0x10	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x197018	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x18369c	0x40
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x15bbc8	0x9d200	261dcbc24cbc9eb16e95b23575219f53	False	0.9987973597852029	data	7.981638520890903	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x15d000	0x27e32	0x10a00	9c4edc30bf568b4831d47c2fa8adcade	False	0.994140625	data	7.943472834836404	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x185000	0x4930	0x800	b28ebea9ebe41ba142a74e93b46ebac9	False	0.98681640625	data	7.721777854568001	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x18a000	0x1638	0x1800	fe6f3fdb9e7e97cba92d8ce4e4fcc95b	False	0.7220052083333334	data	6.54017046361188	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x18c000	0x9858	0x7200	55d409a165ae6286b51388ca331aeab8	False	0.9794750548245614	data	7.934264573672369	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x196000	0x1000	0x400	1b20e07443fa333ff9692026d1e6c6c2	False	0.3984375	data	3.42439969016873	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x197000	0x1000	0x200	54a50a058e0f3b6aa2fe1b22e2033106	False	0.056640625	data	0.18120187678200297	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.themida	0x198000	0x3e8000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot	0x580000	0x267000	0x267000	0a00394383a54186173259ab3252cfac	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x7e7000	0x1000	0x10	f5bc99b71bad9e8a775cc32747e3ca58	False	1.5	GLS_BINARY_LSB_FIRST	2.474601752714581	IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x18a440	0x1060	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.8838263358778626
RT_GROUP_ICON	0x18b4a0	0x14	data	Russian	Russia	1.05
RT_VERSION	0x18a130	0x310	data	Russian	Russia	0.45408163265306123
RT_MANIFEST	0x18b4b8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	GetModuleHandleA
USER32.dll	wsprintfA
GDI32.dll	CreateCompatibleBitmap
ADVAPI32.dll	RegQueryValueExA
SHELL32.dll	ShellExecuteA
ole32.dll	CoInitialize
WS2_32.dll	WSAStartup
CRYPT32.dll	CryptUnprotectData
SHLWAPI.dll	PathFindExtensionA
gdiplus.dll	GdipGetImageEncoders
SETUPAPI.dll	SetupDiEnumDeviceInfo
ntdll.dll	RtlUnicodeStringToAnsiString
RstrtMgr.DLL	RmStartSession

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/20/24-18:59:13.624078	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49741	58709	192.168.2.4	77.91.77.66
06/20/24-18:58:58.560662	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49732	58709	192.168.2.4	77.91.77.66
06/20/24-18:58:52.840391	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49731	58709	192.168.2.4	77.91.77.66
06/20/24-18:57:14.894991	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49731	58709	192.168.2.4	77.91.77.66
06/20/24-18:59:07.355875	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49739	58709	192.168.2.4	77.91.77.66
06/20/24-18:57:18.828226	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49732	77.91.77.66	192.168.2.4
06/20/24-18:58:03.049093	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49741	77.91.77.66	192.168.2.4
06/20/24-18:57:35.040865	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49741	77.91.77.66	192.168.2.4
06/20/24-18:57:15.478080	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49731	77.91.77.66	192.168.2.4
06/20/24-18:57:18.837910	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49733	77.91.77.66	192.168.2.4
06/20/24-18:58:58.606045	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49733	58709	192.168.2.4	77.91.77.66
06/20/24-18:57:40.684951	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49739	77.91.77.66	192.168.2.4
06/20/24-18:57:26.019896	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49739	77.91.77.66	192.168.2.4
06/20/24-18:57:40.086663	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49731	77.91.77.66	192.168.2.4
06/20/24-18:57:40.210568	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49732	77.91.77.66	192.168.2.4
06/20/24-18:57:40.261626	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49733	77.91.77.66	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 20, 2024 18:57:14.867392063 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:14.872680902 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:14.872773886 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:14.894990921 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:14.900186062 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:15.478080034 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:15.526962996 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:18.209875107 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:18.215310097 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:18.215409994 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:18.219486952 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:18.224916935 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:18.225008965 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:18.238785982 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:18.239044905 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:18.244168043 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:18.244507074 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:18.605303049 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:18.610707045 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:18.828226089 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:18.837909937 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:18.870759964 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:18.886356115 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:21.949140072 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:21.949143887 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:21.954988956 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:21.955049992 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:25.393862963 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:25.398869991 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:25.398960114 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:25.410298109 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:25.415654898 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:26.019896030 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:26.073909998 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:29.136550903 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:29.141423941 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:34.425412893 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:34.430507898 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:34.430629015 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:34.440203905 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:34.445101023 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:35.040864944 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:35.089631081 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:38.168387890 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:38.173934937 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:40.086663008 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:40.136542082 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:40.189471960 CEST	49742	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.189557076 CEST	443	49742	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.189647913 CEST	49742	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.190637112 CEST	49742	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.190690041 CEST	443	49742	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.210567951 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:40.261501074 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:40.261626005 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:40.269562006 CEST	49743	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.269599915 CEST	443	49743	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.269674063 CEST	49743	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.270838976 CEST	49743	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.270886898 CEST	443	49743	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.290296078 CEST	49744	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.290406942 CEST	443	49744	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.290482998 CEST	49744	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.291460991 CEST	49744	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.291516066 CEST	443	49744	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.308362961 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:40.684951067 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:40.706904888 CEST	443	49742	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.707005024 CEST	49742	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.711128950 CEST	49742	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.711186886 CEST	443	49742	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.711622000 CEST	443	49742	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.727715969 CEST	49745	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.727813005 CEST	443	49745	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.727895975 CEST	49745	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.728888035 CEST	49745	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.728923082 CEST	443	49745	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.730259895 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:40.755664110 CEST	49742	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.790704012 CEST	443	49744	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.790915966 CEST	49744	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.791215897 CEST	443	49743	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.791320086 CEST	49743	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.792150021 CEST	49744	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.792197943 CEST	443	49744	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.792450905 CEST	49743	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.792462111 CEST	443	49743	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.792578936 CEST	443	49744	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.792800903 CEST	443	49743	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.796545982 CEST	443	49742	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.839626074 CEST	49744	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.842360973 CEST	49743	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.860759020 CEST	49744	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.869853973 CEST	49743	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.883080959 CEST	443	49742	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.883428097 CEST	443	49742	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.883512020 CEST	49742	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.886112928 CEST	49742	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.886162043 CEST	443	49742	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.886192083 CEST	49742	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:40.886209965 CEST	443	49742	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.896604061 CEST	49746	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:40.896667957 CEST	443	49746	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:40.896748066 CEST	49746	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:40.897015095 CEST	49746	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:40.897043943 CEST	443	49746	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:40.904494047 CEST	443	49744	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:40.912532091 CEST	443	49743	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.000684023 CEST	443	49744	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.000818014 CEST	443	49744	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.001025915 CEST	49744	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:41.001121044 CEST	49744	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:41.001121044 CEST	49744	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:41.001166105 CEST	443	49744	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.001205921 CEST	443	49744	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.002507925 CEST	49747	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.002594948 CEST	443	49747	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.002676010 CEST	49747	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.003042936 CEST	49747	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.003132105 CEST	443	49747	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.009438038 CEST	443	49743	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.009916067 CEST	443	49743	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.009967089 CEST	49743	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:41.010067940 CEST	49743	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:41.010082960 CEST	443	49743	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.010093927 CEST	49743	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:41.010099888 CEST	443	49743	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.011152983 CEST	49748	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.011173010 CEST	443	49748	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.011234999 CEST	49748	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.011461020 CEST	49748	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.011472940 CEST	443	49748	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.334681034 CEST	443	49745	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.334783077 CEST	49745	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:41.335994005 CEST	49745	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:41.336009979 CEST	443	49745	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.336256027 CEST	443	49745	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.384072065 CEST	49745	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:41.424527884 CEST	443	49745	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.508068085 CEST	443	49745	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.508239985 CEST	443	49745	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.508344889 CEST	49745	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:41.508753061 CEST	49745	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:41.508790016 CEST	443	49745	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.508824110 CEST	49745	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:57:41.508838892 CEST	443	49745	34.117.186.192	192.168.2.4
Jun 20, 2024 18:57:41.510406971 CEST	49749	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.510494947 CEST	443	49749	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.510646105 CEST	49749	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.510972023 CEST	49749	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.511009932 CEST	443	49749	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.516624928 CEST	443	49747	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.516690969 CEST	49747	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.518430948 CEST	49747	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.518444061 CEST	443	49747	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.518704891 CEST	443	49747	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.520112991 CEST	49747	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.525110006 CEST	443	49746	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.525235891 CEST	49746	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.526875973 CEST	49746	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.526887894 CEST	443	49746	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.527396917 CEST	443	49746	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.528537035 CEST	49746	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.533680916 CEST	443	49748	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.533914089 CEST	49748	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.534756899 CEST	49748	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.534763098 CEST	443	49748	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.535790920 CEST	443	49748	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.536973000 CEST	49748	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.560578108 CEST	443	49747	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.572501898 CEST	443	49746	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.580496073 CEST	443	49748	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.670669079 CEST	443	49747	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.670747042 CEST	443	49747	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.670828104 CEST	49747	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.671272993 CEST	49747	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.671322107 CEST	443	49747	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.671353102 CEST	49747	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.671370029 CEST	443	49747	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.671797037 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:41.677098989 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:41.707526922 CEST	443	49746	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.707797050 CEST	443	49746	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.707895994 CEST	49746	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.708054066 CEST	49746	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.708096981 CEST	443	49746	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.708134890 CEST	49746	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.708153009 CEST	443	49746	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.708522081 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:41.709861994 CEST	443	49748	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.710084915 CEST	443	49748	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.710143089 CEST	49748	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.710211039 CEST	49748	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.710232019 CEST	443	49748	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.710256100 CEST	49748	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.710268021 CEST	443	49748	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.711057901 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:41.713349104 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:41.716022968 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:41.985795021 CEST	443	49749	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.985903025 CEST	49749	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.987131119 CEST	49749	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:41.987164021 CEST	443	49749	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.987513065 CEST	443	49749	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:41.991270065 CEST	49749	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:42.036530018 CEST	443	49749	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:42.152816057 CEST	443	49749	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:42.153099060 CEST	443	49749	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:42.153202057 CEST	49749	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:42.153469086 CEST	49749	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:42.153507948 CEST	443	49749	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:42.153534889 CEST	49749	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:57:42.153549910 CEST	443	49749	172.67.75.166	192.168.2.4
Jun 20, 2024 18:57:42.153923035 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:42.159673929 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:49.464940071 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:49.470344067 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:52.715127945 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:52.720165014 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:52.808721066 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:52.814178944 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:57:59.480479002 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:57:59.485503912 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:02.366193056 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:02.417916059 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:02.451795101 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:02.465960026 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:02.496141911 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:02.511650085 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:02.721391916 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:02.761667967 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:03.049093008 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:03.105618000 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:03.190819979 CEST	49751	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:58:03.190865040 CEST	443	49751	34.117.186.192	192.168.2.4
Jun 20, 2024 18:58:03.190953970 CEST	49751	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:58:03.191906929 CEST	49751	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:58:03.191932917 CEST	443	49751	34.117.186.192	192.168.2.4
Jun 20, 2024 18:58:03.659512997 CEST	443	49751	34.117.186.192	192.168.2.4
Jun 20, 2024 18:58:03.659627914 CEST	49751	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:58:03.660859108 CEST	49751	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:58:03.660887957 CEST	443	49751	34.117.186.192	192.168.2.4
Jun 20, 2024 18:58:03.661843061 CEST	443	49751	34.117.186.192	192.168.2.4
Jun 20, 2024 18:58:03.701503992 CEST	49751	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:58:03.748549938 CEST	443	49751	34.117.186.192	192.168.2.4
Jun 20, 2024 18:58:03.828887939 CEST	443	49751	34.117.186.192	192.168.2.4
Jun 20, 2024 18:58:03.829221010 CEST	443	49751	34.117.186.192	192.168.2.4
Jun 20, 2024 18:58:03.829324007 CEST	49751	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:58:03.829612017 CEST	49751	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:58:03.829665899 CEST	443	49751	34.117.186.192	192.168.2.4
Jun 20, 2024 18:58:03.829696894 CEST	49751	443	192.168.2.4	34.117.186.192
Jun 20, 2024 18:58:03.829714060 CEST	443	49751	34.117.186.192	192.168.2.4
Jun 20, 2024 18:58:03.832252026 CEST	49752	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:58:03.832298994 CEST	443	49752	172.67.75.166	192.168.2.4
Jun 20, 2024 18:58:03.832386017 CEST	49752	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:58:03.832801104 CEST	49752	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:58:03.832832098 CEST	443	49752	172.67.75.166	192.168.2.4
Jun 20, 2024 18:58:04.384896994 CEST	443	49752	172.67.75.166	192.168.2.4
Jun 20, 2024 18:58:04.385020018 CEST	49752	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:58:04.386295080 CEST	49752	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:58:04.386311054 CEST	443	49752	172.67.75.166	192.168.2.4
Jun 20, 2024 18:58:04.387135983 CEST	443	49752	172.67.75.166	192.168.2.4
Jun 20, 2024 18:58:04.388725996 CEST	49752	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:58:04.436502934 CEST	443	49752	172.67.75.166	192.168.2.4
Jun 20, 2024 18:58:04.556865931 CEST	443	49752	172.67.75.166	192.168.2.4
Jun 20, 2024 18:58:04.557096958 CEST	443	49752	172.67.75.166	192.168.2.4
Jun 20, 2024 18:58:04.557162046 CEST	49752	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:58:04.557215929 CEST	49752	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:58:04.557245016 CEST	443	49752	172.67.75.166	192.168.2.4
Jun 20, 2024 18:58:04.557271004 CEST	49752	443	192.168.2.4	172.67.75.166
Jun 20, 2024 18:58:04.557285070 CEST	443	49752	172.67.75.166	192.168.2.4
Jun 20, 2024 18:58:04.557780981 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:04.562638998 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:09.293189049 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:09.298407078 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:18.632580042 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:18.683968067 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:18.699707985 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:18.704699993 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:18.746516943 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:18.793112040 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:18.808842897 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:18.813803911 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:18.814426899 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:18.840141058 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:18.845093012 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:19.420250893 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:19.449507952 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:19.454644918 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:19.634773016 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:19.683732986 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:21.761961937 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:21.769064903 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:25.012032032 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:25.017864943 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:25.058866024 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:25.064270020 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:31.965137959 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:31.970119953 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:35.120271921 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:35.168335915 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:36.594540119 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:36.608009100 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:36.637063026 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:36.652693033 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:38.152647018 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:38.202181101 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:38.512538910 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:38.543402910 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:38.548664093 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:41.654438019 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:41.659532070 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:46.579662085 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:46.615417004 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:46.621339083 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:46.625395060 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:46.668185949 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:46.668193102 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:46.684319973 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:46.684467077 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:46.684617996 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:46.689163923 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:46.689290047 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:46.689438105 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:46.800071955 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:46.855700016 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:46.856758118 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:46.862021923 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:48.391851902 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:48.433866978 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:52.840390921 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:52.847284079 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:55.355422974 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:55.402640104 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:55.439012051 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:55.464445114 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:55.480784893 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:55.513658047 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:55.705344915 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:55.748805046 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:55.837332010 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:55.887082100 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:55.934210062 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:55.939651012 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:58.560662031 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:58.566133976 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:58:58.606045008 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:58:58.611638069 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.855362892 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.855537891 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.855609894 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.855878115 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.855892897 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.855909109 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.855936050 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.855950117 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.855951071 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.855989933 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.856003046 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.856019020 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.856050968 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.856446981 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.856463909 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.856478930 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.856616974 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.856981993 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.856995106 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.857064009 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.857400894 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.857465982 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.857481003 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.857518911 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.890222073 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.890256882 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.890310049 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.890326977 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.890341997 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.890355110 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.890439987 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.890707970 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.890753031 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.891439915 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.891453981 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.891468048 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.891484022 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.891495943 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.891498089 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.891515017 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.891529083 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.891557932 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.891727924 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.891753912 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.891768932 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.891793966 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.902725935 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.902962923 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.903286934 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.903357983 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.903570890 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.903584957 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.903636932 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.903678894 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.903692961 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.903740883 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.904050112 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.904494047 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.904544115 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.904566050 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.904578924 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.904620886 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.904733896 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.904901028 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.904913902 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.904938936 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.904952049 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.904953957 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.904972076 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.904997110 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.905028105 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.905575037 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.908236980 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.908297062 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.933921099 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.982393026 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.982443094 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.982479095 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.982513905 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:03.982515097 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:03.982577085 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.012788057 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.012854099 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.012885094 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.012924910 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.012958050 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.012991905 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.013025999 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.013029099 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.013098001 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.021223068 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.021384001 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.021418095 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.021451950 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.021461010 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.021488905 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.021500111 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.027765989 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.027870893 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.032684088 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.032716990 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.070729017 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.070976973 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.071012974 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.071059942 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.071085930 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.071141005 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.071779966 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.071832895 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.071888924 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.073100090 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.073129892 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.073189020 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.073784113 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.073813915 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.073868990 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.073923111 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.073993921 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.074023962 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.074044943 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.074179888 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.074297905 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.074331045 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.074354887 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.074811935 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.074863911 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.075196981 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.076070070 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.076132059 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.076296091 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.121471882 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.121541977 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.137613058 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.142573118 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.157079935 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.187741995 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.188908100 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.188963890 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.188966036 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.189017057 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.189065933 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.189066887 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.189116001 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:04.189173937 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.199547052 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.247224092 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:04.252103090 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:07.355875015 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:07.362529039 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.077682018 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.108182907 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.121596098 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.138931036 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.152730942 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.184130907 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.267925024 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.277990103 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.282882929 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.357955933 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.358006954 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.358066082 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.358159065 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.358189106 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.358246088 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.358541012 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.358577013 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.358612061 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.358663082 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.358700037 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.358757973 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.358772039 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.359008074 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.359038115 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.359069109 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.359175920 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.359204054 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.359231949 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.359621048 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.359648943 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.359690905 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.359745026 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.359778881 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.359802008 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.364290953 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.364351988 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.482995987 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.483170033 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.483205080 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.483239889 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.483252048 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.483297110 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.488450050 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.488501072 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:10.488565922 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.496721029 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:10.501696110 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:13.624078035 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:13.629488945 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:15.470177889 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:15.528093100 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:15.533096075 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:15.538882017 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:15.554799080 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:15.590244055 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:15.605875969 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:15.637245893 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:15.637370110 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:15.642118931 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:15.642208099 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:15.685239077 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:15.730901003 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:15.943691015 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:15.943802118 CEST	58709	49739	77.91.77.66	192.168.2.4
Jun 20, 2024 18:59:15.943872929 CEST	49739	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:15.965406895 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:59:15.970355988 CEST	58709	49741	77.91.77.66	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 20, 2024 18:57:40.177056074 CEST	62226	53	192.168.2.4	1.1.1.1
Jun 20, 2024 18:57:40.185633898 CEST	53	62226	1.1.1.1	192.168.2.4
Jun 20, 2024 18:57:40.888211966 CEST	59892	53	192.168.2.4	1.1.1.1
Jun 20, 2024 18:57:40.896069050 CEST	53	59892	1.1.1.1	192.168.2.4
Jun 20, 2024 18:58:03.178292036 CEST	54465	53	192.168.2.4	1.1.1.1
Jun 20, 2024 18:58:03.186853886 CEST	53	54465	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 20, 2024 18:57:40.177056074 CEST	192.168.2.4	1.1.1.1	0x3b85	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Jun 20, 2024 18:57:40.888211966 CEST	192.168.2.4	1.1.1.1	0x2b33	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false
Jun 20, 2024 18:58:03.178292036 CEST	192.168.2.4	1.1.1.1	0x3f5b	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jun 20, 2024 18:57:40.185633898 CEST	1.1.1.1	192.168.2.4	0x3b85	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false
Jun 20, 2024 18:57:40.896069050 CEST	1.1.1.1	192.168.2.4	0x2b33	No error (0)	db-ip.com	172.67.75.166	A (IP address)	IN (0x0001)	false
Jun 20, 2024 18:57:40.896069050 CEST	1.1.1.1	192.168.2.4	0x2b33	No error (0)	db-ip.com	104.26.5.15	A (IP address)	IN (0x0001)	false
Jun 20, 2024 18:57:40.896069050 CEST	1.1.1.1	192.168.2.4	0x2b33	No error (0)	db-ip.com	104.26.4.15	A (IP address)	IN (0x0001)	false
Jun 20, 2024 18:58:03.186853886 CEST	1.1.1.1	192.168.2.4	0x3f5b	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

https:

db-ip.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.4	49730	34.117.186.192	443

Timestamp	Bytes transferred	Direction	Data
2024-06-20 16:56:58 UTC	59	OUT	GET / HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2024-06-20 16:56:58 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Thu, 20 Jun 2024 16:56:58 GMT content-type: application/json; charset=utf-8 Content-Length: 319 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 1 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-20 16:56:58 UTC	319	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49742	34.117.186.192	443	7408	C:\Users\user\Desktop\YnsEArPlqx.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-20 16:57:40 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-20 16:57:40 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Thu, 20 Jun 2024 16:57:40 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-20 16:57:40 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-20 16:57:40 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49744	34.117.186.192	443	7632	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-20 16:57:40 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-20 16:57:40 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Thu, 20 Jun 2024 16:57:40 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 3 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-20 16:57:40 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-20 16:57:40 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49743	34.117.186.192	443	7640	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-20 16:57:40 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-20 16:57:41 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Thu, 20 Jun 2024 16:57:40 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 3 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-20 16:57:41 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-20 16:57:41 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49745	34.117.186.192	443	7852	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-20 16:57:41 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-20 16:57:41 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Thu, 20 Jun 2024 16:57:41 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 1 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-20 16:57:41 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-20 16:57:41 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49747	172.67.75.166	443	7632	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-20 16:57:41 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-20 16:57:41 UTC	655	IN	HTTP/1.1 200 OK Date: Thu, 20 Jun 2024 16:57:41 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: A29E9FE1:D714_93878F2E:0050_66745F85_14B39213:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HcbdHTtm2uVTP4Mc5vf6eNWdfb6Ft2A3SgY6kjX50L8q8LFjzI6%2B%2BoW3fetUlMEbQmDtEuqgEsFLQr9i10OXEsHNuErlCYvvQWSB%2FxOrhnkPQsHQPtbUJd8nLw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 896d4ca2e9d941f9-EWR alt-svc: h3=":443"; ma=86400
2024-06-20 16:57:41 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-06-20 16:57:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49746	172.67.75.166	443	7408	C:\Users\user\Desktop\YnsEArPlqx.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-20 16:57:41 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-20 16:57:41 UTC	667	IN	HTTP/1.1 200 OK Date: Thu, 20 Jun 2024 16:57:41 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC466E06:B3FC_93878F2E:0050_66745F85_14B39214:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bc0yxZJ1%2Fnb7ma9BR3PjeKUhvXaJcckcQh93aipnmSMWbqYrCU7NGVsyuegQD%2BLcIHBcW7jUZaItcvAlff7g1xZd%2F3x%2B7%2FpVb81JGTuOaOS2%2FL%2BcEkvUM8T%2B7Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 896d4ca30e1b17a5-EWR alt-svc: h3=":443"; ma=86400
2024-06-20 16:57:41 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-06-20 16:57:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49748	172.67.75.166	443	7640	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-20 16:57:41 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-20 16:57:41 UTC	653	IN	HTTP/1.1 200 OK Date: Thu, 20 Jun 2024 16:57:41 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC466ED9:BFFA_93878F2E:0050_66745F85_14C7BFE1:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8YoK0LJLyX0LAZq5adY8GhpzxjxdbYxGx1S8ymxVoqA6GU%2BhTn3wcGwGmE9tzJtzlqpobHWts%2BcIf1YkJDGeEn6yWBKW99R1sG81Qu2BLWHjKObhviKunZofEA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 896d4ca31c6a80d0-EWR alt-svc: h3=":443"; ma=86400
2024-06-20 16:57:41 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-06-20 16:57:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49749	172.67.75.166	443	7852	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-20 16:57:41 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-20 16:57:42 UTC	659	IN	HTTP/1.1 200 OK Date: Thu, 20 Jun 2024 16:57:42 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC46E715:6DD8_93878F2E:0050_66745F86_14B3922A:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vpwLOtZz2G5NUXqOespxGiz%2FBKgieP70dT%2Bw1AJLekUyzAuB0o9Yvr898O60kyoaO7M15Il%2BxNi7%2BnNSXmlkJ794u9s1krwG%2F3QT6RWpGBJyJMGwBe9WZtae8A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 896d4ca5dc397295-EWR alt-svc: h3=":443"; ma=86400
2024-06-20 16:57:42 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-06-20 16:57:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49751	34.117.186.192	443	8008	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-20 16:58:03 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-20 16:58:03 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Thu, 20 Jun 2024 16:58:03 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-20 16:58:03 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-20 16:58:03 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49752	172.67.75.166	443	8008	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-20 16:58:04 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-20 16:58:04 UTC	657	IN	HTTP/1.1 200 OK Date: Thu, 20 Jun 2024 16:58:04 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: A29E9BB3:866C_93878F2E:0050_66745F9C_14B39570:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KGJ5SYB7Y4e4XV8agE04lOslY6J3qfrwxLZu1IBBBct7GIlm5qcbzEv7gbhOBZ%2BPKJiR%2BeI8oMJKFsBnGMTKn9tQrmkXYHuk3IHdARmQfKCIbhRg7T%2F%2F70f1Dw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 896d4d31eda743bf-EWR alt-svc: h3=":443"; ma=86400
2024-06-20 16:58:04 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-06-20 16:58:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:57:10
Start date:	20/06/2024
Path:	C:\Users\user\Desktop\YnsEArPlqx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\YnsEArPlqx.exe"
Imagebase:	0x400000
File size:	3'270'672 bytes
MD5 hash:	AB8E88BFF0B907FC49B949D704490018
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	12:57:13
Start date:	20/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0x1c0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:57:13
Start date:	20/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:57:13
Start date:	20/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0x1c0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:57:13
Start date:	20/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:57:14
Start date:	20/06/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x400000
File size:	3'270'672 bytes
MD5 hash:	AB8E88BFF0B907FC49B949D704490018
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	12:57:14
Start date:	20/06/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x400000
File size:	3'270'672 bytes
MD5 hash:	AB8E88BFF0B907FC49B949D704490018
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	12:57:22
Start date:	20/06/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x400000
File size:	3'270'672 bytes
MD5 hash:	AB8E88BFF0B907FC49B949D704490018
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	12:57:30
Start date:	20/06/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x400000
File size:	3'270'672 bytes
MD5 hash:	AB8E88BFF0B907FC49B949D704490018
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	34

Executed Functions

Function 00409280 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,0054D15C,00000000,74D723A0,-00589880), ref: 004096A6
GetProcAddress.KERNEL32(00000000,?), ref: 004096B4
WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0054D15C,00000000,74D723A0,-00589880), ref: 004096C9

Strings

Ws2_32.dll, xrefs: 0040969A

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: AddressHandleModuleProcSend
String ID: Ws2_32.dll
API String ID: 2819740048-3093949381
Opcode ID: 7294c9645cf97d84db5cacd27826e0eca47045cda1462dd577437eb231bc3e12
Instruction ID: 188670ed5cfc709ed037a390f66f33add7af100e18449b0941b00ad524943a05
Opcode Fuzzy Hash: 7294c9645cf97d84db5cacd27826e0eca47045cda1462dd577437eb231bc3e12
Instruction Fuzzy Hash: 7C02CE70D04298DEDF25CFA4C8907ADBBB0EF59304F24429EE4456B2C6D7781D86CB96

Function 004C7B00 Relevance: 18.3, APIs: 12, Instructions: 279
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000370,0000FFFF,00001006,?,00000008), ref: 004C7BA6
recv.WS2_32(?,00000004,00000002), ref: 004C7BC1
WSAGetLastError.WS2_32 ref: 004C7BC5
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 004C7C43
recv.WS2_32(00000000,0000000C,00000008), ref: 004C7C64
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004C7D00
recv.WS2_32(00000000,?,00000008), ref: 004C7D1B

Part of subcall function 004C8590: WSAStartup.WS2_32 ref: 004C85BA
Part of subcall function 004C8590: getaddrinfo.WS2_32(?,?,?,00589328), ref: 004C863C
Part of subcall function 004C8590: socket.WS2_32(?,?,?), ref: 004C865D
Part of subcall function 004C8590: connect.WS2_32(00000000,00559BFC,?), ref: 004C8671
Part of subcall function 004C8590: closesocket.WS2_32(00000000), ref: 004C867D
Part of subcall function 004C8590: FreeAddrInfoW.WS2_32(?), ref: 004C868A
Part of subcall function 004C8590: WSACleanup.WS2_32 ref: 004C8690

recv.WS2_32(?,00000004,00000008), ref: 004C7E23
__Xtime_get_ticks.LIBCPMT ref: 004C7E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C7E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004C7EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004C7EB9

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectgetaddrinfosocket
String ID:
API String ID: 3089209366-0
Opcode ID: d803b51f4fef140545f14ed8f9c08ccca676a723a1ae9220af6ecf2f2423aebf
Instruction ID: b3d54dcccad81d83ab75f13ba9899d4b50e1d8608cabcccfb3508871926cac68
Opcode Fuzzy Hash: d803b51f4fef140545f14ed8f9c08ccca676a723a1ae9220af6ecf2f2423aebf
Instruction Fuzzy Hash: 9EB1AC71D043089BEB10DBA8CC49BAEBBB1BB54314F24025EE815BB2D2D7785D88DF95

Function 004C8590 Relevance: 12.1, APIs: 8, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 004C85BA
getaddrinfo.WS2_32(?,?,?,00589328), ref: 004C863C
socket.WS2_32(?,?,?), ref: 004C865D
connect.WS2_32(00000000,00559BFC,?), ref: 004C8671
closesocket.WS2_32(00000000), ref: 004C867D
FreeAddrInfoW.WS2_32(?), ref: 004C868A
WSACleanup.WS2_32 ref: 004C8690
FreeAddrInfoW.WS2_32(?), ref: 004C86A5

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
String ID:
API String ID: 448659506-0
Opcode ID: 52d29ec15fbf37ccd53ab56e21f2e3f1d11727fcf2b6a4206c2cbc59116a4c78
Instruction ID: ffa07009e3086412046aa5b15573dbd5c691e56a3beb11943292ef2f0f62f1de
Opcode Fuzzy Hash: 52d29ec15fbf37ccd53ab56e21f2e3f1d11727fcf2b6a4206c2cbc59116a4c78
Instruction Fuzzy Hash: 9531C1726043009BD7208F25DC48B2BB7E5FB94729F114B1EF9A4922E0D7759C089AA7

Function 00449789 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00448E9F: GetConsoleOutputCP.KERNEL32(E9FAE29F,00000000,00000000,?), ref: 00448F02

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0044990E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00449918

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 2beaef352ff8862ad6b8b16251cd0bd229135013537871e9a6efb1225fc67aec
Instruction ID: 4c198159cf300fc4e9085a349e24ad4d45033eb13303bb4f9288eddf9455663d
Opcode Fuzzy Hash: 2beaef352ff8862ad6b8b16251cd0bd229135013537871e9a6efb1225fc67aec
Instruction Fuzzy Hash: 9961C5B1C14119BFEF11DFA8C844AAFBBB9AF49304F14014AE800A7316D739DD05EB65

Function 00448DFF Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00448CE6,00000000,?,0057A178,0000000C,00448DA2,?,?,?), ref: 00448E55
GetLastError.KERNEL32(?,00448CE6,00000000,?,0057A178,0000000C,00448DA2,?,?,?), ref: 00448E5F

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 1fe827fdfe079599b9b1dab25e2b646f0beb01ea40d46a72429d261cc15a62e7
Instruction ID: bfed174018f4c3fae0b74bea86efe9ace0911028d3bee9629bfc5162a0057b67
Opcode Fuzzy Hash: 1fe827fdfe079599b9b1dab25e2b646f0beb01ea40d46a72429d261cc15a62e7
Instruction Fuzzy Hash: 6E1125336042102AF6252236A84677F67499B82738F39061FF918CB2D2DF689C81825D

Function 0044251C Relevance: 3.1, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00442626,?,?,?,?,?), ref: 00442558
GetLastError.KERNEL32(?,?,?,?,00442626,?,?,?,?,?,00000000,?,00000000), ref: 00442565

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 0df1753fdbe4f7a704092f8361e7cfb0c7cc0fcadc70f8748e4d2d33b1623b65
Instruction ID: bcffdd1dd92d970d4fbe8e398a8ab980657c5c2bf717c74f1f656664416c076e
Opcode Fuzzy Hash: 0df1753fdbe4f7a704092f8361e7cfb0c7cc0fcadc70f8748e4d2d33b1623b65
Instruction Fuzzy Hash: 9B012632610615BFDF158F69DC1699E3B29EB84334F240209F8019B2E1E6B5ED429BA4

Function 004032D0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0040331F

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: ac639495c118a2832fc09027b5ebf4fad0cef292c7be368858978faeea3118d5
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: 63F024321001009BCB246F61D4565EAB7ECDF28366B50083FFC8DD7292EB3EDA408788

Function 0044A65A Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001), ref: 0044A69B

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 89032516e5b3e6299283371760f336f91a06b383302663fb1c071aa923d3998c
Instruction ID: 9689b7dccde3e7d2c1426315cc49502dff6dd5535dcc2f3da2dc3831567fdc71
Opcode Fuzzy Hash: 89032516e5b3e6299283371760f336f91a06b383302663fb1c071aa923d3998c
Instruction Fuzzy Hash: 4CF0E0311905246BFB216A66DC05B5B375CAF41760F1E8117EC84EB190CA3CDC3146EE

Function 0044B094 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 0044B0C6

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c639ae0624eff34eb8e57d07392fb4ffc7a0b3e65f726cef66c68c9318aea675
Instruction ID: 07eaf642519ac51a5bd3283dd2addbb445c80e248ae9cef49388ffb333b33e8c
Opcode Fuzzy Hash: c639ae0624eff34eb8e57d07392fb4ffc7a0b3e65f726cef66c68c9318aea675
Instruction Fuzzy Hash: 99E022322006206BFF313AA69C14B5B764CEF413A3F190227EC25A62D1DB3CCC0092EE

Non-executed Functions

Function 004CF280 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 240injectionmemorysynchronizationCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 004CF2F1
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004CF30D
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 004CF342
VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 004CF36B
WriteProcessMemory.KERNEL32(?,00000000,?,00000218,00000000), ref: 004CF50F
WriteProcessMemory.KERNEL32(?,00000218,004CF5E0,-00000010,00000000), ref: 004CF531
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000218,00000000,00000000,00000000), ref: 004CF544
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004CF54D

Strings

131, xrefs: 004CF4D3, 004CF4E3
%s|%s, xrefs: 004CF4EF

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: MemoryProcessWrite$AllocVirtual$CreateObjectRemoteSingleThreadWait
String ID: %s|%s$131
API String ID: 2137838514-1629954864
Opcode ID: b88fb1ed2ebfd2a655c4879da0ce9de7ec8f2c0603ef1b71525654192dd42d6d
Instruction ID: 2ab717f03d3c912496b66fb944616d360f792c6fe5d042a247d22025e7d5b78f
Opcode Fuzzy Hash: b88fb1ed2ebfd2a655c4879da0ce9de7ec8f2c0603ef1b71525654192dd42d6d
Instruction Fuzzy Hash: 36B16BB1D002089FDB14CFA4CC95BAEBBB5FF18300F10426DE905BB291D774A984DBA5

Function 004534CF Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004535D7
IsValidCodePage.KERNEL32(?), ref: 00453615
IsValidLocale.KERNEL32(?,00000001), ref: 00453628
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00453670
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0045368B

Strings

*V, xrefs: 00453534

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: *V
API String ID: 415426439-2897881622
Opcode ID: bb3ee8500ca9cacc625c50b97d6e48ff5c53ad3e39c4a6c01d9da358df15b7ae
Instruction ID: 4a54d826d8e8e5dc964d84ffa3ac1e49b68ae0fe58eca9cd8e7cd24ca5604c7d
Opcode Fuzzy Hash: bb3ee8500ca9cacc625c50b97d6e48ff5c53ad3e39c4a6c01d9da358df15b7ae
Instruction Fuzzy Hash: 4E517471A00209AFDB20DFA5CC41ABF77B8AF05743F14446AED01E7252EB74DA48DB65

Function 004547BF Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 004549D6

Strings

1#INF, xrefs: 004548F5
1#SNAN, xrefs: 004548CB
1#IND, xrefs: 004548C4
1#QNAN, xrefs: 004548D2

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 43a42e638d961d261596a491a02aa4b2327403fcfc943c4a8adc8c2915f1bcde
Instruction ID: 95be6499ce7b8f5c3e7b75284ec9f8f0661dd908efafa341dd21629552806af8
Opcode Fuzzy Hash: 43a42e638d961d261596a491a02aa4b2327403fcfc943c4a8adc8c2915f1bcde
Instruction Fuzzy Hash: 3AD23D71E086288FDB65CE28CD507EAB7B5EB84306F1441EBD80DE7241D778AE898F45

Function 00452B5A Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8

GetACP.KERNEL32(?,?,?,?,?,?,00447300,?,?,?,?,?,-00000050,?,?,?), ref: 00452C19
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00447300,?,?,?,?,?,-00000050,?,?), ref: 00452C50
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00452DB3

Strings

utf8, xrefs: 00452D22
*V, xrefs: 00452B98

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: *V$utf8
API String ID: 607553120-210452255
Opcode ID: 95727e6ef7b94787d777f99e21165c393144e5509e4be2ad3f52f8295ffa9360
Instruction ID: 742b11dcb7ff0b0bfa38c284345f0d68b4d7ce619a9ba0daefdf44cafbbca61f
Opcode Fuzzy Hash: 95727e6ef7b94787d777f99e21165c393144e5509e4be2ad3f52f8295ffa9360
Instruction Fuzzy Hash: F071FA32600602A6D725AF75CD45B6B73A8EF16705F10042FFD05D7283EBF8E94C9699

Function 004532F3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,00453605,?,?), ref: 0045338C
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,00453605,?,?), ref: 004533B5
GetACP.KERNEL32(?,?,00453605,?,?), ref: 004533CA

Strings

OCP, xrefs: 00453347
ACP, xrefs: 00453311

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: b900ca414d4c4be95a8c6f041d08249478f894891a183a2f82a4edaf5765dc51
Instruction ID: 0023b8279c9b3e3643c8ce07df61025d6c2b7e12d2ffc4f7461f6cfcb2a1a3ae
Opcode Fuzzy Hash: b900ca414d4c4be95a8c6f041d08249478f894891a183a2f82a4edaf5765dc51
Instruction Fuzzy Hash: 8021C432600100A7DB308F54C900A9BB3A6AF50FD3B568466EC06D7312EF36EF49D358

Function 0043C960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: 01dad5c531b3804b6668612822d9feb5b6f7af541a2af8c3bc89036eeee974e8
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: DA023A71E002199BDF14CFA9D9C06AEFBB1FF48314F24926AE919B7380D735A9418B94

Function 0043361D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00433077,?,?,?,?,004C7E2F), ref: 00433655
GetSystemTimeAsFileTime.KERNEL32(?,E9FAE29F,00000000,?,00551382,000000FF,?,00433077,?,?,?,?,004C7E2F), ref: 00433659

Strings

`-@, xrefs: 0043364F

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID: `-@
API String ID: 743729956-3781167437
Opcode ID: a70e229828252f114f3dcb939b169fb3f53d7191ad82fa45b454faadf805d98c
Instruction ID: 3e04e591088ee8cc2650925c1d28f2227fba881fd4e87dc1a7d03300bd93dc66
Opcode Fuzzy Hash: a70e229828252f114f3dcb939b169fb3f53d7191ad82fa45b454faadf805d98c
Instruction Fuzzy Hash: 73F0A032904A54EFCB118F44DC11B59BBA8F708B21F004626EC12A3790DB34A9049F94

Function 00452F77 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452FCB
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00453015
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004530DB

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: f5cfd2435bfc6126f1a27ca0e302e8257e218aad689c2380b82d9cb027d6b9a4
Instruction ID: 48740d242bba4bd8a9c349c0ec2c6d2d1cd0f344531baebb5e7d544be35332ed
Opcode Fuzzy Hash: f5cfd2435bfc6126f1a27ca0e302e8257e218aad689c2380b82d9cb027d6b9a4
Instruction Fuzzy Hash: 4661C2315006079FEB249F25CC82BABB7A8EF04787F10417AED05C6686EB7CDA49CB54

Function 00438A64 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00438B5C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00438B66
UnhandledExceptionFilter.KERNEL32(?), ref: 00438B73

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 190c57a89f893cc3a60c21e64f5d89c3dc83bf777de16abb744d2c180980a4ce
Instruction ID: 8ec399b23226fa191ec5ef1820ea8a0bb8d05e2da4fe9e987d2f7c16b8c22cf0
Opcode Fuzzy Hash: 190c57a89f893cc3a60c21e64f5d89c3dc83bf777de16abb744d2c180980a4ce
Instruction Fuzzy Hash: 8331D4759013189BCB21DF65D8897CDBBB8BF08310F5051EAF81CA7251EB749B858F48

Function 00431F9C Relevance: 4.5, APIs: 3, Instructions: 35COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(000000FF,?,0041D027,?,?,?,00424721), ref: 00431FA8
FindFirstFileExW.KERNEL32(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,0041D027,?,?,?,00424721), ref: 00431FD7
GetLastError.KERNEL32(?,0041D027,?,?,?,00424721), ref: 00431FE9

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: Find$CloseErrorFileFirstLast
String ID:
API String ID: 4020440971-0
Opcode ID: b16ae3ed5c4ea8c825a7741cabbb9deee3b3ed014939fe7a26025e30d09a83a3
Instruction ID: 374c7283d1fee54890fd1da0f93e4c1b7d6ed331c4205a5270736a92a01d96fc
Opcode Fuzzy Hash: b16ae3ed5c4ea8c825a7741cabbb9deee3b3ed014939fe7a26025e30d09a83a3
Instruction Fuzzy Hash: D9F08232000208BFDB206FB5DC08DBA7BADEB18371F108626FD68C16B0D731D9A596B5

Function 0044B734 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,?,?,?,?,00447E76,?,20001004,?,00000002,?,?,00447468), ref: 0044B768

Strings

`-@, xrefs: 0044B753

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: InfoLocale
String ID: `-@
API String ID: 2299586839-3781167437
Opcode ID: 49b4b54da173fcca6da5c5c7afb6aecc463d0371a21e889a3031e465fe0a4c2b
Instruction ID: 6cde8863e94abc83afdff9d02dc43b85bf30edba8fd47250f688fa8aae92868b
Opcode Fuzzy Hash: 49b4b54da173fcca6da5c5c7afb6aecc463d0371a21e889a3031e465fe0a4c2b
Instruction Fuzzy Hash: 65E04F36500218BBEF223F61EC05EAE7F26EF447A2F008416FD0565271CB75C921BAE9

Function 0044DA86 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0044DA81,?,?,?,?,?,?,00000000), ref: 0044DCB3

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c4b844f4748ab43110d9ddc2113bf4f3516c88aed4eb779ad480f52b638fb61b
Instruction ID: a9cfdaf791ee03315f30e706cc2315f363a0b4456a4e08294abae47f684f0219
Opcode Fuzzy Hash: c4b844f4748ab43110d9ddc2113bf4f3516c88aed4eb779ad480f52b638fb61b
Instruction Fuzzy Hash: ECB15171910608DFE715CF28C48AB557BE0FF45364F25865AE899CF3A1C339E992CB44

Function 004531CA Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045321E

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: ce8f16c0568beb61190bd24bea5fc54c05911f28a5d336557b2a67b9f4554f6f
Instruction ID: c68ba993faf54d01c6f16d81f3f5077507b086e8cfab0080940638b83f1b5490
Opcode Fuzzy Hash: ce8f16c0568beb61190bd24bea5fc54c05911f28a5d336557b2a67b9f4554f6f
Instruction Fuzzy Hash: 8D219872514606ABDB189E25DC42A7BB3A8EF04756F1000BFFD01D6242EB7CDE489758

Function 00452E51 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8

EnumSystemLocalesW.KERNEL32(00452F77,00000001,00000000,?,?,?,004535AB,?), ref: 00452EC3

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ed3a15461aa07a0672f4d58e186f542e4a9ded439744096cd7c499f36c17fdd7
Instruction ID: 0b970845e1a8773270f0425e193d970e9e25a52c90aa89fa5165c8154eb0a54b
Opcode Fuzzy Hash: ed3a15461aa07a0672f4d58e186f542e4a9ded439744096cd7c499f36c17fdd7
Instruction Fuzzy Hash: 8B11593B2007014FDB189F39D99267BB7A1FF84319B14442EED8687B41D3B5B806DB44

Function 004533F9 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00453193,00000000,00000000,?), ref: 00453425

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 9fb8eb4d6cfb5dc9ab71851ad247751131481363ade4371d576ad0b9e7960359
Instruction ID: 7310505bafe8fff12ee8f5912ce4e44c5146d6de948bcf0b33cac505e4352342
Opcode Fuzzy Hash: 9fb8eb4d6cfb5dc9ab71851ad247751131481363ade4371d576ad0b9e7960359
Instruction Fuzzy Hash: 72014E336002127BDB195E25CC45BBB7764DB41797F14442AEC06A3281DA78FE45D994

Function 00452D5F Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00452DB3

Strings

utf8, xrefs: 00452D22
*V, xrefs: 00452B98

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID: *V$utf8
API String ID: 3736152602-210452255
Opcode ID: 59e00f747d9bc6cf307ab543fe27e9585fa5185e009a5a777542dc83f29e6ce8
Instruction ID: aeef1e48df53c0e1e1989da3d76282249285fc4edbaa792ed956cb55b8cc0ce8
Opcode Fuzzy Hash: 59e00f747d9bc6cf307ab543fe27e9585fa5185e009a5a777542dc83f29e6ce8
Instruction Fuzzy Hash: E3F0C832610205ABD714AF35DC4AEBB73A8DB59316F10017FF902D7282EA7CAD099768

Function 00452EEC Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8

EnumSystemLocalesW.KERNEL32(004531CA,00000001,?,?,?,?,00453573,?,?,?,?), ref: 00452F36

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: a7aabdafeecc33135d5ef59119c1dd02303f614df75aa08249f401847eac2aa8
Instruction ID: 46f5077cb0f7882f4a3a694ed1b059b17750918d15d6876221f24d4c3ab0ea03
Opcode Fuzzy Hash: a7aabdafeecc33135d5ef59119c1dd02303f614df75aa08249f401847eac2aa8
Instruction Fuzzy Hash: 38F022372003045FDB249F35AC81A7B7BA1FB82769B15842FFE068B692C2B59C02A654

Function 0044B1B1 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044424B: RtlEnterCriticalSection.NTDLL(-00588967), ref: 0044425A

EnumSystemLocalesW.KERNEL32(0044B1A4,00000001,0057A298,0000000C,0044B5D9,?,?,?,?), ref: 0044B1E9

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: c95449866fe5fa4667aabee73304f47e4942a34859e8fff04667a9b00fb14092
Instruction ID: e80e171ad64c81d089edaf6c836f83e2cf4dda05f2f2c126e8d7e53f9a4c0b50
Opcode Fuzzy Hash: c95449866fe5fa4667aabee73304f47e4942a34859e8fff04667a9b00fb14092
Instruction Fuzzy Hash: F3F04F76A00200DFE700DF99E806B9C7BF0FB59B25F10819BF810E7290DBB999049F45

Function 00452E06 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8

EnumSystemLocalesW.KERNEL32(00452D5F,00000001,?,?,?,004535CD,?,?,?,?), ref: 00452E3D

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5ffb0c9d813d6eba6d8fd2e10c847f2c312efa30acac4b18343fb8da06ef6d7e
Instruction ID: fee7300587f55c0c421301d99721cdf1a1ff6f595eefe83fa7d5e966eb6188b0
Opcode Fuzzy Hash: 5ffb0c9d813d6eba6d8fd2e10c847f2c312efa30acac4b18343fb8da06ef6d7e
Instruction Fuzzy Hash: 8FF0553A30020557CB04AF35D80666BBFA0EFC2711B06405BEE09CB392C2B99846DB94

Function 004F2FD0 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4a0174d0d62f2b1227807bd6e07e9c018e82f5f56551d9681256b3b92353b2
Instruction ID: 68aa0d5ee95f80c7a91d8174e86b503e14c67071ff11744bcabbed3cfa87bcc2
Opcode Fuzzy Hash: 4b4a0174d0d62f2b1227807bd6e07e9c018e82f5f56551d9681256b3b92353b2
Instruction Fuzzy Hash: F96270B0D002599FDB14CF59C5846BEBBB1BF84308F2481AEDA14AB346C779DA46CF94

Function 0042F580 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b9970b4e61b3a89387c81d03852b8640c12f30169ca405eadcc1892538b820
Instruction ID: 0e8ddfc969875e3dd00111f91a6503ca4c3a70c52638cfea05a5ef0fdf848abd
Opcode Fuzzy Hash: 80b9970b4e61b3a89387c81d03852b8640c12f30169ca405eadcc1892538b820
Instruction Fuzzy Hash: 1EE10276F1022A9FDB05CFA8D4816ADFBF1AF88320B5942AAD814B7340D774A945CB94

Function 0044036F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41b321b0bedac8989d8c8297ce8e3211a7e70ffbcb0090baa5e3f65be106bda
Instruction ID: 86fdf0966577921a64d033a0687854855d7760d31b02c963075edfb0c817f6d8
Opcode Fuzzy Hash: a41b321b0bedac8989d8c8297ce8e3211a7e70ffbcb0090baa5e3f65be106bda
Instruction Fuzzy Hash: 45C1DA709006069FEB24CF68C484A6BBBB1EF45304F14461FDB969B791C338ED66CB5A

Function 00452610 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 337bf9b0213a408d992dbd779b211f999c4c3a8d278f465cc99103b402b18e84
Instruction ID: 7c06e8313ae742015ce167e0291709e23a9c2e608a4b019449313ff3a09dc83f
Opcode Fuzzy Hash: 337bf9b0213a408d992dbd779b211f999c4c3a8d278f465cc99103b402b18e84
Instruction Fuzzy Hash: 21B129315007019BDB38EB65CD82AB7B3A8EF45309F14452FED43C6642EBB9E989C718

Function 00458BB0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31304fda07eb44754811e6465f7945cd712cae6a90f07cbe7a52602e90953672
Instruction ID: f297913e25a3591813c030fa515b242fba5e7fe6b87ce0d9dc90972f2508a2cf
Opcode Fuzzy Hash: 31304fda07eb44754811e6465f7945cd712cae6a90f07cbe7a52602e90953672
Instruction Fuzzy Hash: 0281FDB4A002469FDB118F69D8817BEFBF4AB2A315F04016EDC55A7383CB38990DD7A4

Function 004EFC40 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d9e1b96ebeb8905ce8cf41e2ed65b6f129fd888b54bee42289f6865976a0455
Instruction ID: 9260139a4ef8e20400bb9b6c572cac56afe306f3fbbdb3538d7680a8b6287584
Opcode Fuzzy Hash: 5d9e1b96ebeb8905ce8cf41e2ed65b6f129fd888b54bee42289f6865976a0455
Instruction Fuzzy Hash: 506195356345684FE708CF1EECD04363B52A39E30538542AAEA81C7395C576FA2EE7E0

Function 0043A928 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
Instruction ID: 0bb0d4fe57c201db2c152aeff89cf209e4ab217caaafa113e802d716cdce1c0b
Opcode Fuzzy Hash: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
Instruction Fuzzy Hash: 5B517D72D00219AFDF04CF99C940AEFBBB6FF88314F198459E955AB301D7389A50CB95

Function 004371A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 4ba24db855cab2182e42f47a77fd888252c09f86d43135b4b8e5651c7dd79236
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: B21131F724D08143EA74863DC8B46BBA795EBCD320F2D63BBE0C14BB58D52AD5459908

Function 004579E3 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 004579FC

Strings

`-@, xrefs: 00457AC6, 00457B70, 00457BB6
acos, xrefs: 00457B32
pow, xrefs: 00457A9A, 00457B44, 00457B91
log, xrefs: 00457A59, 00457A68
asin, xrefs: 00457B29
sqrt, xrefs: 00457B3B
exp, xrefs: 00457A7B, 00457AE0
log10, xrefs: 00457A3E, 00457A4D

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: DecodePointer
String ID: `-@$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3628989360
Opcode ID: 4c17630f5161de399ffce6b570c60365a2c89c55b52a7f760b39540bf94f5387
Instruction ID: bbf143f63b3841ec77cfacb8c6df481a799db6acf17f433172942b25d65e7ef2
Opcode Fuzzy Hash: 4c17630f5161de399ffce6b570c60365a2c89c55b52a7f760b39540bf94f5387
Instruction Fuzzy Hash: 1651B370808A0ACBCF109F58F84C1BEBFB1FB05309F154166D851A7266C7799A2DCB4D

Function 0041A060 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041A09D
std::_Lockit::_Lockit.LIBCPMT ref: 0041A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 0041A0E7
__Getctype.LIBCPMT ref: 0041A1C5
std::_Facet_Register.LIBCPMT ref: 0041A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 0041A223

Strings

E@, xrefs: 0041A1AE
PD@, xrefs: 0041A19A
PG@, xrefs: 0041A1BF

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: PD@$PG@$E@
API String ID: 1102183713-4120405683
Opcode ID: 495f4126c8959cda1dad90c343e93fba20469dde2e2043d742b69906c970156d
Instruction ID: b372b58ab1bb25eec4b44a09b7f8f3aef2cc67a410616163416d5e42c3dffe19
Opcode Fuzzy Hash: 495f4126c8959cda1dad90c343e93fba20469dde2e2043d742b69906c970156d
Instruction Fuzzy Hash: 6E51BAB0D01245DFCB11CF98C9457AEBBF0FB14714F14825ED855AB391DB78AA88CB92

Function 004372D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00437307
___except_validate_context_record.LIBVCRUNTIME ref: 0043730F
_ValidateLocalCookies.LIBCMT ref: 00437398
__IsNonwritableInCurrentImage.LIBCMT ref: 004373C3
_ValidateLocalCookies.LIBCMT ref: 00437418

Strings

`-@, xrefs: 004373DC
csm, xrefs: 004373AD

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: `-@$csm
API String ID: 1170836740-3738301566
Opcode ID: a837c65dc98bc53f7a591b5dada66322cfdf011b0ab20b220170fbbfaeea83fd
Instruction ID: bde692452db8eba3752ab90a3e7788ac0719a0bf92b2230e47b89eff8dfd02fd
Opcode Fuzzy Hash: a837c65dc98bc53f7a591b5dada66322cfdf011b0ab20b220170fbbfaeea83fd
Instruction Fuzzy Hash: B041F8709042099FCF20DF59C885A9FBBA4BF08328F14905BFC54AB392D739E905DB95

Function 0041C430 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041C45A
std::_Lockit::_Lockit.LIBCPMT ref: 0041C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 0041C4A4
std::_Facet_Register.LIBCPMT ref: 0041C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 0041C5C4

Strings

E@, xrefs: 0041C562
PD@, xrefs: 0041C54E

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: E@$PD@
API String ID: 459529453-4103272508
Opcode ID: fb94b052f71f665722219136562a8730e5ed9d67761b2a33bc821d4977d05291
Instruction ID: e4bc83ced0ac359faa997fd18d4eeb760fe14de2594101695cc0fd15b6690fbc
Opcode Fuzzy Hash: fb94b052f71f665722219136562a8730e5ed9d67761b2a33bc821d4977d05291
Instruction Fuzzy Hash: C351EFB0900255EFDB11CF58C991BAEBBF0FB10314F24415EE846AB381D7B9AA45CB95

Function 0044BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044BBEC

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: d7b9d7273cbfac5d15a556f8c8651b9033d93685d5a38535419dded3191b9e75
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: D5B14672D006559FEB158F24CC81BEBBBA5EF59310F2441ABE904AB382D778D901C7E9

Function 0044B37E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,0044B48D,?,?,00000000,00000001,?,?,0044B6B7,00000022,FlsSetValue,00561B88,00561B90,00000001), ref: 0044B43F

Strings

ext-ms-, xrefs: 0044B3E9
api-ms-, xrefs: 0044B3D5

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 033630484f002e070c94113c7b6ef7f262f68e90d70309fdd043a749aa00ed93
Instruction ID: e3d7dbf8d3e43151f67a2d3675c4fcd7809fc0c9af6198dcb17880ded4e1cd5b
Opcode Fuzzy Hash: 033630484f002e070c94113c7b6ef7f262f68e90d70309fdd043a749aa00ed93
Instruction Fuzzy Hash: A2212B36A01220A7E7319F619C45A6B7768EB51761F140112FC06A7392D734ED05D6D9

Function 00443633 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E9FAE29F,?,?,00000000,00551365,000000FF,?,0044360F,?,?,004435E3,00000016), ref: 00443668
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044367A
FreeLibrary.KERNEL32(00000000,?,00000000,00551365,000000FF,?,0044360F,?,?,004435E3,00000016), ref: 0044369C

Strings

`-@, xrefs: 0044368B
CorExitProcess, xrefs: 00443672
mscoree.dll, xrefs: 00443661

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$`-@$mscoree.dll
API String ID: 4061214504-3731901874
Opcode ID: 66c557226bdf84cfe892202a4e2d9d598a1facfa92736b92f61228ad13b2a6bb
Instruction ID: 11f561727bfec435161e86ab51d2faaed74d5e09c0b89d0474703e999051cdf2
Opcode Fuzzy Hash: 66c557226bdf84cfe892202a4e2d9d598a1facfa92736b92f61228ad13b2a6bb
Instruction Fuzzy Hash: 5601A232A44715AFDB219F44DC19BAFBBB8FB14B52F014526E812E27E0DB749A04CA94

Function 00432729 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00432730
std::_Lockit::_Lockit.LIBCPMT ref: 0043273B
std::_Lockit::~_Lockit.LIBCPMT ref: 004327A9

Part of subcall function 0043288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004328A4

std::locale::_Setgloballocale.LIBCPMT ref: 00432756

Strings

`-@, xrefs: 00432778, 0043279C

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID: `-@
API String ID: 677527491-3781167437
Opcode ID: 8a5613631ec3d916f95b396eb7cc43f12c5d676d84142dd5ef1a29976cc47206
Instruction ID: 335728d06f8999c9367bb6f0cb93ad347570f0e44e9dcbef2930aaa8ccdcd417
Opcode Fuzzy Hash: 8a5613631ec3d916f95b396eb7cc43f12c5d676d84142dd5ef1a29976cc47206
Instruction Fuzzy Hash: 9D01FC35A006109BC70AFB20CC5157D7BB0FF98790F44250EE81163391CFB8AE06DB89

Function 00432BC8 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00432BDC
RtlAcquireSRWLockExclusive.NTDLL(00000008), ref: 00432BFB
RtlAcquireSRWLockExclusive.NTDLL(00000008), ref: 00432C29
RtlTryAcquireSRWLockExclusive.NTDLL(00000008), ref: 00432C84
RtlTryAcquireSRWLockExclusive.NTDLL(00000008), ref: 00432C9B

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 8f089e7040faa662b45679f060ee1b8a0f0adfff173fd46cb89089840a213128
Instruction ID: ee0d2db44a198d3d02c1eb3b1b0ff5a364ec90963e300245c4d31640e9e12550
Opcode Fuzzy Hash: 8f089e7040faa662b45679f060ee1b8a0f0adfff173fd46cb89089840a213128
Instruction Fuzzy Hash: B2415931900A0ADFCB20DF65CA8096EB3B4FF0C311F20692BD446D7650D7B8E986DB69

Function 00407350 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040750C
___std_exception_destroy.LIBVCRUNTIME ref: 00407522

Strings

[json.exception., xrefs: 004073A1
)@, xrefs: 00407502, 0040751C

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )@$[json.exception.
API String ID: 4194217158-3378332251
Opcode ID: 74f1ced649a80f54c74698f2e3f1ef80366f2fbaef409b1663f26043a5eac72a
Instruction ID: d1fd1ad00dbeab1566b73d8112c34bc80c76f551163e59ed82d928a5322bc1a2
Opcode Fuzzy Hash: 74f1ced649a80f54c74698f2e3f1ef80366f2fbaef409b1663f26043a5eac72a
Instruction Fuzzy Hash: 8C51CFB1C046489BD710DFA8C905B9EBBB4FF15318F14426EE850A73C2E7B86A44C7A5

Function 00404900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040499F

Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,74D723A0,?,00431D09,?,005799D8,74D723A0,?,74D723A0,-00589880), ref: 0043525B

Strings

ios_base::failbit set, xrefs: 00404828, 00404941
ios_base::badbit set, xrefs: 00404937, 00404962
ios_base::eofbit set, xrefs: 00404946

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1903096808-1866435925
Opcode ID: 5e8fcf04681b5496c91e096f1d273a5343178b8940b0c322b64de4dd1df32f3c
Instruction ID: 99c94d1e80f512c720ba00148ae48faeb0acee82eabb402b7e5943aa58dcc262
Opcode Fuzzy Hash: 5e8fcf04681b5496c91e096f1d273a5343178b8940b0c322b64de4dd1df32f3c
Instruction Fuzzy Hash: AC119CF2844644ABCB10DF688C03BAB37C8E744715F04463EFE58972C1EB399800C79A

Function 00448E9F Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(E9FAE29F,00000000,00000000,?), ref: 00448F02

Part of subcall function 0044EC55: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0044A862,?,00000000,-00000008), ref: 0044ECB6

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00449154
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0044919A
GetLastError.KERNEL32 ref: 0044923D

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: d46c0870a8277536d77cd1fa32924c999241811f2f15ebdbc3735bbe4b8907ba
Instruction ID: b6f9ea87837ca93654473fd2bae4ec290e60b55bc3ade45d2d9d29a5185f0d60
Opcode Fuzzy Hash: d46c0870a8277536d77cd1fa32924c999241811f2f15ebdbc3735bbe4b8907ba
Instruction Fuzzy Hash: 70D1BC75D00249AFDF14CFA8C880AAEBBB5FF09304F28456AE856EB351D734AD45CB54

Function 00456D32 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000,?,?,00453DCE,?,00000001,?,?,?,00449291,?,00000000,00000000), ref: 00456D49
GetLastError.KERNEL32(?,00453DCE,?,00000001,?,?,?,00449291,?,00000000,00000000,?,?,?,0044986B,?), ref: 00456D55

Part of subcall function 00456D1B: CloseHandle.KERNEL32(FFFFFFFE,00456D65,?,00453DCE,?,00000001,?,?,?,00449291,?,00000000,00000000,?,?), ref: 00456D2B

___initconout.LIBCMT ref: 00456D65

Part of subcall function 00456CDD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00456D0C,00453DBB,?,?,00449291,?,00000000,00000000,?), ref: 00456CF0

WriteConsoleW.KERNEL32(?,?,?,00000000,?,00453DCE,?,00000001,?,?,?,00449291,?,00000000,00000000,?), ref: 00456D7A

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 6d252f6c85546040703605b5d122fbb434f3c9b6b34be8e7cd3f73b3df330617
Instruction ID: b582005f90f2c4d159ccd48a3422ceca8e6e351b7b3b67145bbef734a6de3f3c
Opcode Fuzzy Hash: 6d252f6c85546040703605b5d122fbb434f3c9b6b34be8e7cd3f73b3df330617
Instruction Fuzzy Hash: F4F01C37500518BBCF221FD1DC18A8A3F76EB583A2B814415FE0D96231D6328928EB94

Function 004036E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00403819
___std_exception_destroy.LIBVCRUNTIME ref: 004038F0

Strings

)@, xrefs: 004037ED, 004038EA

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: )@
API String ID: 2970364248-4120265097
Opcode ID: d74468ffd67e1f67a533358448dba50ed35dce3ee86280088cdc18d36a5f914b
Instruction ID: 269ef50febfdc4b1c22cf7239a576f40f0b19685bcb009e1facc48eb6157c32a
Opcode Fuzzy Hash: d74468ffd67e1f67a533358448dba50ed35dce3ee86280088cdc18d36a5f914b
Instruction Fuzzy Hash: DD6169B1C00248DBDB10DF98C945B9EFFB5FF19324F14825EE814AB282D7B95A44CBA5

Function 004047F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040499F

Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,74D723A0,?,00431D09,?,005799D8,74D723A0,?,74D723A0,-00589880), ref: 0043525B

Strings

ios_base::failbit set, xrefs: 00404828
ios_base::badbit set, xrefs: 00404937, 00404962

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 1903096808-1240500531
Opcode ID: 8193a8ffeaccef37eb783ff7fe0bdc902a64c2974526b8af49cedd0c2b6b92ef
Instruction ID: 59789774a96eacd1a5b8f49c51d8e497543063f0a2ed12b155596828dbf76f3a
Opcode Fuzzy Hash: 8193a8ffeaccef37eb783ff7fe0bdc902a64c2974526b8af49cedd0c2b6b92ef
Instruction Fuzzy Hash: E84124B2C00244ABCB04DF68C845BAEBBB8FB49710F14826EF554A73C1D7795A00CBA5

Function 00404040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004040C4

Strings

bad locale name, xrefs: 004040E6

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 0039d2d2ea2786ef81fe116e8b864d57793cf36a19fa060d6cb0c255b1586cee
Instruction ID: 65c2995a4cce64452fc0e082f9126f7f9302ed92d60cad1113ce5137d9e79936
Opcode Fuzzy Hash: 0039d2d2ea2786ef81fe116e8b864d57793cf36a19fa060d6cb0c255b1586cee
Instruction Fuzzy Hash: DB112670805B84EED321CF69C50474BBFF0AF25714F10868DD09597781D3B9A604CB95

Function 00416590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004165C9
___std_exception_copy.LIBVCRUNTIME ref: 004165FC

Strings

)@, xrefs: 004165BA, 004165ED

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ___std_exception_copy
String ID: )@
API String ID: 2659868963-4120265097
Opcode ID: ec459901e9a8c12f2536e06f4ce64afd8286d8aca2aa337d2d7da09c98386d96
Instruction ID: 79ebb971947c26e29da123751e765caa72f3f100f47198c89106861aa63fe252
Opcode Fuzzy Hash: ec459901e9a8c12f2536e06f4ce64afd8286d8aca2aa337d2d7da09c98386d96
Instruction Fuzzy Hash: F0112EB6910649EBCB11CF99C980B86FBF8FF09724F10876AE82497641E774A5448BA0

Function 00407A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00407A5C
___std_exception_destroy.LIBVCRUNTIME ref: 00407A72

Strings

)@, xrefs: 00407A52, 00407A6C

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )@
API String ID: 4194217158-4120265097
Opcode ID: 9ee8fa866bcea9d2c14fc14309fcadf8facde4318e0e6bb098ed358a1a235593
Instruction ID: 96290d15a7b89a27e7413382239de33ac52fdad5c525fa7f0e86a9c1871ea130
Opcode Fuzzy Hash: 9ee8fa866bcea9d2c14fc14309fcadf8facde4318e0e6bb098ed358a1a235593
Instruction Fuzzy Hash: 68F012B1805744DFC711DF98C90178DFFF8FB05728F50466AE855A3780E7B5660487A5

Function 0044B7F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000016,00000001,004389D2,00000001,00000016,00438BE1,?,?,?,?,?,00000000), ref: 0044B834

Strings

`-@, xrefs: 0044B824
InitializeCriticalSectionEx, xrefs: 0044B804

Memory Dump Source

Source File: 00000000.00000002.3053233972.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3053185131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053500918.0000000000585000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053601538.0000000000596000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000598000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000074F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000751000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000753000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000757000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000759000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000760000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000766000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000768000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000076C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000770000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000772000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000774000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000776000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.0000000000782000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007AE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007B3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3053643608.00000000007BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3055032532.0000000000980000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YnsEArPlqx.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$`-@
API String ID: 2593887523-3269949891
Opcode ID: 1f2253b5c78e33ee57fe7f30907939316c5faef6f9275bf3e632fad4f43c2f0e
Instruction ID: 5bcc12c1b0658f8dc7434a33690804c70bb56e7eadbb0958c8ec10a8e9d05d13
Opcode Fuzzy Hash: 1f2253b5c78e33ee57fe7f30907939316c5faef6f9275bf3e632fad4f43c2f0e
Instruction Fuzzy Hash: BDE09236581318BBCB212F92DC06DAE7F25EB24BA2F048022FD1956161C7768821BBD9

Analysis Process: MPGPH131.exePID: 7632, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1941
Total number of Limit Nodes:	35

Executed Functions

Function 004C7B00 Relevance: 18.3, APIs: 12, Instructions: 279
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000338,0000FFFF,00001006,?,00000008), ref: 004C7BA6
recv.WS2_32(?,00000004,00000002), ref: 004C7BC1
WSAGetLastError.WS2_32 ref: 004C7BC5
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 004C7C43
recv.WS2_32(00000000,0000000C,00000008), ref: 004C7C64
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004C7D00
recv.WS2_32(00000000,?,00000008), ref: 004C7D1B

Part of subcall function 004C8590: WSAStartup.WS2_32 ref: 004C85BA
Part of subcall function 004C8590: getaddrinfo.WS2_32(?,?,?,00589328), ref: 004C863C
Part of subcall function 004C8590: socket.WS2_32(?,?,?), ref: 004C865D
Part of subcall function 004C8590: connect.WS2_32(00000000,00559BFC,?), ref: 004C8671
Part of subcall function 004C8590: closesocket.WS2_32(00000000), ref: 004C867D
Part of subcall function 004C8590: FreeAddrInfoW.WS2_32(?), ref: 004C868A
Part of subcall function 004C8590: WSACleanup.WS2_32 ref: 004C8690

recv.WS2_32(?,00000004,00000008), ref: 004C7E23
__Xtime_get_ticks.LIBCPMT ref: 004C7E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C7E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004C7EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004C7EB9

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectgetaddrinfosocket
String ID:
API String ID: 3089209366-0
Opcode ID: 8d3946fe3169219faa6fe5bee61fed8aa12524093e2a17fd3f9cf1df00312f66
Instruction ID: b3d54dcccad81d83ab75f13ba9899d4b50e1d8608cabcccfb3508871926cac68
Opcode Fuzzy Hash: 8d3946fe3169219faa6fe5bee61fed8aa12524093e2a17fd3f9cf1df00312f66
Instruction Fuzzy Hash: 9EB1AC71D043089BEB10DBA8CC49BAEBBB1BB54314F24025EE815BB2D2D7785D88DF95

Function 004C8590 Relevance: 12.1, APIs: 8, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 004C85BA
getaddrinfo.WS2_32(?,?,?,00589328), ref: 004C863C
socket.WS2_32(?,?,?), ref: 004C865D
connect.WS2_32(00000000,00559BFC,?), ref: 004C8671
closesocket.WS2_32(00000000), ref: 004C867D
FreeAddrInfoW.WS2_32(?), ref: 004C868A
WSACleanup.WS2_32 ref: 004C8690
FreeAddrInfoW.WS2_32(?), ref: 004C86A5

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
String ID:
API String ID: 448659506-0
Opcode ID: 52d29ec15fbf37ccd53ab56e21f2e3f1d11727fcf2b6a4206c2cbc59116a4c78
Instruction ID: ffa07009e3086412046aa5b15573dbd5c691e56a3beb11943292ef2f0f62f1de
Opcode Fuzzy Hash: 52d29ec15fbf37ccd53ab56e21f2e3f1d11727fcf2b6a4206c2cbc59116a4c78
Instruction Fuzzy Hash: 9531C1726043009BD7208F25DC48B2BB7E5FB94729F114B1EF9A4922E0D7759C089AA7

Function 00409280 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,0054D15C,00000000,74D723A0,-00589880), ref: 004096A6
GetProcAddress.KERNEL32(00000000,?), ref: 004096B4
WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0054D15C,00000000,74D723A0,-00589880), ref: 004096C9

Strings

Ws2_32.dll, xrefs: 0040969A

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: AddressHandleModuleProcSend
String ID: Ws2_32.dll
API String ID: 2819740048-3093949381
Opcode ID: 0c5b624b17a65c434d4aee340a1faa291cdcfc0b514f52879977d9ab4ae146b8
Instruction ID: 188670ed5cfc709ed037a390f66f33add7af100e18449b0941b00ad524943a05
Opcode Fuzzy Hash: 0c5b624b17a65c434d4aee340a1faa291cdcfc0b514f52879977d9ab4ae146b8
Instruction Fuzzy Hash: 7C02CE70D04298DEDF25CFA4C8907ADBBB0EF59304F24429EE4456B2C6D7781D86CB96

Function 004C7EF0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 399
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8.46.123.33, xrefs: 004C7F78
`", xrefs: 004C7FC6

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID:
String ID: 8.46.123.33$`"
API String ID: 0-2723457641
Opcode ID: 62be95e75bfc9955406362dd2ba270c5b44af2c2caadd96de6633b75f5f62eae
Instruction ID: 65307ecbef6fb9e01e3d4ad067897c34c173f6a72c2a6aa1ef5fcaa49911cde8
Opcode Fuzzy Hash: 62be95e75bfc9955406362dd2ba270c5b44af2c2caadd96de6633b75f5f62eae
Instruction Fuzzy Hash: 0E02A070D04248DFDB14DF68C945BDDBBB0AB14308F14419ED8057B386EBB95E88DB9A

Function 00449789 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00448E9F: GetConsoleOutputCP.KERNEL32(E81620C6,00000000,00000000,?), ref: 00448F02

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0044990E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00449918

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 2beaef352ff8862ad6b8b16251cd0bd229135013537871e9a6efb1225fc67aec
Instruction ID: 4c198159cf300fc4e9085a349e24ad4d45033eb13303bb4f9288eddf9455663d
Opcode Fuzzy Hash: 2beaef352ff8862ad6b8b16251cd0bd229135013537871e9a6efb1225fc67aec
Instruction Fuzzy Hash: 9961C5B1C14119BFEF11DFA8C844AAFBBB9AF49304F14014AE800A7316D739DD05EB65

Function 00448DFF Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00448CE6,00000000,?,0057A178,0000000C,00448DA2,?,?,?), ref: 00448E55
GetLastError.KERNEL32(?,00448CE6,00000000,?,0057A178,0000000C,00448DA2,?,?,?), ref: 00448E5F

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 1fe827fdfe079599b9b1dab25e2b646f0beb01ea40d46a72429d261cc15a62e7
Instruction ID: bfed174018f4c3fae0b74bea86efe9ace0911028d3bee9629bfc5162a0057b67
Opcode Fuzzy Hash: 1fe827fdfe079599b9b1dab25e2b646f0beb01ea40d46a72429d261cc15a62e7
Instruction Fuzzy Hash: 6E1125336042102AF6252236A84677F67499B82738F39061FF918CB2D2DF689C81825D

Function 0044251C Relevance: 3.1, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00442626,?,?,?,?,?), ref: 00442558
GetLastError.KERNEL32(?,?,?,?,00442626,?,?,?,?,?,00000000,?,00000000), ref: 00442565

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 0df1753fdbe4f7a704092f8361e7cfb0c7cc0fcadc70f8748e4d2d33b1623b65
Instruction ID: bcffdd1dd92d970d4fbe8e398a8ab980657c5c2bf717c74f1f656664416c076e
Opcode Fuzzy Hash: 0df1753fdbe4f7a704092f8361e7cfb0c7cc0fcadc70f8748e4d2d33b1623b65
Instruction Fuzzy Hash: 9B012632610615BFDF158F69DC1699E3B29EB84334F240209F8019B2E1E6B5ED429BA4

Function 0044B01A Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00451B48,?,00000000,?,?,00451DE9,?,00000007,?,?,004522DD,?,?), ref: 0044B030
GetLastError.KERNEL32(?,?,00451B48,?,00000000,?,?,00451DE9,?,00000007,?,?,004522DD,?,?), ref: 0044B03B

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1c4e9b2b04b0a897153f19679bc75b8cfe8e1d75e6b310813c54f5389fc1414e
Instruction ID: f233056e1464041c82b2d36bf1c88bdb576215b3e64377b8de55bab97aefa9e3
Opcode Fuzzy Hash: 1c4e9b2b04b0a897153f19679bc75b8cfe8e1d75e6b310813c54f5389fc1414e
Instruction Fuzzy Hash: 66E08C32100204ABEB212FA5AC0CB9A3B69EF00756F15802AF608971B0DB38C894D798

Function 00429E20 Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00429F7B

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 89231c32f34513f3653cdb43c5981eaf783eb102a5dde278478019f5030ff27f
Instruction ID: efe4cd6a287aa12a83b409d23e88dd93d6c4865ddef84cf0d949cd52fc0f7608
Opcode Fuzzy Hash: 89231c32f34513f3653cdb43c5981eaf783eb102a5dde278478019f5030ff27f
Instruction Fuzzy Hash: AA410271E001259FCB14DF68C9419AEBBB9EB89310F64422EE815E7381D738DE01CBE4

Function 004032D0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0040331F

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: ac639495c118a2832fc09027b5ebf4fad0cef292c7be368858978faeea3118d5
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: 63F024321001009BCB246F61D4565EAB7ECDF28366B50083FFC8DD7292EB3EDA408788

Function 0044A65A Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001), ref: 0044A69B

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 89032516e5b3e6299283371760f336f91a06b383302663fb1c071aa923d3998c
Instruction ID: 9689b7dccde3e7d2c1426315cc49502dff6dd5535dcc2f3da2dc3831567fdc71
Opcode Fuzzy Hash: 89032516e5b3e6299283371760f336f91a06b383302663fb1c071aa923d3998c
Instruction Fuzzy Hash: 4CF0E0311905246BFB216A66DC05B5B375CAF41760F1E8117EC84EB190CA3CDC3146EE

Function 0044B094 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 0044B0C6

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c639ae0624eff34eb8e57d07392fb4ffc7a0b3e65f726cef66c68c9318aea675
Instruction ID: 07eaf642519ac51a5bd3283dd2addbb445c80e248ae9cef49388ffb333b33e8c
Opcode Fuzzy Hash: c639ae0624eff34eb8e57d07392fb4ffc7a0b3e65f726cef66c68c9318aea675
Instruction Fuzzy Hash: 99E022322006206BFF313AA69C14B5B764CEF413A3F190227EC25A62D1DB3CCC0092EE

Non-executed Functions

Function 004CF280 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 240injectionmemorysynchronizationCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 004CF2F1
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004CF30D
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 004CF342
VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 004CF36B
WriteProcessMemory.KERNEL32(?,00000000,?,00000218,00000000), ref: 004CF50F
WriteProcessMemory.KERNEL32(?,00000218,004CF5E0,-00000010,00000000), ref: 004CF531
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000218,00000000,00000000,00000000), ref: 004CF544
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004CF54D

Strings

131, xrefs: 004CF4D3, 004CF4E3
%s|%s, xrefs: 004CF4EF

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: MemoryProcessWrite$AllocVirtual$CreateObjectRemoteSingleThreadWait
String ID: %s|%s$131
API String ID: 2137838514-1629954864
Opcode ID: 56832ecef500e677efd1bb06992289c8d25f2aec25ece3c31dc7adbce4683aa5
Instruction ID: 2ab717f03d3c912496b66fb944616d360f792c6fe5d042a247d22025e7d5b78f
Opcode Fuzzy Hash: 56832ecef500e677efd1bb06992289c8d25f2aec25ece3c31dc7adbce4683aa5
Instruction Fuzzy Hash: 36B16BB1D002089FDB14CFA4CC95BAEBBB5FF18300F10426DE905BB291D774A984DBA5

Function 004534CF Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004535D7
IsValidCodePage.KERNEL32(?), ref: 00453615
IsValidLocale.KERNEL32(?,00000001), ref: 00453628
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00453670
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0045368B

Strings

*V, xrefs: 00453534

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: *V
API String ID: 415426439-2897881622
Opcode ID: bb3ee8500ca9cacc625c50b97d6e48ff5c53ad3e39c4a6c01d9da358df15b7ae
Instruction ID: 4a54d826d8e8e5dc964d84ffa3ac1e49b68ae0fe58eca9cd8e7cd24ca5604c7d
Opcode Fuzzy Hash: bb3ee8500ca9cacc625c50b97d6e48ff5c53ad3e39c4a6c01d9da358df15b7ae
Instruction Fuzzy Hash: 4E517471A00209AFDB20DFA5CC41ABF77B8AF05743F14446AED01E7252EB74DA48DB65

Function 00452B5A Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8

GetACP.KERNEL32(?,?,?,?,?,?,00447300,?,?,?,?,?,-00000050,?,?,?), ref: 00452C19
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00447300,?,?,?,?,?,-00000050,?,?), ref: 00452C50
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00452DB3

Strings

*V, xrefs: 00452B98
utf8, xrefs: 00452D22

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: *V$utf8
API String ID: 607553120-210452255
Opcode ID: 95727e6ef7b94787d777f99e21165c393144e5509e4be2ad3f52f8295ffa9360
Instruction ID: 742b11dcb7ff0b0bfa38c284345f0d68b4d7ce619a9ba0daefdf44cafbbca61f
Opcode Fuzzy Hash: 95727e6ef7b94787d777f99e21165c393144e5509e4be2ad3f52f8295ffa9360
Instruction Fuzzy Hash: F071FA32600602A6D725AF75CD45B6B73A8EF16705F10042FFD05D7283EBF8E94C9699

Function 004532F3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,00453605,?,?), ref: 0045338C
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,00453605,?,?), ref: 004533B5
GetACP.KERNEL32(?,?,00453605,?,?), ref: 004533CA

Strings

OCP, xrefs: 00453347
ACP, xrefs: 00453311

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: b900ca414d4c4be95a8c6f041d08249478f894891a183a2f82a4edaf5765dc51
Instruction ID: 0023b8279c9b3e3643c8ce07df61025d6c2b7e12d2ffc4f7461f6cfcb2a1a3ae
Opcode Fuzzy Hash: b900ca414d4c4be95a8c6f041d08249478f894891a183a2f82a4edaf5765dc51
Instruction Fuzzy Hash: 8021C432600100A7DB308F54C900A9BB3A6AF50FD3B568466EC06D7312EF36EF49D358

Function 0043C960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: 01dad5c531b3804b6668612822d9feb5b6f7af541a2af8c3bc89036eeee974e8
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: DA023A71E002199BDF14CFA9D9C06AEFBB1FF48314F24926AE919B7380D735A9418B94

Function 004579E3 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 004579FC

Strings

exp, xrefs: 00457A7B, 00457AE0
sqrt, xrefs: 00457B3B
log10, xrefs: 00457A3E, 00457A4D
asin, xrefs: 00457B29
acos, xrefs: 00457B32
`-@, xrefs: 00457AC6, 00457B70, 00457BB6
pow, xrefs: 00457A9A, 00457B44, 00457B91
log, xrefs: 00457A59, 00457A68

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: DecodePointer
String ID: `-@$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3628989360
Opcode ID: 4c17630f5161de399ffce6b570c60365a2c89c55b52a7f760b39540bf94f5387
Instruction ID: bbf143f63b3841ec77cfacb8c6df481a799db6acf17f433172942b25d65e7ef2
Opcode Fuzzy Hash: 4c17630f5161de399ffce6b570c60365a2c89c55b52a7f760b39540bf94f5387
Instruction Fuzzy Hash: 1651B370808A0ACBCF109F58F84C1BEBFB1FB05309F154166D851A7266C7799A2DCB4D

Function 0041A060 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041A09D
std::_Lockit::_Lockit.LIBCPMT ref: 0041A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 0041A0E7
__Getctype.LIBCPMT ref: 0041A1C5
std::_Facet_Register.LIBCPMT ref: 0041A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 0041A223

Strings

PG@, xrefs: 0041A1BF
E@, xrefs: 0041A1AE
PD@, xrefs: 0041A19A

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: PD@$PG@$E@
API String ID: 1102183713-4120405683
Opcode ID: 495f4126c8959cda1dad90c343e93fba20469dde2e2043d742b69906c970156d
Instruction ID: b372b58ab1bb25eec4b44a09b7f8f3aef2cc67a410616163416d5e42c3dffe19
Opcode Fuzzy Hash: 495f4126c8959cda1dad90c343e93fba20469dde2e2043d742b69906c970156d
Instruction Fuzzy Hash: 6E51BAB0D01245DFCB11CF98C9457AEBBF0FB14714F14825ED855AB391DB78AA88CB92

Function 004372D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00437307
___except_validate_context_record.LIBVCRUNTIME ref: 0043730F
_ValidateLocalCookies.LIBCMT ref: 00437398
__IsNonwritableInCurrentImage.LIBCMT ref: 004373C3
_ValidateLocalCookies.LIBCMT ref: 00437418

Strings

csm, xrefs: 004373AD
`-@, xrefs: 004373DC

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: `-@$csm
API String ID: 1170836740-3738301566
Opcode ID: a837c65dc98bc53f7a591b5dada66322cfdf011b0ab20b220170fbbfaeea83fd
Instruction ID: bde692452db8eba3752ab90a3e7788ac0719a0bf92b2230e47b89eff8dfd02fd
Opcode Fuzzy Hash: a837c65dc98bc53f7a591b5dada66322cfdf011b0ab20b220170fbbfaeea83fd
Instruction Fuzzy Hash: B041F8709042099FCF20DF59C885A9FBBA4BF08328F14905BFC54AB392D739E905DB95

Function 0041C430 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041C45A
std::_Lockit::_Lockit.LIBCPMT ref: 0041C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 0041C4A4
std::_Facet_Register.LIBCPMT ref: 0041C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 0041C5C4

Strings

E@, xrefs: 0041C562
PD@, xrefs: 0041C54E

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: E@$PD@
API String ID: 459529453-4103272508
Opcode ID: fb94b052f71f665722219136562a8730e5ed9d67761b2a33bc821d4977d05291
Instruction ID: e4bc83ced0ac359faa997fd18d4eeb760fe14de2594101695cc0fd15b6690fbc
Opcode Fuzzy Hash: fb94b052f71f665722219136562a8730e5ed9d67761b2a33bc821d4977d05291
Instruction Fuzzy Hash: C351EFB0900255EFDB11CF58C991BAEBBF0FB10314F24415EE846AB381D7B9AA45CB95

Function 0044BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044BBEC

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: d7b9d7273cbfac5d15a556f8c8651b9033d93685d5a38535419dded3191b9e75
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: D5B14672D006559FEB158F24CC81BEBBBA5EF59310F2441ABE904AB382D778D901C7E9

Function 0044B37E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,0044B48D,?,?,00000000,00000001,?,?,0044B6B7,00000022,FlsSetValue,00561B88,00561B90,00000001), ref: 0044B43F

Strings

ext-ms-, xrefs: 0044B3E9
api-ms-, xrefs: 0044B3D5

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 033630484f002e070c94113c7b6ef7f262f68e90d70309fdd043a749aa00ed93
Instruction ID: e3d7dbf8d3e43151f67a2d3675c4fcd7809fc0c9af6198dcb17880ded4e1cd5b
Opcode Fuzzy Hash: 033630484f002e070c94113c7b6ef7f262f68e90d70309fdd043a749aa00ed93
Instruction Fuzzy Hash: A2212B36A01220A7E7319F619C45A6B7768EB51761F140112FC06A7392D734ED05D6D9

Function 00443633 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E81620C6,?,?,00000000,00551365,000000FF,?,0044360F,?,?,004435E3,00000016), ref: 00443668
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044367A
FreeLibrary.KERNEL32(00000000,?,00000000,00551365,000000FF,?,0044360F,?,?,004435E3,00000016), ref: 0044369C

Strings

mscoree.dll, xrefs: 00443661
CorExitProcess, xrefs: 00443672
`-@, xrefs: 0044368B

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$`-@$mscoree.dll
API String ID: 4061214504-3731901874
Opcode ID: 66c557226bdf84cfe892202a4e2d9d598a1facfa92736b92f61228ad13b2a6bb
Instruction ID: 11f561727bfec435161e86ab51d2faaed74d5e09c0b89d0474703e999051cdf2
Opcode Fuzzy Hash: 66c557226bdf84cfe892202a4e2d9d598a1facfa92736b92f61228ad13b2a6bb
Instruction Fuzzy Hash: 5601A232A44715AFDB219F44DC19BAFBBB8FB14B52F014526E812E27E0DB749A04CA94

Function 00432729 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00432730
std::_Lockit::_Lockit.LIBCPMT ref: 0043273B
std::_Lockit::~_Lockit.LIBCPMT ref: 004327A9

Part of subcall function 0043288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004328A4

std::locale::_Setgloballocale.LIBCPMT ref: 00432756

Strings

`-@, xrefs: 00432778, 0043279C

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID: `-@
API String ID: 677527491-3781167437
Opcode ID: 8a5613631ec3d916f95b396eb7cc43f12c5d676d84142dd5ef1a29976cc47206
Instruction ID: 335728d06f8999c9367bb6f0cb93ad347570f0e44e9dcbef2930aaa8ccdcd417
Opcode Fuzzy Hash: 8a5613631ec3d916f95b396eb7cc43f12c5d676d84142dd5ef1a29976cc47206
Instruction Fuzzy Hash: 9D01FC35A006109BC70AFB20CC5157D7BB0FF98790F44250EE81163391CFB8AE06DB89

Function 00432BC8 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00432BDC
RtlAcquireSRWLockExclusive.NTDLL(00000008), ref: 00432BFB
RtlAcquireSRWLockExclusive.NTDLL(00000008), ref: 00432C29
RtlTryAcquireSRWLockExclusive.NTDLL(00000008), ref: 00432C84
RtlTryAcquireSRWLockExclusive.NTDLL(00000008), ref: 00432C9B

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 8f089e7040faa662b45679f060ee1b8a0f0adfff173fd46cb89089840a213128
Instruction ID: ee0d2db44a198d3d02c1eb3b1b0ff5a364ec90963e300245c4d31640e9e12550
Opcode Fuzzy Hash: 8f089e7040faa662b45679f060ee1b8a0f0adfff173fd46cb89089840a213128
Instruction Fuzzy Hash: B2415931900A0ADFCB20DF65CA8096EB3B4FF0C311F20692BD446D7650D7B8E986DB69

Function 00407350 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040750C
___std_exception_destroy.LIBVCRUNTIME ref: 00407522

Strings

)@, xrefs: 00407502, 0040751C
[json.exception., xrefs: 004073A1

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )@$[json.exception.
API String ID: 4194217158-3378332251
Opcode ID: 4652241d20ade2deec45ea96ce2d830c3218ea46f2c4051146d7c77cfc23a2b6
Instruction ID: d1fd1ad00dbeab1566b73d8112c34bc80c76f551163e59ed82d928a5322bc1a2
Opcode Fuzzy Hash: 4652241d20ade2deec45ea96ce2d830c3218ea46f2c4051146d7c77cfc23a2b6
Instruction Fuzzy Hash: 8C51CFB1C046489BD710DFA8C905B9EBBB4FF15318F14426EE850A73C2E7B86A44C7A5

Function 00404900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040499F

Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,74D723A0,?,00431D09,?,005799D8,74D723A0,?,74D723A0,-00589880), ref: 0043525B

Strings

ios_base::badbit set, xrefs: 00404937, 00404962
ios_base::eofbit set, xrefs: 00404946
ios_base::failbit set, xrefs: 00404828, 00404941

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1903096808-1866435925
Opcode ID: 5e8fcf04681b5496c91e096f1d273a5343178b8940b0c322b64de4dd1df32f3c
Instruction ID: 99c94d1e80f512c720ba00148ae48faeb0acee82eabb402b7e5943aa58dcc262
Opcode Fuzzy Hash: 5e8fcf04681b5496c91e096f1d273a5343178b8940b0c322b64de4dd1df32f3c
Instruction Fuzzy Hash: AC119CF2844644ABCB10DF688C03BAB37C8E744715F04463EFE58972C1EB399800C79A

Function 00448E9F Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(E81620C6,00000000,00000000,?), ref: 00448F02

Part of subcall function 0044EC55: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0044A862,?,00000000,-00000008), ref: 0044ECB6

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00449154
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0044919A
GetLastError.KERNEL32 ref: 0044923D

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: d46c0870a8277536d77cd1fa32924c999241811f2f15ebdbc3735bbe4b8907ba
Instruction ID: b6f9ea87837ca93654473fd2bae4ec290e60b55bc3ade45d2d9d29a5185f0d60
Opcode Fuzzy Hash: d46c0870a8277536d77cd1fa32924c999241811f2f15ebdbc3735bbe4b8907ba
Instruction Fuzzy Hash: 70D1BC75D00249AFDF14CFA8C880AAEBBB5FF09304F28456AE856EB351D734AD45CB54

Function 00456D32 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000,?,?,00453DCE,?,00000001,?,?,?,00449291,?,00000000,00000000), ref: 00456D49
GetLastError.KERNEL32(?,00453DCE,?,00000001,?,?,?,00449291,?,00000000,00000000,?,?,?,0044986B,?), ref: 00456D55

Part of subcall function 00456D1B: CloseHandle.KERNEL32(FFFFFFFE,00456D65,?,00453DCE,?,00000001,?,?,?,00449291,?,00000000,00000000,?,?), ref: 00456D2B

___initconout.LIBCMT ref: 00456D65

Part of subcall function 00456CDD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00456D0C,00453DBB,?,?,00449291,?,00000000,00000000,?), ref: 00456CF0

WriteConsoleW.KERNEL32(?,?,?,00000000,?,00453DCE,?,00000001,?,?,?,00449291,?,00000000,00000000,?), ref: 00456D7A

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 6d252f6c85546040703605b5d122fbb434f3c9b6b34be8e7cd3f73b3df330617
Instruction ID: b582005f90f2c4d159ccd48a3422ceca8e6e351b7b3b67145bbef734a6de3f3c
Opcode Fuzzy Hash: 6d252f6c85546040703605b5d122fbb434f3c9b6b34be8e7cd3f73b3df330617
Instruction Fuzzy Hash: F4F01C37500518BBCF221FD1DC18A8A3F76EB583A2B814415FE0D96231D6328928EB94

Function 004036E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00403819
___std_exception_destroy.LIBVCRUNTIME ref: 004038F0

Strings

)@, xrefs: 004037ED, 004038EA

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: )@
API String ID: 2970364248-4120265097
Opcode ID: bc0d8998ef7677fe248552ffb990bdda24e50fd16254b161269e6276ba7dcb2c
Instruction ID: 269ef50febfdc4b1c22cf7239a576f40f0b19685bcb009e1facc48eb6157c32a
Opcode Fuzzy Hash: bc0d8998ef7677fe248552ffb990bdda24e50fd16254b161269e6276ba7dcb2c
Instruction Fuzzy Hash: DD6169B1C00248DBDB10DF98C945B9EFFB5FF19324F14825EE814AB282D7B95A44CBA5

Function 004047F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040499F

Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,74D723A0,?,00431D09,?,005799D8,74D723A0,?,74D723A0,-00589880), ref: 0043525B

Strings

ios_base::badbit set, xrefs: 00404937, 00404962
ios_base::failbit set, xrefs: 00404828

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 1903096808-1240500531
Opcode ID: c1627b7a904a1720a38adf2e22fc85e0473b9d2390fa8136052c714cdea77bf3
Instruction ID: 59789774a96eacd1a5b8f49c51d8e497543063f0a2ed12b155596828dbf76f3a
Opcode Fuzzy Hash: c1627b7a904a1720a38adf2e22fc85e0473b9d2390fa8136052c714cdea77bf3
Instruction Fuzzy Hash: E84124B2C00244ABCB04DF68C845BAEBBB8FB49710F14826EF554A73C1D7795A00CBA5

Function 00404040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004040C4

Strings

bad locale name, xrefs: 004040E6

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 0039d2d2ea2786ef81fe116e8b864d57793cf36a19fa060d6cb0c255b1586cee
Instruction ID: 65c2995a4cce64452fc0e082f9126f7f9302ed92d60cad1113ce5137d9e79936
Opcode Fuzzy Hash: 0039d2d2ea2786ef81fe116e8b864d57793cf36a19fa060d6cb0c255b1586cee
Instruction Fuzzy Hash: DB112670805B84EED321CF69C50474BBFF0AF25714F10868DD09597781D3B9A604CB95

Function 00416590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004165C9
___std_exception_copy.LIBVCRUNTIME ref: 004165FC

Strings

)@, xrefs: 004165BA, 004165ED

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_copy
String ID: )@
API String ID: 2659868963-4120265097
Opcode ID: ec459901e9a8c12f2536e06f4ce64afd8286d8aca2aa337d2d7da09c98386d96
Instruction ID: 79ebb971947c26e29da123751e765caa72f3f100f47198c89106861aa63fe252
Opcode Fuzzy Hash: ec459901e9a8c12f2536e06f4ce64afd8286d8aca2aa337d2d7da09c98386d96
Instruction Fuzzy Hash: F0112EB6910649EBCB11CF99C980B86FBF8FF09724F10876AE82497641E774A5448BA0

Function 00407A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00407A5C
___std_exception_destroy.LIBVCRUNTIME ref: 00407A72

Strings

)@, xrefs: 00407A52, 00407A6C

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )@
API String ID: 4194217158-4120265097
Opcode ID: 9ee8fa866bcea9d2c14fc14309fcadf8facde4318e0e6bb098ed358a1a235593
Instruction ID: 96290d15a7b89a27e7413382239de33ac52fdad5c525fa7f0e86a9c1871ea130
Opcode Fuzzy Hash: 9ee8fa866bcea9d2c14fc14309fcadf8facde4318e0e6bb098ed358a1a235593
Instruction Fuzzy Hash: 68F012B1805744DFC711DF98C90178DFFF8FB05728F50466AE855A3780E7B5660487A5

Function 0043361D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00433077,?,?,?,?,004C7E2F), ref: 00433655
GetSystemTimeAsFileTime.KERNEL32(?,E81620C6,00000000,?,00551382,000000FF,?,00433077,?,?,?,?,004C7E2F), ref: 00433659

Strings

`-@, xrefs: 0043364F

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID: `-@
API String ID: 743729956-3781167437
Opcode ID: a70e229828252f114f3dcb939b169fb3f53d7191ad82fa45b454faadf805d98c
Instruction ID: 3e04e591088ee8cc2650925c1d28f2227fba881fd4e87dc1a7d03300bd93dc66
Opcode Fuzzy Hash: a70e229828252f114f3dcb939b169fb3f53d7191ad82fa45b454faadf805d98c
Instruction Fuzzy Hash: 73F0A032904A54EFCB118F44DC11B59BBA8F708B21F004626EC12A3790DB34A9049F94

Function 0044B7F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000016,00000001,004389D2,00000001,00000016,00438BE1,?,?,?,?,?,00000000), ref: 0044B834

Strings

`-@, xrefs: 0044B824
InitializeCriticalSectionEx, xrefs: 0044B804

Memory Dump Source

Source File: 00000006.00000002.3053323681.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.3053289630.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053619862.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053666684.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053714192.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3053748111.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3055172793.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_MPGPH131.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$`-@
API String ID: 2593887523-3269949891
Opcode ID: 1f2253b5c78e33ee57fe7f30907939316c5faef6f9275bf3e632fad4f43c2f0e
Instruction ID: 5bcc12c1b0658f8dc7434a33690804c70bb56e7eadbb0958c8ec10a8e9d05d13
Opcode Fuzzy Hash: 1f2253b5c78e33ee57fe7f30907939316c5faef6f9275bf3e632fad4f43c2f0e
Instruction Fuzzy Hash: BDE09236581318BBCB212F92DC06DAE7F25EB24BA2F048022FD1956161C7768821BBD9

Analysis Process: MPGPH131.exePID: 7640, Parent PID: 1044COMMON

Executed Functions

Function 004C7B00 Relevance: 18.3, APIs: 12, Instructions: 279
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(0000031C,0000FFFF,00001006,?,00000008), ref: 004C7BA6
recv.WS2_32(?,00000004,00000002), ref: 004C7BC1
WSAGetLastError.WS2_32 ref: 004C7BC5
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 004C7C43
recv.WS2_32(00000000,0000000C,00000008), ref: 004C7C64
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 004C7D00
recv.WS2_32(00000000,?,00000008), ref: 004C7D1B

Part of subcall function 004C8590: WSAStartup.WS2_32 ref: 004C85BA
Part of subcall function 004C8590: getaddrinfo.WS2_32(?,?,?,00589328), ref: 004C863C
Part of subcall function 004C8590: socket.WS2_32(?,?,?), ref: 004C865D
Part of subcall function 004C8590: connect.WS2_32(00000000,00559BFC,?), ref: 004C8671
Part of subcall function 004C8590: closesocket.WS2_32(00000000), ref: 004C867D
Part of subcall function 004C8590: FreeAddrInfoW.WS2_32(?), ref: 004C868A
Part of subcall function 004C8590: WSACleanup.WS2_32 ref: 004C8690

recv.WS2_32(?,00000004,00000008), ref: 004C7E23
__Xtime_get_ticks.LIBCPMT ref: 004C7E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004C7E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 004C7EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 004C7EB9

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectgetaddrinfosocket
String ID:
API String ID: 3089209366-0
Opcode ID: 3d24dd6fae86035e1c91623a14a330b8fac7169f0fffea1d609c34c200ec8250
Instruction ID: b3d54dcccad81d83ab75f13ba9899d4b50e1d8608cabcccfb3508871926cac68
Opcode Fuzzy Hash: 3d24dd6fae86035e1c91623a14a330b8fac7169f0fffea1d609c34c200ec8250
Instruction Fuzzy Hash: 9EB1AC71D043089BEB10DBA8CC49BAEBBB1BB54314F24025EE815BB2D2D7785D88DF95

Function 004C8590 Relevance: 12.1, APIs: 8, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 004C85BA
getaddrinfo.WS2_32(?,?,?,00589328), ref: 004C863C
socket.WS2_32(?,?,?), ref: 004C865D
connect.WS2_32(00000000,00559BFC,?), ref: 004C8671
closesocket.WS2_32(00000000), ref: 004C867D
FreeAddrInfoW.WS2_32(?), ref: 004C868A
WSACleanup.WS2_32 ref: 004C8690
FreeAddrInfoW.WS2_32(?), ref: 004C86A5

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
String ID:
API String ID: 448659506-0
Opcode ID: 52d29ec15fbf37ccd53ab56e21f2e3f1d11727fcf2b6a4206c2cbc59116a4c78
Instruction ID: ffa07009e3086412046aa5b15573dbd5c691e56a3beb11943292ef2f0f62f1de
Opcode Fuzzy Hash: 52d29ec15fbf37ccd53ab56e21f2e3f1d11727fcf2b6a4206c2cbc59116a4c78
Instruction Fuzzy Hash: 9531C1726043009BD7208F25DC48B2BB7E5FB94729F114B1EF9A4922E0D7759C089AA7

Function 00409280 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,0054D15C,00000000,74D723A0,-00589880), ref: 004096A6
GetProcAddress.KERNEL32(00000000,?), ref: 004096B4
WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0054D15C,00000000,74D723A0,-00589880), ref: 004096C9

Strings

Ws2_32.dll, xrefs: 0040969A

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: AddressHandleModuleProcSend
String ID: Ws2_32.dll
API String ID: 2819740048-3093949381
Opcode ID: ddc30ba664299dc2f1fc7c2c0b072229e183ede947392a5cffdfd32cc45b5d46
Instruction ID: 188670ed5cfc709ed037a390f66f33add7af100e18449b0941b00ad524943a05
Opcode Fuzzy Hash: ddc30ba664299dc2f1fc7c2c0b072229e183ede947392a5cffdfd32cc45b5d46
Instruction Fuzzy Hash: 7C02CE70D04298DEDF25CFA4C8907ADBBB0EF59304F24429EE4456B2C6D7781D86CB96

Function 004C7EF0 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 399
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8.46.123.33, xrefs: 004C7F78

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID:
String ID: 8.46.123.33
API String ID: 0-2289477214
Opcode ID: 4e806a04750b243027b33f7d66f69192023bdf775b07e2eba2c1c4d53df461e3
Instruction ID: 65307ecbef6fb9e01e3d4ad067897c34c173f6a72c2a6aa1ef5fcaa49911cde8
Opcode Fuzzy Hash: 4e806a04750b243027b33f7d66f69192023bdf775b07e2eba2c1c4d53df461e3
Instruction Fuzzy Hash: 0E02A070D04248DFDB14DF68C945BDDBBB0AB14308F14419ED8057B386EBB95E88DB9A

Function 00449789 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00448E9F: GetConsoleOutputCP.KERNEL32(E82F9700,00000000,00000000,?), ref: 00448F02

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0044990E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00449918

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 2beaef352ff8862ad6b8b16251cd0bd229135013537871e9a6efb1225fc67aec
Instruction ID: 4c198159cf300fc4e9085a349e24ad4d45033eb13303bb4f9288eddf9455663d
Opcode Fuzzy Hash: 2beaef352ff8862ad6b8b16251cd0bd229135013537871e9a6efb1225fc67aec
Instruction Fuzzy Hash: 9961C5B1C14119BFEF11DFA8C844AAFBBB9AF49304F14014AE800A7316D739DD05EB65

Function 00448DFF Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00448CE6,00000000,?,0057A178,0000000C,00448DA2,?,?,?), ref: 00448E55
GetLastError.KERNEL32(?,00448CE6,00000000,?,0057A178,0000000C,00448DA2,?,?,?), ref: 00448E5F

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 1fe827fdfe079599b9b1dab25e2b646f0beb01ea40d46a72429d261cc15a62e7
Instruction ID: bfed174018f4c3fae0b74bea86efe9ace0911028d3bee9629bfc5162a0057b67
Opcode Fuzzy Hash: 1fe827fdfe079599b9b1dab25e2b646f0beb01ea40d46a72429d261cc15a62e7
Instruction Fuzzy Hash: 6E1125336042102AF6252236A84677F67499B82738F39061FF918CB2D2DF689C81825D

Function 0044251C Relevance: 3.1, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00442626,?,?,?,?,?), ref: 00442558
GetLastError.KERNEL32(?,?,?,?,00442626,?,?,?,?,?,00000000,?,00000000), ref: 00442565

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 0df1753fdbe4f7a704092f8361e7cfb0c7cc0fcadc70f8748e4d2d33b1623b65
Instruction ID: bcffdd1dd92d970d4fbe8e398a8ab980657c5c2bf717c74f1f656664416c076e
Opcode Fuzzy Hash: 0df1753fdbe4f7a704092f8361e7cfb0c7cc0fcadc70f8748e4d2d33b1623b65
Instruction Fuzzy Hash: 9B012632610615BFDF158F69DC1699E3B29EB84334F240209F8019B2E1E6B5ED429BA4

Function 0044B01A Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00451B48,?,00000000,?,?,00451DE9,?,00000007,?,?,004522DD,?,?), ref: 0044B030
GetLastError.KERNEL32(?,?,00451B48,?,00000000,?,?,00451DE9,?,00000007,?,?,004522DD,?,?), ref: 0044B03B

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1c4e9b2b04b0a897153f19679bc75b8cfe8e1d75e6b310813c54f5389fc1414e
Instruction ID: f233056e1464041c82b2d36bf1c88bdb576215b3e64377b8de55bab97aefa9e3
Opcode Fuzzy Hash: 1c4e9b2b04b0a897153f19679bc75b8cfe8e1d75e6b310813c54f5389fc1414e
Instruction Fuzzy Hash: 66E08C32100204ABEB212FA5AC0CB9A3B69EF00756F15802AF608971B0DB38C894D798

Function 004032D0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0040331F

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 4c9de15bf43b7906aab7ed6efc04c82af185101d7b74466eda9590404471e6f8
Instruction ID: ac639495c118a2832fc09027b5ebf4fad0cef292c7be368858978faeea3118d5
Opcode Fuzzy Hash: 4c9de15bf43b7906aab7ed6efc04c82af185101d7b74466eda9590404471e6f8
Instruction Fuzzy Hash: 63F024321001009BCB246F61D4565EAB7ECDF28366B50083FFC8DD7292EB3EDA408788

Function 0044A65A Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001), ref: 0044A69B

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 89032516e5b3e6299283371760f336f91a06b383302663fb1c071aa923d3998c
Instruction ID: 9689b7dccde3e7d2c1426315cc49502dff6dd5535dcc2f3da2dc3831567fdc71
Opcode Fuzzy Hash: 89032516e5b3e6299283371760f336f91a06b383302663fb1c071aa923d3998c
Instruction Fuzzy Hash: 4CF0E0311905246BFB216A66DC05B5B375CAF41760F1E8117EC84EB190CA3CDC3146EE

Function 0044B094 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 0044B0C6

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c639ae0624eff34eb8e57d07392fb4ffc7a0b3e65f726cef66c68c9318aea675
Instruction ID: 07eaf642519ac51a5bd3283dd2addbb445c80e248ae9cef49388ffb333b33e8c
Opcode Fuzzy Hash: c639ae0624eff34eb8e57d07392fb4ffc7a0b3e65f726cef66c68c9318aea675
Instruction Fuzzy Hash: 99E022322006206BFF313AA69C14B5B764CEF413A3F190227EC25A62D1DB3CCC0092EE

Non-executed Functions

Function 004CF280 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 240injectionmemorysynchronizationCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 004CF2F1
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004CF30D
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 004CF342
VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 004CF36B
WriteProcessMemory.KERNEL32(?,00000000,?,00000218,00000000), ref: 004CF50F
WriteProcessMemory.KERNEL32(?,00000218,004CF5E0,-00000010,00000000), ref: 004CF531
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000218,00000000,00000000,00000000), ref: 004CF544
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004CF54D

Strings

%s|%s, xrefs: 004CF4EF
131, xrefs: 004CF4D3, 004CF4E3

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: MemoryProcessWrite$AllocVirtual$CreateObjectRemoteSingleThreadWait
String ID: %s|%s$131
API String ID: 2137838514-1629954864
Opcode ID: 24dd464d7d6b4de60cf743bb8fa1d264754b13f2225653ad842add4f79ad0571
Instruction ID: 2ab717f03d3c912496b66fb944616d360f792c6fe5d042a247d22025e7d5b78f
Opcode Fuzzy Hash: 24dd464d7d6b4de60cf743bb8fa1d264754b13f2225653ad842add4f79ad0571
Instruction Fuzzy Hash: 36B16BB1D002089FDB14CFA4CC95BAEBBB5FF18300F10426DE905BB291D774A984DBA5

Function 004534CF Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004535D7
IsValidCodePage.KERNEL32(?), ref: 00453615
IsValidLocale.KERNEL32(?,00000001), ref: 00453628
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00453670
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0045368B

Strings

*V, xrefs: 00453534

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: *V
API String ID: 415426439-2897881622
Opcode ID: bb3ee8500ca9cacc625c50b97d6e48ff5c53ad3e39c4a6c01d9da358df15b7ae
Instruction ID: 4a54d826d8e8e5dc964d84ffa3ac1e49b68ae0fe58eca9cd8e7cd24ca5604c7d
Opcode Fuzzy Hash: bb3ee8500ca9cacc625c50b97d6e48ff5c53ad3e39c4a6c01d9da358df15b7ae
Instruction Fuzzy Hash: 4E517471A00209AFDB20DFA5CC41ABF77B8AF05743F14446AED01E7252EB74DA48DB65

Function 00452B5A Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00449E42: GetLastError.KERNEL32(00000000,?,0044F82B), ref: 00449E46
Part of subcall function 00449E42: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 00449EE8

GetACP.KERNEL32(?,?,?,?,?,?,00447300,?,?,?,?,?,-00000050,?,?,?), ref: 00452C19
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00447300,?,?,?,?,?,-00000050,?,?), ref: 00452C50
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00452DB3

Strings

utf8, xrefs: 00452D22
*V, xrefs: 00452B98

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: *V$utf8
API String ID: 607553120-210452255
Opcode ID: 95727e6ef7b94787d777f99e21165c393144e5509e4be2ad3f52f8295ffa9360
Instruction ID: 742b11dcb7ff0b0bfa38c284345f0d68b4d7ce619a9ba0daefdf44cafbbca61f
Opcode Fuzzy Hash: 95727e6ef7b94787d777f99e21165c393144e5509e4be2ad3f52f8295ffa9360
Instruction Fuzzy Hash: F071FA32600602A6D725AF75CD45B6B73A8EF16705F10042FFD05D7283EBF8E94C9699

Function 004532F3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,00453605,?,?), ref: 0045338C
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,00453605,?,?), ref: 004533B5
GetACP.KERNEL32(?,?,00453605,?,?), ref: 004533CA

Strings

OCP, xrefs: 00453347
ACP, xrefs: 00453311

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: b900ca414d4c4be95a8c6f041d08249478f894891a183a2f82a4edaf5765dc51
Instruction ID: 0023b8279c9b3e3643c8ce07df61025d6c2b7e12d2ffc4f7461f6cfcb2a1a3ae
Opcode Fuzzy Hash: b900ca414d4c4be95a8c6f041d08249478f894891a183a2f82a4edaf5765dc51
Instruction Fuzzy Hash: 8021C432600100A7DB308F54C900A9BB3A6AF50FD3B568466EC06D7312EF36EF49D358

Function 0043C960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: 01dad5c531b3804b6668612822d9feb5b6f7af541a2af8c3bc89036eeee974e8
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: DA023A71E002199BDF14CFA9D9C06AEFBB1FF48314F24926AE919B7380D735A9418B94

Function 004579E3 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 004579FC

Strings

`-@, xrefs: 00457AC6, 00457B70, 00457BB6
acos, xrefs: 00457B32
sqrt, xrefs: 00457B3B
exp, xrefs: 00457A7B, 00457AE0
asin, xrefs: 00457B29
log10, xrefs: 00457A3E, 00457A4D
pow, xrefs: 00457A9A, 00457B44, 00457B91
log, xrefs: 00457A59, 00457A68

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: DecodePointer
String ID: `-@$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3628989360
Opcode ID: 4c17630f5161de399ffce6b570c60365a2c89c55b52a7f760b39540bf94f5387
Instruction ID: bbf143f63b3841ec77cfacb8c6df481a799db6acf17f433172942b25d65e7ef2
Opcode Fuzzy Hash: 4c17630f5161de399ffce6b570c60365a2c89c55b52a7f760b39540bf94f5387
Instruction Fuzzy Hash: 1651B370808A0ACBCF109F58F84C1BEBFB1FB05309F154166D851A7266C7799A2DCB4D

Function 0041A060 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041A09D
std::_Lockit::_Lockit.LIBCPMT ref: 0041A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 0041A0E7
__Getctype.LIBCPMT ref: 0041A1C5
std::_Facet_Register.LIBCPMT ref: 0041A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 0041A223

Strings

E@, xrefs: 0041A1AE
PG@, xrefs: 0041A1BF
PD@, xrefs: 0041A19A

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: PD@$PG@$E@
API String ID: 1102183713-4120405683
Opcode ID: cf66166f52ff7971b600a3250f2a29593a1149a421a208e93fab5363b0ce8f21
Instruction ID: b372b58ab1bb25eec4b44a09b7f8f3aef2cc67a410616163416d5e42c3dffe19
Opcode Fuzzy Hash: cf66166f52ff7971b600a3250f2a29593a1149a421a208e93fab5363b0ce8f21
Instruction Fuzzy Hash: 6E51BAB0D01245DFCB11CF98C9457AEBBF0FB14714F14825ED855AB391DB78AA88CB92

Function 004372D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00437307
___except_validate_context_record.LIBVCRUNTIME ref: 0043730F
_ValidateLocalCookies.LIBCMT ref: 00437398
__IsNonwritableInCurrentImage.LIBCMT ref: 004373C3
_ValidateLocalCookies.LIBCMT ref: 00437418

Strings

`-@, xrefs: 004373DC
csm, xrefs: 004373AD

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: `-@$csm
API String ID: 1170836740-3738301566
Opcode ID: a837c65dc98bc53f7a591b5dada66322cfdf011b0ab20b220170fbbfaeea83fd
Instruction ID: bde692452db8eba3752ab90a3e7788ac0719a0bf92b2230e47b89eff8dfd02fd
Opcode Fuzzy Hash: a837c65dc98bc53f7a591b5dada66322cfdf011b0ab20b220170fbbfaeea83fd
Instruction Fuzzy Hash: B041F8709042099FCF20DF59C885A9FBBA4BF08328F14905BFC54AB392D739E905DB95

Function 0041C430 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0041C45A
std::_Lockit::_Lockit.LIBCPMT ref: 0041C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 0041C4A4
std::_Facet_Register.LIBCPMT ref: 0041C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 0041C5C4

Strings

E@, xrefs: 0041C562
PD@, xrefs: 0041C54E

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: E@$PD@
API String ID: 459529453-4103272508
Opcode ID: 4956459445cc7cc7d841703dbe2ed42e033006db9883af498c412f7626095107
Instruction ID: e4bc83ced0ac359faa997fd18d4eeb760fe14de2594101695cc0fd15b6690fbc
Opcode Fuzzy Hash: 4956459445cc7cc7d841703dbe2ed42e033006db9883af498c412f7626095107
Instruction Fuzzy Hash: C351EFB0900255EFDB11CF58C991BAEBBF0FB10314F24415EE846AB381D7B9AA45CB95

Function 0044BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044BBEC

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: d7b9d7273cbfac5d15a556f8c8651b9033d93685d5a38535419dded3191b9e75
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: D5B14672D006559FEB158F24CC81BEBBBA5EF59310F2441ABE904AB382D778D901C7E9

Function 0044B37E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,0044B48D,?,?,00000000,00000001,?,?,0044B6B7,00000022,FlsSetValue,00561B88,00561B90,00000001), ref: 0044B43F

Strings

ext-ms-, xrefs: 0044B3E9
api-ms-, xrefs: 0044B3D5

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 033630484f002e070c94113c7b6ef7f262f68e90d70309fdd043a749aa00ed93
Instruction ID: e3d7dbf8d3e43151f67a2d3675c4fcd7809fc0c9af6198dcb17880ded4e1cd5b
Opcode Fuzzy Hash: 033630484f002e070c94113c7b6ef7f262f68e90d70309fdd043a749aa00ed93
Instruction Fuzzy Hash: A2212B36A01220A7E7319F619C45A6B7768EB51761F140112FC06A7392D734ED05D6D9

Function 00443633 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,E82F9700,?,?,00000000,00551365,000000FF,?,0044360F,?,?,004435E3,00000016), ref: 00443668
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044367A
FreeLibrary.KERNEL32(00000000,?,00000000,00551365,000000FF,?,0044360F,?,?,004435E3,00000016), ref: 0044369C

Strings

`-@, xrefs: 0044368B
mscoree.dll, xrefs: 00443661
CorExitProcess, xrefs: 00443672

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$`-@$mscoree.dll
API String ID: 4061214504-3731901874
Opcode ID: 66c557226bdf84cfe892202a4e2d9d598a1facfa92736b92f61228ad13b2a6bb
Instruction ID: 11f561727bfec435161e86ab51d2faaed74d5e09c0b89d0474703e999051cdf2
Opcode Fuzzy Hash: 66c557226bdf84cfe892202a4e2d9d598a1facfa92736b92f61228ad13b2a6bb
Instruction Fuzzy Hash: 5601A232A44715AFDB219F44DC19BAFBBB8FB14B52F014526E812E27E0DB749A04CA94

Function 00432729 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00432730
std::_Lockit::_Lockit.LIBCPMT ref: 0043273B
std::_Lockit::~_Lockit.LIBCPMT ref: 004327A9

Part of subcall function 0043288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 004328A4

std::locale::_Setgloballocale.LIBCPMT ref: 00432756

Strings

`-@, xrefs: 00432778, 0043279C

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID: `-@
API String ID: 677527491-3781167437
Opcode ID: 8a5613631ec3d916f95b396eb7cc43f12c5d676d84142dd5ef1a29976cc47206
Instruction ID: 335728d06f8999c9367bb6f0cb93ad347570f0e44e9dcbef2930aaa8ccdcd417
Opcode Fuzzy Hash: 8a5613631ec3d916f95b396eb7cc43f12c5d676d84142dd5ef1a29976cc47206
Instruction Fuzzy Hash: 9D01FC35A006109BC70AFB20CC5157D7BB0FF98790F44250EE81163391CFB8AE06DB89

Function 00432BC8 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00432BDC
RtlAcquireSRWLockExclusive.NTDLL(00000008), ref: 00432BFB
RtlAcquireSRWLockExclusive.NTDLL(00000008), ref: 00432C29
RtlTryAcquireSRWLockExclusive.NTDLL(00000008), ref: 00432C84
RtlTryAcquireSRWLockExclusive.NTDLL(00000008), ref: 00432C9B

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 8f089e7040faa662b45679f060ee1b8a0f0adfff173fd46cb89089840a213128
Instruction ID: ee0d2db44a198d3d02c1eb3b1b0ff5a364ec90963e300245c4d31640e9e12550
Opcode Fuzzy Hash: 8f089e7040faa662b45679f060ee1b8a0f0adfff173fd46cb89089840a213128
Instruction Fuzzy Hash: B2415931900A0ADFCB20DF65CA8096EB3B4FF0C311F20692BD446D7650D7B8E986DB69

Function 00407350 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040750C
___std_exception_destroy.LIBVCRUNTIME ref: 00407522

Strings

[json.exception., xrefs: 004073A1
)@, xrefs: 00407502, 0040751C

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )@$[json.exception.
API String ID: 4194217158-3378332251
Opcode ID: ed8046a3216ddeace2ba6bc1a63a61367f4591f9b00a8cd9401d811279d7cf04
Instruction ID: d1fd1ad00dbeab1566b73d8112c34bc80c76f551163e59ed82d928a5322bc1a2
Opcode Fuzzy Hash: ed8046a3216ddeace2ba6bc1a63a61367f4591f9b00a8cd9401d811279d7cf04
Instruction Fuzzy Hash: 8C51CFB1C046489BD710DFA8C905B9EBBB4FF15318F14426EE850A73C2E7B86A44C7A5

Function 00404900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040499F

Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,74D723A0,?,00431D09,?,005799D8,74D723A0,?,74D723A0,-00589880), ref: 0043525B

Strings

ios_base::eofbit set, xrefs: 00404946
ios_base::badbit set, xrefs: 00404937, 00404962
ios_base::failbit set, xrefs: 00404828, 00404941

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1903096808-1866435925
Opcode ID: 5e8fcf04681b5496c91e096f1d273a5343178b8940b0c322b64de4dd1df32f3c
Instruction ID: 99c94d1e80f512c720ba00148ae48faeb0acee82eabb402b7e5943aa58dcc262
Opcode Fuzzy Hash: 5e8fcf04681b5496c91e096f1d273a5343178b8940b0c322b64de4dd1df32f3c
Instruction Fuzzy Hash: AC119CF2844644ABCB10DF688C03BAB37C8E744715F04463EFE58972C1EB399800C79A

Function 00448E9F Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(E82F9700,00000000,00000000,?), ref: 00448F02

Part of subcall function 0044EC55: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0044A862,?,00000000,-00000008), ref: 0044ECB6

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00449154
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0044919A
GetLastError.KERNEL32 ref: 0044923D

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: d46c0870a8277536d77cd1fa32924c999241811f2f15ebdbc3735bbe4b8907ba
Instruction ID: b6f9ea87837ca93654473fd2bae4ec290e60b55bc3ade45d2d9d29a5185f0d60
Opcode Fuzzy Hash: d46c0870a8277536d77cd1fa32924c999241811f2f15ebdbc3735bbe4b8907ba
Instruction Fuzzy Hash: 70D1BC75D00249AFDF14CFA8C880AAEBBB5FF09304F28456AE856EB351D734AD45CB54

Function 00456D32 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000,?,?,00453DCE,?,00000001,?,?,?,00449291,?,00000000,00000000), ref: 00456D49
GetLastError.KERNEL32(?,00453DCE,?,00000001,?,?,?,00449291,?,00000000,00000000,?,?,?,0044986B,?), ref: 00456D55

Part of subcall function 00456D1B: CloseHandle.KERNEL32(FFFFFFFE,00456D65,?,00453DCE,?,00000001,?,?,?,00449291,?,00000000,00000000,?,?), ref: 00456D2B

___initconout.LIBCMT ref: 00456D65

Part of subcall function 00456CDD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00456D0C,00453DBB,?,?,00449291,?,00000000,00000000,?), ref: 00456CF0

WriteConsoleW.KERNEL32(?,?,?,00000000,?,00453DCE,?,00000001,?,?,?,00449291,?,00000000,00000000,?), ref: 00456D7A

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 6d252f6c85546040703605b5d122fbb434f3c9b6b34be8e7cd3f73b3df330617
Instruction ID: b582005f90f2c4d159ccd48a3422ceca8e6e351b7b3b67145bbef734a6de3f3c
Opcode Fuzzy Hash: 6d252f6c85546040703605b5d122fbb434f3c9b6b34be8e7cd3f73b3df330617
Instruction Fuzzy Hash: F4F01C37500518BBCF221FD1DC18A8A3F76EB583A2B814415FE0D96231D6328928EB94

Function 004036E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00403819
___std_exception_destroy.LIBVCRUNTIME ref: 004038F0

Strings

)@, xrefs: 004037ED, 004038EA

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: )@
API String ID: 2970364248-4120265097
Opcode ID: f6f30e31f85ce950f1fa6973965a42a1d736ba8a23ea96827b1d399a811dfef4
Instruction ID: 269ef50febfdc4b1c22cf7239a576f40f0b19685bcb009e1facc48eb6157c32a
Opcode Fuzzy Hash: f6f30e31f85ce950f1fa6973965a42a1d736ba8a23ea96827b1d399a811dfef4
Instruction Fuzzy Hash: DD6169B1C00248DBDB10DF98C945B9EFFB5FF19324F14825EE814AB282D7B95A44CBA5

Function 004047F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040499F

Part of subcall function 004351FB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,74D723A0,?,00431D09,?,005799D8,74D723A0,?,74D723A0,-00589880), ref: 0043525B

Strings

ios_base::badbit set, xrefs: 00404937, 00404962
ios_base::failbit set, xrefs: 00404828

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 1903096808-1240500531
Opcode ID: 35eb3ed04202005fd1b576b70113dfa79425ebb9137dc2370a73229c77559635
Instruction ID: 59789774a96eacd1a5b8f49c51d8e497543063f0a2ed12b155596828dbf76f3a
Opcode Fuzzy Hash: 35eb3ed04202005fd1b576b70113dfa79425ebb9137dc2370a73229c77559635
Instruction Fuzzy Hash: E84124B2C00244ABCB04DF68C845BAEBBB8FB49710F14826EF554A73C1D7795A00CBA5

Function 00404040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004040C4

Strings

bad locale name, xrefs: 004040E6

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 0039d2d2ea2786ef81fe116e8b864d57793cf36a19fa060d6cb0c255b1586cee
Instruction ID: 65c2995a4cce64452fc0e082f9126f7f9302ed92d60cad1113ce5137d9e79936
Opcode Fuzzy Hash: 0039d2d2ea2786ef81fe116e8b864d57793cf36a19fa060d6cb0c255b1586cee
Instruction Fuzzy Hash: DB112670805B84EED321CF69C50474BBFF0AF25714F10868DD09597781D3B9A604CB95

Function 00416590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004165C9
___std_exception_copy.LIBVCRUNTIME ref: 004165FC

Strings

)@, xrefs: 004165BA, 004165ED

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_copy
String ID: )@
API String ID: 2659868963-4120265097
Opcode ID: ec459901e9a8c12f2536e06f4ce64afd8286d8aca2aa337d2d7da09c98386d96
Instruction ID: 79ebb971947c26e29da123751e765caa72f3f100f47198c89106861aa63fe252
Opcode Fuzzy Hash: ec459901e9a8c12f2536e06f4ce64afd8286d8aca2aa337d2d7da09c98386d96
Instruction Fuzzy Hash: F0112EB6910649EBCB11CF99C980B86FBF8FF09724F10876AE82497641E774A5448BA0

Function 00407A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00407A5C
___std_exception_destroy.LIBVCRUNTIME ref: 00407A72

Strings

)@, xrefs: 00407A52, 00407A6C

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )@
API String ID: 4194217158-4120265097
Opcode ID: 9ee8fa866bcea9d2c14fc14309fcadf8facde4318e0e6bb098ed358a1a235593
Instruction ID: 96290d15a7b89a27e7413382239de33ac52fdad5c525fa7f0e86a9c1871ea130
Opcode Fuzzy Hash: 9ee8fa866bcea9d2c14fc14309fcadf8facde4318e0e6bb098ed358a1a235593
Instruction Fuzzy Hash: 68F012B1805744DFC711DF98C90178DFFF8FB05728F50466AE855A3780E7B5660487A5

Function 0043361D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00433077,?,?,?,?,004C7E2F), ref: 00433655
GetSystemTimeAsFileTime.KERNEL32(?,E82F9700,00000000,?,00551382,000000FF,?,00433077,?,?,?,?,004C7E2F), ref: 00433659

Strings

`-@, xrefs: 0043364F

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID: `-@
API String ID: 743729956-3781167437
Opcode ID: a70e229828252f114f3dcb939b169fb3f53d7191ad82fa45b454faadf805d98c
Instruction ID: 3e04e591088ee8cc2650925c1d28f2227fba881fd4e87dc1a7d03300bd93dc66
Opcode Fuzzy Hash: a70e229828252f114f3dcb939b169fb3f53d7191ad82fa45b454faadf805d98c
Instruction Fuzzy Hash: 73F0A032904A54EFCB118F44DC11B59BBA8F708B21F004626EC12A3790DB34A9049F94

Function 0044B7F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000016,00000001,004389D2,00000001,00000016,00438BE1,?,?,?,?,?,00000000), ref: 0044B834

Strings

`-@, xrefs: 0044B824
InitializeCriticalSectionEx, xrefs: 0044B804

Memory Dump Source

Source File: 00000007.00000002.3053247613.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.3053200294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053519546.0000000000585000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053569469.000000000058A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053617711.0000000000596000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000598000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000074F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000751000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000753000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000757000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000759000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000075E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000760000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000766000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000768000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000076C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000770000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000772000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000774000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000776000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.0000000000782000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.000000000078A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007AE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007B3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3053664986.00000000007BB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3054993007.0000000000980000.00000020.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_MPGPH131.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$`-@
API String ID: 2593887523-3269949891
Opcode ID: 1f2253b5c78e33ee57fe7f30907939316c5faef6f9275bf3e632fad4f43c2f0e
Instruction ID: 5bcc12c1b0658f8dc7434a33690804c70bb56e7eadbb0958c8ec10a8e9d05d13
Opcode Fuzzy Hash: 1f2253b5c78e33ee57fe7f30907939316c5faef6f9275bf3e632fad4f43c2f0e
Instruction Fuzzy Hash: BDE09236581318BBCB212F92DC06DAE7F25EB24BA2F048022FD1956161C7768821BBD9

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YnsEArPlqx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Windows Analysis Report
YnsEArPlqx.exe

Function 00409280 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 382
libraryloadernetworkCOMMON

Function 004C7B00 Relevance: 18.3, APIs: 12, Instructions: 279
networksleepCOMMON

Function 004C8590 Relevance: 12.1, APIs: 8, Instructions: 92
networkCOMMON

Function 00449789 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMON

Function 00448DFF Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Function 0044251C Relevance: 3.1, APIs: 2, Instructions: 52
COMMON

Function 004032D0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Function 0044A65A Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 0044B094 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre